Hacker News
by guillermollopis 119 days ago
The permission control and policy engine angle is interesting: Article 14 (human oversight) explicitly requires the ability for authorized persons to intervene, override, or stop the AI system. Having that built into the agent framework layer makes sense.

One thing I'd think about: how does this map to the documentation requirement? Under Annex IV, you need to document exactly what oversight mechanisms exist, how they work, and under what conditions they activate. The governance layer generates the evidence, but someone still needs to turn it into the structured documentation format that regulators expect.

This is the gap I see across most of the compliance tooling: runtime enforcement tools (like this) and documentation tools (Holistic AI, Annexa, ComplyAct) solve different halves of the problem. The teams that will have the smoothest conformity assessments are the ones connecting both.