Your AI is now regulated infrastructure.
Ship the paperwork too.
The EU AI Act lands 2 August 2026. Audit trails, Annex IV technical documentation, risk classification, and human oversight stop being optional. Fines reach EUR 35M or 7% of global turnover. Sandcastle ships every required artefact out of the box, on infrastructure you control.
Three new liabilities your AI suddenly has.
The EU AI Act is the world's first horizontal AI regulation. General-purpose AI obligations take effect 2 August 2026, with full high-risk system enforcement following on 2 August 2027. National competent authorities can audit, demand records, and fine.
Fines that move the share price
Prohibited AI practices: up to EUR 35M or 7% of global annual turnover, whichever is higher. Non-compliance with provider obligations: up to EUR 15M or 3%. Incorrect information to authorities: up to EUR 7.5M or 1%.
Article 99 - penalties scale with turnover, not infringement size.
Audit records on demand
Providers of high-risk AI systems must keep automatically generated logs for at least six months. Authorities can request them at any time. No logs equals presumed non-compliance.
Article 12 - logging is a provider duty, not a feature request.
Mandatory transparency
Technical documentation per Annex IV must exist before the system is placed on the market and stay current. Deployers must inform users they are interacting with AI. Output of GenAI must be machine-readable as AI-generated.
Article 11 + Article 50 - documentation is a market access condition.
Six controls. Already shipping.
Sandcastle was built EU-first. Every compliance control below is a built-in primitive, not a roadmap item. Each maps to a specific Article of Regulation (EU) 2024/1689.
Tamper-evident audit trail
Every step, prompt, model call, approval, and output is logged with a SHA-256 hash chain. Each entry links cryptographically to the previous one - any retroactive edit breaks the chain and is detectable.
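How such a chain detects edits, and where it stops helping, shown as an added example (not Sandcastle's code; the entry layout, the `GENESIS` value and the `anchored_head` parameter are assumptions). Anyone with write access to the log store can recompute every hash after an edit, so the head hash also has to be kept somewhere they cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev,
                  "hash": entry_hash(prev, event)})


def verify(chain, anchored_head=None):
    """Recompute every link; optionally compare the head to a copy kept
    outside the log store (hypothetical anchor, e.g. write-once storage)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = entry_hash(prev, entry["event"])
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return {"verified": False, "first_bad_index": i}
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        # Internally consistent, but not the chain that was anchored:
        # rewritten end to end, or truncated at the tail.
        return {"verified": False, "first_bad_index": None}
    return {"verified": True, "first_bad_index": None}


def build_chain(events):
    chain = []
    for event in events:
        append(chain, event)
    return chain


# Constructed sample events, not real Sandcastle log records.
SAMPLE_EVENTS = [
    {"type": "prompt", "run_id": "run-1", "text": "score applicant"},
    {"type": "model_call", "run_id": "run-1", "model": "example-model"},
    {"type": "approval", "run_id": "run-1", "decision": "accept"},
]
```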
GET /api/audit/verify
{ "verified": true, "events": 14823,
"chain_intact": true, "since": "2026-01-01" }
Annex IV transparency report
One command generates the full Annex IV technical documentation: system purpose, training data sources, risk assessment, performance metrics, human oversight measures, and post-market monitoring plan. Versioned, exportable, ready for authorities.
$ sandcastle compliance annex-iv \
    --workflow loan-decisioning \
    --format pdf --output annex-iv-2026.pdf
Risk-level classification
Every workflow declares risk_level in YAML: minimal, limited, high, or unacceptable. The engine refuses to execute unacceptable workflows and enforces mandatory approval gates on high-risk ones - the Article 9 risk management system is enforced by the runtime.
risk_level: high
steps:
  - id: review
    type: approval
    approval_config:
      message: "Human oversight required (Art. 14)"
Emergency stop + approval gates
Every running workflow exposes an emergency stop endpoint that halts execution within seconds. Approval steps let a human accept, edit, or reject any decision before it propagates - the Article 14 oversight measures are not theoretical, they are clickable.
POST /api/runs/{run_id}/emergency-stop
{ "stopped": true, "reason": "operator intervention",
"logged_in_audit_chain": true }
Privacy router (PII redaction)
Configurable per-workflow regex + named-entity redaction for emails, phone numbers, national IDs, IBAN, credit cards, and custom patterns. Operates in redact or audit-only mode. Outbound model traffic can be scrubbed before it leaves your network.
privacy:
  mode: redact
  patterns: [email, phone, iban, national_id]
  applies_to: [outbound_llm]
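A minimal version of regex redaction with the two modes, as an added example that is not Sandcastle's implementation: the patterns, the `audit_only` mode name and the `scrub` function are assumptions, and named-entity recognition is left out. It adds a mod-97 checksum test so that IBAN-shaped strings such as order numbers are not counted as findings.

```python
import re

# Constructed patterns for illustration; real deployments need tuned, tested ones.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "iban": re.compile(
        r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"),
}


def iban_checksum_ok(candidate):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def scrub(text, mode="redact", enabled=("email", "iban")):
    """Return (text, counts). mode is "redact" or "audit_only" (assumed names).
    counts holds match counts per type, never the matched values, so the
    audit record itself does not become a store of PII."""
    counts = {}
    for name in enabled:
        def handle(match, name=name):
            value = match.group()
            if name == "iban" and not iban_checksum_ok(value):
                return value  # IBAN-shaped but fails mod-97: not a finding
            counts[name] = counts.get(name, 0) + 1
            return f"[{name.upper()}]" if mode == "redact" else value
        text = PATTERNS[name].sub(handle, text)
    return text, counts


# Constructed prompt; the first IBAN is the standard documentation example,
# the second has deliberately wrong check digits.
SAMPLE = ("Refund to DE89 3704 0044 0532 0130 00 for anna@example.org; "
          "ref DE00 3704 0044 0532 0130 00.")
```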
Compliance mode + AI disclosure
Compliance mode tightens defaults across the board: forces approval on every high-risk step, blocks workflows missing risk_level, requires Annex IV freshness, and stamps GenAI outputs with machine-readable AI-generated metadata as required under Article 50.
$ sandcastle serve --compliance-mode strict
[ok] Audit chain verified
[ok] All workflows have risk_level
[ok] AI-output watermarking enabled
Provider obligations sit with you. Keep the substrate too.
Under Article 25, the entity that puts an AI system on the market under its own name is the provider - even if it builds on top of a third-party model. The Act's provider duties cannot be outsourced to your SaaS vendor's privacy policy.
Sandcastle is open-source and runs entirely on your infrastructure. The audit trail lives in your database. The logs live on your disk. Model traffic can be pinned to EU regions or to on-premise inference. No data leaves your jurisdiction without your explicit configuration.
Self-hosted sandboxes for regulated workloads. Sandcastle now wires Anthropic Managed Agents self-hosted sandboxes - tool calls run in your infrastructure (Cloudflare / Daytona / Modal / Vercel / Docker), orchestration brain at Anthropic. Combine with our Memory MCP server via tunnel to fill the memory_stores gap Anthropic disclaims. Read the deployment guide.
- Audit logs stored in your Postgres. Article 12 - logs are your obligation, not your vendor's.
- EU data residency enforced at routing layer. Article 25 - provider responsibility for data flows.
- On-premise model inference via Ollama or oMLX. No third-party processor for sensitive prompts.
- Source-available BSL 1.1 - inspect every line. No vendor lock-in for a 10-year retention obligation.
- Annex IV documents export as PDF or JSON. Article 11 - portable for handover to authorities.
The Sandcastle Compliance Pack.
Pre-built YAML workflows for the documents and processes the Act actually requires. Drop them into workflows/, edit the input schema, run them through the dashboard. Each declares its risk_level and maps to specific Articles.
dpia.yaml
Data Protection Impact Assessment that walks through Annex IV section by section. Outputs a signed PDF ready for your DPO.
vendor-risk-assessment.yaml
Score third-party AI vendors on data residency, audit-trail support, model lineage, and incident history.
incident-report.yaml
Serious incident reporting to the market surveillance authority within the 15-day window required by Article 73.
transparency-report.yaml
Generates the Annex IV technical documentation from your run history. Versioned, signed, exportable.
bias-audit.yaml
Fairness check on a labelled dataset with demographic slicing, disparate impact ratio, and recommendations.
human-oversight-log.yaml
Records every human review decision (accept, edit, reject) with reviewer identity and timestamp.
model-card-generator.yaml
Produces a model card per the Article 53 GPAI provider obligations: training data, evaluation, limitations.
risk-register.yaml
Maintains an ongoing risk register across your AI portfolio with severity, likelihood, and mitigation status.
gdpr-data-subject-request.yaml
Orchestrates a DSAR fulfilment: search audit trail, redact third-party data, package the response.
ai-inventory.yaml
Org-wide AI system inventory: every workflow, model, provider, data class, and risk level in one register.
Stop drafting policy. Start shipping artefacts.
The deadline does not move. The fines do not get smaller. The auditors will not accept a Notion page. Get the compliance pack, run it through the dashboard, and have the documents ready before 2 August 2026.