IAGA Sentinel

EU AI Act mapping

The open build demonstrates the record-keeping and integrity obligations directly. The dossier-shaped obligations (Annex IV documents, qualified signatures, incident notifications) are Enterprise, and labeled as such.

Obligation to mechanism

Nothing below is sold as shipping in the open build unless the status says so.

| Obligation | Mechanism | Status |
| --- | --- | --- |
| Article 12 · Automatic event logging over the system lifetime | Ed25519-signed receipt per verdict, Merkle append-log per run · verifiable offline | Live |
| Integrity of records | iaga replay --verify-only, bit-exact replay, drift detection | Live |
| Documented risk controls | Dictum typed policies plus the Hindley-Milner type checker | Live |
| Article 11 + Annex IV · Technical documentation | Dossier generation from the receipt chain | Roadmap |
| Records with legal weight (eIDAS) | Qualified signatures via a Trust Service Provider (ETSI EN 319 132) | Roadmap |
| Article 72 · Post-market monitoring | Continuous drift monitoring · open build ships the drift-replay primitive | Enterprise |
| Article 73 · Serious incident reporting | AI Office notification generation | Roadmap |

Why offline verification matters

A receipt is only useful to a regulator if it can be trusted without trusting the vendor. IAGA receipts verify offline against a Merkle root, so an auditor, a notified body, or a court can confirm the evidence with the standalone iaga-verify binary and one public key. The receipt chain works even if IAGA disappears. That independence is the point.

The full mapping

The article-by-article mapping across the AI Act, GDPR, and DORA, and what Enterprise turns each obligation into, is in ENTERPRISE.md on GitHub.