Compliance & Regulation
How Aira maps to EU AI Act, SR 11-7, GDPR, and other regulatory frameworks.
Overview
Aira provides the technical infrastructure to meet regulatory requirements for autonomous AI agents. This guide maps Aira features to specific regulatory articles.
EU AI Act
The EU AI Act (Regulation 2024/1689) requires organizations deploying high-risk AI systems to maintain documentation, logging, and human oversight.
| Article | Requirement | Aira Feature |
|---|---|---|
| Art. 12 — Record-keeping | Automatic logging of AI system operation | Action notarization — every agent action is cryptographically signed and timestamped |
| Art. 13 — Transparency | Users must be informed that they are interacting with AI | Agent registry — public identity pages with capabilities and model versions |
| Art. 14 — Human oversight | Human intervention and override capability | Human co-signatures on actions, human review triggers on cases (disagreement threshold) |
| Art. 17 — Quality management | Quality management system throughout lifecycle | Agent versioning, compliance snapshots, evidence packages |
| Art. 26 — Deployer obligations | Monitoring, logging, inform authorities of risks | Audit logs, usage tracking, compliance snapshots with findings |
| Art. 72 — Post-market monitoring | Ongoing monitoring of AI system performance | Time-travel queries, liability chains, evidence packages for audit trail |
Compliance Snapshots
Create point-in-time compliance attestations:
snapshot = aira.create_compliance_snapshot(
framework="eu-ai-act",
agent_slug="lending-agent",
findings={
"art_12_logging": "pass",
"art_13_transparency": "pass",
"art_14_oversight": "pass",
"art_17_quality": "pass",
"art_26_monitoring": "pass",
},
)Evidence Packages for Auditors
Bundle all relevant actions into a sealed, cryptographically signed package:
package = aira.create_evidence_package(
title="EU AI Act Audit — Lending Agent Q1 2026",
action_uuids=["act-1", "act-2", "act-3"],
description="All lending decisions with full chain of custody",
)US Federal Reserve SR 11-7
SR 11-7 (Guidance on Model Risk Management) requires banks to validate, monitor, and document model performance.
| SR 11-7 Requirement | Aira Feature |
|---|---|
| Model inventory | Agent registry with versions, capabilities, model IDs |
| Model validation | Multi-model cases — compare decisions across models |
| Ongoing monitoring | Usage tracking, disagreement scoring, time-travel |
| Documentation | Cryptographic receipts, evidence packages |
| Audit trail | Immutable audit logs, action chain of custody |
Multi-Model Validation
Run the same decision through multiple models and measure agreement:
case = aira.run_case(
details="Should we approve loan application #4521?",
models=["claude-sonnet-4-6", "gpt-5.4", "gemini-3.1-pro"],
)
# Consensus scoring detects disagreement
if case["consensus"]["requires_human_review"]:
# Route to human reviewer
passGDPR
| GDPR Article | Aira Feature |
|---|---|
| Art. 5 — Data minimization | Hash-only storage by default — raw details are hashed, not stored |
| Art. 17 — Right to erasure | Legal hold prevents accidental deletion; evidence packages for retention obligations |
| Art. 25 — Data protection by design | Ed25519 signatures, SHA-256 hashing, RFC 3161 timestamps |
| Art. 30 — Records of processing | Action notarization creates immutable processing records |
| Art. 35 — DPIA | Compliance snapshots document risk assessments |
Hash-Only Mode (Default)
By default, Aira stores only the SHA-256 hash of action details — not the raw text. This means:
- You prove that an action happened without storing what the details were
- No PII is stored on Aira's servers
- The hash can be verified against your local records at any time
To opt in to storing encrypted details, pass store_details=True on the authorize() call:
auth = aira.authorize(
action_type="decision",
details="Approve loan for John Doe",
agent_id="lending-agent",
store_details=True, # Encrypted with org key
)Data Residency
- Cloud: All data is stored in EU (Frankfurt,
eu-central-1). No data leaves the EU. - Self-hosted: Data stays on your infrastructure. You control the region.
Security Primitives
| Primitive | Standard | Usage |
|---|---|---|
| SHA-256 | FIPS 180-4 | Action detail hashing |
| Ed25519 | RFC 8032 | Receipt signatures |
| RFC 3161 | Trusted timestamping | Independent timestamp proof |
| AES-256-GCM | FIPS 197 | Encrypted detail storage |
All receipts can be verified offline using the public key and the original payload hash.
Merkle Settlement
Periodic Merkle anchoring of action receipts. Every notarized receipt eventually gets sealed into exactly one settlement; the settlement's Merkle root is the cryptographic commitment that the batch existed at a specific moment in time.
EU AI Act mapping
Article-by-article mapping from the EU AI Act (Regulation 2024/1689) to the Aira capability that satisfies each requirement. Includes the specific code, config, and API call for every article.