Under the EU AI Act, a deployer is the natural or legal person under whose authority a high-risk AI system is used in a professional capacity. Their primary obligations include implementing meaningful human oversight, monitoring the system's operation for anomalies, and ensuring input data is relevant and representative of the intended purpose. The deployer must also retain automatically generated logs for a period appropriate to the system's intended purpose.
Glossary
Deployer Obligations

What is Deployer Obligations?
Deployer obligations are the specific legal duties assigned to the professional user of a high-risk AI system under the EU AI Act, distinct from the developer's responsibilities.
A critical deployer obligation is conducting a Fundamental Rights Impact Assessment (FRIA) before putting the system into service. This documented process evaluates the specific risks to the rights and freedoms of affected individuals. Deployers must also immediately report any serious incident or malfunction to the provider and the relevant market surveillance authority, and cooperate fully in any post-market monitoring or audit.
Frequently Asked Questions
Clarifying the legal duties assigned to professional users of high-risk AI systems under the EU AI Act, including oversight, monitoring, and fundamental rights impact assessments.
A deployer is the professional user who operates a high-risk AI system under their authority, and their primary obligations include implementing human oversight measures, ensuring input data is relevant and representative, monitoring the system's operation, and conducting a Fundamental Rights Impact Assessment (FRIA). Unlike the provider who builds the system, the deployer is responsible for its proper use in a specific context. They must assign competent human overseers with the authority to override automated decisions, retain automatically generated logs for audit purposes, and immediately inform the provider and market surveillance authorities of any serious incidents or malfunctions. If a deployer substantially modifies the system or uses it outside its intended purpose, they legally assume the provider's obligations and must conduct a new conformity assessment.
Core Deployer Duties
The legal duties under the EU AI Act assigned to the professional user of a high-risk AI system, including ensuring human oversight, monitoring operation, and conducting fundamental rights impact assessments.
Fundamental Rights Impact Assessment (FRIA)
A mandatory, documented process for deployers of high-risk AI systems to evaluate the specific risks to the rights and freedoms of individuals likely to be affected by the system's operation. The assessment must include:
- A detailed description of the deployer's processes in which the high-risk AI system will be used
- The period and frequency of the system's intended use
- The categories of natural persons and groups likely to be affected
- The specific risks of harm likely to impact those groups
- The human oversight measures to be implemented
- The measures to be taken in case of materialized risks
Human Oversight Obligations
Deployers must ensure that natural persons to whom human oversight is assigned have the necessary competence, training, and authority to carry out that role. This goes beyond a tokenistic rubber-stamp. Oversight must be built on human-in-the-loop, human-on-the-loop, or human-in-command paradigms. The operator must be able to:
- Fully understand the system's capacities and limitations
- Remain aware of automation bias
- Correctly interpret the system's output
- Decide to disregard, override, or reverse the output
- Intervene or stop the system via a 'kill switch'
Input Data Control
The deployer bears strict responsibility for ensuring that the input data fed into the high-risk AI system is relevant and sufficiently representative for its intended purpose. This is a critical distinction from provider obligations. If a deployer feeds biased or irrelevant data into a compliant model, the deployer is liable for the resulting harm. This requires rigorous data governance at the point of use, including checks for distribution drift and data quality anomalies.
Monitoring and Incident Reporting
Deployers are legally obligated to monitor the operation of the high-risk AI system based on the instructions of use. If the deployer identifies or has reason to believe that the system presents a serious incident—defined as any malfunction or failure leading to death or serious damage to health or property—they must immediately notify the provider and the relevant market surveillance authority. This triggers a mandatory investigation and potential recall.
Record-Keeping and Logs
Deployers must retain the automatically generated logs of the high-risk AI system for a period appropriate to the system's intended purpose, at minimum six months unless otherwise specified in applicable EU or national law. These logs must capture:
- The period of each use
- The reference database against which input data has been checked
- The input data that led to a match
- The natural persons involved in verification
Transparency to Affected Individuals
Deployers of emotion recognition systems or biometric categorization systems must inform the exposed natural persons of the operation of the system. For systems making consequential decisions—those producing legal effects or similarly significant impacts—the deployer must provide a meaningful explanation of the role of the AI in the decision-making procedure and the principal parameters of the decision taken. This operationalizes the right to explanation.
Operationalizing Deployer Obligations
The systematic translation of legal duties under the EU AI Act into concrete, auditable workflows and technical controls for the professional user of a high-risk AI system.
Operationalizing deployer obligations is the process of converting the EU AI Act's abstract legal duties into specific, repeatable technical and procedural controls. For a deployer—the entity using a high-risk AI system in a professional setting—this means moving beyond policy documents to implement human oversight mechanisms, automated monitoring pipelines, and data governance protocols that function in a live production environment.
This requires integrating compliance directly into the system's operational lifecycle, including the execution of a fundamental rights impact assessment and the maintenance of an auditable human oversight log. The goal is to ensure that obligations like meaningful human intervention and post-market monitoring are not manual afterthoughts but are engineered as deterministic, verifiable features of the system's architecture.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Deployer vs. Provider Obligations
A comparative breakdown of the distinct legal duties assigned to the developer (Provider) and the professional user (Deployer) of a high-risk AI system under the EU AI Act.
| Obligation | Provider | Deployer | Shared/Joint |
|---|---|---|---|
Risk Management System | Establish, implement, document, and maintain | ||
Technical Documentation | Compile and maintain comprehensive dossier | Retain records of use and monitoring | |
Conformity Assessment | Conduct before market placement | ||
CE Marking & Registration | Affix mark and register in EU database | ||
Fundamental Rights Impact Assessment | Conduct prior to first use | ||
Human Oversight | Design system to allow for it | Assign competent humans with actual authority to override | |
Post-Market Monitoring | Systematically collect and analyze performance data | Monitor operation for anomalies and risks | |
Serious Incident Reporting | Notify authorities immediately | Notify provider and authorities immediately | |
Data Governance | Ensure training data meets quality criteria | Ensure input data is relevant to intended purpose | |
Instructions for Use | Provide clear, complete, and correct instructions | Operate system in accordance with instructions | |
Substantial Modification | Re-assess compliance if system is modified | Do not modify system without provider coordination | |
Cooperation with Authorities | Provide documentation on request | Provide documentation on request |
Related Terms
The legal duties assigned to the professional user of a high-risk AI system under the EU AI Act, ensuring operational accountability beyond the provider's initial certification.
Fundamental Rights Impact Assessment
A mandatory, documented process deployers must complete before putting a high-risk AI system into use. It evaluates the specific risks to the rights and freedoms of individuals likely to be affected.
- Must include a detailed description of the deployer's processes, the system's intended purpose, and the categories of natural persons affected.
- Requires an analysis of the specific risks of harm to fundamental rights (e.g., non-discrimination, data protection, human dignity).
- Deployers must describe the human oversight measures and the actions taken to mitigate identified risks.
- The completed assessment must be notified to the relevant market surveillance authority.
Human Oversight Implementation
Deployers must ensure that natural persons assigned to oversee a high-risk AI system have the necessary competence, training, and authority to intervene effectively.
- Oversight is not a passive monitoring role; it requires the capacity to override, ignore, or reverse the system's output.
- Deployers must guard against automation bias, where operators become over-reliant on the system's recommendations.
- The oversight mechanism must be designed to allow a human to fully understand the system's capacities and limitations and remain aware of any tendency to automatically rely on the output.
- This directly operationalizes the concept of Meaningful Human Intervention.
Input Data Control
Deployers are legally obligated to ensure that the input data fed into a high-risk AI system is relevant and sufficiently representative for its intended purpose.
- This obligation shifts a portion of data governance responsibility from the provider to the professional user during the operational phase.
- Deployers must prevent data drift and ensure inputs do not introduce new biases or degrade the model's performance.
- This is a critical control point, as a system compliant at the time of CE Marking can become non-compliant if fed with poor-quality operational data.
- The obligation aligns with the broader Data Governance Criteria required for high-risk systems.
Monitoring and Incident Reporting
Deployers must monitor the operation of the high-risk AI system and immediately report any serious incident or malfunction to the provider and the market surveillance authority.
- A serious incident is defined as any event that directly or indirectly leads to death, serious damage to health, or serious and irreversible damage to property.
- Deployers must keep logs automatically generated by the system for a period appropriate to the system's intended purpose, at least six months unless otherwise specified.
- This duty creates a continuous feedback loop, feeding into the provider's Post-Market Monitoring obligations.
- Failure to report constitutes a direct breach of the Act.
Record-Keeping and Log Retention
Deployers must retain logs automatically generated by the high-risk AI system to ensure an adequate level of traceability of the system's functioning.
- These logs are essential for auditing, post-incident investigation, and fulfilling Data Subject Rights requests, including the right to explanation.
- The retention period is defined by law or the system's intended purpose, with a statutory minimum of six months.
- This obligation ensures that the AI Audit Trail is maintained not just by the provider but also by the entity operating the system in a live environment.
- Log integrity is crucial for demonstrating compliance during inspections by Market Surveillance Authorities.
Cooperation with Authorities
Deployers are legally compelled to cooperate fully with national competent authorities, including Market Surveillance Authorities, upon any reasoned request.
- Cooperation includes providing access to logs, documentation, and operational data to demonstrate ongoing compliance.
- Deployers must take immediate corrective action if they determine a system is not in conformity with the Act, and inform the provider and distributor.
- This duty transforms the deployer from a passive user into an active participant in the Continuous Compliance Monitoring ecosystem.
- Non-cooperation can trigger enforcement actions, including fines and restrictions on the system's use.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us