What is KlarvoEngine?

KlarvoEngine is Klarvo's regulatory intelligence engine. It analyses your AI system through a 3-pass classification pipeline and produces an article-cited compliance memo with obligations, deadlines, and recommended controls — in under 60 seconds.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes obligations on providers and deployers of AI systems operating in the EU.

Any organisation that provides or deploys AI systems affecting people in the EU — regardless of where the organisation is based. This includes websites with AI chatbots, companies using AI analytics, and businesses integrating AI models into their products.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations since August 2025. Article 50 transparency and most remaining obligations apply from August 2, 2026.

What are the penalties?

Up to €35 million or 7% of global turnover for prohibited practices. Up to €15 million or 3% for transparency and other violations. For SMEs, the penalty is whichever amount is lower.

Incident Management Overview

Incident Management

Under Article 26, deployers of high-risk AI systems must monitor operation, report serious incidents, and be prepared to suspend use when risk is identified. Klarvo's incident management system provides the structure for tracking, responding to, and documenting AI-related incidents.

What Counts as an Incident?

AI incidents requiring documentation include:

Safety events: Physical or psychological harm caused by AI outputs

Rights violations: Discriminatory outcomes, privacy breaches, unfair denials of service

Performance failures: Unexpected outputs, hallucinations, systematic errors

Security events: Data leaks, unauthorized access, adversarial attacks

Compliance gaps: Discovered non-conformities with the AI Act

User complaints: Documented concerns about AI behaviour

Severity Levels

Level

Description

Response Time

Escalation

Critical

Immediate harm, safety risk, potential prohibited practice

< 24 hours

Leadership + legal + authority (if serious)

High

Significant rights impact, large-scale effect

< 48 hours

Compliance Owner + provider

Medium

Moderate impact, contained to limited scope

< 1 week

System Owner + Compliance Owner

Low

Minor issue, no harm, easily correctable

< 2 weeks

System Owner

Incident Workflow

Detection → Logging → Triage → Containment → Investigation → Resolution → Postmortem → Closure ↓ ↓ Notification Reassessment (internal + external) (if needed)

Serious Incident Reporting (Article 26(5))

Deployers must report serious incidents to:

The AI system provider — notify immediately

Market surveillance authority — within required timeframe

A "serious incident" is one that results in:

Death or serious damage to health

Serious/irreversible disruption of critical infrastructure management

Breach of obligations intended to protect fundamental rights

Serious damage to property or the environment

Integration with System Reassessment

Incidents can trigger system reassessment:

Critical incidents → Automatic reassessment flag on the AI system

Pattern of medium incidents → Recommended review of classification

Resolved incidents → Documented in system history for audit trail

Best Practices

🚨 Log immediately: Don't wait for investigation to start — capture the facts as they're known

📞 Notify early: Err on the side of over-communication

🔍 Root cause analysis: Every resolved incident should identify the underlying cause

📝 Postmortem: Document lessons learned and preventive measures

🔄 Update procedures: Improve incident response based on learnings