Sentinel Evidence Report

Project: sentinel-preview · Storage: sqlite · Data residency: EU-DE · Sovereign scope: EU
Generated: 2026-04-20T23:15:59+02:00
EU AI Act Annex III enforcement: 2 August 2026. High-risk AI systems must prove automatic tamper-resistant logging.
104 days remaining

Executive summary

Your system produces EU-jurisdiction evidence under the Record-Enforce-Prove model.

The runtime sovereignty score is 100% — that is the fraction of installed Python packages with no US CLOUD Act exposure. EU AI Act overall status: PARTIAL. Automated coverage of the required articles: 36%.

Where the report flags partial or non-compliant items, the "recommended actions" block below names each one in priority order. Every action corresponds to a specific file or configuration change.

Sovereignty score: 100%

40 of 40 installed packages are EU-sovereign or neutral. 1 is US-incorporated and subject to the CLOUD Act. 27 are unknown.

Critical-path violations: 0. This is a runtime snapshot. CI/CD and infrastructure are reported separately below.

EU AI Act compliance

Overall: PARTIAL · Automated coverage: 36%

Article | Title | Status | Detail | What to do
Art. 9 | Risk management | PARTIAL | Policy evaluator configured; every decision records the policy result. | Implement a formal risk management process. (Before deployment · Engineering + Risk)
Art. 10 | Data governance | ACTION_REQUIRED | Data governance is not automatable by a middleware kernel. | Document training data governance end-to-end. (Your team must implement · Data + Legal)
Art. 11 | Technical documentation | ACTION_REQUIRED | Annex IV technical documentation is a human deliverable. | Review manually. (— · Team)
Art. 12 | Automatic record keeping | COMPLIANT | Every wrapped call produces a DecisionTrace automatically, stored append-only. | Enable tamper-resistant trace persistence. (Before deployment · Engineering)
Art. 13 | Transparency & information to deployers | COMPLIANT | Traces record agent, model, policy name/version, and result per decision. | Populate transparency metadata on every trace. (Before deployment · Engineering)
Art. 14 | Human oversight | COMPLIANT | Kill switch implemented; every override recorded as linked trace entry. | Prove the kill switch works end-to-end. (Before deployment · Engineering + Ops)
Art. 15 | Accuracy, robustness, cybersecurity | ACTION_REQUIRED | Model evaluation and adversarial testing are outside the trace layer. | Define accuracy metrics for your specific use case. (Your team must implement · Data + Engineering)
Art. 17 | Quality management system | COMPLIANT | Continuous, append-only trace record satisfies the traceability requirement. | Establish a quality management system for AI outputs. (Before deployment · Quality + Engineering)
Art. 16 | Provider obligations | PARTIAL | Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. | Complete provider registration, conformity assessment, CE marking. (Before market placement · Legal + Compliance)
Art. 26 | Deployer obligations | PARTIAL | Art. 26(5) deployer logging and Art. 26(6) human oversight primitives are shipped (kill switch + trace store). | Document human oversight procedures and train staff. (Before deployment · Operations + Legal)
Art. 72 | Post-market monitoring (GPAI) | PARTIAL | Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. | Publish a GPAI post-market monitoring plan (if applicable). (Before deployment (only if GPAI applies) · Engineering + Legal)

Recommended actions

HIGH · Art. 9 — Risk management
Implement a formal risk management process.
Document risk categories for each AI use case, assign risk owners, and wire a PolicyEvaluator (SimpleRuleEvaluator or LocalRegoEvaluator) into Sentinel so every decision is checked against the documented risks.
Deadline Before deployment · Owner Engineering + Risk

HIGH · Art. 16 — Provider obligations
Complete provider registration, conformity assessment, CE marking.
Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. Register your AI system in the EU AI Act database (Art. 71). Conduct conformity assessment (Annex VI or VII depending on risk class). Affix CE marking. Registration and conformity assessment are human deliverables.
Deadline Before market placement · Owner Legal + Compliance

HIGH · Art. 26 — Deployer obligations
Document human oversight procedures and train staff.
Art. 26(5) deployer logging and Art. 26(6) human oversight primitives (kill switch + trace store) are shipped by Sentinel. Document human oversight procedures in writing. Define escalation paths when kill switch is engaged. Train operational staff on AI system limitations and override process. Establish incident reporting workflow.
Deadline Before deployment · Owner Operations + Legal

HIGH · Art. 72 — Post-market monitoring (GPAI)
Publish a GPAI post-market monitoring plan (if applicable).
Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. Only applies if deploying a GPAI model as high-risk system. Publish a GPAI post-market monitoring plan. Maintain model cards and capability evaluations. Sentinel provides the audit trail automatically.
Deadline Before deployment (only if GPAI applies) · Owner Engineering + Legal

MEDIUM · Art. 10 — Data governance
Document training data governance end-to-end.
Record training data sources, quality controls, bias assessments, and data governance policies. This is a human process — Sentinel cannot automate it. See docs/bsi-profile.md for the BSI-aligned template.
Deadline Your team must implement · Owner Data + Legal

MEDIUM · Art. 11 — Technical documentation
Review manually.
No automated guidance available for this article.
Deadline · Owner Team

MEDIUM · Art. 15 — Accuracy, robustness, cybersecurity
Define accuracy metrics for your specific use case.
Choose accuracy, robustness, and cybersecurity metrics that match the domain risk. Implement monitoring and drift alerting. This is a human process — Sentinel cannot automate the metric choice.
Deadline Your team must implement · Owner Data + Engineering

Next steps

Once the actions above are resolved, proceed in this order:

  1. Generate an attestation you can share with auditors:
    sentinel attestation generate --output governance.json
  2. Run the manifesto + compliance check and attach the output to your change request:
    sentinel compliance check --all-frameworks
  3. Schedule BSI pre-engagement — the pre-engagement package is already in docs/bsi-pre-engagement/. Contact: ki-sicherheit@bsi.bund.de (bsi.bund.de/KI)
  4. EU AI Act Annex III enforcement: 104 days remaining (2 August 2026). Penalties up to €15M or 3% of global annual turnover.

Manifesto status

Overall manifesto score: 100%

Dimension | Detail
jurisdiction | 0 critical-path violations
kill_switch | kill switch API present
storage | backend: sqlite
bsi | targeting 2026-12-31

Runtime packages

Showing first 60 of 40 installed packages. Sovereign: 40 · US-owned: 1 · Unknown: 27

Showing packages in the current Python environment. For a complete scan including your project dependencies, run sentinel report from your project directory with your virtual environment activated.

Package | Version | Parent | Jurisdiction | CLOUD Act | Critical
iniconfig | 2.3.0 | Unknown | Unknown | no
pyte | 0.8.2 | Unknown | Unknown | no
pytest-cov | 7.1.0 | pytest-cov | Neutral | NO | no
pillow | 12.2.0 | Unknown | Unknown | no
pytest-xdist | 3.8.0 | Unknown | Unknown | no
coverage | 7.13.5 | Coverage.py | Neutral | NO | no
Pygments | 2.20.0 | Unknown | Unknown | no
packaging | 26.1 | Unknown | Unknown | no
pytest-asyncio | 1.3.0 | pytest-dev | Neutral | NO | no
wcwidth | 0.6.0 | Unknown | Unknown | no
execnet | 2.1.2 | Unknown | Unknown | no
sentinel-kernel | 3.1.0 | sentinel-kernel | EU | NO | yes
charset-normalizer | 3.4.7 | Ousret | Neutral | NO | no
pytest | 9.0.3 | pytest-dev | Neutral | NO | no
termtosvg | 1.1.0 | Unknown | Unknown | no
pluggy | 1.6.0 | Unknown | Unknown | no
ruff | 0.15.10 | Astral | US | NO | no
lxml | 6.0.4 | Unknown | Unknown | no
reportlab | 4.4.10 | Unknown | Unknown | no
requests | 2.33.1 | Python Software Foundation | Neutral | NO | no
certifi | 2026.2.25 | Certifi | Neutral | NO | no
asn1crypto | 1.5.1 | Unknown | Unknown | no
wheel | 0.46.3 | Unknown | Unknown | no
idna | 3.11 | Kim Davies | Neutral | NO | no
cffi | 2.0.0 | Unknown | Unknown | no
pyHanko | 0.34.1 | Unknown | Unknown | no
cryptography | 46.0.7 | Unknown | Unknown | no
mypy | 1.20.1 | Python Software Foundation | Neutral | NO | no
pycparser | 3.0 | Unknown | Unknown | no
pathspec | 1.0.4 | Unknown | Unknown | no
PyYAML | 6.0.3 | YAML | Neutral | NO | no
librt | 0.9.0 | Unknown | Unknown | no
tzlocal | 5.3.1 | Unknown | Unknown | no
urllib3 | 2.6.3 | urllib3 | Neutral | NO | no
pyhanko-certvalidator | 0.30.2 | Unknown | Unknown | no
typing_extensions | 4.15.0 | Unknown | Unknown | no
uritools | 6.0.1 | Unknown | Unknown | no
mypy_extensions | 1.1.0 | Unknown | Unknown | no
pip | 26.0 | Unknown | Unknown | no
oscrypto | 1.3.0 | Unknown | Unknown | no

CI/CD findings

File | Component | Vendor | Jurisdiction | CLOUD Act
.github/workflows/ci.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/pages.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/release.yml | github_actions | GitHub (Microsoft) | US | YES
.github/workflows/rust.yml | github_actions | GitHub (Microsoft) | US | YES
pyproject.toml | pypi | Python Package Index | US | NO

Infrastructure findings

File Component Vendor Jurisdiction CLOUD Act
No infrastructure findings