Sentinel Sovereignty Report

Project: sentinel-preview · Storage: sqlite · Data residency: EU-DE · Sovereign scope: EU
Generated: 2026-04-12
EU AI Act Annex III enforcement: 2 August 2026. High-risk AI systems must prove automatic tamper-resistant logging.
112 days remaining

Executive summary

Your system meets EU sovereignty requirements.

The runtime sovereignty score is 98% — that is the fraction of installed Python packages with no US CLOUD Act exposure. EU AI Act overall status: PARTIAL. Automated coverage of the required articles: 36%.

Where the report flags partial or non-compliant items, the "recommended actions" block below names each one in priority order. Every action corresponds to a specific file or configuration change.

Sovereignty score: 98%

111 of 113 installed packages are EU-sovereign or neutral. 3 are US-incorporated and subject to the CLOUD Act. 83 are unknown.

Critical-path violations: 0. This is a runtime snapshot. CI/CD and infrastructure are reported separately below.

EU AI Act compliance

Overall: PARTIAL · Automated coverage: 36%

Article | Title | Status | Detail | What to do | Deadline · Owner
Art. 9 | Risk management | PARTIAL | Policy evaluator configured; every decision records the policy result. | Implement a formal risk management process. | Before deployment · Engineering + Risk
Art. 10 | Data governance | ACTION_REQUIRED | Data governance is not automatable by a middleware kernel. | Document training data governance end-to-end. | Your team must implement · Data + Legal
Art. 11 | Technical documentation | ACTION_REQUIRED | Annex IV technical documentation is a human deliverable. | Review manually. | — · Team
Art. 12 | Automatic record keeping | COMPLIANT | Every wrapped call produces a DecisionTrace automatically, stored append-only. | Enable tamper-resistant trace persistence. | Before deployment · Engineering
Art. 13 | Transparency & information to deployers | COMPLIANT | Traces record agent, model, policy name/version, and result per decision. | Populate transparency metadata on every trace. | Before deployment · Engineering
Art. 14 | Human oversight | COMPLIANT | Kill switch implemented; every override recorded as a linked trace entry. | Prove the kill switch works end-to-end. | Before deployment · Engineering + Ops
Art. 15 | Accuracy, robustness, cybersecurity | ACTION_REQUIRED | Model evaluation and adversarial testing are outside the trace layer. | Define accuracy metrics for your specific use case. | Your team must implement · Data + Engineering
Art. 17 | Quality management system | COMPLIANT | Continuous, append-only trace record satisfies the traceability requirement. | Establish a quality management system for AI outputs. | Before deployment · Quality + Engineering
Art. 16 | Provider obligations | PARTIAL | Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. | Complete provider registration, conformity assessment, CE marking. | Before market placement · Legal + Compliance
Art. 26 | Deployer obligations | PARTIAL | Art. 26(5) deployer logging and Art. 26(6) human oversight primitives are shipped (kill switch + trace store). | Document human oversight procedures and train staff. | Before deployment · Operations + Legal
Art. 72 | Post-market monitoring (GPAI) | PARTIAL | Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. | Publish a GPAI post-market monitoring plan (if applicable). | Before deployment (only if GPAI applies) · Engineering + Legal

Recommended actions

[HIGH] Art. 9 — Risk management
Implement a formal risk management process.
Document risk categories for each AI use case, assign risk owners, and wire a PolicyEvaluator (SimpleRuleEvaluator or LocalRegoEvaluator) into Sentinel so every decision is checked against the documented risks.
Deadline: Before deployment · Owner: Engineering + Risk

[HIGH] Art. 16 — Provider obligations
Complete provider registration, conformity assessment, CE marking.
Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. Register your AI system in the EU AI Act database (Art. 71). Conduct conformity assessment (Annex VI or VII depending on risk class). Affix CE marking. Registration and conformity assessment are human deliverables.
Deadline: Before market placement · Owner: Legal + Compliance

[HIGH] Art. 26 — Deployer obligations
Document human oversight procedures and train staff.
Art. 26(5) deployer logging and Art. 26(6) human oversight primitives (kill switch + trace store) are shipped by Sentinel. Document human oversight procedures in writing. Define escalation paths for when the kill switch is engaged. Train operational staff on AI system limitations and the override process. Establish an incident reporting workflow.
Deadline: Before deployment · Owner: Operations + Legal

[HIGH] Art. 72 — Post-market monitoring (GPAI)
Publish a GPAI post-market monitoring plan (if applicable).
Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. Only applies if deploying a GPAI model as a high-risk system. Publish a GPAI post-market monitoring plan. Maintain model cards and capability evaluations. Sentinel provides the audit trail automatically.
Deadline: Before deployment (only if GPAI applies) · Owner: Engineering + Legal

[MEDIUM] Art. 10 — Data governance
Document training data governance end-to-end.
Record training data sources, quality controls, bias assessments, and data governance policies. This is a human process — Sentinel cannot automate it. See docs/bsi-profile.md for the BSI-aligned template.
Deadline: Your team must implement · Owner: Data + Legal

[MEDIUM] Art. 11 — Technical documentation
Review manually.
No automated guidance available for this article.
Deadline: — · Owner: Team

[MEDIUM] Art. 15 — Accuracy, robustness, cybersecurity
Define accuracy metrics for your specific use case.
Choose accuracy, robustness, and cybersecurity metrics that match the domain risk. Implement monitoring and drift alerting. This is a human process — Sentinel cannot automate the metric choice.
Deadline: Your team must implement · Owner: Data + Engineering

Next steps

Once the actions above are resolved, proceed in this order:

  1. Generate an attestation you can share with auditors:
    sentinel attestation generate --output governance.json
  2. Run the manifesto + compliance check and attach the output to your change request:
    sentinel compliance check --all-frameworks
  3. Schedule BSI pre-engagement — the pre-engagement package is already in docs/bsi-pre-engagement/. Contact: ki-sicherheit@bsi.bund.de (bsi.bund.de/KI)
  4. EU AI Act Annex III enforcement: 112 days remaining (2 August 2026). Penalties up to €15M or 3% of global annual turnover.

Manifesto status

Overall manifesto score: 100%

Dimension | Detail
jurisdiction | 0 critical-path violations
kill_switch | kill switch API present
storage | backend: sqlite
bsi | targeting 2026-12-31

Runtime packages

Showing first 60 of 113 installed packages. Sovereign: 111 · US-owned: 3 · Unknown: 83

Showing packages in the current Python environment. For a complete scan including your project dependencies, run sentinel report from your project directory with your virtual environment activated.

Package | Version | Parent | Jurisdiction | CLOUD Act | Critical
shellingham | 1.5.4 | Unknown | Unknown | | no
requests | 2.33.1 | Python Software Foundation | Neutral | NO | no
more-itertools | 10.8.0 | Unknown | Unknown | | no
pexpect | 4.9.0 | Unknown | Unknown | | no
grpcio | 1.80.0 | Unknown | Unknown | | no
platformdirs | 4.9.4 | Unknown | Unknown | | no
rfc3986 | 2.0.0 | Unknown | Unknown | | no
uuid_utils | 0.14.1 | Unknown | Unknown | | no
traitlets | 5.14.3 | Unknown | Unknown | | no
jaraco.classes | 3.4.0 | Unknown | Unknown | | no
opentelemetry-exporter-otlp-proto-common | 1.41.0 | Unknown | Unknown | | no
click | 8.3.1 | Pallets | Neutral | NO | no
asttokens | 3.0.1 | Unknown | Unknown | | no
ptyprocess | 0.7.0 | Unknown | Unknown | | no
certifi | 2026.2.25 | Certifi | Neutral | NO | no
iniconfig | 2.3.0 | Unknown | Unknown | | no
jaraco.context | 6.1.2 | Unknown | Unknown | | no
sentinel-kernel | 1.7.0 | sentinel-kernel | EU | NO | yes
virtualenv | 21.2.0 | Unknown | Unknown | | no
asgiref | 3.11.1 | Unknown | Unknown | | no
starlette | 1.0.0 | Encode | Neutral | NO | no
executing | 2.2.1 | Unknown | Unknown | | no
pydantic | 2.12.5 | Pydantic Services | UK | NO | no
pytest-cov | 7.1.0 | pytest-cov | Neutral | NO | no
uv | 0.11.3 | Unknown | Unknown | | no
tomlkit | 0.14.0 | Unknown | Unknown | | no
jedi | 0.19.2 | Unknown | Unknown | | no
hyperlink | 21.0.0 | Unknown | Unknown | | no
pytest-xdist | 3.8.0 | Unknown | Unknown | | no
idna | 3.11 | Kim Davies | Neutral | NO | no
distlib | 0.4.0 | Unknown | Unknown | | no
zstandard | 0.25.0 | Unknown | Unknown | | no
build | 1.4.2 | Unknown | Unknown | | no
jsonpatch | 1.33 | Unknown | Unknown | | no
ipython_pygments_lexers | 1.1.1 | Unknown | Unknown | | no
rich | 14.3.3 | Unknown | Unknown | | no
userpath | 1.9.2 | Unknown | Unknown | | no
librt | 0.8.1 | Unknown | Unknown | | no
tenacity | 9.1.4 | Unknown | Unknown | | no
prompt_toolkit | 3.0.52 | Unknown | Unknown | | no
Django | 6.0.4 | Unknown | Unknown | | no
tomli_w | 1.2.0 | Unknown | Unknown | | no
psycopg2-binary | 2.9.11 | PostgreSQL Global Dev Group | Neutral | NO | no
httpcore | 1.0.9 | Encode | Neutral | NO | no
filelock | 3.25.2 | Unknown | Unknown | | no
decorator | 5.2.1 | Unknown | Unknown | | no
opentelemetry-exporter-otlp-proto-http | 1.41.0 | Unknown | Unknown | | no
nh3 | 0.3.4 | Unknown | Unknown | | no
stack-data | 0.6.3 | Unknown | Unknown | | no
orjson | 3.11.8 | Unknown | Unknown | | no
opentelemetry-semantic-conventions | 0.62b0 | Unknown | Unknown | | no
markdown-it-py | 4.0.0 | Unknown | Unknown | | no
matplotlib-inline | 0.2.1 | Unknown | Unknown | | no
docutils | 0.22.4 | Unknown | Unknown | | no
opentelemetry-api | 1.41.0 | CNCF | Neutral | NO | no
wrapt | 1.17.3 | Unknown | Unknown | | no
hatchling | 1.29.0 | Ofek Lev | Neutral | NO | no
ipython | 9.12.0 | Unknown | Unknown | | no
opentelemetry-proto | 1.41.0 | Unknown | Unknown | | no
twine | 6.2.0 | Unknown | Unknown | | no

CI/CD findings

File | Component | Vendor | Jurisdiction | CLOUD Act
.github/workflows/ci.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/pages.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/release.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/rust.yml | github_actions | GitHub (Microsoft) | US | YES
pyproject.toml | pypi | Python Package Index | US | NO

Infrastructure findings

File | Component | Vendor | Jurisdiction | CLOUD Act
No infrastructure findings