AI GOVERNANCE  ·  CI/CD-NATIVE  ·  EU AI ACT  ·  ISO 42001  ·  GDPR

AI systems drift.
Regulation punishes it.
We catch it first.

Vigilens sits inside the CI/CD pipeline — where AI is actually built and changed. It closes the gap between engineering and compliance before an auditor ever gets involved, and is building toward predicting behavioural drift before it becomes an incident.

Live · system audit
PASSING
SYSTEM credit-risk-v3.2
CLASSIFICATION HIGH-RISK · ANNEX III
CONTROLS PASSING 58 / 70
EVIDENCE FRESHNESS 12 min ago
AUDIT PACK v0247 · ready
Audit readiness 73%
VGL · 2026.04.26 NEXT RUN · 14:00 UTC
EU AI ACT · HIGH-RISK OBLIGATIONS: 2 AUGUST 2026
GDPR · ARTICLES 5, 6, 22, 25, 35 · AI DECISION MAKING
ISO 42001 · FULL AIMS CLAUSE COVERAGE
ISO 27001 · AI SYSTEM SECURITY CONTROLS
NON-COMPLIANCE · UP TO €35M OR 7% GLOBAL TURNOVER
DETERMINISTIC VERDICTS · NO LLM DECIDES PASS OR FAIL
CI/CD NATIVE · RUNS AT EVERY COMMIT · CONTINUOUS
PREDICT BEFORE INCIDENT · PREDICTION ENGINE · IN DEVELOPMENT

Watch the pipeline run.

VIGILENS — LIVE IN YOUR PIPELINE
Step 1 — Describe your AI system
AI System Registration
System Name: Loan Approval Engine v2.4
Classification Result: HIGH RISK
EU AI Act Annex III · Article 6 · Automated individual decisions
Control Library — Running Checks
0 / 8 controls passing
Human oversight review procedure documented · EU AI ACT
Technical documentation filed per Annex IV · EU AI ACT
Access control records current (90 days) · SOC 2
Incident response plan reviewed · SOC 2
Bias evaluation missing for v2.4 · EU AI ACT
! Data drift threshold exceeded — review required · NIST
Log retention policy active (EU AI Act compliant) · SOC 2
Model card published to internal registry · NIST
Evidence Stream — Auto-Collected · LIVE
GitHub · PR #441 merged → main · 2m ago
Model retrain commit — documentation requirement triggered
Jira · ISSUE-2289 resolved · 14m ago
Human review ticket closed by @leila.a — auto-linked to control
Datadog · Anomaly detected · 1h ago
Prediction drift +18% — Jira review ticket auto-created by Vigilens
S3 · Log archive snapshot · 3h ago
Monthly inference logs archived · EU AI Act record-keeping satisfied
MLflow · Model version v2.4 registered · Yesterday
Lineage captured — training data hash, hyperparameters, eval metrics
GENERATING AUDIT PACK…
Loan Approval Engine v2.4
EU AI Act · GDPR · ISO 42001 — READY
DOWNLOAD PACK — PDF + JSON
Generated with Vigilens · AI Governance Platform · vigilens.ai
CLASSIFICATION COMPLETE
EU AI Act — HIGH RISK detected. 70 applicable controls loaded.
! 2 VIOLATIONS NEED REVIEW
Bias evaluation missing · Data drift exceeded threshold.
1,204 ARTIFACTS COLLECTED
GitHub · Jira · Datadog · S3 · MLflow — 5 integrations active.

The real problem is not slow documentation.
It is that nobody knows when the system goes wrong.

STRUCTURAL CAUSE
01

The two teams never talk

The people who build AI systems and the people responsible for their behaviour operate in entirely different worlds. They speak different languages, use different tools, and meet only at audit time — when it is already too late.

THE COST
02

The audit is expensive because the gap is expensive

Getting to a submission-ready compliance pack for a high-risk AI system takes 6 to 18 weeks. That cost is not documentation overhead. It is the cost of the gap compounding since the last audit.

THE REAL RISK
03

A passed audit does not mean the system is behaving

A system that passed an audit six months ago may be behaving very differently today. It drifted. It retrained. It found ways around its own guardrails. A point-in-time check misses all of that.

Make compliance a property of the pipeline,
not a product of the audit.

When the engineer and the compliance professional see the same picture in real time, the gap closes. The back-and-forth stops. The audit shrinks from weeks to days.

LAYER 01

Classify

Determines jurisdiction, entity role, and risk tier. High-risk systems mapped to full EU AI Act Annex III and Annex IV obligations. Runs once at onboarding; updates automatically when the system description changes.

EU AI Act · Annex III · Annex IV
LAYER 02

Controls

EU AI Act, GDPR, ISO 42001, and ISO 27001 encoded as executable rules. Auto-assigned per classification. Every control carries an acceptance specification — the exact evidence required, cited to the article.

Rules-as-Code · Deterministic
LAYER 03

Evidence

Pulled continuously from GitHub, GitLab, Jira, Confluence, Datadog, MLflow. Every artifact is hashed, timestamped, and immutable. Evidence polarity is enforced: a gap recorded as a gap can never pass a control.

GitHub · Jira · Datadog · MLflow
LAYER 04

Verdict Engine

Deterministic verdicts computed from acceptance specs and evidence. No language model decides pass or fail. Human overrides are logged and attributed. Verdicts are always computed, never generated.

CI/CD · Continuous · Traceable
LAYER 05

Prediction Engine · IN DEVELOPMENT

Forward simulation over accumulated compliance state. The goal: predict behavioural drift before it becomes an incident. Built on Vigilens' proprietary evidence model — the same structured state that powers continuous monitoring.

Drift Prediction · Forward Simulation
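
A minimal sketch of the controls, evidence and verdict layers (Layers 02 to 04) described above, added here as an illustration and not Vigilens code: a control carries an acceptance specification, each artifact is hashed when collected, and the verdict is a pure function in which evidence recorded as a gap can never satisfy a requirement. The control id, evidence kinds, field names and 90-day freshness window are assumptions made up for the example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Evidence:
    kind: str              # hypothetical evidence kind, e.g. "bias_evaluation"
    polarity: str          # "present", or "gap" for a recorded absence
    collected_at: datetime
    payload: str
    digest: str = ""       # SHA-256 over the four fields above

    def compute_digest(self) -> str:
        body = json.dumps([self.kind, self.polarity, self.collected_at.isoformat(), self.payload])
        return hashlib.sha256(body.encode()).hexdigest()

def seal(kind, polarity, collected_at, payload) -> Evidence:
    """Hash the artifact at collection time; the frozen record cannot be edited."""
    e = Evidence(kind, polarity, collected_at, payload)
    return replace(e, digest=e.compute_digest())

@dataclass(frozen=True)
class Control:
    control_id: str        # hypothetical identifier
    required_kinds: tuple  # acceptance specification: evidence kinds that must exist
    max_age: timedelta     # how fresh the evidence must be

def verdict(control, evidence, now):
    """Pure function of its inputs: no model, no randomness, no hidden state."""
    reasons = []
    for kind in control.required_kinds:
        usable = [e for e in evidence
                  if e.kind == kind
                  and e.compute_digest() == e.digest          # intact since sealing
                  and e.polarity == "present"                 # a gap can never pass
                  and timedelta(0) <= now - e.collected_at <= control.max_age]
        if not usable:
            reasons.append(f"{kind}: no fresh, intact, positive evidence")
    return ("FAIL" if reasons else "PASS"), reasons

# Constructed sample data for the example.
NOW = datetime(2026, 4, 26, 14, 0, tzinfo=timezone.utc)
CONTROL = Control("CTL-EXAMPLE-01", ("bias_evaluation", "model_card"), timedelta(days=90))
CARD = seal("model_card", "present", NOW - timedelta(days=3), "card v2.4")
GAP = seal("bias_evaluation", "gap", NOW - timedelta(hours=1), "no evaluation found")
EVAL = seal("bias_evaluation", "present", NOW - timedelta(days=2), "eval report v2.4")

if __name__ == "__main__":
    print(verdict(CONTROL, [CARD, GAP], NOW), verdict(CONTROL, [CARD, EVAL], NOW))
```

Flipping the polarity of a sealed gap record changes its content without changing its stored digest, so the integrity check discards it and the control still fails.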

Does your AI system fall under
the EU AI Act?

Answer 6 questions to find out your classification and obligations under the EU AI Act (Regulation 2024/1689). Based on the official Future of Life Institute compliance flowchart — updated July 2025. This is the first step in the Vigilens pipeline. Once classified, you can connect your CI/CD pipeline and get continuous compliance monitoring from commit one.

Covers all provider, deployer, distributor and importer roles under Article 3
Outputs your specific obligations with article references
Free — no account required
vigilens.ai / eu-ai-act-checker
STEP 01 / 06 — ENTITY TYPE

What is your organisation's role?

Select the option that best describes your relationship to this AI system. You may qualify as more than one type — run the checker once per role. (Source: Article 3, Recital 83)

STEP 02 / 06 — PROHIBITED PRACTICES

Does your AI system perform any of the following?

These functions are prohibited under Article 5 of the EU AI Act. Select all that apply — if any apply, immediate legal review is required.

STEP 03 / 06 — HIGH-RISK CATEGORIES

Which categories does your AI system's use case fall into?

These are the Annex III high-risk categories under Article 6(2). Select all that apply — even partial overlap is enough to trigger high-risk status.

STEP 04 / 06 — SPECIAL SYSTEM TYPES

Does your AI system have any of these characteristics?

These trigger either GPAI obligations (Articles 51–55) or transparency obligations (Article 50). Select all that apply.

STEP 05 / 06 — SCOPE & JURISDICTION

Which of the following apply to your AI system?

Certain systems are excluded from scope, and jurisdiction determines whether the Act applies at all. Select all that apply. (Source: Article 2)

STEP 06 / 06 — YOUR DETAILS

Where should we send your compliance report?

We'll email you a personalised compliance summary based on your answers. Company email required — personal email addresses are not accepted.

By submitting you agree to receive your compliance summary and occasional relevant updates from Vigilens. Unsubscribe anytime.

The ungoverned AI
problem, explained.

Regulation 12 Feb 2026 · 8 min read

The EU AI Act Is Here: What High-Risk AI Deployers Must Do Before August 2026

Deadlines are no longer abstract. The EU AI Act's high-risk obligations are live — and most AI teams deploying into HR, credit, and customer decisions have months to get compliant. Here's the practical checklist your legal team won't give you.

Rules-as-Code 28 Jan 2026 · 6 min read

Why AI Compliance Needs to Run Like CI/CD: Rules-as-Code Explained

Your code has unit tests. Your infrastructure has Terraform. But your governance still runs on Word documents and annual audits. Rules-as-Code changes that — turning regulations into executable checks that run on every release.

Enterprise 10 Jan 2026 · 5 min read

The $2M Enterprise Deal Your Governance Gap Is Killing

AI startups are losing enterprise contracts not because of the product — but because they can't produce verifiable proof that their AI is safe, auditable, and under control. The security questionnaire has become the new product demo. Here's how to win it.

Compliance Guide 12 Mar 2026 · 10 min read

Is My Company EU AI Act Compliant? Here's How to Check.

A plain-language guide to understanding the EU AI Act, what Articles 5, 6 and 9 actually require, and a step-by-step checklist to assess your current compliance status.

Innovation 12 Mar 2026 · 8 min read

The EU AI Act Was Built for Big Tech. Not for You.

Compliance costs of up to €400,000. Launch delays for 60% of EU startups. Here's the data on how regulation is hitting SMEs hardest — and how to automate your way through it.

Regulation 23 Apr 2026 · 6 min read

EU AI Act Enforcement Timeline 2024–2027

Prohibited practices were the first to bite. GPAI obligations followed in August 2025. High-risk AI hits 2 August 2026. Full phase-in breakdown and readiness checklist for each enforcement wave.

Technical Guide 10 Apr 2026 · 7 min read

EU AI Act Article 9: Risk Management System Requirements

Four mandatory components — hazard identification, risk estimation, risk evaluation, risk mitigation — plus the continuous lifecycle obligation that runs from design to post-market monitoring.

Technical Guide 19 Apr 2026 · 6 min read

EU AI Act Annex IV: Technical Documentation Requirements

Eight sections, a continuous update obligation, and 10-year retention. What Annex IV actually requires — and how to structure your documentation so an auditor can verify it in minutes.

Compliance Guide 14 Apr 2026 · 5 min read

EU AI Act FRIA: Fundamental Rights Impact Assessment Explained

Who must conduct a FRIA, when it must be done, what it covers, how it differs from a GDPR DPIA, and the Article 27 notification obligation to market surveillance authorities.

Roles Guide 17 Apr 2026 · 6 min read

EU AI Act: Provider vs Deployer — What It Means for SaaS

Most AI SaaS companies are simultaneously providers and deployers. The obligations are different and both apply. Here is how to map your product architecture to the right compliance track.

Regulation 21 Apr 2026 · 5 min read

GPAI vs High-Risk AI: Separate Tracks, Overlapping Obligations

Chapter V applies to GPAI model providers. Chapter III applies to high-risk system deployers. When your GPAI model powers a high-risk application, both chapters apply simultaneously.

Engineering Guide 25 Apr 2026 · 8 min read

GitHub Best Practices for EU AI Act Compliance Evidence

PR naming conventions, branch structure, CODEOWNERS, release tagging, and GitHub Actions checks that generate Article 9, 12, and 14 compliance evidence automatically on every commit.

Engineering Guide 25 Apr 2026 · 7 min read

Confluence and Jira for EU AI Act Technical Documentation

Annex IV page templates, Jira label conventions for tracing obligations to tickets, and how to build the Confluence-Jira-GitHub evidence chain regulators expect.

Engineering Guide 25 Apr 2026 · 7 min read

MLflow and Datadog for EU AI Act Compliance

MLflow run tags for Article 9 test evidence, model registry compliance gates, Datadog Article 12 log schema, Article 72 monitor naming, and 10-year retention configuration.

Last reviewed: 25 April 2026