Products · #17 · Risk & Compliance
TIER B REFERENCE BUILD

AI Act Compliance Evidence Pipeline

If a regulator asks you to prove your AI is compliant - can you? This pipeline makes the answer yes: Annex IV documentation and a tamper-evident audit trail, generated, not written.

from €2,490

make run - CREDIT-SCORING MODEL (ANNEX III 5b)

Pipeline
train + calibrate AUC .79 · ECE .04
bias audit four-fifths 0.87 - passes
drift baseline PSI 0.04 · thresholds set
explanations SHAP per decision
500 decisions logged, hash-chained
annex_iv.md + evidence.json written
⛓-⛓-⛓-⛓-⛓-⛓-⛓-⛓
AuditLog.verify() → TRUE · tamper-evident · replayable
Annex IV technical documentation - generated
ANNEX IV - TECHNICAL DOCUMENTATION

per Regulation (EU) 2024/1689, Article 11 · generated 2026-07-14 03:12 UTC

§1 General description of the AI system✓ GENERATED
§2 Intended purpose & risk classification✓ GENERATED
§3 Data & data governance✓ GENERATED
§4 Metrics: accuracy, calibration, bias-by-group✓ GENERATED
§5 Human oversight measures✓ GENERATED
§6 Monitoring, drift & post-market plan✓ GENERATED
§7 Logging & record-keeping (Art. 12)✓ GENERATED
§8 Provider details & conformity route« OPERATOR »
EVIDENCE PACKAGE
ASSESSOR-REVIEWABLE

How it works

01

Scope & risk class - with a human

What does the system decide, who does it affect, is it Annex III? The pipeline starts with operator checkpoints, not assumptions - risk class is never asserted by a machine.

02

One run generates the evidence

Calibration (AUC, Brier, ECE), bias-by-group with the four-fifths rule, SHAP explanations, drift baseline with alert thresholds - measured on your model, your data.

03

Three artifacts, regulator-shaped

annex_iv.md (Art. 11 technical file), audit_log.jsonl (Art. 12, hash-chained - tampering breaks the chain verifiably), evidence.json (every metric, replayable).

04

It stays current by itself

Nightly monitoring re-runs drift checks; every model upgrade regenerates the dossier. Compliance as a pipeline, not a PDF that rots in a drawer.

The Four Guarantees™ - this build

Measured value

A defensible conformity-evidence package in 3-6 weeks instead of ~6 months of manual documentation work - the agreed outcome (conservative).

Defensible

This IS the defensibility machine: Art. 11 technical file, Art. 12 tamper-evident log, Art. 13 explanations - generated from the actual system, not described from memory.

Self-correcting

PSI/KS drift with WARN/ALERT thresholds (Art. 15, 72) feeding champion/challenger retraining; the dossier regenerates on every change.

Yours & everywhere

One container - GCP/AWS/Azure/on-prem. Full source. MCP tools (predict / explain / evidence / healthcheck) so your agents query compliance status directly.

The number, sized honestly

Reference run: a credit-scoring model (canonical Annex III 5(b) high-risk case) on the public German Credit dataset - the full pipeline you can watch execute before buying anything.

3-6 wks to an assessor-reviewable evidence package - vs ~6 months manual
3 artifacts per run: Annex IV file · hash-chained log · evidence.json
Aug 2 2026 - the high-risk obligations deadline this was built for
100% of logged decisions replayable - tampering breaks the chain, verifiably

Three ways to own it

Tier What you get Price
Scaffolding The full repo + templates - pipeline, Annex IV generator, audit chain, Terraform, MCP server. Your team points it at your model. €2,490
PoC ★★RECOMMENDED Run against one of your real AI systems - the Annex IV evidence pack generated end-to-end, gaps surfaced honestly. Code + quality report yours. No guarantee at PoC. from €7,500
Implementation ★★★ Production: pipeline wired into your ML lifecycle, evidence auto-refresh, audit-chain monitoring, regulation-update maintenance, assessor-ready exports - the agreed number (conservative) attaches here. from €22,500

★ = engagement depth. PoC is the recommended path: quality proven on your data before production money. The PoC carries no performance guarantee by design; the agreed number (conservative) attaches at Implementation, informed by the PoC report.

What we don't promise

Annex IV is a legal document - your compliance officer signs it, not us, and never a machine. This pipeline produces the evidence and the format; a qualified assessor or notified body reviews before any conformity declaration. We never assert your risk class - that's a checkpoint with a human and, where it's ambiguous, your counsel. Not legal advice, by design.

Ready to see your own number?

Request the build: within 48h you get a personal reply with the value sized to your volume.

No commitment · reply within 48h · your data stays in the EU