From AI Act Documents to Verifiable Proof
Most AI Act work ends in documents. We wanted artifacts that could be verified: who approved them, what they contain, when they were sealed, and whether the evidence actually supports the claim.
The gap
The EU AI Act has produced more whitepapers than working implementations. Article 5 prohibitions and AI literacy obligations began applying in February 2025. Governance rules and GPAI obligations followed in August 2025. The Act's obligations are phasing in across 2025–2028, with different timelines for prohibited practices, GPAI obligations, and high-risk systems.
What most organisations have today: policy documents, gap analyses, and PDF binders mapped against the Act's structure. What almost no one has: verifiable runtime artifacts that prove a system's documentation state at a given moment, with cryptographic integrity that survives external audit.
We built a verifiable governance primitive — EVE Bridge combined with a human-governed approval layer — then used it in two ways: first to seal our own voluntary AI Act-grade documentation, then to test deterministic evidence resolution against uploaded GRC documents.
Application 1 — EVE-AIACT-PROOF-V1. ComplieDocs is voluntarily declared not high-risk under Article 6(3). We still produced and sealed AI Act-grade documentation as due diligence. Six articles (6, 9, 10, 11, 14, 47), nineteen Bridge entries, complete. Public master manifest: EVE-COMPLIEDOCS-00001125. Anyone can verify it at https://verify.eveverified.com/aiact-proof.html.
Application 2 — EVE GRC Witness. A private preview, live at https://grc.eveverified.com. Same primitive, applied differently: deterministic evidence resolution against uploaded documents for Article 9 requirements. Three states only — Supported, Partial, NO_ANSWER. No LLM in the resolver path. The public Demo AI sample result is sealed and publicly verifiable; user-uploaded preview documents are processed temporarily and are not sealed in this version.
I am writing this to make a rare implementation visible — and to invite scrutiny from the people who will eventually audit work like this.
The primitive
The primitive has five components — three shared by every application (a human-governed approval layer, EVE Bridge, and public verification), and two pipeline elements applied per use case (AI in witness mode and a deterministic resolver). The discipline is to compose them explicitly, and to be honest about which components run in which application.
Human-governed approval layer (internally: Trinity). Trinity is the system of record for governance decisions. Every artifact that is part of a sealed proof package, every approved derived knowledge entry, and every governed configuration change passes through it before sealing. Each approval records, as a single signed event: the approver's identity, a decision ID (e.g. EVE-2026-002475, EVE-2026-002486), the SHA-256 of the content approved, a timestamp, a vault proof, and a status — APPROVED, APPROVED_WITH_NOTE, or REVOKED. For the ComplieDocs project, Trinity enforces a T3 trust tier: forced human sign-off, override disabled. There is no AI-write path into Trinity. Audit history is append-only — revoked and superseded entries are preserved, never deleted.
AI in witness mode. Where AI is used, it is constrained. Claude and Qwen can read approved sources, summarise, and render structured data into prose. They cannot write to Trinity. They cannot make decisions. Their output passes a contains_blocked_phrase() filter before it reaches a human reviewer — advisory and synthesising phrases are rejected: "you should", "we recommend", "must implement", "is compliant", "is sufficient". The filter prevents advisory language; it does not, on its own, prevent factual fabrication. The system is designed to fail closed — if the LLM is unavailable, a deterministic template renders the same output structure from the same data. The system functions without AI. AI accelerates without taking responsibility.
Deterministic resolver. When evidence matching against an approved requirement set is required, a deterministic resolver runs — no LLM, no randomness, identical output across runs given identical inputs. The resolver returns three states only: Supported, Partial, or NO_ANSWER. It is used in Application 2 (GRC Witness); Application 1 does not use it, because the artifacts there are voluntary compliance documents drafted in advance, not evidence-matched against an external corpus.
EVE Bridge — cryptographic witness sealing. Once an artifact is approved in Trinity, or a resolver run is ready to be sealed, a sealing call is made to the EVE Bridge API. Bridge computes a SHA-256 of the payload, assigns a sequential identifier (EVE-COMPLIEDOCS-00001119, 00001120, and so on), and writes a new entry to the chain. Each seal's chain_seal field is a hash that anchors to the previous entry. Retrospective modification of any sealed record would break the chain on the next verification. The chain is currently at integrity version v1.1.0.
Public verification. Every sealed record marked as public is retrievable from https://api.eveverified.com/eve/verify/{eve_id} (JSON, read-only, no authentication) or rendered as HTML at https://verify.eveverified.com/?id={eve_id}. The response includes the full sealed payload, the SHA-256 seal, the chain seal, and a valid: true flag. Anyone can verify any public sealed record without access to our internal systems. This is the trust surface external parties rely on: they verify directly, not through us.
How the components compose. EVE-AIACT-PROOF-V1 (Application 1, complete) uses Trinity + AI in witness mode + Bridge + public verification across nineteen sealed entries. EVE GRC Witness (Application 2, private preview) uses Trinity + the deterministic resolver + Bridge + public verification for the Demo AI sample result; user-uploaded preview documents are processed temporarily and are not sealed in this version. The next two sections describe each application in turn.
Application 1: EVE-AIACT-PROOF-V1
ComplieDocs is voluntarily declared not high-risk under Article 6(3) of the AI Act: it has no trained model, no training datasets, no automated decision-making, and architectural controls prevent the residual-risk vectors that would otherwise classify it. The declaration is itself documented, sealed, and publicly verifiable.
A system that is not high-risk has no mandatory Article 11 technical documentation, no mandatory Article 47 declaration of conformity, no mandatory Article 9 risk management system. We produced all of these voluntarily, as due diligence. The point: if we cannot build verifiable AI Act-grade documentation for our own low-risk system, we cannot credibly claim to do it for anyone else's.
The result is EVE-AIACT-PROOF-V1: nineteen sealed Bridge entries, six AI Act articles documented to high-risk equivalent standard.
Three sealed records per article. Each article is anchored by three distinct sealed records, each citing the others by EVE-ID:
- ·Regulatory representation. The verbatim text of the EU AI Act article is fetched from EUR-Lex (CELEX
32024R1689), hashed with SHA-256, and sealed. This is the ground-truth anchor: the source the rest of the proof refers to. Sealed once, on 27 January 2026. - ·Authenticity proof. A secondary attestation that confirms the regulatory representation seal was produced through the approved corpus-ingestion path, not back-channelled or substituted. Sealed during the proof project's Phase 3.
- ·Voluntary compliance document. The actual ComplieDocs documentation for that article — risk management text, technical documentation, classification analysis, declaration of conformity. Each compliance document carries a
cited_articlesfield that lists all six articles by both their regulatory representation and authenticity proof EVE-IDs. Tampering with any sealed record would invalidate the cross-reference graph on next verification.
The six articles:
| Article | Topic | Source | Auth proof | Doc | Sealed |
|---|---|---|---|---|---|
| Art 6 | Classification of high-risk AI | -00000902 | -00001021 | -00001121 | 2026-05-13 |
| Art 9 | Risk management system | -00000903 | -00001022 | -00001122 | 2026-05-15 |
| Art 10 | Data and data governance | -00000904 | -00001023 | -00001123 | 2026-05-15 |
| Art 11 | Technical documentation | -00000905 | -00001024 | -00001119 | 2026-05-07 |
| Art 14 | Human oversight | -00000906 | -00001025 | -00001124 | 2026-05-15 |
| Art 47 | EU declaration of conformity | -00000907 | -00001026 | -00001120 | 2026-05-13 |
All EVE-IDs prefixed EVE-COMPLIEDOCS-. Regulatory representation seals all date to 27 January 2026; authenticity proof seals are contemporaneous Phase 3 attestations.
The master manifest. All eighteen layer entries above are bound together by a final sealed record — EVE-COMPLIEDOCS-00001125 — that lists every constituent EVE-ID, the SHA-256 of every compliance document on disk, and the chain seal hash that anchors the manifest into the chain at the moment of sealing. The manifest is the single canonical handle for the proof package; a verifier who wants one entry point starts there.
Public verification. The proof is published at https://verify.eveverified.com/aiact-proof.html. The page lists all nineteen entries with direct links to the verification API for each. No login. No credentials. Any reader can pull the JSON for each public entry, inspect the sealed payload, verify the recorded SHA-256 seals, and follow the chain integrity fields exposed by EVE Verify. This is what verifiable should mean.
Application 2: EVE GRC Witness
The first application demonstrated the primitive on our own documentation. The second applies the same primitive to a different problem: given an arbitrary corpus of customer documents and an approved regulatory requirement set, what evidence is actually present, what is partial, and what is missing?
EVE GRC Witness is the private preview of this pilot, live at https://grc.eveverified.com. Scope is deliberately narrow: Article 9 only, English documents supported best (Swedish terminology support is being expanded), no other regulations.
The flow. Three approved anchors exist before any customer uploads anything:
- ·The Article 9 regulatory text, sealed at
EVE-COMPLIEDOCS-00000903(the same regulatory representation cited in §3). - ·A mapping of Article 9 into 18 individual requirements, with required evidence types and matching terms per requirement. This mapping was human-authored and Trinity-approved under decision ID
EVE-2026-002486. - ·A terminology asset — Evidence Lexicon v2.1 — that defines the concepts, terms, and synonyms (English + Swedish) that count as evidence for each requirement, including normalisation rules for Swedish compound words.
When a user uploads a document (PDF, DOCX, or TXT, processed server-side in a temporary preview session; retention is limited for the preview and no user-uploaded documents are sealed), the system runs the deterministic resolver from §2: no LLM, no randomness, identical output across runs given identical inputs. The result is a per-requirement determination using three values only: Supported, Partial, or NO_ANSWER. There is no confidence score, no probability, no guess. When evidence is insufficient, the system says so as a first-class output value.
The Demo AI sample. A public sample result is sealed and publicly verifiable: EVE-COMPLIEDOCS-00001129. It is the resolver's output against a deliberately incomplete fictional corpus (marked _FICTIONAL_DEMO_ONLY on every file) for a synthetic organisation called Demo AI. The result:
The gaps are deliberate. The Demo AI corpus does not document post-market monitoring, does not describe deployer obligations, does not assess vulnerable-group risk, and does not specify a lifecycle review frequency. These all map directly to specific Article 9 sub-paragraphs and surface as NO_ANSWER in the output. The point of the demo is to make the missing evidence as visible and as attributable as the present evidence.
What is not yet sealed. User-uploaded documents in the private preview are processed temporarily and are not sealed. Sealing a per-customer result requires Trinity approval of the resolver run, which is currently retained for the Demo AI sample only. Production sealing of customer results would compose Application 1's three-record pattern and is on the path for a later phase.
NO_ANSWER as a first-class result. Most compliance tooling treats missing evidence as something to hide or interpolate. EVE GRC Witness treats it as a deliverable. When you receive 4 NO_ANSWER rows alongside 7 Supported and 5 Partial, you know exactly which Article 9 sub-paragraphs your existing documentation does not address. That visibility — not a percentage — is the point.
The hard parts
The architecture was the easier part. The harder part was forcing the system to say exactly what it knows — and no more.
Not overclaiming compliance. A sealed document is not a compliant document. Evidence coverage is not a compliance status. A public verification link proves that a specific artifact existed, with a specific hash, at a specific time. It does not prove that a regulator, auditor, notified body, or court would accept the underlying content as sufficient. That distinction matters. We removed language that sounded like "compliant", "certified", or "audited" unless the system could actually support that claim. The wording we settled on is documentation state, not compliance state. The GRC Witness demo says this directly: "Evidence coverage does not equal compliance status."
Separating voluntary documentation from legal classification. ComplieDocs is voluntarily declared not high-risk under Article 6(3). We still produced Article 11 technical documentation, Article 9 risk management documentation, and an Article 47 declaration of conformity as voluntary due diligence. That does not turn ComplieDocs into a high-risk system, and it does not create a legal certification. The documents are AI Act-grade documentation artifacts, not a claim that a legal threshold has been met. Each sealed compliance document carries classification: voluntary and states what it does not assert: not a CE marking, not a notified-body assessment, not a binding regulatory determination. Keeping that line clear is part of the system design, not a footnote.
Keeping AI in witness mode. Where AI is used, it cannot become the authority. Claude and Qwen do not write to the approval layer. They do not approve artifacts. They do not decide that a requirement is satisfied. Their role is to help render, summarise, or explain already-governed data. Their output passes a blocklist filter that rejects advisory and compliance-claiming language such as "you should", "we recommend", "must implement", "is compliant", and "is sufficient". That filter is useful, but it is not a truth engine. It does not, by itself, prevent factual mistakes. The defence is architectural: AI has no write path into the system of record, deterministic fallback exists, and a human reviewer must approve content before anything is sealed. AI can assist the witness layer. It cannot own the decision.
Avoiding fake green results. The most dangerous failure mode in compliance tooling is a false positive: marking something as Supported when the evidence does not actually support it. That creates false assurance, which is worse than a visible gap. For GRC Witness, we encoded a simple rule: no Supported from headings alone. A heading can show that a document is relevant, but it cannot prove that the required evidence exists. The resolver should show the matched terms, the source document, and the missing evidence so a reviewer can see why the result was produced. This makes the system stricter. More rows become Partial or NO_ANSWER. That is intentional.
False positives and false negatives in evidence matching. Deterministic matching is not the same as correct matching. A deterministic resolver can still miss evidence if the vocabulary is too narrow. We saw that directly with Swedish text. The first Swedish test returned 0% coverage because the lexicon expected English terminology. The evidence was not necessarily absent; the resolver simply could not see it. After adding Swedish terms such as funktionsregression, testfall, and prestandatestning, the same test moved to 75% on the checked items. That was an important product lesson. The lexicon is part of the control surface. If it is too narrow, real evidence is missed. If it is too broad, weak evidence becomes green. It has to be governed like the rest of the system.
The hardest part is discipline. It is tempting to make the output look better: fewer NO_ANSWER rows, more green badges, broader matching, more confident prose. But that would defeat the purpose. EVE is not trying to make documentation look complete. It is trying to show what can be supported, what is partial, what is missing, and what has actually been approved and sealed. The value is not that the system always produces a reassuring answer. The value is that it can refuse to.
What is open
The system described in §3 and §4 is not finished. The work below is named, scoped, or running, but not yet sealed in the same way the existing applications are.
Evidence Builder. Today, GRC Witness asks: here is your corpus — what evidence is present, what is partial, what is missing? The next pipeline step inverts the question: here is your organisation and your AI system — what evidence and documentation sections are required, and what can the system propose as a draft? AI assistance is allowed at this layer, but in the same witness mode described in §2: every proposed paragraph is tagged as provided-by-user, inferred-from-context, or missing — and inferred or missing items are flagged for human decision before anything is sealed. The point is to compress the time from "I have a system" to "I have a defensible documentation draft", without ever crossing into compliance-claim territory.
Lexicons and languages. Evidence Lexicon v2.1 supports English and Swedish; the Swedish work taught us that lexicon coverage is not a one-time task. Other Nordic languages, German, French, and the controlled vocabularies that each AI Act language version uses are all open. Lexicon expansion is the highest-leverage, lowest-glamour work in the system.
More AI Act articles. Six articles are voluntarily sealed; the rest of the high-risk obligations (Articles 8, 12, 13, 15, 16, 26, 49, and the relevant Annexes) are not yet covered. We expect to expand article coverage in line with what design partners actually need, not in numerical order.
Customer workspaces. Today GRC Witness has a single shared preview surface. A per-customer workspace — separate session namespace, separate approval scope, optional separate governed approval instance — is a natural step before any production rollout. The architectural primitives are in place; the multi-tenancy is not yet built.
Session retention. User-uploaded preview documents in GRC Witness are processed in temporary sessions. Session cleanup runs at server startup but not periodically; a long-running instance accumulates sessions until restart. Cleanup at request-time or via a scheduled task is a concrete, named open item — small in code, important for the retention claim to hold tightly.
Optional air-gapped mode. For organisations that will not upload documents to a hosted service at all, a local-only or air-gapped resolver — same code, same approved sources, no outbound Bridge call during local operation — is a credible option. Sealing in that mode would happen against a local chain, with optional public anchoring later.
Design partners. We are accepting one to two design partners for the Evidence Builder phase — EU companies with active AI Act compliance work, ideally in manufacturing, healthcare, or financial services — to shape it against real use cases rather than guesses. Contact: joakim@organiq.se.
Origin: this started somewhere else
EVE was not originally built as a compliance product. It was built as a trust layer for systems where guessing is unacceptable.
The first problem was local energy sharing. A local energy network that lets households share solar production, battery capacity and charging infrastructure needs to prove what happened: which meter produced which reading, which rule was applied, which balance changed, and what evidence was missing if a settlement is disputed.
In that context, a system that guesses is not useful. If settlement, money or responsibility depends on the result, the system has to show its source, its rule and its evidence — or say that it cannot answer.
That problem led to the same primitives described in this post: approved sources, governed decisions, deterministic resolution, missing-evidence states, and public verification.
The domains are different, but the control problem is similar. In energy sharing, the question is whether a kilowatt-hour, meter reading or settlement event can be trusted. In GRC, the question is whether a requirement, document claim or evidence path can be trusted.
I am new to compliance as a profession. I am not new to the underlying problem: building systems that are traceable, evidence-based and verifiable when something goes wrong.
This post describes what happened when a trust primitive originally shaped by measurement and settlement was pointed at regulation.
Verify it yourself
Everything described above can be checked without contacting us.
All nineteen sealed entries with their relationships, hashes, and verification links.
https://verify.eveverified.com/aiact-proof.htmlRetrieve any sealed record by its EVE-ID. JSON, read-only, no authentication.
The Demo AI sample result is sealed at EVE-COMPLIEDOCS-00001129 and can be verified independently.
If you find inconsistencies, gaps, or claims that do not hold up to scrutiny, we want to hear about them. Contact: joakim@organiq.se.