Checklist · GDPR · EU AI Act · AI agents

EU AI governance runtime checklist.

Use this checklist to evaluate whether your LLM app or AI agent has runtime controls for sensitive data, model routing, tools, cost, human oversight, and auditor evidence.

Runtime AI governance

[ ] classify request
[ ] scan PII
[ ] enforce policy
[ ] govern tools
[ ] cap cost
[ ] route by residency
[ ] write signed evidence
[ ] export for auditors

Request controls

Before the request reaches a provider.

| Check | Why it matters | Talon proof |
| --- | --- | --- |
| Caller identity is known | Different apps, tenants, and teams need different policies. | Gateway caller key maps to caller and tenant. |
| Request is rate-limited | Prevents runaway workloads and abuse. | Gateway rate limits by global and caller policy. |
| Prompt and messages are parsed | Policy needs model, text, and tool metadata. | Talon extracts model, text, and tools before forwarding. |
| PII is detected | GDPR risk must be handled before data leaves. | EU recognizers such as email, IBAN, VAT, national IDs, phone, and IP. |
| Data tier is classified | Model and routing policy should depend on sensitivity. | Tier classification feeds OPA policy. |
| Model policy is evaluated | Not every model is approved for every data type. | Allowed models and provider policy per caller. |
| Provider jurisdiction is checked | EU teams need data-residency controls. | EU strict, EU preferred, or global routing modes. |
| Estimated cost is checked | Spend should be controlled before the call. | Pre-call cost caps by caller, tenant, day, or month. |
| Tool list is filtered | Agents should not see destructive or unauthorized tools. | Allowed and forbidden tool policy. |

Response and evidence controls

After the provider returns.

Runtime governance also needs response scanning, cost attribution, hashes, signatures, and export. A dashboard is useful, but exportable evidence is what security, DPO, and audit teams need.

[ ] response PII scanned
[ ] output tier recorded
[ ] model and tokens recorded
[ ] cost attributed
[ ] input hash recorded
[ ] output hash recorded
[ ] evidence signed
[ ] evidence exportable
[ ] signature verifiable
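
The evidence items above can be exercised end to end with a small record builder and verifier. This is an added example, not Talon's code or record format: the field names, the demo key, and the use of HMAC-SHA256 as the signing scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load the key from a KMS or secret store.
DEMO_KEY = b"constructed-demo-key"

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def mac_hex(body, key):
    # Canonical JSON (sorted keys, fixed separators) so signer and verifier see identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_evidence(caller, model, prompt, response, tokens, cost_cents, output_tier, key=DEMO_KEY):
    """One record per call; payloads are recorded as hashes, not raw text."""
    record = {
        "caller": caller, "model": model, "tokens": tokens,
        "cost_cents": cost_cents, "output_tier": output_tier,
        "input_hash": sha256_hex(prompt), "output_hash": sha256_hex(response),
    }
    record["signature"] = mac_hex(record, key)  # signed before the signature field exists
    return record

def verify_evidence(record, key=DEMO_KEY):
    """True only if every field is unchanged since signing."""
    body = {k: v for k, v in record.items() if k != "signature"}
    sig = str(record.get("signature", ""))
    return hmac.compare_digest(mac_hex(body, key).encode(), sig.encode())

def export_jsonl(records):
    """Auditor export: one signed record per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

def verify_export(text, key=DEMO_KEY):
    """Re-verify each exported line; returns one boolean per record."""
    return [verify_evidence(json.loads(line), key) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    # Constructed sample call (hypothetical caller and model names).
    rec = build_evidence("billing-app", "example-model", "Summarise invoice 17", "Summary text", 42, 3, "tier_1")
    tampered = dict(rec, cost_cents=0)  # an edited cost must fail verification
    print(verify_export(export_jsonl([rec, tampered])))  # [True, False]
```

With a symmetric HMAC the verifier holds the signing key, so an auditor who must verify without being able to forge records needs an asymmetric signature instead.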

Agent-specific controls

Extra checks for AI agents.

Tool governance

Allowed tools, forbidden tools, bulk-operation limits, dry-run gates, and step-level evidence.

Human oversight

Plan review for sensitive tools, high data tiers, or high-cost actions.

Loop limits

Maximum iterations, maximum tool calls per run, and maximum cost per run.

Use the checklist

Turn every unchecked box into a testable control.

Start with one workflow, run it through Talon, and verify the evidence record.