G8KEPR provides the audit logging, human oversight, and risk management infrastructure required for high-risk AI systems under the EU Artificial Intelligence Act (Regulation 2024/1689).
High-risk AI system obligations under Chapter III, Section 2 of the EU AI Act.
Art. 9Continuous risk assessment pipeline with AIVSS scoring. Risk findings persisted and exported per audit cycle.
Art. 10Training and evaluation data provenance tracked via SBOM. PII scrubbing enforced on all ingestion paths.
Art. 11105+ docs covering architecture, ADRs, threat models, and compliance artifacts. Updated on every release.
Art. 12Tamper-evident hash-chained audit log on every AI model call, tool invocation, and verification decision. 7-year retention by default.
Art. 13Model card, capability boundaries, and confidence scoring surfaced to end users via the verification engine output.
Art. 14Human-in-the-loop escalation routes for CRITICAL findings. Configurable per-org; BLOCK action triggers HITL queue.
Art. 15An ML detector trained on 78,000+ labeled attack samples, Sigma rules, RAG grounding checks, and output verification covering adversarial robustness.
Art. 16Quality management system (QMS) framework in place. EU notified body registration pending SOC 2 Type I completion.
Art. 17ISO 42001 AI management framework implemented. External audit scheduled post-SOC 2 completion.
Article 5 prohibited practices detection is described separately below.
Every AI model invocation, MCP tool call, and verification decision is logged with HMAC-chained integrity. Logs are immutable, tenant-isolated, and retained for 7 years.
Model capability declarations, provider provenance, and confidence scores are attached to every AI response. Consumers see what model answered and why.
CRITICAL-severity findings automatically route to a human review queue. No irreversible AI-driven action is taken without human confirmation when configured.
AIVSS scoring runs on every AI output. Threat patterns, semantic drift, and prohibited practices (Art. 5) are checked in real time.
PII scrubbing, GDPR right-to-erasure, and SBOM-tracked training data provenance satisfy Art. 10 data governance requirements.
G8KEPR implements the ISO/IEC 42001 AI management system standard — the same framework auditors use to assess EU AI Act compliance.
G8KEPR's Prohibited Practices Detector runs in real time on every AI output, flagging patterns that fall under Article 5 absolute prohibitions.
Detection uses an ML detector trained on 78,000+ labeled attack samples, Sigma rules, and semantic matching. False positive rate target: <2%.
We provide a pre-built compliance package including: Article 12 audit log exports, risk assessment reports, technical documentation (Art. 11), and a template conformity declaration. Available to Enterprise customers.