The EU AI Act Is Not a Legal Problem. It Is a Technical One.

The EU AI Act is not an automotive safety standard. It covers the entire AI deployment spectrum. From recommendation engines, credit scoring tools, and hiring algorithms to medical decision support, customer interaction systems, and business intelligence. Wherever AI makes or influences decisions that affect people, the Act applies.

The normative governance framework across all these domains is ISO/IEC 42001:2023 It's the international management system standard for responsible AI. It defines what organisations must put in place to govern AI throughout its lifecycle: from design and validation through deployment to monitoring and incident response.

“AI systems should be developed and used in accordance with Union values and the Charter of Fundamental Rights of the European Union. […] AI systems should support human well-being and provide a high level of protection of health, safety and fundamental rights.”

Recital 6, EU AI Act

and further:

“Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use.”

Article 50(1), EU AI Act

These obligations become broadly binding across almost all applicable domains on 2. August 2026. For the last year, prohibitions like social scoring and obligations for foundation models such as ChatGPT have been phased in. On that date, the full weight of the Act lands, for nearly every organisation deploying AI in an operational context.

The homologation challenge familiar from SOTIF (ISO 21448) in autonomous driving is not unique to ADAS. It is the same structural obstacle that appears across every regulated AI domain: demonstrating that system behaviour is intentional, bounded, verifiable and that you know what you are validating against. Purely probabilistic systems make this structurally difficult. Not because of poor performance, but because of a deficit that more training data will not fix.

No context. No semantics. No function.

Probabilistic systems learn patterns. Patterns are everywhere. Given enough data, a model will find statistical regularities across almost any input. This includes also patterns that carry no semantic meaning in the domain it is supposed to operate in. The system will hallucinate: not as a bug, but as a predictable structural consequence of how it works.

Without a defined context, there is no semantics. Without semantics, there is no function. This is because it is no longer clear what problem the system behavior is supposed to solve, or whether a given output is valid, irrelevant, or dangerous in that situation.

Without context you must validate against an infinite number or literally the entire universe to hold enough of input combinations. But even that misses the point, because without a semantically defined operating domain, you do not know what you are validating against in the first place. Adding more training data treats the symptom. It does not close the structural gap.

What actually works

Two credible paths exist. The first is a formal validation structure: a model that constrains AI behavior within an explicitly defined, bounded operating context. This is a context that follows physical rules and can be verified against defined criteria. The second is neurosymbolic AI: systems that combine statistical inference with formal reasoning, enabling the system to ground its outputs in explicit symbolic logic that can be examined and validated.

A purely probabilistic AI system without either of these is a safety risk in regulated or safety-critical domains. Not in theory. By structure.

In short

• The EU AI Act covers the full AI deployment spectrum — from business intelligence and HR tools to customer interaction systems. ISO/IEC 42001:2023 provides the governance standard across all these domains.

• Full enforcement begins 2. August 2026. The Act demands demonstrable conformity — not documentation — and organisations that have not assessed their AI systems are already running out of time.

• Purely probabilistic systems cannot be homologated: without a defined context there is no semantics, and without semantics no verifiable function. The system cannot prove it is doing the right thing — only that a pattern matched.

• More training data improves coverage. It does not close the structural validation gap.

• Two credible paths forward: formal validation structures with a physically bounded operating context, or neurosymbolic AI that grounds statistical inference in explicit, verifiable reasoning.

• 
  

Our whitepaper on the EU AI Act and Technical AI Governance explores how organisations can close this gap in practice: EU AI Act and Technical AI Governance (PDF)

——

The mathematical argument: Hume, Popper, and Gödel

The limitation of purely probabilistic systems is not merely engineering intuition. It has a rigorous theoretical basis across three independent traditions.

Hume’s problem of induction establishes that no number of observed instances can logically guarantee future behavior. A model trained on billions of examples cannot, by inductive logic alone, certify that its next output will be valid. This is not a data volume problem. It is epistemologically insoluble within a purely statistical framework.

Popper’s falsifiability criterion requires that a scientific claim be testable against a defined domain of potential failure. A context-free probabilistic system has no clearly bounded set of conditions under which it should fail — making systematic falsification structurally impossible. You cannot test what you have not defined.

Gödel’s incompleteness theorems show that no sufficiently expressive formal system can prove its own consistency from within. A system attempting to self-validate without external formal grounding — as pure black-box models must — cannot establish the completeness of that validation. There will always be statements about its own behaviour that it cannot prove or disprove.

However, this limitation primarily binds context-free formal systems operating in complete isolation. By explicitly defining and bounding an external context, a system introduces semantic rules and relational constraints that reduce the infinite variance of arbitrary states. This contextual framing effectively establishes finite operational boundaries, transforming an otherwise unresolvable, self-referential paradox into a bounded, solvable problem space.

Physical reality offers a way out

The arguments of Hume, Popper, and Gödel hold fully only within a context-free definition space — one with no a priori constraints on the range of possible inputs or behaviours. Physical reality does not work that way. Physical reality is undercomplex relative to an unbounded logical space. Objects have mass. Motion is continuous. Causality is local.

This means a context can be defined that obeys physical laws — and within that context, system behaviour becomes bounded, verifiable, and to a meaningful degree deterministically manageable. A car at an intersection operates under Newtonian mechanics. A pedestrian’s motion is constrained by physiology and spatial geometry. The operating domain is not infinite. It is finite and formalizable.

This is the path toward homologable AI: not eliminating statistical inference, but grounding it within a formally defined, physically constrained context that can be validated against explicit criteria.

The theoretical foundations of this argument are developed further in our research paper: Formal Validation Structures for Safety-Critical AI Systems (Zenodo)