📋 Regulatory Report — For: regulators · DPO · CISO · auditors · compliance teams
For technical teams: see the Technical Forensic Report · For executives: see the Executive Report
deepseek/deepseek-chat
Risk Level: [HIGH RISK] — EU AI Act Annex III
Gate passed · Maturity below threshold
| Layer | Value | Assessment |
|---|---|---|
| Regulatory verdict | PARTIAL EVIDENCE | Gate passed · Maturity below threshold |
| Raw Maturity Score (pre-gates) | 79.3/100 | Weighted average across 7 articles — before gate penalties |
| Regulatory Final Score (gates applied) | 57.2/100 | After gate kill-switches, coverage factor, and proof factor · Partial (50-74) |
| Deployment threshold | 75/100 | EU AI Act conformance baseline |
This section establishes what is known and unknown about the regulatory scope
before presenting compliance findings. An auditor will ask these questions.
| Question | Status | Notes |
|---|---|---|
| Project analysed | ✅ | agents-for-openbb — 🕸️ MICRO-MESH topology |
| Intended use case | ❓ | Not declared in scanned files |
| Deployment context | ❓ | Unknown — library or deployed system? |
| Regulatory classification | ⚠️ | Assumed HIGH (conservative default) |
| Annex III use case confirmed | ❓ | Requires manual review |
| Conformity assessment required | ❓ | Depends on deployment context |
This project appears to be a deployable AI system. High-Risk obligations apply directly if deployed in an Annex III context.
What this audit covers:
- Technical compliance evidence within the scanned codebase
- Governance documentation presence/absence
- Code-level implementation of required controls
What this audit does NOT determine:
- Whether this system is actually deployed in a regulated context
- The legal obligation status of the deploying organisation
- Whether a Notified Body assessment is required
Scores below assume the system is deployed in a High-Risk context (Art. 6 + Annex III).
If this is a research library, governance obligations fall primarily on the deploying organisation.
| Axis | Verdict | Indicator |
|---|---|---|
| 🏛️ Regulatory Compliance | 🟢 COMPLIANT | All regulatory gates are satisfied. |
| 🔍 Technical Sincerity | 🟢 HIGH | 87.3% |
| 🧪 Runtime Robustness | — NOT EVALUATED | STATIC mode |
| 📊 Audit Coverage | 🔴 LIMITED | 53.8% (29/54 checkpoints) |
| ⭐ Assurance Level | Tier A/B — Solid technical evidence | 81.0% |
The declarations are corroborated by the technical evidence.
STATIC mode — sandbox not executed. Re-run with --mode full to enable this axis.
Only 29/54 checkpoints covered — incomplete audit.
High-quality evidence (code + doc aligned).
⚠️ PARTIAL TECHNICAL ALIGNMENT (57/100 — threshold: 75)
📌 DECISION SYNTHESIS
| Layer | Value | Detail |
|---|---|---|
| Regulatory verdict | ⚠️ PARTIAL EVIDENCE | Evidence maturity below deployment threshold (57/100 — threshold: 75) |
| Regulatory Final Score (gates applied) | 57.17/100 | 🟡 Partial (threshold : 75) · After gate kill-switches, coverage factor, and proof factor |
| DOC↔CODE Sincerity | 🟢 TRUSTED (100.0%) | Declared vs implemented alignment |
| Recommended decision | P1 remediation required. | Controls present but evidence incomplete. |

Key finding : No sufficient technical evidence identified within the analyzed scope for: Article 12.
Algorithmic sincerity analysis performed on 17/06/2026
This report does not only produce a score. It produces verifiable technical evidence, re-executable tests, and a cryptographically sealed dossier.
| Metric | Value | Meaning |
|---|---|---|
| Technical signals extracted | 92 | Facts collected from source code |
| Maturity score | 46 checkpoints | Articles 9–15 EU AI Act (Annex III) |
| Controls Failing Verification | 0 | Active evidence of control absence (not just missing evidence) |
| Evidence Gaps (NOT OBSERVED) | 14 | No evidence found in audit scope — does not assert absence |
| Raw Maturity Score (pre-gates) | 79 / 100 | Weighted average across 7 articles — before gate penalties |
| Unsupported Documentation Ratio | 100.00% | 🚨 CRITICAL — Share of documented controls without technical implementation evidence — 100% = no documented control is technically corroborated |
Interpretation : Critical divergence detected between documented controls and technical implementation.
❌ EVIDENCE INSUFFICIENT — Available technical evidence is insufficient to support a positive assessment within the analyzed scope. Technical remediation required.
Category: High-Risk AI System (Annex III / Art. 6)
| Parameter | System Analysis |
|---|---|
| Impact level | Strict compliance, third-party audit and CE marking mandatory. |
| Identified exposure | Critical sectors (Health, Education, HR, Infrastructure). |
"Your AI system is classified as high-risk under the AI Act, which requires strict compliance. With a score of 79.3/100, improvements are still needed to reach full compliance."
Analysis of the codebase and dependencies indicates that the system falls within the scope of the European AI legislation.
Impact of sustained non-compliance:
* Financial penalties: Up to €35 million or 7% of total worldwide annual turnover.
* Operational penalties: Ban from the European market and obligation to delete models trained on non-compliant data.
EPISTEMIC NOTE
The CAMSVA score is a Technical Verifiability Score (TVS) of 57.2/100.
It does not certify full regulatory compliance in the sense of the EU AI Act.
It measures technical alignment on the elements verifiable by automated analysis. This score covers 38 checkpoints verifiable by technical analysis (out of 54 total checkpoints).
The 16 remaining checkpoints require human attestation (see below).
| Control | Verification method |
|---|---|
| Presence of code implementing the controls | Static AST analysis + LLM |
| Audit log structure (format, fields) | JSONL / structural parsing |
| Input validation (schema, types) | Pydantic / jsonschema detection |
| HITL mechanisms active in the code | HITL pattern detection |
| Model integrity (SHA-256 checking) | Import / load-pattern analysis |
| DOC↔CODE alignment (semantic collisions) | Semantic collision engine |
| Decision traceability (audit trails) | Log structure analysis |
| Sandbox execution tests (FULL mode) | Isolated pytest, READ-ONLY |
| Out-of-scope control | Article | Reason |
|---|---|---|
| Competence and training of HITL operators | Art. 14 §5 | Human quality not verifiable by code |
| Real representativeness of training data | Art. 10 §3 | Requires domain expertise |
| Effectiveness of organisational processes | Art. 9 §7 | Practice vs written procedure |
| Actual notification to competent authorities | Art. 73 | External administrative process |
| AI governance (committees, training, culture) | Art. 9 | Organisational, not codifiable |
These elements must be the subject of a formal declaration by the compliance officer,
complementing CAMSVA's technical evidence to constitute a complete dossier.
In STATIC mode, execution tests are not run.
Re-run with --mode full to generate executable evidence artefacts
(re-runnable, signed artefacts that hold up before a regulatory auditor).
| Type | Count |
|---|---|
| Technical evidence (code, logs, config) | 17 |
| Documentary evidence (docs, notices) | 0 |
| Total facts extracted | 92 |
Regulatory Gates are the non-negotiable EU AI Act articles for high-risk systems.
A failure on any of them constitutes a deployment block, regardless of the overall maturity score.
Evidence Level Scale:
L0 No evidence · L1 Documentation only · L2 Code artefact · L3 DOC↔CODE match · L4 Runtime trace · L5 Cryptographic proof
| Article | Score | Status | Evidence Level | Gate |
|---|---|---|---|---|
| Art. 9 — Risk Management | 92% | ✅ COMPLIANT | L0 (0%) | ✅ Pass |
| Art. 10 — Data Governance | 92% | ✅ COMPLIANT | L0 (0%) | ✅ Pass |
| Art. 14 — Human Oversight (HITL) | 85% | ⚠️ PARTIAL | L0 (0%) | ✅ Pass |
| Art. 15 — Robustness & Cybersecurity | 85% | ⚠️ PARTIAL | L5 (100%) | ✅ Pass |
No blocking regulatory articles detected. The system may proceed to formal conformity assessment.
Note: This is a technical alignment assessment, not a certification. Formal EU AI Act compliance requires documentation completion and, for some Annex III uses, a Notified Body review.
This table cross-references AI Act requirements with your codebase reality. Unlike a declarative audit, each status below is correlated to evidence (code or documentation).
| Article | Status | Score | Sincerity | Severity | Dominant Evidence | Type | Assurance | Audit State | Nature of Defect |
|---|---|---|---|---|---|---|---|---|---|
| Article 12 | ❌ NON-COMPLIANT | 0.00 | N/A | 🔴 CRITICAL | None | — | Tier E — Unsupported claim | BREACH | NO EVIDENCE OBSERVED IN AUDIT SCOPE |
| Article 14 | ⚠️ PARTIAL | 85.00 | 🛠️ DOC DEBT | 🟠 MAJOR | Authority Delegation | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | PARTIAL IMPLEMENTATION |
| Article 9 | ✅ COMPLIANT | 92.50 | 🛠️ DOC DEBT | 🟢 MINOR | Confidence-Based Human Routing | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | NO MAJOR DEFICIENCY |
| Article 15 | ⚠️ PARTIAL | 85.00 | 🛠️ DOC DEBT | 🟠 MAJOR | Contextual Memory Limitation | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | PARTIAL IMPLEMENTATION |
| Article 10 | ✅ COMPLIANT | 92.50 | 🛠️ DOC DEBT | 🟢 MINOR | Data Traceability | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | NO MAJOR DEFICIENCY |
| Article 13 | ✅ COMPLIANT | 100.00 | 🛠️ DOC DEBT | 🟢 MINOR | System Explainability | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | NO MAJOR DEFICIENCY |
| Article 73 | ✅ COMPLIANT | 100.00 | 🛠️ DOC DEBT | 🟢 MINOR | Serious Incident Notification Procedure | LOG_WORKFLOW | Tier A — Runtime · Tests · Code | STABLE | NO MAJOR DEFICIENCY |
| Indicator | Meaning | Decision Impact |
|---|---|---|
| ⚠️ ILLUSION | Critical divergence detected between documented controls and technical evidence. | Requires immediate remediation before any conformity assessment. |
| 🛠️ DOC DEBT | Technically implemented but undocumented. | Operational risk in case of audit. |
| 🛡️ AUDIT-READY | Technical evidence + Documentary evidence aligned. | Maximum confidence level. |
Auditor's Note : A "FACADE" status on a High-Criticality article (Art. 10, 14, 15) indicates that the documentation claims compliance that the code does not support. This constitutes a significant regulatory risk whose precise assessment requires specialized legal counsel.
This section shows the dependencies between controls.
A ⛔ BLOCKED control cannot be evaluated while its prerequisite is missing:
fixing the prerequisite automatically unblocks the child controls.
DYNAMIC_AUDIT — Dynamic test result for Risk Register: failed
feedback_sessions_2026_events.jsonl — No violations detected.
DYNAMIC_AUDIT — Dynamic test result for Serious Incident Notification Procedure: skipped
feedback_sessions_2026_events.jsonl — Non-compliant sessions: fb-89F335E1
DYNAMIC_AUDIT — Dynamic test result for Confidence-Based Human Routing: skipped
DYNAMIC_AUDIT — Dynamic test result for Data Inventory: failed
DYNAMIC_AUDIT — Dynamic test result for Dataset Quality: failed
feedback_sessions_2026_events.jsonl — Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F
DYNAMIC_AUDIT — Dynamic test result for PII Masking Before External Transmission: skipped
DYNAMIC_AUDIT — Dynamic test result for System Architecture: passed
DYNAMIC_AUDIT — Dynamic test result for Model Card: failed
DYNAMIC_AUDIT — Dynamic test result for Version Management: skipped
DYNAMIC_AUDIT — Dynamic test result for Logging Implementation: failed
DYNAMIC_AUDIT — Dynamic test result for Storage Definition: skipped
DYNAMIC_AUDIT — Dynamic test result for Logging Integrity: failed
DYNAMIC_AUDIT — Dynamic test result for User Notice: failed
DYNAMIC_AUDIT — Dynamic test result for Human Decision Endpoint: skipped
DYNAMIC_AUDIT — Dynamic test result for Human Approval Gates Execution: skipped
feedback_sessions_2026_events.jsonl — Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F
DYNAMIC_AUDIT — Dynamic test result for Automatic Blocking Linked to Human Rejection: skipped
DYNAMIC_AUDIT — Dynamic test result for Full Workflow Integration: skipped
feedback_sessions_2026_events.jsonl — Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F
DYNAMIC_AUDIT — Dynamic test result for Human Validation: failed
feedback_sessions_2026_events.jsonl — No violations detected.
DYNAMIC_AUDIT — Dynamic test result for Human-in-the-Loop Mechanism: skipped
DYNAMIC_AUDIT — Dynamic test result for Agent Tool Scope: skipped
feedback_sessions_2026_events.jsonl — No violations detected.
DYNAMIC_AUDIT — Dynamic test result for Authority Delegation: skipped
DYNAMIC_AUDIT — Dynamic test result for Unsafe Serialization Formats: skipped
DYNAMIC_AUDIT — Dynamic test result for Secure Format Policy: skipped
DYNAMIC_AUDIT — Dynamic test result for Error Handling: skipped
DYNAMIC_AUDIT — Dynamic test result for Component Obsolescence: passed
DYNAMIC_AUDIT — Dynamic test result for Prompt Guardrail / Injection Detection: skipped
feedback_sessions_2026_events.jsonl — No violations detected.
DYNAMIC_AUDIT — Dynamic test result for Contextual Memory Limitation: skipped
feedback_sessions_2026_events.jsonl — No violations detected.
DYNAMIC_AUDIT — Dynamic test result for Execution Limits (Guardrails): skipped
feedback_sessions_2026_events.jsonl — Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F
DYNAMIC_AUDIT — Dynamic test result for Bypass Detection: skipped
DYNAMIC_AUDIT — Dynamic test result for Provider Identity: skipped

The sincerity analysis measures the correlation between compliance declarations (DOC) and algorithmic reality (CODE).
Sincerity Verdict :
🟠 GOVERNANCE MATURITY GAP
| Indicator | Value | Status | Interpretation |
|---|---|---|---|
| DFI (Documentation Fidelity Index) | 100.0% | 🟢 | DOC↔CODE truthfulness: 100% = no false claims in documentation |
| Evidence Coverage Gap | 1.9% | 🟢 | Controls with no evidence in audit scope — distinct from DFI |
| RuntimeConfidence | 72.5% | 🟡 | Test pass rate — FULL mode only (N/A in STATIC) |
| Composite Sincerity | 87.3% | 🟢 | DOC↔CODE alignment score |
| Audit mode | STATIC | — | STATIC = DOC↔CODE analysis · FULL = + runtime execution |
Metrics computed from artefacts in audit scope. In STATIC mode, runtime-dependent metrics (RuntimeConfidence) are unavailable. All metrics are anchored in the SHA-256 seal (Section 10).
Note: Exact figures reflect the analysed artefact set — not the full system boundary.
Situation : Significant gap: important compliance commitments are not found in the code.
Sincerity-related risks : MODERATE. The file is vulnerable. An urgent update of the implementation is required.
checkpoints supported by documentation claims, configuration files, or structural inference only — no source code artifact was directly linked. This does not mean controls are absent; they may exist in code not provided, in external services, or in formats not machine-readable.
Compliance without technical sincerity is legally riskier than non-compliance with honest documentation.
CAMSVA Multi-Source Correlation · Triangulation Code × Doc × Tests × Runtime
| Indicator | Value |
|---|---|
| Control points analysed | 31 |
| Documentary facades detected | 0 |
| Skeleton Ratio (Structural density) | 100% |
| Checkpoint | Article | Sources (Technical) | Code | Internal Doc | Test Trace | Execution Trace | Seal | Overall Sincerity | Score |
|---|---|---|---|---|---|---|---|---|---|
| Audit Trail | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | 🔴 20 sess. · 0%✅ · 100%❌ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Automatic Blocking Linked to Human Rejection | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | 🔴 20 sess. · 0%✅ · 3⚠️ · 85%❌ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Confidence-Based Human Routing | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | 🟢 20 sess. · 95%✅ · 5%❌ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Contextual Memory Limitation | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Data Cleansing & Anonymisation | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Decision Record Structure | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | ⚠️ 20 sess. · 85%✅ · 3⚠️ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Authority Delegation | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Bypass Detection | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🔴 20 sess. · 15%✅ · 85%❌ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Human-in-the-Loop Mechanism | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Escalation to Human | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| Human Validation | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | 🔴 20 sess. · 0%✅ · 3⚠️ · 85%❌ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Execution Limits (Guardrails) | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| User Override | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🟢 20 sess. · 100%✅ | - | ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL | 0.00 |
| PII Masking Before External Transmission | N/A | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | 🔴 20 sess. · 0%✅ · 100%❌ | - | ⬛ NON-COMPLIANT · NONEXISTENT CONTROL | 0.00 |
| Agent Tool Scope | Article 14 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Unsafe Serialization Formats | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Error Handling | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Prompt Guardrail / Injection Detection | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Risk Mitigation | Article 9 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Logging Implementation | Article 12 | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | NOT OBSERVED | - | | 0.00 |
| Logging Integrity | Article 12 | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | NOT OBSERVED | - | | 0.00 |
| Component Obsolescence | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ✅ PASSED (1) | NOT OBSERVED | - | | 0.00 |
| Continuous Monitoring | Article 9 | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | NOT OBSERVED | - | | 0.00 |
| Physical Dataset Existence | Article 10 | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | NOT OBSERVED | - | | 0.00 |
| Balancing & Representativeness | Article 10 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | NOT OBSERVED | - | | 0.00 |
| Input Robustness | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 1❌ | NOT OBSERVED | - | | 0.00 |
| Real Execution Traces | Article 12 | Global dossier | NOT OBSERVED | NOT OBSERVED | ❌ FAILED (1) | NOT OBSERVED | - | | 0.00 |
| Cybersecurity Audit | Article 15 | Global dossier | NOT OBSERVED | NOT OBSERVED | ✅ PASSED (1) | NOT OBSERVED | - | | 0.00 |
| Human Decision Endpoint | Article 14 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | NOT OBSERVED | - | | 0.00 |
| Human Approval Gates Execution | Article 14 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | NOT OBSERVED | - | | 0.00 |
| Full Workflow Integration | Article 14 | Global dossier | NOT OBSERVED | NOT OBSERVED | ⚠️ PARTIAL 0✅ / 0❌ | NOT OBSERVED | - | | 0.00 |
| Section | Score | Status |
|---|---|---|
| I. Strategy & Governance | 92.5% | 🟢 COMPLIANT |
| II. Data Engineering | 92.5% | 🟢 COMPLIANT |
| III. Transparency & Interface | 61.7% | 🟡 PARTIAL |
| IV. Resilience & Cybersecurity | 85.0% | 🟢 COMPLIANT |
Cross-analysis between declared commitments and technical reality.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : EVIDENCE INSUFFICIENT
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 0 (0.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 20 (100.0%)
* Sessions NOK : fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : EVIDENCE INSUFFICIENT
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 0 (0.0%)
* ⚠️ Partial : 3
* 🔴 Non-compliant : 17 (85.0%)
* Sessions NOK : fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 19 (95.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 1 (5.0%)
* Sessions NOK : fb-89F335E1
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : PARTIAL
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 17 (85.0%)
* ⚠️ Partial : 3
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : EVIDENCE INSUFFICIENT
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 3 (15.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 17 (85.0%)
* Sessions NOK : fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : EVIDENCE INSUFFICIENT
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 0 (0.0%)
* ⚠️ Partial : 3
* 🔴 Non-compliant : 17 (85.0%)
* Sessions NOK : fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ ⚠️ UNVERIFIABLE — Activity signals detected but no source implementation · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 20 (100.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 0 (0.0%)
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
* 🚨 GHOST : The logs simulate a success although the source code is absent or invalid.
Sincerity Verdict: ⬛ NON-COMPLIANT · NONEXISTENT CONTROL
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : EVIDENCE INSUFFICIENT
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
🔬 Runtime — Process Mining Analysis (Behavioral Audit) :
* Sample : 2026-04-04 → 2026-04-05 (2 days)
* Sessions analysed : 20
* ✅ Compliant : 0 (0.0%)
* ⚠️ Partial : 0
* 🔴 Non-compliant : 20 (100.0%)
* Sessions NOK : fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
Detailed analysis :
* ⚠️ FACADE WITHOUT TEST: No test validates the declared compliance.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict: **
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ✅ PASSED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 1❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ❌ FAILED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ✅ PASSED (1)
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : —
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
Sincerity Verdict:
* Technical Evidence (Code) : NOT OBSERVED
* Documentary Evidence : NOT OBSERVED
* Execution Evidence : NOT OBSERVED
* Tests — result : ⚠️ PARTIAL 0✅ / 0❌
* External Evidence : NOT OBSERVED
Detailed analysis :
No anomaly detected.
This section is the detailed register of evidence extracted from the technical environment. It allows each EU AI Act requirement to be correlated with a specific asset (source code or document).
Objective: Make the audit defensible before a supervisory authority or an insurer.
(interpretations concern only the analysed scope)
| Analysis point | Article | Category | Source | Type | Status | Verdict | Analysis |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| Confidence-Based Human Routing | no section | Confidence-Based Human Routing | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | Non-compliant sessions: fb-89F335E1... |
| Contextual Memory Limitation | no section | Context Bounds | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Data Traceability | no section | Data Lineage | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Data Cleansing & Anonymisation | no section | Data Sanitization | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Authority Delegation | no section | Delegation Control | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| System Explainability | no section | Explainability | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Human-in-the-Loop Mechanism | no section | HITL Loop | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Escalation to Human | no section | Human Escalation | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Serious Incident Notification Procedure | no section | Incident Reporting | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Execution Limits (Guardrails) | no section | Execution Limits | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| User Override | no section | Human Override | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Post-Market Plan | no section | Post-Market Plan | ❓ Unknown source | N/A | 🟢 VERIFIED_RUNTIME | 🟢 | No violations detected.... |
| Component Obsolescence | Article 15 | Component Freshness | 📄 Component Obsolescence | Component Obsolescence | 🟢 VERIFIED_STATIC | 🟢 | Dynamic test result for Component Obsolescence: passed... |
| Cybersecurity Audit | Article 15 | Security Scan | 📄 Cybersecurity Audit | Cybersecurity Audit | 🟢 VERIFIED_STATIC | 🟢 | Dynamic test result for Cybersecurity Audit: passed... |
| System Architecture | Article 11 | System Architecture | 📄 System Architecture | System Architecture | 🟢 VERIFIED_STATIC | 🟢 | Dynamic test result for System Architecture: passed... |
| Robustness Level Reality | Article 15 | — | 📄 SYS_CONTRADICTION_CYBER | SYS_CONTRADICTION_CYBER | 🟢 VERIFIED_STATIC | 🟢 | Dynamic test result for SYS_CONTRADICTION_CYBER: passed... |
This list records the points where the system shows critical gaps between declarations (documentation) and technical reality (code).
| Analysis point | Article | Category | Source | Type | Status | Verdict | Analysis |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| Audit Trail | no section | Audit Trail | ❓ Unknown source | N/A | 🔴 ABSENT | 🔴 | Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F... |
| Automatic Blocking Linked to Human Rejection | no section | Automatic Blocking Linked to Human Rejection | ❓ Unknown source | N/A | 🔴 ABSENT | 🔴 | Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F | Partial sessions: 3... |
| Decision Record Structure | no section | Decision Record | ❓ Unknown source | N/A | 🔴 ABSENT | ⚠️ | Partial sessions: 3... |
| Bypass Detection | no section | Bypass Detection | ❓ Unknown source | N/A | 🔴 ABSENT | 🔴 | Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F... |
| Human Validation | no section | Human Validation | ❓ Unknown source | N/A | 🔴 ABSENT | 🔴 | Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F | Partial sessions: 3... |
| PII Masking Before External Transmission | no section | PII Masking | ❓ Unknown source | N/A | 🔴 ABSENT | 🔴 | Non-compliant sessions: fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F... |
| Agent Tool Scope | Article 14 | Agent Privilege | 📄 Agent Tool Scope | Agent Tool Scope | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Agent Tool Scope: failed... |
| Contextual Memory Limitation | Article 15 | Context Bounds | 📄 Contextual Memory Limitation | Contextual Memory Limitation | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Contextual Memory Limitation: failed... |
| Unsafe Serialization Formats | Article 15 | Unsafe Formats | 📄 Unsafe Serialization Formats | Unsafe Serialization Formats | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Unsafe Serialization Formats: failed... |
| Decision Record Structure | Article 12 | Decision Record | 📄 Decision Record Structure | Decision Record Structure | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Decision Record Structure: failed... |
| Authority Delegation | Article 14 | Delegation Control | 📄 Authority Delegation | Authority Delegation | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Authority Delegation: failed... |
| Error Handling | Article 15 | Error Handling | 📄 Error Handling | Error Handling | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Error Handling: failed... |
| Bypass Detection | Article 15 | Bypass Detection | 📄 Bypass Detection | Bypass Detection | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Bypass Detection: failed... |
| Human-in-the-Loop Mechanism | Article 14 | HITL Loop | 📄 Human-in-the-Loop Mechanism | Human-in-the-Loop Mechanism | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Human-in-the-Loop Mechanism: failed... |
| Execution Limits (Guardrails) | Article 15 | Execution Limits | 📄 Execution Limits (Guardrails) | Execution Limits (Guardrails) | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Execution Limits (Guardrails): failed... |
| User Override | Article 14 | Human Override | 📄 User Override | User Override | 🔴 TEST_FAILED | 🔴 | Dynamic test result for User Override: failed... |
| Prompt Guardrail / Injection Detection | Article 15 | Prompt Guardrail | 📄 Prompt Guardrail / Injection Detection | Prompt Guardrail / Injection Detection | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Prompt Guardrail / Injection Detection: failed... |
| Risk Mitigation | Article 9 | Risk Mitigation | 📄 Risk Mitigation | Risk Mitigation | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Risk Mitigation: failed... |
| Audit Trail | Article 12 | Audit Trail | 📄 Audit Trail | Audit Trail | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Audit Trail: failed... |
| Bias Metrics | Article 10 | Bias Metrics | 📄 Bias Metrics | Bias Metrics | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Bias Metrics: failed... |
| Data Cleansing & Anonymisation | Article 10 | Data Sanitization | 📄 Data Cleansing & Anonymisation | Data Cleansing & Anonymisation | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Data Cleansing & Anonymisation: skipped... |
| Escalation to Human | Article 14 | Human Escalation | 📄 Escalation to Human | Escalation to Human | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Escalation to Human: failed... |
| Human Validation | Article 14 | Human Validation | 📄 Human Validation | Human Validation | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Human Validation: failed... |
| Logging Implementation | Article 12 | Log Implementation | 📄 Logging Implementation | Logging Implementation | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Logging Implementation: failed... |
| Logging Integrity | Article 12 | Log Integrity | 📄 Logging Integrity | Logging Integrity | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Logging Integrity: failed... |
| Continuous Monitoring | Article 9 | Risk Monitoring | 📄 Continuous Monitoring | Continuous Monitoring | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Continuous Monitoring: failed... |
| Agent Tool Scope | Article 14 | Agent Privilege | 📄 Agent Tool Scope | Agent Tool Scope | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Agent Tool Scope: skipped... |
| Contextual Memory Limitation | Article 15 | Context Bounds | 📄 Contextual Memory Limitation | Contextual Memory Limitation | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Contextual Memory Limitation: skipped... |
| Unsafe Serialization Formats | Article 15 | Unsafe Formats | 📄 Unsafe Serialization Formats | Unsafe Serialization Formats | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Unsafe Serialization Formats: skipped... |
| Secure Format Policy | Article 15 | Secure Format Policy | 📄 Secure Format Policy | Secure Format Policy | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Secure Format Policy: skipped... |
| Physical Dataset Existence | Article 10 | Dataset Artefact | 📄 Physical Dataset Existence | Physical Dataset Existence | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Physical Dataset Existence: failed... |
| Balancing & Representativeness | Article 10 | Dataset Balance | 📄 Balancing & Representativeness | Balancing & Representativeness | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Balancing & Representativeness: skipped... |
| Data Traceability | Article 10 | Data Lineage | 📄 Data Traceability | Data Traceability | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Data Traceability: failed... |
| Dataset Quality | Article 10 | Data Quality | 📄 Dataset Quality | Dataset Quality | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Dataset Quality: failed... |
| Data Inventory | Article 10 | Data Inventory | 📄 Data Inventory | Data Inventory | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Data Inventory: failed... |
| Decision Record Structure | Article 12 | Decision Record | 📄 Decision Record Structure | Decision Record Structure | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Decision Record Structure: skipped... |
| Authority Delegation | Article 14 | Delegation Control | 📄 Authority Delegation | Authority Delegation | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Authority Delegation: skipped... |
| Error Handling | Article 15 | Error Handling | 📄 Error Handling | Error Handling | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Error Handling: skipped... |
| System Explainability | Article 13 | Explainability | 📄 System Explainability | System Explainability | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for System Explainability: skipped... |
| Bypass Detection | Article 15 | Bypass Detection | 📄 Bypass Detection | Bypass Detection | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Bypass Detection: skipped... |
| Human-in-the-Loop Mechanism | Article 14 | HITL Loop | 📄 Human-in-the-Loop Mechanism | Human-in-the-Loop Mechanism | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Human-in-the-Loop Mechanism: skipped... |
| Input Robustness | Article 15 | Input Validation | 📄 Input Robustness | Input Robustness | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Input Robustness: skipped... |
| Limitations Disclosure | Article 13 | Limitations | 📄 Limitations Disclosure | Limitations Disclosure | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Limitations Disclosure: failed... |
| Storage Definition | Article 12 | Log Storage | 📄 Storage Definition | Storage Definition | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Storage Definition: skipped... |
| Real Execution Traces | Article 12 | Live Log Evidence | 📄 Real Execution Traces | Real Execution Traces | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Real Execution Traces: failed... |
| Execution Limits (Guardrails) | Article 15 | Execution Limits | 📄 Execution Limits (Guardrails) | Execution Limits (Guardrails) | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Execution Limits (Guardrails): skipped... |
| Model Card | Article 11 | Model Card | 📄 Model Card | Model Card | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Model Card: failed... |
| User Override | Article 14 | Human Override | 📄 User Override | User Override | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for User Override: skipped... |
| Post-Market Plan | Article 9 | Post-Market Plan | 📄 Post-Market Plan | Post-Market Plan | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Post-Market Plan: skipped... |
| Prompt Guardrail / Injection Detection | Article 15 | Prompt Guardrail | 📄 Prompt Guardrail / Injection Detection | Prompt Guardrail / Injection Detection | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Prompt Guardrail / Injection Detection: skipped... |
| Risk Matrix | Article 9 | Risk Matrix | 📄 Risk Matrix | Risk Matrix | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Risk Matrix: failed... |
| Risk Mitigation | Article 9 | Risk Mitigation | 📄 Risk Mitigation | Risk Mitigation | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Risk Mitigation: skipped... |
| Risk Ownership Assignment | Article 9 | Risk Ownership | 📄 Risk Ownership Assignment | Risk Ownership Assignment | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Risk Ownership Assignment: failed... |
| Risk Register | Article 9 | Risk Registry | 📄 Risk Register | Risk Register | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Risk Register: failed... |
| System Architecture | Article 11 | System Architecture | 📄 System Architecture | System Architecture | 🔴 TEST_FAILED | 🔴 | Dynamic test result for System Architecture: failed... |
| User Notice | Article 13 | User Notice | 📄 User Notice | User Notice | 🔴 TEST_FAILED | 🔴 | Dynamic test result for User Notice: failed... |
| Version Management | Article 11 | Version Control | 📄 Version Management | Version Management | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Version Management: skipped... |
| Robustness Level Reality | Article 15 | — | 📄 SYS_CONTRADICTION_CYBER | SYS_CONTRADICTION_CYBER | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for SYS_CONTRADICTION_CYBER: skipped... |
| Input Robustness | Article 15 | Input Validation | 📄 Input Robustness | Input Robustness | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Input Robustness: failed... |
| PII Masking Before External Transmission | Article 10 | PII Masking | 📄 PII Masking Before External Transmission | PII Masking Before External Transmission | 🔴 TEST_FAILED | 🔴 | Dynamic test result for PII Masking Before External Transmission: failed... |
| Deployer Identity | Article 26 | Deployer Identity | 📄 Deployer Identity | Deployer Identity | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Deployer Identity: skipped... |
| Serious Incident Notification Procedure | Article 73 | Incident Reporting | 📄 Serious Incident Notification Procedure | Serious Incident Notification Procedure | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Serious Incident Notification Procedure: skipped... |
| Log Retention Policy | Article 12 | Retention Policy | 📄 Log Retention Policy | Log Retention Policy | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Log Retention Policy: skipped... |
| Provider Identity | Article 25 | Provider Identity | 📄 Provider Identity | Provider Identity | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Provider Identity: skipped... |
| System Explainability | Article 13 | Explainability | 📄 System Explainability | System Explainability | 🔴 TEST_FAILED | 🔴 | Dynamic test result for System Explainability: failed... |
| Post-Market Plan | Article 9 | Post-Market Plan | 📄 Post-Market Plan | Post-Market Plan | 🔴 TEST_FAILED | 🔴 | Dynamic test result for Post-Market Plan: failed... |
| Bias Metrics | Article 10 | Bias Metrics | 📄 Bias Metrics | Bias Metrics | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Bias Metrics: skipped... |
| Documented AI Policy | Article 4 | AI Policy | 📄 Documented AI Policy | Documented AI Policy | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Documented AI Policy: skipped... |
| Automatic Blocking Linked to Human Rejection | Article 14 | Automatic Blocking Linked to Human Rejection | 📄 Automatic Blocking Linked to Human Rejection | Automatic Blocking Linked to Human Rejection | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Automatic Blocking Linked to Human Rejection: skipped... |
| Confidence-Based Human Routing | Article 9 | Confidence-Based Human Routing | 📄 Confidence-Based Human Routing | Confidence-Based Human Routing | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Confidence-Based Human Routing: skipped... |
| FRIA — Fundamental Rights Impact Assessment | Article 27 | FRIA | 📄 FRIA — Fundamental Rights Impact Assessment | FRIA — Fundamental Rights Impact Assessment | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for FRIA — Fundamental Rights Impact Assessment: skipped... |
| Human Decision Endpoint | Article 14 | Human Decision Endpoint | 📄 Human Decision Endpoint | Human Decision Endpoint | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Human Decision Endpoint: skipped... |
| Human Approval Gates Execution | Article 14 | Human Approval Gates Execution | 📄 Human Approval Gates Execution | Human Approval Gates Execution | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Human Approval Gates Execution: skipped... |
| PII Masking Before External Transmission | Article 10 | PII Masking | 📄 PII Masking Before External Transmission | PII Masking Before External Transmission | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for PII Masking Before External Transmission: skipped... |
| Full Workflow Integration | Article 14 | Full Workflow Integration | 📄 Full Workflow Integration | Full Workflow Integration | 🔴 TEST_FAILED | ⚠️ | Dynamic test result for Full Workflow Integration: skipped... |
Source) are authoritative for locating controls during a counter-review.
Legal notice: Analysis excerpts are truncated for readability. The full technical logs are preserved in the report's digital seal (Section 10).
Machine-readable export: The complete evidence register is available as JSON in .factdna/evidence_ledger.json (SHA-256 sealed in the audit manifest). This file can be imported into a GRC system or provided to a third-party auditor.
Each row is a missing root control whose remediation automatically unlocks
dependent child controls. The % indicates the share of regulatory weight for the article concerned.
| Priority | Root checkpoint | Article | Potential impact |
|---|---|---|---|
| 🔴 P1 | Provider Identity | Article 25 | 100.0% of article weight → unlocks 1 cross-article control(s) |
| 🔴 P1 | Risk Register | Article 9 | 87.1% of article weight → unlocks 5 cross-article control(s) |
| 🔴 P1 | Data Inventory | Article 10 | 52.8% of article weight → unlocks 3 cross-article control(s) |
| 🔴 P1 | Logging Implementation | Article 12 | 45.5% of article weight → unlocks 2 cross-article control(s) |
| 🔴 P1 | Secure Format Policy | Article 15 | 33.3% of article weight → unlocks 2 cross-article control(s) |
| 🔴 P1 | Human Validation | Article 14 | 29.5% of article weight → unlocks 2 cross-article control(s) |
Each row corresponds to an AI Act checkpoint for which no sufficient evidence was identified
within the analyzed scope, and describes the evidence gap to close.
The approaches listed are illustrative examples, not prescriptions — any equivalent control
that produces the expected evidence is acceptable. Implementation choices remain the
responsibility of the system owner.
| Reg. Severity | Priority | Checkpoint | Article | Example remediation approach | Indicative effort |
|---|---|---|---|---|---|
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Audit Trail | Article 12 | Add an AuditLogger call before each critical decision. | 2–4 days |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Automatic Blocking Linked to Human Rejection | Article 14 | Analyse and fix checkpoint 'Automatic Blocking Linked to Human Rejection' per Article 14. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Bypass Detection | Article 15 | Analyse and fix checkpoint 'Bypass Detection' per Article 15. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Human Validation | Article 14 | Implement a human approval gate before any critical automated decision. | 1–2 wks |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | PII Masking Before External Transmission | Article 10 | Add a PII masking layer before any transmission to an external LLM or API. | 3–5 days |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Unsafe Serialization Formats | Article 15 | Replace pickle.load() with a secure format (safetensors, ONNX, joblib with verification). | 2–5 days |
| 🔴 HIGH | 🔴 P1 CRITICAL | Decision Record Structure | Article 12 | Enrich the log structure with mandatory accountability fields. | 3–5 days |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Prompt Guardrail / Injection Detection | Article 15 | Integrate a semantic guardrail (Llama Guard or equivalent) before LLM transmission. | 3–5 days |
| 🔴 HIGH | 🔴 P1 CRITICAL | Risk Mitigation | Article 9 | Analyse and fix checkpoint 'Risk Mitigation' per Article 9. | To be estimated |
| 🔴 HIGH | 🔴 P1 CRITICAL | Bias Metrics | Article 10 | Integrate bias metrics (Disparate Impact, Equal Opportunity) into the test pipeline. | 3–5 days |
| 🔴 HIGH | 🔴 P1 CRITICAL | Logging Implementation | Article 12 | Configure a centralised logger (logging.getLogger) writing to persistent storage. | 1–2 days |
| 🟠 MEDIUM | 🔴 P1 CRITICAL | Logging Integrity | Article 12 | Verify that log functions actually write to DB/file (no pass or print stubs). | 1–3 days |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Physical Dataset Existence | Article 10 | Analyse and fix checkpoint 'Physical Dataset Existence' per Article 10. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Data Inventory | Article 10 | Analyse and fix checkpoint 'Data Inventory' per Article 10. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Real Execution Traces | Article 12 | Analyse and fix checkpoint 'Real Execution Traces' per Article 12. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Risk Matrix | Article 9 | Analyse and fix checkpoint 'Risk Matrix' per Article 9. | To be estimated |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Risk Ownership Assignment | Article 9 | Assign a named Risk Owner for each risk in the register. | 1 day |
| ⛔ GATE ARTICLE | 🔴 P1 CRITICAL | Risk Register | Article 9 | Create a formalised risk register (JSON, YAML or doc section) listing all identified risks. | 2–3 days |
| 🔴 HIGH | 🟠 P2 MAJOR | Agent Tool Scope | Article 14 | Restrict the agent tool catalogue to the strict minimum (least privilege principle). | 1–3 days |
| 🔴 HIGH | 🟠 P2 MAJOR | Error Handling | Article 15 | Wrap critical calls in try/except blocks returning generic errors. | 1–2 days |
| 🔴 HIGH | 🟠 P2 MAJOR | Continuous Monitoring | Article 9 | Analyse and fix checkpoint 'Continuous Monitoring' per Article 9. | To be estimated |
| 🔴 HIGH | 🟠 P2 MAJOR | Dataset Quality | Article 10 | Analyse and fix checkpoint 'Dataset Quality' per Article 10. | To be estimated |
| 🔴 HIGH | 🟠 P2 MAJOR | Limitations Disclosure | Article 13 | Analyse and fix checkpoint 'Limitations Disclosure' per Article 13. | To be estimated |
| 🟠 MEDIUM | 🟠 P2 MAJOR | Model Card | Article 11 | Write a model card (intended use, limits, metrics, version). | 2–3 days |
| 🟠 MEDIUM | 🟠 P2 MAJOR | System Architecture | Article 11 | Analyse and fix checkpoint 'System Architecture' per Article 11. | To be estimated |
| 🔴 HIGH | 🟠 P2 MAJOR | User Notice | Article 13 | Write a user notice explaining the system's operation and limits. | 1–2 days |
| 🔴 HIGH | 🟠 P2 MAJOR | Input Robustness | Article 15 | Add schema validation (Pydantic/jsonschema) on all user inputs. | 2–4 days |
| 🔴 P1 STRATÉGIQUE | STUB_IMPLEMENTATION_RATIO | Global | Replace the detected empty functions (pass/stub) with a real implementation. | 3–6 wks | CODE |
Audit Trail — Audit Trail (Article 12)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 2–4 days |
| Type | CODE |
Action required: Add an AuditLogger call before each critical decision.
Implementation example:
AuditLogger.log_event(event='decision', resource_id=res_id)
Expected evidence (how to prove this is fixed):
audit.log file or audit_events DB table with sample entries (decision_id, timestamp, actor, input_hash, output)
Risk if not remediated:
⚠️ Without decision traceability, incident investigation and regulatory inspection become impossible. Art. 12 §1 mandatory.
Human Validation — Human Validation (Article 14)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 1–2 wks |
| Type | CODE |
Action required: Implement a human approval gate before any critical automated decision.
Implementation example:
if not human_approval_cb(decision=result, actor=user): raise HumanApprovalRequired()
Expected evidence (how to prove this is fixed):
hitl.py + screenshot of approval workflow + sample approval log entry
Risk if not remediated:
⚠️ Automated critical decisions may be executed without human intervention. Non-compliance with Art. 14 §4, direct enforcement action risk.
PII Masking Before External Transmission — PII Masking Before External Transmission (Article 10)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 3–5 days |
| Type | CODE |
Action required: Add a PII masking layer before any transmission to an external LLM or API.
Implementation example:
masked = pii_filter.mask(payload); response = llm_client.call(masked)
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Unsafe Serialization Formats — Unsafe Serialization Formats (Article 15)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 2–5 days |
| Type | CODE |
Action required: Replace pickle.load() with a secure format (safetensors, ONNX, joblib with verification).
Implementation example:
```python
# BEFORE: model = pickle.load(f)
# AFTER: from safetensors.torch import load_file; state_dict = load_file('model.safetensors')
```
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Decision Record Structure — Decision Record Structure (Article 12)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 3–5 days |
| Type | CODE |
Action required: Enrich the log structure with mandatory accountability fields.
Implementation example:
```python
# input_bytes: the raw model input encoded as bytes
{'decision_id': str(uuid.uuid4()), 'actor_id': user.id, 'model_version': MODEL_VER, 'input_hash': hashlib.sha256(input_bytes).hexdigest()}
```
Expected evidence (how to prove this is fixed):
Sample log entry: {decision_id, actor_id, model_version, input_hash, output, timestamp}
Risk if not remediated:
⚠️ AI decisions cannot be attributed or reconstructed. Required for conformity assessment under Art. 12 §2.
Prompt Guardrail / Injection Detection — Prompt Guardrail / Injection Detection (Article 15)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 3–5 days |
| Type | CODE |
Action required: Integrate a semantic guardrail (Llama Guard or equivalent) before LLM transmission.
Implementation example:
```python
safe_input = guardrail.check(user_input)
if not safe_input.is_safe:
    raise PromptInjectionError()
```
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Risk Mitigation — Risk Mitigation (Article 9)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🔴 P1 CRITIQUE |
| Effort | To be estimated |
| Type | ? |
Action required: Analyse and fix checkpoint 'Risk Mitigation' per Article 9.
Expected evidence (how to prove this is fixed):
Code implementing mitigation + reference to risk_id in RISK_REGISTER + test confirming mitigation active
Risk if not remediated:
⚠️ Identified risks with no mitigation action. Regulatory gap under Art. 9 §2.
Bias Metrics — Bias Metrics (Article 10)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 3–5 days |
| Type | CODE |
Action required: Integrate bias metrics (Disparate Impact, Equal Opportunity) into the test pipeline.
Implementation example:
```python
from fairlearn.metrics import demographic_parity_difference
dpd = demographic_parity_difference(y_true, y_pred, sensitive_features=gender)
```
Expected evidence (how to prove this is fixed):
fairness_report.json or model_card.md section with: protected_groups, metrics (TPR, FPR, equalized_odds)
Risk if not remediated:
⚠️ No evidence of bias evaluation. High-risk AI without fairness metrics exposed to Art. 10 §2 non-compliance.
Logging Implementation — Logging Implementation (Article 12)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 1–2 days |
| Type | CODE |
Action required: Configure a centralised logger (logging.getLogger) writing to persistent storage.
Implementation example:
```python
import logging

logger = logging.getLogger('ai_system')
logger.addHandler(logging.FileHandler('audit.log'))  # persistent file, not stdout
```
Expected evidence (how to prove this is fixed):
audit.log or audit_events table with persistent entries (not stdout only)
Risk if not remediated:
⚠️ Logs written to stdout are lost at process restart. Non-persistent logging fails Art. 12 §1.
Logging Integrity — Logging Integrity (Article 12)

| Field | Value |
|---|---|
| Severity | 🟠 MEDIUM |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 1–3 days |
| Type | CODE |
Action required: Verify that log functions actually write to DB/file (no pass or print stubs).
Implementation example:
```python
def log_event(self, **kw):
    self.db.insert('audit_log', kw)  # NOT: pass or print()
```
Expected evidence (how to prove this is fixed):
Test confirming log entries written to DB/file (not just print). Log rotation config.
Risk if not remediated:
⚠️ Logs that only print to stdout provide no durable audit trail.
Risk Ownership Assignment — Risk Ownership Assignment (Article 9)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 1 day |
| Type | DOC |
Action required: Assign a named Risk Owner for each risk in the register.
Implementation example:
risks.yaml:
```yaml
- id: RISK-001
  owner: 'Chief Risk Officer'
  contact: 'risk-owner@company.example'
```
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Risk Register — Risk Register (Article 9)

| Field | Value |
|---|---|
| Severity | ⛔ BLOCKING |
| Priority | 🔴 P1 CRITIQUE |
| Effort | 2–3 days |
| Type | DOC |
Action required: Create a formalised risk register (JSON, YAML or doc section) listing all identified risks.
Implementation example:
risks.yaml:
```yaml
- id: RISK-001
  name: Algorithmic bias
  probability: MEDIUM
  impact: HIGH
```
Expected evidence (how to prove this is fixed):
risks.yaml or RISK_REGISTER.md with: id, probability, impact, mitigation, owner, review_date
Risk if not remediated:
⚠️ Without a risk register, all downstream risk management obligations (Art. 9) cannot be demonstrated. Potential regulatory exposure under Article 9.
Agent Tool Scope — Agent Tool Scope (Article 14)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🟠 P2 MAJEUR |
| Effort | 1–3 days |
| Type | CODE |
Action required: Restrict the agent tool catalogue to the strict minimum (least privilege principle).
Implementation example:
```python
ALLOWED_TOOLS = ['search', 'summarize']  # Remove: 'delete', 'send_email', 'execute_code'
```
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Error Handling — Error Handling (Article 15)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🟠 P2 MAJEUR |
| Effort | 1–2 days |
| Type | CODE |
Action required: Wrap critical calls in try/except blocks returning generic errors.
Implementation example:
```python
try:
    result = model.infer(input)
except InferenceError:
    return {'error': 'Service unavailable', 'code': 503}
```
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Model Card — Model Card (Article 11)

| Field | Value |
|---|---|
| Severity | 🟠 MEDIUM |
| Priority | 🟠 P2 MAJEUR |
| Effort | 2–3 days |
| Type | DOC |
Action required: Write a model card (intended use, limits, metrics, version).
Implementation example:
MODEL_CARD.md: Model — <name> v<version> | Intended use: <domain task> | Limitation: <known out-of-scope conditions>
Expected evidence (how to prove this is fixed):
MODEL_CARD.md with: intended_use, limitations, performance metrics, bias assessment, version
Risk if not remediated:
⚠️ Users and deployers cannot assess system capabilities. Art. 13 transparency obligation not met.
System Architecture — System Architecture (Article 11)

| Field | Value |
|---|---|
| Severity | 🟠 MEDIUM |
| Priority | 🟠 P2 MAJEUR |
| Effort | To be estimated |
| Type | ? |
Action required: Analyse and fix checkpoint 'System Architecture' per Article 11.
Expected evidence (how to prove this is fixed):
SYSTEM_DESCRIPTION.md or Annex IV-compatible technical documentation
Risk if not remediated:
⚠️ No technical documentation for conformity assessment. Required under Art. 11 and Annex IV.
User Notice — User Notice (Article 13)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🟠 P2 MAJEUR |
| Effort | 1–2 days |
| Type | DOC |
Action required: Write a user notice explaining the system's operation and limits.
Implementation example:
User guide — Section 1: This AI system assists <domain task>. It does not replace expert human judgement.
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
Input Robustness — Input Robustness (Article 15)

| Field | Value |
|---|---|
| Severity | 🔴 HIGH |
| Priority | 🟠 P2 MAJEUR |
| Effort | 2–4 days |
| Type | CODE |
Action required: Add schema validation (Pydantic/jsonschema) on all user inputs.
Implementation example:
class InputSchema(BaseModel): query: str = Field(max_length=2000); ...
Expected evidence (how to prove this is fixed):
Evidence requirements depend on implementation architecture. Examples: test report, runtime logs, configuration snapshot, CI/CD validation report.
Risk if not remediated:
⚠️ Regulatory gap — see article reference.
⚠️ These are estimated scores — not predictions or guarantees.
They assume all recommended controls are implemented as described in the Playbook,
all evidence artifacts are accepted, and no new findings emerge during review.
| Work Phase | Estimated Score | Evidence Strength | Indicative Timeline |
|---|---|---|---|
| CURRENT STATE | 57.2/100 | EVIDENCE INSUFFICIENT — Available technical evidence is insufficient to support a positive assessment within the analyzed scope. Technical remediation required. | Now |
| PHASE 1 — Critical gaps | ~75/100 (estimated) | Gate article gaps resolved | 4–6 weeks |
| PHASE 2 — Full evidence | ~91/100 (estimated) | Evidence sufficient for review | 10–14 weeks |
Estimation basis:
Phase 1 — assumes: all BLOCKING checkpoints addressed, gate articles pass.
Phase 2 — assumes: 80% of HIGH/MEDIUM controls evidenced at E2 or above.
These scores are indicative estimates, not certification guarantees.
An independent conformity assessment may produce different results.
| Phase | Checkpoints | Indicative Effort |
|---|---|---|
| Phase 1 — BLOCKING | 19 | High (months) |
| Phase 2 — HIGH | 16 | High (months) |
| Phase 3 — MEDIUM/LOW | 1 | Low (days) |
Effort levels are indicative only. Actual effort depends on team size, stack,
architecture and organisational maturity — none of which are assessed by this audit.
No cost estimate is provided for this reason.

Phase 1 priority: technical alignment of Article 12 — resolves immediate regulatory exposure and unblocks dependent controls.
This technical audit is a "point-in-time" analysis based on the assets provided during the ingestion phase.
Scope of responsibility:
1. Nature of the analysis: This audit is a technical compliance assessment, not a definitive legal opinion. It does not replace certification by a Notified Body if the system is classified "High Risk".
2. Source quality: The accuracy of the results depends on the completeness of the codebase and documentation provided. Third-party components (closed APIs, SaaS models) were assessed on the basis of their declared specifications.
3. Evolvability: Any subsequent change to the source code, algorithmic logic or training datasets voids the validity of the scores presented in this report.
| Parameter | Value |
|---|---|
| Audit LLM model | deepseek/deepseek-chat |
| Temperature | 0.0 (deterministic) |
| Static-analysis rate (STATIC_FALLBACK) | 0.0% |
0.0% (0/92 facts) of the facts were produced by static analysis (regex) — without LLM judgement. These facts have a confidence of 0.1 and do not replace semantic analysis.
Note on reproducibility: At temperature 0, the LLM produces quasi-deterministic results on a fixed commit. The same commit re-read with the same provider will produce identical or very close results. The main variability comes from cloud batching (external provider) — in air-gap mode (Ollama), reproducibility is maximal.
The final compliance score is computed with a **Progressive Rigour** algorithm. It is not a simple average, but a reliability funnel that applies reduction coefficients based on the quality of the technical evidence.
Final_Score = ( Σ(Score_Art × Weight_Art) / Σ(Weight_Art) ) × C_ov × F_p × Ψ_sincerity × Φ_certainty
This document is protected by an SHA-256 cryptographic seal.
The fingerprints below are anchored in the audit database (audit_runs)
and in the .factdna/audit_manifest.json manifest.
Any change to the score, a verdict, the source code or the text invalidates this seal.
| Element | Value |
|---|---|
| Audit identifier | CSVA-20260614-9BE11290 |
| Audit mode | STATIC |
| Sealed score | 57.17 / 100 |
| Sealed verdict | ⚠️ PARTIAL TECHNICAL ALIGNMENT (57/100 — threshold: 75) |
| Sealed SCI | 100.0% |
| Sealed IntegrityGap | 1.9% |
| Sealed RuntimeConfidence | 72.5 |
| Sealed Sincerity | 87.3% |
| Timestamp | 2026-06-17 09:47:24 UTC |
| SHA-256 — Report body | 469bd553af11394b09d7f77477b1883798cb40432588f8e2e9881c7081720243 |
| SHA-256 — Evidence Ledger | e8d1ab7a18147efbbb38169228453f18… |
| SHA-256 — Source tree | 0ab1f790327ac5db491398a61904858e… |
| SHA-256 — Tests | 3e755643549dfa81e004d60957647415… |
| SHA-256 — Configuration | 82ff2e505fd38023a47e74e0e0d87037… |
| SHA-256 — Models / Weights | N/A (0 files) |
| SHA-256 — Manifest | 2ccc0d89faa13afebb13c8f541b93c3b… |
| Sealed source files | 90 file(s) |
| Database anchoring | ✅ Anchored (audit_runs) |
| RFC 3161 token (FreeTSA) | Not available (optional) |
This token is the primary proof of integrity. It can only be produced by CAMSVA.
CAMSVA-SEAL-v1:CSVA-20260614-9BE11290:20260617T094724Z:0ab1f790327ac5db491398a61904858e5253e99ceebe02a836be72e23cbdc257:37da6a4d10fb5719
Meaning: This token contains audit_id + timestamp + tree_hash, signed with HMAC-SHA256
using a secret key internal to CAMSVA (never accessible in the user's code).
A user who modifies their source files or their assert_integrity() cannot
produce a valid token for their new code.
To verify at any time that the code has not changed since this audit:
```bash
# From the CAMSVA directory (third-party tool, outside the user's scope):
python camsva.py --verify \
  --project "C:/projects/kosmos1/FactDNA_Pro/camsvapro/public_audits/openbb/agents-for-openbb" \
  --seal "CAMSVA-SEAL-v1:CSVA-20260614-9BE11290:20260617T094724Z:0ab1f790327ac5db491398a61904858e5253e99ceebe02a836be72e23cbdc257:37da6a4d10fb5719"
```
Possible results:
| Status | Meaning | Action |
|---|---|---|
| IDENTICAL | Code = audited version ✅ | Seal valid |
| MODIFIED | Files changed since the audit ⚠️ | Re-audit before deployment |
| INVALID_SEAL | Token forged or truncated 🔴 | Contact the CAMSVA auditor |
.factdna/camsva_integrity_guard.py enables a check at application startup.
This is a convenience tool — the official cryptographic proof is the Seal Token above.
```python
# In the application entry point (opt-in):
import sys, os
sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".factdna"))
from camsva_integrity_guard import assert_integrity, verify
assert_integrity(__file__)  # raises RuntimeError if the code has drifted
```
END OF AUDIT REPORT — CAMSVA v1.0
This document is the property of the audited organisation.
Any reproduction without the associated sealing metrics is considered invalid.
Applied framework: EU AI Act (2024) — Regulation (EU) 2024/1689.