The context
The vendor embeds AI components into several of its products. The AI Act applies on 2 August 2026, with obligations that depend on the risk tier of each system. The compliance department wanted to equip its team to scope a new system in a few hours, rather than mobilising an external consultant on every product change. The goal was not to replace legal counsel, but to provide them with a structured first analysis and draft documentation ready for review.
The need
An agent able to prepare a compliance file end to end: capture the description of the system, identify the applicable risk category, enumerate the corresponding obligations, flag the areas of uncertainty that require a human decision, and produce a documentation skeleton aligned with the requirements of the regulation. The whole system had to remain controllable and auditable, with no black box, and be hosted on European infrastructure to comply with the client's sovereignty policy.
What we delivered
An agent orchestrated via MCP. Each capability (search over the text of the AI Act, risk classification, report generation) is exposed as an independent MCP server, which makes the system debuggable and extensible. A Mistral model hosted in the EU handles inference, a Qdrant vector database indexes the full regulation and the published guidelines, and persistent state in PostgreSQL provides traceability of analyses. The decision flow and the mapping to AI Act and GDPR obligations are documented in an architecture file delivered to the client. Everything remains within European jurisdiction.
