Two months ago, I merged a PR that added face detection to our image processing service. Nobody on the team realized this put us squarely in the EU AI Act's high-risk category.
We found out three weeks later, during a manual review. By then, the feature had been in production for 20 days with zero compliance documentation.
That's when I decided: compliance checks belong in CI/CD, not in quarterly reviews.
The problem with manual compliance reviews
Most teams treat AI regulation the same way they treated GDPR in 2018 — as a legal problem, not an engineering problem. Someone from legal sends a spreadsheet once a quarter, engineers fill it out from memory, and everyone hopes nothing slipped through.
This doesn't work when your codebase changes daily. A single pip install face-recognition in a feature branch can shift your regulatory classification overnight.
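One way to catch exactly that kind of dependency change in CI, as an added example that is not the post's own pipeline code: it scans a PR's requirements files and Python imports against a watchlist of packages tied to biometric identification and returns the hits so the job can fail. The watchlist contents and the "Annex III" label are illustrative assumptions, not an official list.

```python
import ast
import re

# Constructed watchlist (an assumption, not an official list): normalized name -> reason.
HIGH_RISK_PACKAGES = {
    "face-recognition": "biometric identification (Annex III)",
}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """pip treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text):
    """Return (name, reason) for each watchlisted entry in a requirements file."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # skip comments and pip options such as '-r base.txt'
        m = REQ_LINE.match(stripped)
        if m and normalize(m.group(1)) in HIGH_RISK_PACKAGES:
            findings.append((m.group(1), HIGH_RISK_PACKAGES[normalize(m.group(1))]))
    return findings


def scan_python_source(source):
    """Walk the AST so aliased imports ('import face_recognition as fr') are caught."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods = [node.module]
        for mod in mods:
            top = normalize(mod.split(".")[0])
            if top in HIGH_RISK_PACKAGES:
                findings.append((mod, HIGH_RISK_PACKAGES[top]))
    return findings


def ci_gate(changed_files):
    """changed_files: {path: content} for a PR; a non-empty result should fail the job."""
    findings = []
    for path, content in changed_files.items():
        if path.endswith(".txt"):
            findings += scan_requirements(content)
        elif path.endswith(".py"):
            findings += scan_python_source(content)
    return findings
```

Wire `ci_gate` to the list of files the PR touches and exit non-zero when it returns anything, so the classification question is raised on the PR itself rather than at the next quarterly review.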
What I automated
My CI pipeline now checks three things on every PR that touches Python files:
1. Fram