Sentinel Sovereignty Report

Project: sentinel-preview · Storage: sqlite · Data residency: EU-DE · Sovereign scope: EU
Generated: 2026-04-11
EU AI Act Annex III enforcement: 2 August 2026. High-risk AI systems must prove automatic tamper-resistant logging.
113 days remaining

Executive summary

Your system meets EU sovereignty requirements.

The runtime sovereignty score is 98% — that is the fraction of installed Python packages with no US CLOUD Act exposure. EU AI Act overall status: PARTIAL. Automated coverage of the required articles: 36%.

Where the report flags partial or non-compliant items, the "recommended actions" block below names each one in priority order. Every action corresponds to a specific file or configuration change.

Sovereignty score: 98%

109 of 111 installed packages are EU-sovereign or neutral. 3 are US-incorporated and subject to the CLOUD Act. 81 are unknown.

Critical-path violations: 0. This is a runtime snapshot. CI/CD and infrastructure are reported separately below.

EU AI Act compliance

Overall: PARTIAL · Automated coverage: 36%

| Article | Title | Status | Detail | What to do |
|---|---|---|---|---|
| Art. 9 | Risk management | PARTIAL | Policy evaluator configured; every decision records the policy result. | Implement a formal risk management process. (Before deployment · Engineering + Risk) |
| Art. 10 | Data governance | ACTION_REQUIRED | Data governance is not automatable by a middleware kernel. | Document training data governance end-to-end. (Your team must implement · Data + Legal) |
| Art. 11 | Technical documentation | ACTION_REQUIRED | Annex IV technical documentation is a human deliverable. | Review manually. (— · Team) |
| Art. 12 | Automatic record keeping | COMPLIANT | Every wrapped call produces a DecisionTrace automatically, stored append-only. | Enable tamper-resistant trace persistence. (Before deployment · Engineering) |
| Art. 13 | Transparency & information to deployers | COMPLIANT | Traces record agent, model, policy name/version, and result per decision. | Populate transparency metadata on every trace. (Before deployment · Engineering) |
| Art. 14 | Human oversight | COMPLIANT | Kill switch implemented; every override recorded as linked trace entry. | Prove the kill switch works end-to-end. (Before deployment · Engineering + Ops) |
| Art. 15 | Accuracy, robustness, cybersecurity | ACTION_REQUIRED | Model evaluation and adversarial testing are outside the trace layer. | Define accuracy metrics for your specific use case. (Your team must implement · Data + Engineering) |
| Art. 17 | Quality management system | COMPLIANT | Continuous, append-only trace record satisfies the traceability requirement. | Establish a quality management system for AI outputs. (Before deployment · Quality + Engineering) |
| Art. 16 | Provider obligations | PARTIAL | Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. | Review manually. (— · Team) |
| Art. 26 | Deployer obligations | PARTIAL | Art. 26(5) deployer logging and Art. 26(6) human oversight primitives are shipped (kill switch + trace store). | Review manually. (— · Team) |
| Art. 72 | Post-market monitoring (GPAI) | PARTIAL | Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. | Review manually. (— · Team) |

Recommended actions

HIGH · Art. 9 — Risk management
Implement a formal risk management process.
Document risk categories for each AI use case, assign risk owners, and wire a PolicyEvaluator (SimpleRuleEvaluator or LocalRegoEvaluator) into Sentinel so every decision is checked against the documented risks.
Deadline: Before deployment · Owner: Engineering + Risk

HIGH · Art. 16 — Provider obligations
Review manually.
No automated guidance available for this article.
Deadline: — · Owner: Team

HIGH · Art. 26 — Deployer obligations
Review manually.
No automated guidance available for this article.
Deadline: — · Owner: Team

HIGH · Art. 72 — Post-market monitoring (GPAI)
Review manually.
No automated guidance available for this article.
Deadline: — · Owner: Team

MEDIUM · Art. 10 — Data governance
Document training data governance end-to-end.
Record training data sources, quality controls, bias assessments, and data governance policies. This is a human process — Sentinel cannot automate it. See docs/bsi-profile.md for the BSI-aligned template.
Deadline: Your team must implement · Owner: Data + Legal

MEDIUM · Art. 11 — Technical documentation
Review manually.
No automated guidance available for this article.
Deadline: — · Owner: Team

MEDIUM · Art. 15 — Accuracy, robustness, cybersecurity
Define accuracy metrics for your specific use case.
Choose accuracy, robustness, and cybersecurity metrics that match the domain risk. Implement monitoring and drift alerting. This is a human process — Sentinel cannot automate the metric choice.
Deadline: Your team must implement · Owner: Data + Engineering

Next steps

Once the actions above are resolved, proceed in this order:

  1. Generate an attestation you can share with auditors:
    sentinel attestation generate --output governance.json
  2. Run the manifesto + compliance check and attach the output to your change request:
    sentinel compliance check --all-frameworks
  3. Schedule BSI pre-engagement — the pre-engagement package is already in docs/bsi-pre-engagement/. Contact BSI Referat KI-Sicherheit.
  4. EU AI Act Annex III enforcement: 113 days remaining (2 August 2026). Penalties up to €15M or 3% of global annual turnover.

Manifesto status

Overall manifesto score: 100%

| Dimension | Detail |
|---|---|
| jurisdiction | 0 critical-path violations |
| kill_switch | kill switch API present |
| storage | backend: sqlite |
| bsi | targeting 2026-12-31 |

Runtime packages

Showing first 60 of 111 installed packages. Sovereign: 109 · US-owned: 3 · Unknown: 81

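| Package | Version | Parent | Jurisdiction | CLOUD Act | Critical |
|---|---|---|---|---|---|
| shellingham | 1.5.4 | Unknown | Unknown | | no |
| requests | 2.33.1 | Python Software Foundation | Neutral | NO | no |
| more-itertools | 10.8.0 | Unknown | Unknown | | no |
| pexpect | 4.9.0 | Unknown | Unknown | | no |
| grpcio | 1.80.0 | Unknown | Unknown | | no |
| platformdirs | 4.9.4 | Unknown | Unknown | | no |
| rfc3986 | 2.0.0 | Unknown | Unknown | | no |
| uuid_utils | 0.14.1 | Unknown | Unknown | | no |
| traitlets | 5.14.3 | Unknown | Unknown | | no |
| jaraco.classes | 3.4.0 | Unknown | Unknown | | no |
| opentelemetry-exporter-otlp-proto-common | 1.41.0 | Unknown | Unknown | | no |
| click | 8.3.1 | Pallets | Neutral | NO | no |
| asttokens | 3.0.1 | Unknown | Unknown | | no |
| ptyprocess | 0.7.0 | Unknown | Unknown | | no |
| certifi | 2026.2.25 | Certifi | Neutral | NO | no |
| iniconfig | 2.3.0 | Unknown | Unknown | | no |
| jaraco.context | 6.1.2 | Unknown | Unknown | | no |
| sentinel-kernel | 1.7.0 | sentinel-kernel | EU | NO | yes |
| virtualenv | 21.2.0 | Unknown | Unknown | | no |
| asgiref | 3.11.1 | Unknown | Unknown | | no |
| starlette | 1.0.0 | Encode | Neutral | NO | no |
| executing | 2.2.1 | Unknown | Unknown | | no |
| pydantic | 2.12.5 | Pydantic Services | UK | NO | no |
| pytest-cov | 7.1.0 | pytest-cov | Neutral | NO | no |
| uv | 0.11.3 | Unknown | Unknown | | no |
| tomlkit | 0.14.0 | Unknown | Unknown | | no |
| jedi | 0.19.2 | Unknown | Unknown | | no |
| hyperlink | 21.0.0 | Unknown | Unknown | | no |
| idna | 3.11 | Kim Davies | Neutral | NO | no |
| distlib | 0.4.0 | Unknown | Unknown | | no |
| zstandard | 0.25.0 | Unknown | Unknown | | no |
| build | 1.4.2 | Unknown | Unknown | | no |
| jsonpatch | 1.33 | Unknown | Unknown | | no |
| ipython_pygments_lexers | 1.1.1 | Unknown | Unknown | | no |
| rich | 14.3.3 | Unknown | Unknown | | no |
| userpath | 1.9.2 | Unknown | Unknown | | no |
| librt | 0.8.1 | Unknown | Unknown | | no |
| tenacity | 9.1.4 | Unknown | Unknown | | no |
| prompt_toolkit | 3.0.52 | Unknown | Unknown | | no |
| Django | 6.0.4 | Unknown | Unknown | | no |
| tomli_w | 1.2.0 | Unknown | Unknown | | no |
| psycopg2-binary | 2.9.11 | PostgreSQL Global Dev Group | Neutral | NO | no |
| httpcore | 1.0.9 | Encode | Neutral | NO | no |
| filelock | 3.25.2 | Unknown | Unknown | | no |
| decorator | 5.2.1 | Unknown | Unknown | | no |
| opentelemetry-exporter-otlp-proto-http | 1.41.0 | Unknown | Unknown | | no |
| nh3 | 0.3.4 | Unknown | Unknown | | no |
| stack-data | 0.6.3 | Unknown | Unknown | | no |
| orjson | 3.11.8 | Unknown | Unknown | | no |
| opentelemetry-semantic-conventions | 0.62b0 | Unknown | Unknown | | no |
| markdown-it-py | 4.0.0 | Unknown | Unknown | | no |
| matplotlib-inline | 0.2.1 | Unknown | Unknown | | no |
| docutils | 0.22.4 | Unknown | Unknown | | no |
| opentelemetry-api | 1.41.0 | CNCF | Neutral | NO | no |
| wrapt | 1.17.3 | Unknown | Unknown | | no |
| hatchling | 1.29.0 | Ofek Lev | Neutral | NO | no |
| ipython | 9.12.0 | Unknown | Unknown | | no |
| opentelemetry-proto | 1.41.0 | Unknown | Unknown | | no |
| twine | 6.2.0 | Unknown | Unknown | | no |
| h11 | 0.16.0 | python-hyper | Neutral | NO | no |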

CI/CD findings

| File | Component | Vendor | Jurisdiction | CLOUD Act |
|---|---|---|---|---|
| .github/workflows/ci.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/pages.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/release.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/rust.yml | github_actions | GitHub (Microsoft) | US | YES |
| pyproject.toml | pypi | Python Package Index | US | NO |

Infrastructure findings

File Component Vendor Jurisdiction CLOUD Act
No infrastructure findings