EU AI Act
Control Mapping
Strix does not generate compliance reports. It enforces controls at runtime and produces verifiable evidence as a result. This document maps those enforcement capabilities to the obligations defined in EU AI Act Articles 12, 14, and 28.
Enforcement, not documentation
Most compliance tooling generates reports about what should happen. Strix makes it happen — and proves it did.
Not assessment
We do not survey your gaps. Your compliance partner identifies where controls are required — we make those controls real.
Not static reports
We do not produce documentation that ages. Every piece of evidence is tied to a real execution path in production.
Runtime enforcement
Controls are enforced at the execution boundary. Evidence is produced as a byproduct of enforcement — not as a separate system.
Logging & Traceability
Can Strix prove that relevant AI and system actions are recorded in a way that is complete, traceable, and reconstructable?
Deterministic evidence records
Every governed action produces a complete record: who initiated it (AI vs human), what action (capabilityId), a hash of the full payload (which binds the record to the exact input without storing it), a timestamp, the decision result, and the execution outcome.
Chain integrity
Every evidence record is hashed with SHA-256. Proof chain hashes link sequential records. Gaps and alterations are independently detectable.
Reconstructability
Decision, approval, and execution are preserved as separate records rather than collapsed into one log line, and the policy reasoning is recorded with each decision, so the path from proposal to outcome can be replayed step by step.
“We don't generate logs — we generate deterministic evidence tied to real execution paths.”
Human Oversight
Can a human meaningfully intervene before high-risk AI and system actions occur?
Pre-execution control
AI cannot execute high-risk actions directly. Every critical and high-risk action is intercepted before execution. The handler never runs without explicit authorization.
Required approval workflow
High-risk actions require human review with role-based authorization. Critical actions require a multi-person quorum (two or three distinct approvers). Self-escalation is blocked: the actor that proposed an action cannot approve it.
Explicit authorization artifact
An execution token is issued after approval — HMAC-SHA256 signed, bound to action + payload + actor, single-use, and consumed before the handler executes.
Evidence of oversight
Every approval records: who approved, when, why, and what changed after approval. The full decision chain is preserved from proposal through execution.
“Oversight isn't a UI step — it's enforced at the execution boundary.”
Enforcement pipeline
Every high-risk action passes through this sequence. There is no alternate code path that bypasses evaluation.
- Action intercepted and held; the handler does not run
- Risk tier and policy applied; decision and reasoning recorded
- Human review: role-based approval, or a multi-person quorum for critical actions
- HMAC-SHA256 execution token issued, bound to action, payload and actor
- Token redeemed (single use), then the handler runs
Accountability & Provider Responsibility
Can the system provider demonstrate accountability for how the system behaves and what it does?
Clear attribution
Every action answers: who initiated it (AI vs human), what system performed it, and under what policy. No ambiguity between automated and human-initiated operations.
Decision transparency
Why something was allowed or denied. What rule triggered the decision. Not just outcome — reasoning. The policy version is recorded with each evaluation.
Enforcement evidence
Proof that controls were actually applied, not just configured. Evaluation happened. Approval happened. Token was validated. Execution occurred after authorization.
Verifiable proof
Not one 'verified' badge — layered proof. Hash integrity per record, chain integrity across records, signature validity for tokens, and public verification.
Exportable evidence package
Evidence that can be attached to an audit, given to a regulator, or referenced in documentation. Full decision + execution trail with cryptographic proof.
“We don't just show what happened — we prove how and why it was allowed to happen.”
The partnership model
Your compliance partner identifies where controls are required. Strix makes those controls real at runtime — and provable after the fact.
Before Strix
- Identifies required controls per article
- Maps system to Articles 12, 14, 28
- Flags gaps: missing oversight, traceability, accountability
- Defines which actions require governance
After handoff
- Wraps identified actions with governed execution
- Defines risk levels, approval requirements, token constraints
- Enables human review, token issuance, validation before execution
- Produces verifiable evidence automatically
// Wrap a high-risk action with governed execution
const result = await strix.governedAction({
  capability: "admin.updateMemberRole",
  actor: currentUser,
  context: { targetUserId, newRole },
}, async (token) => {
  // Only runs after evaluation + approval + token redemption.
  // `token` is the single-use execution token, already consumed by the kernel.
  // Illustrative data-access call, scoped to the member named in the context.
  await db.members.update({ id: targetUserId }, { role: newRole });
});
// Evidence is produced automatically:
// → Decision record (who, what, why, when)
// → Approval chain (who approved, quorum met)
// → Execution token (HMAC signature, single-use)
// → Evidence hash (SHA-256, chain-linked)
What we need from clients
Strix doesn't replace existing systems — it wraps the actions that matter.
High-risk action list
Which operations require governance: deletions, role changes, AI-initiated actions, bulk operations, financial transactions.
API or SDK access
Access to wrap those actions with the governance SDK. One function call per governed action — no architectural changes required.
Role definitions
Who can approve what. Which actors are human, which are automated. The organizational structure that determines approval quorums.
Policy rules
Risk classifications per action, approval requirements per risk tier, and any domain-specific constraints the kernel should enforce.
What regulators see
Three deliverables, each independently verifiable.
Proof pack
Complete decision + execution records with hash chains, policy versions, approval records, and token redemption proof.
JSON export with SHA-256 integrity
Evidence records
Full governance trail for every action: actor attribution, risk classification, policy reasoning, timestamps, and outcomes.
Filterable by action, actor, risk, time
Verification output
Independent hash verification against any evidence record. Public API endpoint, no authentication required, rate-limited.
GET /api/public/verify?hash=...
The positioning
You identify where controls are required.
We make those controls real at runtime — and provable after the fact.
See it running in production
127 capabilities governed, every decision recorded, every hash independently verifiable. See the governance kernel in action.
Currently in private beta — limited spots available.
npx @strixgov/verifier@latest 5686