Compliance

EU AI Act enforcement, Federal Compliance (NIST, FedRAMP, CMMC), Governance Proof Tokens, SR 11-7 model inventory, and the Policy Registry.

EU AI Act Compliance

The EU AI Act becomes fully enforceable on August 2, 2026. GaaS implements five governance policies covering Articles 9 through 15, giving high-risk AI deployments a compliance-ready audit trail from day one.

Enforcement Date August 2, 2026

Maximum Fine €30M

Turnover Cap 6% global annual turnover

Implemented Policies

Policy ID	Article	Name	Failure Mode
`pol_euaia_001`	Art. 9	Risk Management System	FAIL
`pol_euaia_002`	Art. 10	Data Governance & Management	CONDITIONAL
`pol_euaia_003`	Art. 13	Transparency & Information	CONDITIONAL
`pol_euaia_004`	Art. 14	Human Oversight	FAIL CRITICAL
`pol_euaia_005`	Art. 15	Accuracy, Robustness & Cybersecurity	FAIL

High-Risk Domains: These policies activate automatically when the intent target falls within a high-risk domain: healthcare, critical_infrastructure, education, employment, essential_services, law_enforcement, migration, justice.

API Endpoints

GET /v1/compliance/eu-ai-act — Current compliance status for your organisation
GET /v1/compliance/eu-ai-act/report — Full compliance report with policy-level detail

Compliance Status Response

// GET https://api.gaas.is/v1/compliance/eu-ai-act
// X-API-Key: your_api_key

{
  "org_id": "org_abc123",
  "as_of": "2026-08-02T00:00:00Z",
  "overall_status": "compliant",
  "policies": {
    "pol_euaia_001": { "status": "pass", "article": "Art. 9", "checks_passed": 4, "checks_total": 4 },
    "pol_euaia_002": { "status": "conditional", "article": "Art. 10", "pending_actions": ["data_lineage_attestation"] },
    "pol_euaia_003": { "status": "conditional", "article": "Art. 13", "pending_actions": ["transparency_notice_deployment"] },
    "pol_euaia_004": { "status": "pass", "article": "Art. 14", "escalation_coverage": "100%" },
    "pol_euaia_005": { "status": "pass", "article": "Art. 15", "accuracy_score": 0.97 }
  },
  "high_risk_decisions_last_30d": 1482,
  "human_oversight_rate": "100%"
}

Federal Compliance

GaaS maps governance controls to four major US federal frameworks, enabling AI systems to satisfy procurement and security requirements for government agencies and defense contractors.

NIST AI Risk Management Framework 1.0

Maps to all 4 NIST AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) across 23 subcategories. GaaS provides automated evidence generation for each subcategory based on live pipeline data.

GET /v1/compliance/nist-ai-rmf — Current NIST AI RMF status
GET /v1/compliance/nist-ai-rmf/report — Full report with subcategory-level detail

NIST SP 800-53 Rev. 5 Moderate Baseline

5 enforcement policies (pol_nist800_001–005) covering 4 control families: Access Control (AC), Audit & Accountability (AU), System & Information Integrity (SI), and Incident Response (IR).

GET /v1/compliance/nist-800-53 — Current NIST 800-53 status
GET /v1/compliance/nist-800-53/report — Full report with control-family detail

FedRAMP Moderate Baseline

5 enforcement policies (pol_fedramp_001–005) for cloud services selling to US federal agencies. Includes 3PAO-ready evidence packages with NIST SP 800-53A assessment procedures.

GET /v1/compliance/fedramp — Current FedRAMP status
GET /v1/compliance/fedramp/report — Full FedRAMP report

CMMC 2.0 Level 1–2

4 enforcement policies (pol_cmmc_001–004) covering Level 1 (basic safeguarding of Federal Contract Information) and Level 2 (advanced protection aligned to NIST SP 800-171 Rev. 2) for Defense Industrial Base contractors.

GET /v1/compliance/cmmc — Current CMMC status
GET /v1/compliance/cmmc/report — Full CMMC report

Federal Procurement Summary

A single endpoint that aggregates compliance status across all four frameworks, plus 3PAO evidence packages per control.

GET /v1/compliance/federal — Combined federal procurement readiness summary
GET /v1/compliance/federal/evidence/{control_id} — 3PAO evidence package for a specific control (ControlEvidencePackage with NIST SP 800-53A assessment procedures)

Governance Proof Tokens

Every decision produced by GaaS carries a Governance Proof Token (GPT) — an ECDSA P-256 signed artefact that cryptographically binds the verdict, the policies evaluated, and the full audit reference into a single tamper-evident object.

Think of it as the exhibit in an AI liability lawsuit: an independently verifiable, court-admissible record proving that governance was applied at decision time.

Token Fields

Field	Description
`token_id`	Unique stable identifier for the proof token (`gpt_` prefix)
`decision_id`	The decision this token covers
`verdict`	Final governance verdict: `approve`, `block`, `escalate`, or `modify`
`policies_evaluated`	Count of policies run against the intent
`policies_passed`	Count of policies that returned PASS or CONDITIONAL
`risk_score`	6-dimensional composite risk score (0.0 – 1.0)
`risk_classification`	`low`, `medium`, `high`, or `critical`
`audit_ref`	Foreign key into the immutable audit record chain
`audit_hash`	SHA-256 hash of the referenced audit record for chain verification
`gaas_signature`	ECDSA P-256 signature over the token payload (base64url-encoded DER)

The token is embedded directly in every GovernanceDecision response at the governance_proof_token field — no additional API call required.

Verification Endpoint

GET /v1/verify/proof/{token_id} — Verify a token by ID. Public endpoint — no API key required.

Example Token

{
  "governance_proof_token": {
    "token_id":            "gpt_7xk9mR2pLqN4vBs",
    "decision_id":         "dec_abc123",
    "verdict":             "approve",
    "policies_evaluated":  18,
    "policies_passed":     18,
    "risk_score":          0.12,
    "risk_classification": "low",
    "audit_ref":           "aud_f3a8c2d1e94b",
    "audit_hash":          "sha256:a3f1e2d4b9...",
    "issued_at":           "2026-08-01T14:32:07.421Z",
    "gaas_signature":      "MEYCIQDx2k...base64url...Q=="
  }
}

Signature Algorithm: ECDSA P-256 (modern, compact, FIPS 186-4 compliant). The signature covers SHA-256("{token_id}:{decision_id}:{audit_hash}"). Verify any token via GET /v1/verify/proof/{token_id}.

SR 11-7 Model Inventory

The Federal Reserve's SR 11-7 guidance requires financial institutions to maintain a comprehensive inventory of all models in use, including their validation status, ownership, and purpose. GaaS auto-generates an SR 11-7 compliant model inventory from agent profiles and live audit data — no spreadsheet required.

Validation Status Mapping

GaaS Agent Status	SR 11-7 Validation Status
`CERTIFIED`	VALIDATED — Model has passed full independent validation
`VERIFIED`	IN_VALIDATION — Validation in progress; compensating controls active
`REGISTERED`	PENDING_VALIDATION — Model registered but not yet submitted for validation

API Endpoints

GET /v1/model-inventory — Full SR 11-7 inventory for your organisation
GET /v1/model-inventory/{agent_id} — Inventory record for a single agent

Example

# GET https://api.gaas.is/v1/model-inventory/agent_fintech_01
# X-API-Key: your_api_key

{
  "agent_id":            "agent_fintech_01",
  "model_name":          "Payment Authorisation Agent v2.3",
  "model_type":          "decision_engine",
  "owner":               "treasury@acme-bank.com",
  "purpose":             "Real-time payment fraud scoring and authorisation",
  "sr117_status":        "VALIDATED",
  "gaas_status":         "CERTIFIED",
  "last_validation_date": "2026-01-15",
  "next_review_date":    "2026-07-15",
  "decisions_last_90d":  48391,
  "block_rate":          0.023,
  "escalation_rate":     0.004,
  "audit_coverage":      "100%"
}

Automatic Updates: The inventory refreshes in real time as decisions flow through the pipeline. Validation status, decision counts, block rates, and escalation rates all reflect live data — no manual entry required.

Policy Registry

The Policy Registry is npm for AI governance — a curated catalogue of versioned, composable policy packs that you can install into your membrane with a single API call. Packs are maintained by the GaaS team and the community, pinned to a semver, and verified for compatibility before installation.

Seed Packs

Pack ID	Description	Policies
`gaas-core-v1`	Foundational governance policies for all AI deployments	10
`gaas-healthcare-v1`	HIPAA, patient consent, minimum-necessary, emergency access	4
`gaas-financial-v1`	PCI DSS, PSD2 SCA, AML velocity, SR 11-7 controls	8
`gaas-privacy-v1`	GDPR, CCPA, FERPA — privacy-by-design governance	3
`gaas-eu-ai-act-v1`	EU AI Act Articles 9/10/13/14/15 for high-risk systems	5
`gaas-nist-csf-v1`	NIST Cybersecurity Framework 2.0	5
`gaas-nist-800-53-v1`	NIST SP 800-53 Rev. 5 Moderate Baseline (AC, AU, SI, IR)	5
`gaas-fedramp-moderate-v1`	FedRAMP Moderate Baseline with 3PAO evidence packages	5
`gaas-cmmc-v1`	CMMC 2.0 Level 1–2 for Defense Industrial Base	4

API Endpoints

GET /v1/policy-registry — Search and browse available policy packs
GET /v1/policy-registry/{pack_id} — Full details and changelog for a specific pack
POST /v1/policy-registry/{pack_id}/install — Install a pack into your active membrane

Installing the EU AI Act Pack

# Install the EU AI Act pack
# POST https://api.gaas.is/v1/policy-registry/gaas-eu-ai-act-v1/install
# X-API-Key: your_api_key

{
  "membrane_id": "mem_xyz789",
  "version":     "1.0.0"
}

// Response
{
  "status":           "installed",
  "pack_id":          "gaas-eu-ai-act-v1",
  "version":          "1.0.0",
  "policies_added":   ["pol_euaia_001", "pol_euaia_002", "pol_euaia_003", "pol_euaia_004", "pol_euaia_005"],
  "membrane_id":      "mem_xyz789",
  "effective_from":   "2026-08-01T00:00:00Z",
  "requires_restart": false
}

Zero Downtime: Policy pack installation is hot-reloaded — your membrane applies the new policies to incoming intents immediately without any service interruption or redeploy.

Audit Reconstruction & Verification

GaaS provides auditor-facing endpoints for independently verifying governance decisions without live system access. Download self-contained verification bundles (ZIP archives) or retrieve structured decision reconstructions with inline hash verification.

Verification Bundles

Verification bundles are ZIP archives containing audit records, governance proof tokens, a self-contained Python verification script (verify.py), and a manifest. Auditors can verify hash chain integrity and cryptographic signatures offline.

GET /v1/audit/{audit_id}/verification-bundle — Download verification bundle for a single audit record (ZIP)
GET /v1/audit/verification-bundle — Download verification bundle for a date range. Query params: start_date, end_date, limit (1–1000), offset

Decision Reconstruction

Returns a structured JSON report for a governance decision, including all 5 pipeline stages, inline SHA-256 hash re-verification, and chain position validation. Suitable for regulators who need to understand exactly how a decision was made.

GET /v1/audit/{audit_id}/reconstruction — Reconstruct a governance decision with inline hash verification

Auth: All reconstruction endpoints require operator role or above.

GDPR Compliance — Data subject rights, erasure, and sub-processor notifications
Policies — Full policy catalogue and tier structure
API Reference — Complete endpoint documentation
Advanced Features — Audit trail, webhooks, and observability

Ready to achieve EU AI Act compliance?

Provision your governance membrane in under five minutes and have all five EU AI Act policies active before August 2026.

Get started free →

Compliance

EU AI Act Compliance

Implemented Policies

API Endpoints

Compliance Status Response

Federal Compliance

NIST AI Risk Management Framework 1.0

NIST SP 800-53 Rev. 5 Moderate Baseline

FedRAMP Moderate Baseline

CMMC 2.0 Level 1–2

Federal Procurement Summary

Governance Proof Tokens

Token Fields

Verification Endpoint

Example Token

SR 11-7 Model Inventory

Validation Status Mapping

API Endpoints

Example

Policy Registry

Seed Packs

API Endpoints

Installing the EU AI Act Pack

Audit Reconstruction & Verification

Verification Bundles

Decision Reconstruction

Related Pages

Ready to achieve EU AI Act compliance?