| Domain | Status |
|---|---|
| ⚠️ Control Effectiveness | 🔴 ALERT |
| 🗄️ Data Quality | ○ NO RUNTIME DATA |
| 👁️ Human Oversight | 🟠 MONITORED |
| 📄 Documentation & Compliance | 🟠 MONITORED |
| 🔒 Security | ○ NO RUNTIME DATA |
| 🤖 Agentic Behaviour | 🔴 ALERT |
| ⚖️ Global Governance | ○ NO RUNTIME DATA |
Audit ID: CSVA-20260614-9BE11290 | Risk class: HIGH | Date: 2026-06-17 09:47 UTC
PARTIAL TECHNICAL ALIGNMENT — identified control gaps require remediation within 90 days.
Immediate action: Begin remediation on priority articles. Schedule re-audit in 6-8 weeks.
How scores are computed: Each of the 46 checkpoints carries a weight (2–5). The article score is the weighted average of its checkpoints. Articles 9, 10, 14, 15 are gate articles — a score below 50 on any of them sets that article to 0 and overrides the global score downward. Full methodology: factdna.ai/methodology
| Dimension | Score | Status | Meaning |
|---|---|---|---|
| Compliance Score | 22 / 100 | 🔴 | Controls demonstrated by evidence (E2–E6). Skipped tests do not reduce this score. |
| Test Assurance | 7 / 100 | 🔴 | Controls verified by automated tests. Skipped: 35 (assurance gap, not compliance gap) |
| Runtime Evidence | 22 / 100 | 🔴 | Controls proven by E4+ runtime traces or E6 correlated chains |
| Documentation Coverage | 24 / 100 | 🔴 | Controls with at least E1 documentation or config evidence |
| Doc ↔ Code Alignment | 87.3% | 🟢 | Does documentation match what the code actually does? (SCI=100.0% · Gap=1.9%) |
| Regulatory Evidence Grade | 🟢 STRONG — Runtime + Tests | 🟢 | Overall evidence quality: Doc=0% · Code=0% · Runtime=20% |
Analysed sample: 2026-04-04 → 2026-04-05 (2 jours · 109 événements)
20 sessions · 18 checkpoints · Average compliance : 🟡 71.9% · Non-compliance : 25.6%
| Checkpoint | Compliance rate | Sessions (✅ / ⚠️ / 🔴) | Sessions NOK |
|---|---|---|---|
| 🔴 Audit Trail | 0% | 0 ✅ / 0 ⚠️ / 20 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC |
| 🔴 Automatic Blocking Linked to Human Rejection | 0% | 0 ✅ / 3 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC |
| 🔴 Human Validation | 0% | 0 ✅ / 3 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC |
| 🔴 PII Masking Before External Transmission | 0% | 0 ✅ / 0 ⚠️ / 20 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC |
| 🔴 Bypass Detection | 15% | 3 ✅ / 0 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC |
| 🟢 Decision Record Structure | 85% | 17 ✅ / 3 ⚠️ / 0 🔴 | — |
| 🟢 Confidence-Based Human Routing | 95% | 19 ✅ / 0 ⚠️ / 1 🔴 | fb-89F335E1 |
| 🟢 Contextual Memory Limitation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Data Traceability | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Data Cleansing & Anonymisation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Authority Delegation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 System Explainability | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Human-in-the-Loop Mechanism | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Escalation to Human | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Serious Incident Notification Procedure | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Execution Limits (Guardrails) | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 User Override | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
| 🟢 Post-Market Plan | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | — |
Source: workflow mining E5 — session-level behavioral evidence. Each row represents the evaluation of one AI Act control across all sessions in the period.
| Article | Requirement | Score | Status |
|---|---|---|---|
| Art. 9 | Risk Management System | 92.5/100 | 🟢 PASS |
| Art. 10 | Data Governance | 92.5/100 | 🟢 PASS |
| Art. 14 | Human Oversight | 85.0/100 | 🟢 PASS |
| Art. 15 | Robustness & Accuracy | 85.0/100 | 🟢 PASS |
A GATE FAIL on any of these articles overrides the global score. Deployment in high-risk regulated environments is not recommended regardless of overall maturity score.
This section answers: 'Is oversight genuinely integrated into system architecture, or merely aspirational?'
Each checkpoint shows its highest evidence level observed in the analysed artefacts. A NOT OBSERVED verdict does not assert that a control is absent — it asserts that no evidence of it was found in the scope of this audit.
Evidence Level Scale:
| Level | Verdict Label | Icon | Meaning |
|---|---|---|---|
| E6 | DEMONSTRATED | ⛓️ | Regulatory control DEMONSTRATED by correlated event chain (end-to-end execution proven) |
| E5 | VERIFIED | 🔐 | Cryptographically verified continuous evidence |
| E4 | EXECUTED | 📋 | Operational log evidence (runtime execution proven) |
| E3 | TESTED | 🧪 | Sandbox test evidence (executed in controlled environment) |
| E2 | IMPLEMENTED | 🔍 | Code architecture evidence (pattern detected in source) |
| E1 | DECLARED | 📄 | Documentation / config evidence (declared only) |
| E0 | NOT OBSERVED | ❌ | No evidence observed in analysed artefacts |
| — | NOT ASSESSABLE | 🚫 | Control requires an evidence channel unavailable in this audit — instrumentation gap, excluded from score |
| Checkpoint | Status · Level · Confidence | Next Step to Elevate |
|---|---|---|
| Post-Market Plan | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Confidence-Based Human Routing | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Risk Mitigation | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
| Continuous Monitoring | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
| Risk Matrix | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
| Risk Ownership Assignment | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
| Risk Register | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.
| Checkpoint | Status · Level · Confidence | Next Step to Elevate |
|---|---|---|
| Data Cleansing & Anonymisation | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Data Traceability | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| PII Masking Before External Transmission | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Bias Metrics | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
| Balancing & Representativeness | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
| Physical Dataset Existence | 🚫 NOT ASSESSABLE · no data evidence channel | Instrument system to emit data evidence, re-run |
| Dataset Quality | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
| Data Inventory | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.
🚫 Note: NOT ASSESSABLE means the control requires an evidence channel that was not available in this audit (e.g. runtime traces or a dataset). It is neither pass nor fail — it signals that the system is not instrumented to demonstrate this control. Make the system auditable, then re-run.
| Checkpoint | Status · Level · Confidence | Next Step to Elevate |
|---|---|---|
| Authority Delegation | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Human-in-the-Loop Mechanism | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| User Override | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Escalation to Human | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Human Validation | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Automatic Blocking Linked to Human Rejec | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Agent Tool Scope | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
| Human Decision Endpoint | ❌ NOT OBSERVED | Implement the control, document it, then run audit |
⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.
| Checkpoint | Status · Level · Confidence | Next Step to Elevate |
|---|---|---|
| Contextual Memory Limitation | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Bypass Detection | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Execution Limits (Guardrails) | 🔐 VERIFIED · E5 ●HIGH |
Continuous monitoring — maintain hash chain integrity |
| Component Obsolescence | 🧪 TESTED · E3 ●HIGH |
Submit production log extract for E4 evidence |
| Cybersecurity Audit | 🧪 TESTED · E3 ●HIGH |
Submit production log extract for E4 evidence |
| Robustness Level Reality | 🧪 TESTED · E3 ●HIGH |
Submit production log extract for E4 evidence |
| Unsafe Serialization Formats | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
| Error Handling | 📄 DECLARED · E1 ◑MED |
Implement the control in code for E2 evidence |
These checkpoints show runtime evidence COMPLIANT but automated test FAILED.
This pattern may indicate: (1) staged/synthetic log files, (2) broken test environment, (3) code path mismatch between test and production.
The compliance verdict should not be accepted without verifying the authenticity of the runtime traces.
| Checkpoint | Runtime Evidence | Test Result | Auditor Action |
|---|---|---|---|
| ⚠️ Contextual Memory Limitation | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Decision Record Structure | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Authority Delegation | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Bypass Detection | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Human-in-the-Loop Mechanism | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Execution Limits (Guardrails) | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ User Override | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Escalation to Human | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Data Traceability | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ PII Masking Before External Transmission | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ System Explainability | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
| ⚠️ Post-Market Plan | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity |
⚠️ See Critical Gates section above — gate failures constitute regulatory risk even when no DOC↔CODE collisions are detected.
| Phase | Score | Status | Timeline |
|---|---|---|---|
| Current state | 57.2 / 100 | PARTIAL EVIDENCE | Now |
| Phase 1 — Critical gaps | ~75 / 100 (estimated) | Gate article gaps resolved | 4–6 weeks |
| Phase 2 — Full evidence | ~91 / 100 (estimated) | Evidence sufficient for review | 10–14 weeks |
Phase 1 priority: Articles Article 12 — resolves immediate regulatory exposure.
LEGAL STATUS: TECHNICAL EVIDENCE REPORT — This document is an automated factual report. It documents technical alignment with EU AI Act control points. It does not constitute legal advice or regulatory certification.
The following risks have violated controls in runtime sessions. → Full Risk Control Matrix
| Risk ID | Description | Criticality | Exposure |
|---|---|---|---|
RISK-FIN-001 | The LLM agent may produce factually incorrect financial data (wrong earnings, false M&A events, inco | CRITICAL | 100.0% |
RISK-FIN-002 | Agent responses are streamed directly to users without any human review step, even for high-stakes i | CRITICAL | 100.0% |
RISK-FIN-003 | The agent uses widget data to answer questions but does not formally record which data sources infor | CRITICAL | 100.0% |
RISK-FIN-005 | Training data bias may cause systematic over-bullishness on US large-cap tech stocks vs other sector | CRITICAL | 100.0% |
RISK-FIN-006 | When no widget data is provided, the agent answers from LLM training data which may be months out of | CRITICAL | 100.0% |