Regulatory compliance & conformance
SKI was designed from first principles for regulated industries. This page covers the EU AI Act article-level crosswalk, SKI's three-tier conformance framework, and the audit trail design that makes every verdict replayable.
EU AI Act, Regulation (EU) 2024/1689
SKI publishes an article-level control crosswalk covering the high-risk AI system obligations under Regulation (EU) 2024/1689 (the EU AI Act). The crosswalk addresses both provider and deployer obligations and maps each SKI architectural control to the relevant Article.
High-risk AI obligations apply from 2 August 2026
Chapter III Section 2 obligations, covering risk management, data governance, technical documentation, transparency, accuracy, robustness, and cybersecurity, apply to high-risk AI system providers from this date. Deployer obligations under Article 26 apply from the same date.
EU AI Act timeline
| Date | Event |
|---|---|
| 1 August 2024 | Regulation (EU) 2024/1689 entered into force |
| 2 February 2025 | Prohibited AI practices (Article 5) applied |
| 2 August 2025 | GPAI model obligations applied; Article 6(1) high-risk categories applied |
| 2 August 2026 | High-risk AI Chapter III Section 2 obligations apply. Deployer obligations (Article 26) apply. |
| 2 August 2027 | Article 6(1) AI systems in Annex I products apply |
Provider obligations crosswalk (Articles 9–19, 72)
SKI addresses provider obligations through its architectural design. The following table is a summary; the full element-by-element mapping is in docs/crosswalks/eu-ai-act.md.
| Article | Subject | SKI control |
|---|---|---|
| Art. 9 | Risk management system | Taxonomy guard, DISCRETIONARY escalation, no-silent-clear invariant. Human review required for all ambiguous verdicts. |
| Art. 10 | Data and data governance | KG extraction and validation pipeline with human expert review at each stage. Signed KG proves provenance of the rulebook. |
| Art. 11 | Technical documentation | Spec v3.0 (open), CITATION.cff, CHANGELOG.md, benchmark methodology, conformance test suite, release notes per version. |
| Art. 12 | Record-keeping | Audit ledger with append-only enforcement, hash chaining, signed transcripts, and per-verdict model provenance. See Article 12 section below. |
| Art. 13 | Transparency (deployers) | Every verdict includes a human-readable reasoning field. Five categorical verdict types with defined escalation paths. DISCRETIONARY is never opaque. |
| Art. 14 | Human oversight | SKI is read-only. DISCRETIONARY routes ambiguous cases to named human reviewers. Zero control path to operational systems. |
| Art. 15 | Accuracy, robustness, cybersecurity | Benchmark suite (published p99 = 0.36 ms), adversarial eval suite with 50-case golden dataset, ed25519 signing, hash-chain integrity, KG signature validation. |
| Art. 17 | Quality management system | CI-gated conformance suite (77 tests), benchmark CI gate, nightly eval workflow, changelog promotion discipline, trusted publishing. |
| Art. 72 | Post-market monitoring | Prometheus metrics (ski_agreement_rate, ski_verdicts_total, ski_ledger_sequence_gaps_total), Grafana alert rules, nightly eval report. |
Deployer obligations (Article 26)
| Article 26 element | SKI support |
|---|---|
| 26(1), Use per intended purpose | SKI is a read-only sidecar. The passive architecture prevents use outside its monitoring purpose. |
| 26(2), Human oversight measures | DISCRETIONARY verdict type explicitly routes ambiguous outcomes to named human reviewers. |
| 26(5), Input data relevance | The KG is domain-specific and validated against source regulatory documents. Unmapped readings produce NULL_UNMAPPED, never a false CLEAR. |
| 26(6), Log retention | Audit ledger is append-only with configurable retention. Every verdict and signed transcript is retained per the deployer's retention policy. |
Article 12(3), Record-keeping mapping
Article 12(3) requires that high-risk AI systems automatically log events to enable post-market monitoring and investigation of incidents. The SKI audit ledger maps to each required element:
| Art. 12(3) requirement | Audit ledger field |
|---|---|
| Period of each use (date, time) | ledger.created_at (UTC timestamp, nanosecond precision) |
| Reference database against which checked | envelope.model_provenance.kg_version_hash |
| Input data | ledger.measurement_record_ref (pointer to stored measurement) |
| Persons involved in verification | envelope.verifier_result.status + DISCRETIONARY reviewer assignment |
| Result of verification | envelope.verdict, envelope.formalizable_assertions[] |
Full crosswalk
The complete element-by-element crosswalk, covering all provider and deployer obligations, is maintained in the repository:
docs/crosswalks/eu-ai-act.md
SKI Conformance Framework
SKI defines three cumulative conformance levels. Each level builds on the previous one: an L2 deployment must also satisfy all L1 requirements. The 77-test conformance suite in conformance/ is the authoritative gate for each claim.
A deployment may call itself "SKI Conformant" only if it passes all tests at the claimed level on its current production build. The conformance suite must be run against the actual deployment, not a simulation or staging environment. For trademark policy, see TRADEMARKS.md.
Level 1: Provenance (30 tests)
Every verdict envelope satisfies the full V3 schema, cites at least one KG node with a named source document, carries a signed LLM transcript, and includes complete model provenance (weight hash, KG hash, prompt template, decoder seed). The taxonomy guard is enforced, no CLEAR without verified assertions.
```bash
pytest conformance/provenance/ -v
# 30 tests
```
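The Level 1 taxonomy guard and the no-silent-clear invariant can be made concrete with a small model of the verdict envelope. The following is an added example written for this page, not SKI's own guard: it models only the three verdict types the page names (CLEAR, DISCRETIONARY, NULL_UNMAPPED; the other two of the five categorical types are not given here), and the Assertion and Envelope field names are assumptions of the example rather than the V3 schema.

```python
from dataclasses import dataclass, field

# The three verdict types the page names. The page says there are five
# categorical types in total; the other two are not given here, so this
# example models only these three.
CLEAR = "CLEAR"
DISCRETIONARY = "DISCRETIONARY"
NULL_UNMAPPED = "NULL_UNMAPPED"
VERDICT_TYPES = frozenset({CLEAR, DISCRETIONARY, NULL_UNMAPPED})


class GuardViolation(Exception):
    """Raised when an envelope violates a taxonomy invariant."""


@dataclass
class Assertion:
    kg_node: str          # KG node id the assertion is grounded in (assumed field name)
    source_document: str  # named source document the KG node cites (assumed field name)
    verified: bool        # whether the verifier confirmed the assertion

    def grounded(self):
        """An assertion counts only if it cites a KG node with a named source."""
        return bool(self.kg_node) and bool(self.source_document)


@dataclass
class Envelope:
    verdict: str
    formalizable_assertions: list = field(default_factory=list)
    reasoning: str = ""


def taxonomy_guard(env):
    """Return env if it satisfies the invariants, otherwise raise GuardViolation.

    Invariants taken from the page: every verdict is one of the categorical
    types and carries human-readable reasoning; CLEAR requires at least one
    verified assertion citing a KG node with a named source document
    (no-silent-clear); a reading with no KG mapping must be NULL_UNMAPPED.
    """
    if env.verdict not in VERDICT_TYPES:
        raise GuardViolation(f"unknown verdict type {env.verdict!r}")
    if not env.reasoning.strip():
        raise GuardViolation("verdict carries no human-readable reasoning")
    verified = [a for a in env.formalizable_assertions if a.grounded() and a.verified]
    if env.verdict == CLEAR and not verified:
        raise GuardViolation("no-silent-clear: CLEAR without a verified, sourced assertion")
    if not env.formalizable_assertions and env.verdict != NULL_UNMAPPED:
        raise GuardViolation("unmapped reading must be NULL_UNMAPPED")
    return env


def decide(assertions, reasoning):
    """Derive a verdict and pass it through the guard.

    No KG mapping -> NULL_UNMAPPED; every assertion grounded and verified ->
    CLEAR; anything in between -> DISCRETIONARY, i.e. routed to a human reviewer.
    """
    if not assertions:
        verdict = NULL_UNMAPPED
    elif all(a.grounded() and a.verified for a in assertions):
        verdict = CLEAR
    else:
        verdict = DISCRETIONARY
    return taxonomy_guard(Envelope(verdict, list(assertions), reasoning))
```

The point of routing every envelope through `taxonomy_guard` before it is written is that a CLEAR can never be produced by omission: a reading with no KG mapping or an unverified assertion falls to NULL_UNMAPPED or DISCRETIONARY, which is what the Article 9 and Article 26(5) rows above describe.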
Level 2: Durability (30 tests)
Requires Level 1. The audit ledger enforces append-only at the database trigger level. Hash chaining is intact. Sequence gap detection fires correctly. Signed transcripts are verifiable by replay. Retention policy is documented and enforced.
```bash
pytest conformance/provenance/ conformance/durability/ -v
# 60 tests
```
Level 3: Sovereignty (17 tests)
Requires Level 1 + 2. The full runtime produces correct verdicts inside a --network=none container, zero outbound connections, proven not by policy but by the air-gapped boot rig that boots the complete stack and verifies hash-chained ledger entries from inside the gap. KG signature validation is enforced at load time. Helm NetworkPolicy is rendered and verified.
```bash
SKI_L3_AIRGAP=1 pytest conformance/ -v
# 77 tests, L3 requires Docker with --network=none capability
```
Audit trail design
The SKI audit ledger is designed to satisfy the record-keeping requirements of high-risk AI deployments. Key properties:
- Append-only, enforced at the PostgreSQL trigger level. No UPDATE or DELETE is possible through the API or directly.
- Hash-chained, each entry contains a SHA-256 hash of the previous entry. A tampered entry breaks the chain; the gap detector alerts.
- Signed transcripts, every LLM output is signed with ed25519 before writing. An auditor can verify any transcript is authentic.
- Per-verdict provenance, model weight hash, KG version hash, prompt template ID, and decoder seed recorded on every entry.
- Sequence gap detection, the ski_ledger_sequence_gaps_total metric fires if any sequence number is missing.
- Configurable retention, retention policy is operator-configured; the ledger itself never deletes.
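The hash-chaining, signed-transcript and gap-detection properties listed above, together with the Article 12(3) field mapping, can be exercised end to end in a few dozen lines. The following is an added example for this page, not SKI's ledger (which the page says is enforced by PostgreSQL triggers): it keeps an in-memory list, uses HMAC-SHA256 as a stand-in for the ed25519 transcript signature, and the entry layout (seq, prev_hash, entry_hash, transcript_sig) and the constructed signing key are assumptions of the example. The created_at, measurement_record_ref, kg_version_hash and verdict field names follow the Article 12(3) table above.

```python
import hashlib
import hmac
import json
import time

# Constructed for this example; stands in for the ed25519 signing key the page describes.
SIGNING_KEY = b"constructed-demo-signing-key"
GENESIS_HASH = "0" * 64


def _canonical(obj):
    """Deterministic JSON bytes so hashes are stable across runs and hosts."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_transcript(transcript):
    """HMAC-SHA256 stands in for the ed25519 signature (assumption of this example)."""
    return hmac.new(SIGNING_KEY, transcript.encode(), "sha256").hexdigest()


def entry_digest(entry):
    """SHA-256 over every field except entry_hash itself (prev_hash included, which links the chain)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class Ledger:
    """In-memory append-only ledger: it deliberately exposes no update or delete."""

    def __init__(self):
        self._entries = []

    def append(self, verdict, transcript, measurement_record_ref, provenance, created_at=None):
        prev_hash = self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH
        entry = {
            "seq": len(self._entries) + 1,
            "created_at": created_at if created_at is not None else time.time_ns(),  # UTC ns
            "measurement_record_ref": measurement_record_ref,   # Art. 12(3): input data
            "verdict": verdict,                                 # Art. 12(3): result of verification
            "model_provenance": dict(provenance),               # weight/KG hash, template, seed
            "transcript": transcript,
            "transcript_sig": sign_transcript(transcript),      # signed before writing
            "prev_hash": prev_hash,                             # hash chaining
        }
        entry["entry_hash"] = entry_digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def export(self):
        """Return copies so an auditor's working set cannot mutate the ledger."""
        return [dict(e) for e in self._entries]


def audit(entries):
    """Replay the chain. Returns (gaps_total, problems).

    gaps_total mirrors ski_ledger_sequence_gaps_total; problems lists every
    integrity failure found (broken chain link, tampered entry, bad signature).
    """
    problems = []
    gaps_total = 0
    expected_seq = 1
    prev_hash = GENESIS_HASH
    for e in entries:
        if e["seq"] > expected_seq:
            gaps_total += e["seq"] - expected_seq
            problems.append(f"sequence gap before seq {e['seq']}")
            expected_seq = e["seq"]
        elif e["seq"] < expected_seq:
            problems.append(f"seq {e['seq']}: duplicate or out-of-order entry")
        if e["prev_hash"] != prev_hash:
            problems.append(f"seq {e['seq']}: prev_hash does not match previous entry")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"seq {e['seq']}: entry_hash mismatch (entry modified)")
        if not hmac.compare_digest(sign_transcript(e["transcript"]), e["transcript_sig"]):
            problems.append(f"seq {e['seq']}: transcript signature invalid")
        prev_hash = e["entry_hash"]
        expected_seq += 1
    return gaps_total, problems
```

Running `audit` over an exported copy with one entry edited reports an entry_hash mismatch; with one entry removed it reports both a sequence gap (the counter the metric would carry) and a prev_hash break on the entry that followed, which is the "tampered entry breaks the chain" behaviour the list above describes.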
Verdict replay
Any verdict can be replayed from its stored transcript. An auditor with the same model weights, KG version, and prompt template can reconstruct the exact evaluation that produced a given envelope and verify the signature. This makes every verdict independently auditable, not just claimed to be.
```bash
# Query the ledger for a specific sequence entry
curl http://localhost:8000/api/ledger/seq/42
# Verify the transcript signature
python -m ski_sdk.audit.verify --ledger-entry 42 --key keys/signing.pub
```
Disclaimer
The compliance information on this page, including the EU AI Act crosswalk, is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. SKI is a technical framework, not a compliance certification service.
Organisations deploying AI systems in regulated industries should obtain advice from qualified legal, regulatory, and risk counsel regarding their specific obligations under applicable law. Whether a given deployment satisfies the requirements of the EU AI Act or any other regulation depends on facts specific to each organisation, system, and use case that cannot be assessed by a technical framework alone.
KpiFinity Inc. makes no warranty, express or implied, that the SKI Framework will meet any specific regulatory requirement or that any particular deployment will be compliant with applicable law.