Mustafa.
Back to all projects

Aktenlage — the EU AI Act Article 26 evidence layer

A pure-Python tool that turns an agent's operational traces into an audit-ready EU AI Act Article 26 evidence pack — every obligation judged on two axes (documented × actually running), zero LLM and zero network by construction, and the static access-surface analysis of Agent Blast Radius sealed into the same hash-bound case file. Its thesis, in working code: Compliance ist keine Absicht, sondern eine Aktenlage — compliance is an artifact, not a promise.

Year
2026
Role
Salesforce Developer — EU AI Act Evidence
Tech stack
EU AI Act — Article 26 (deployer obligations)Pure Python — zero LLM, zero network, zero creditsDokument × Praxis two-axis verdictVorprüfung sanity layer (S1–S11)Deterministic, byte-identical reportsMutation-tested verifier (11/11 caught)Bridges into Agent Blast Radius (hash-bound)Agent Script parser (Salesforce's own)German audit report + sha256 evidence manifest

Highlights

  • The thesis, in working code: Article 26 cannot be satisfied with a policy document — it needs infrastructure. Aktenlage reads an agent's real operational evidence (session traces, the oversight register, the incident log, the retention policy, the .agent source) and produces a German, audit-ready evidence pack: an article-by-article ✓/⚠/✗ verdict plus a Lückenanalyse (gap analysis)
  • Every obligation is judged on two legs — Dokument (is the commitment written down) × Praxis (is there operational trace it actually runs) — and the verdict is the worse of the two. A filing cabinet full of policy with zero activity can never earn a ✓; that structurally defeats the 'Potemkin bundle' where pretty documents pass an empty system
  • The verifier can't be the model: the checks import only dataclasses and a loader — zero LLM calls, zero network, zero Flex Credits, sub-second, byte-identical across runs. The three-line requirements.txt cannot reach a network. That's an argument, not a coincidence
  • It is the legal output layer of Agent Blast Radius. Three bridges seal Blast Radius' static access-surface report into the same case file — hash-bound to its source — and section 8 prints the fingerprint, the reach and the Eskalationslücke. The bridges only produce evidence files; the checks stay pure and never adjudicate a legal question, pointing instead to the DPIA/FRIA
  • A Vorprüfung layer audits evidence quality, not just existence: dangling references, in-field arithmetic that doesn't add up, causality violations (a notice dated after the event it announces), a stale Agent-Script hash, and — S11 — an access analysis that actually belongs to a different system. A row with a Vorprüfung finding can never earn a ✓
  • The demo report ships with two deliberate, test-locked gaps (a missing AI-disclosure in one session; a FRIA that is templated but not performed). Any edit that 'cleans them up' breaks a test — because showing the system catches the gap is more convincing than appearing gap-free. An audit report where everything is green is marketing, not evidence
  • Honestly framed and locked by a test: this generates technical evidence for an Article-26 / DPIA review — it is not a compliance certificate and not legal advice; the demo scenarios are synthetic (STDM-inspired), and the mapping was done from an engineering perspective. The verifier is itself verified — a mutation script plants 11 deliberate breakages and all 11 are caught — and the Hospital example embeds a real Agent Blast Radius run (PS506 on a Diagnosis field), read from a live org at zero credits

The problem

Article 26 of the EU AI Act puts operational duties on the deployer of a high-risk AI system — human oversight by an authorised person, input-data relevance, serious-incident monitoring, log retention, worker information. The instinct is to answer it with a policy binder. But a binder proves intention, not operation: it cannot show that the oversight person actually looked, that the logs actually outlive the platform's own deletion window, that the incident was actually reconciled. And the honest failure mode is worse than an obvious one — a beautiful document cabinet on top of a system that never ran produces a page of green checks that means nothing.

The approach

Make the trace the evidence, and make the verifier structurally unable to flatter it. Aktenlage loads a local evidence bundle — session traces, an oversight register, incident and retention records, the .agent source — through a single I/O point, then runs a Vorprüfung (sanity) layer that audits evidence quality (dangling references, arithmetic that doesn't add up, causality and chronology violations, a stale Agent-Script hash, an access report that belongs to a different system) and twelve pure checks that each judge an obligation on two axes: is it documented, and does the operational trace show it actually ran — the verdict is the worse of the two, and any sanity finding caps the row below ✓. The checks import only dataclasses and a loader: no model, no network, no credits, deterministic to the byte. Three bridges connect it to Agent Blast Radius as evidence producers, never evaluators — the .agent file is parsed with Salesforce's own parser, Blast Radius' deterministic access report is sealed in hash-bound and printed in section 8, and log retention is cross-checked against the platform's own deletion window — so the case file carries machine evidence without the legal layer ever rendering a verdict it isn't entitled to.

The outcome

The tool passes its own thesis. Its demo report ships with two deliberate gaps — a missing AI-disclosure in one session, a FRIA templated but not performed — locked by a test, because a system that visibly catches the gap is more convincing than one that appears flawless; any attempt to 'clean up' the report fails the suite. The verifier is itself verified: a mutation script plants eleven deliberate breakages and all eleven are caught, an escaped mutation being exactly the empty-green risk the whole design exists to prevent. It runs against real orgs read read-only through the sf CLI at zero credits, and the portable Hospital example embeds a real Agent Blast Radius run — a Diagnosis field reaching the model past the running user's field-level access (PS506) — so the access section is real evidence, not a mock-up. Honestly bounded: this produces technical evidence for an Article-26 / DPIA review, on synthetic demo scenarios; it is not a compliance certificate and not legal advice, the FRIA check can never return a green because pure code cannot judge that an assessment was done well, and the paragraphs that are a legal call are documented as out of scope rather than ruled on. HanseWatt builds it, Prüfstand proves it, Blast Radius bounds it — Aktenlage files it.

GitHub & Notion — private, walkthrough on request