Compliance guide
EU AI Act compliance with Prova.
The EU AI Act applies to providers and deployers of high-risk AI systems operating in the EU. Articles 9, 12, 13, 14, and 17 impose specific record-keeping, risk management, oversight, and transparency obligations. This page maps each requirement to the Prova feature that satisfies it and links to the configuration docs.
This guide covers the obligations most commonly raised in procurement reviews.
It is not legal advice. Have a qualified lawyer review your specific implementation.
For the full regulation text, see EUR-Lex 32024R1689.
Risk management system
AI Risk Score + Policy Engine
Regulation says
Establish, implement, document, and maintain a risk management system throughout the AI lifecycle. The system must identify and analyse known and foreseeable risks, estimate and evaluate risks, and adopt measures to address them.
Prova covers this via
The AI Risk Score computes a 0-100 score across five components (audit coverage, detector breadth, policy coverage, enforcement rate, compliance readiness) on a rolling basis. The Policy Engine enforces 18 built-in policies with block/alert/observe modes and logs every policy evaluation to the Audit Vault as a signed event. The signed quarterly export is the documentation artefact for your Article 9 risk management record.
Record-keeping
Audit Vault
Regulation says
High-risk AI systems must automatically log events throughout their operation to the extent reasonably expected. Logs must be kept for a period appropriate to the intended purpose, at minimum the period laid down in applicable Union or national law.
Prova covers this via
Every model call, agent run, tool use, and policy evaluation produces a tamper-evident Ed25519-signed receipt stored in the Audit Vault. Events are immutable once written. The export endpoint at GET /api/v1/audit/export returns a signed NDJSON stream suitable for long-term archival in your own storage. Retention period is configurable at the infrastructure level; air-gapped self-hosted deployments give you full custody.
Transparency and information provision
Signed receipts + public key verification
Regulation says
High-risk AI systems must be designed and developed to ensure sufficient transparency to enable deployers to interpret the output and use the system appropriately. The receipt format must be verifiable independently.
Prova covers this via
Every receipt includes a canonical JSON payload, a SHA-256 hash, and an Ed25519 signature. The signing key's public half is published at GET /api/v1/keys/{key_id}. Any party with the public key can verify the receipt offline using standard OpenSSL commands without trusting Prova. The receipt includes the model provider, model name, framework, environment, and the full finding set, giving a complete picture of the decision context.
Human oversight
Gateway enforcement (block mode)
Regulation says
High-risk AI systems must be designed and developed with appropriate human-machine interface tools so that deployers can effectively oversee the system during use. The system must allow intervention, pause, or override.
Prova covers this via
Gateway mode (POST /api/v1/gateway/check) evaluates policies and detectors before the model call and returns an allow/alert/block decision. A block halts execution and writes a receipt with the block reason. The policy engine supports four modes: observe (log only), alert (log + flag), block (halt + log), and dry-run (test without enforcement). Human reviewers can use the Audit Vault browser to inspect, annotate, and export any event.
Quality management system
Policy versioning + 2-eyes approval + incident timeline
Regulation says
Providers of high-risk AI systems must put in place a quality management system including documented strategies and procedures for risk management, testing, post-market monitoring, change management, and incident reporting.
Prova covers this via
Custom policies go through a pending_review state before promotion to live, and a second user with policy.approve_version must approve each change. Every policy edit, toggle, and approval fires an operational audit event so the change management trail is itself signed. The incident investigation timeline chains related events across a time window into a single exportable report, covering the post-market monitoring and incident reporting requirement.
Post-market monitoring
AI Inventory + Detector Marketplace
Regulation says
Providers must establish and document a post-market monitoring system proportionate to the nature and risk of the high-risk AI system. The system must actively and systematically collect, document, and analyse relevant data from deployers to identify any need for corrective actions.
Prova covers this via
AI Inventory passively discovers integrations from receipts and actively registers them via the API. Network-layer discovery via Cloudflare Logpush or Datadog log forwarder catches uninstrumented calls. The bias drift detector samples 10% of events on a rolling window and flags statistical divergence in approval rates. The hallucination detector samples 20% of RAG events and flags responses not entailed by retrieved context. Both detectors write signed findings to the Audit Vault for systematic review.
Obligations of deployers
SDK + ingest API
Regulation says
Deployers must take appropriate technical and organisational measures to ensure they use high-risk AI systems in accordance with the instructions of use. Deployers in the public sector or deployers conducting fundamental rights impact assessments must maintain logs.
Prova covers this via
The first-party SDK (Python and Node) wraps any LangGraph, CrewAI, or custom agent with a single decorator. The ingest API accepts events in batch or single mode. Both paths produce receipts that deployers can archive independently. The SDK's offline verifyReceipt function lets deployers confirm receipt integrity without a network call, satisfying the requirement to maintain their own independent record.
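As an added example (not Prova's SDK and not its verifyReceipt implementation), this is the offline check that the transparency section and the deployer section above describe, in Go with only the standard library: canonicalise the payload, recompute the SHA-256 hash, and verify the Ed25519 signature against the published public key. The receipt field names, the assumption that the signature covers the canonical payload bytes, and the assumption that the published key has already been decoded to raw Ed25519 bytes (for example from PEM via x509.ParsePKIXPublicKey) are mine; the page does not document them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Receipt is an assumed shape: the page names the parts, not these field names.
type Receipt struct {
	KeyID       string         `json:"key_id"`
	Payload     map[string]any `json:"payload"`
	PayloadHash string         `json:"payload_hash"` // hex SHA-256 of the canonical payload
	Signature   string         `json:"signature"`    // base64 Ed25519 signature over it
}

// Canonicalize renders the payload as compact JSON; encoding/json sorts map keys at
// every nesting level, so the same payload always yields the same bytes.
func Canonicalize(payload map[string]any) ([]byte, error) { return json.Marshal(payload) }

// VerifyReceipt recomputes the canonical hash, compares it with the stated one, then checks
// the signature, all offline: a post-signing edit or a foreign key fails one of the checks.
func VerifyReceipt(r Receipt, pub ed25519.PublicKey) error {
	canon, err := Canonicalize(r.Payload)
	if err != nil {
		return err
	}
	if sum := sha256.Sum256(canon); hex.EncodeToString(sum[:]) != r.PayloadHash {
		return errors.New("payload hash mismatch: payload altered after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, canon, sig) {
		return errors.New("ed25519 signature invalid for this key")
	}
	return nil
}

// SignReceipt is the issuer side, included only so the example runs stand-alone.
func SignReceipt(priv ed25519.PrivateKey, keyID string, payload map[string]any) (Receipt, error) {
	canon, err := Canonicalize(payload)
	if err != nil {
		return Receipt{}, err
	}
	sum := sha256.Sum256(canon)
	return Receipt{KeyID: keyID, Payload: payload, PayloadHash: hex.EncodeToString(sum[:]),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canon))}, nil
}
```

Archiving the receipts together with the public key fetched at signing time is what makes this check repeatable years later, independent of whether the key endpoint still exists.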
Access control for AI governance tooling
RBAC + SSO (Enterprise)
Regulation says
Your own AI governance tooling must itself be governed. Regulators will ask how you control who can see audit data, who can change policies, and who can approve changes.
Prova covers this via
Five roles (owner, developer, security, audit, contractor) with a full permission matrix. Every dashboard action is gated. Invite and revoke flows emit signed operational audit events. SAML/OIDC SSO via Supabase Auth Pro is available on Enterprise tier and must be configured before regulated-industry sign-off. This is the one requirement that needs an Enterprise contract to satisfy fully.
What to configure first.
If you are preparing for an EU AI Act audit or a procurement review, configure these in order. Each one closes a specific question an auditor will ask.
- Generate a persistent signing key and set PROVA_SIGNING_KEY_PEM in your deployment. The ephemeral fallback is for development only. Without a persistent key, receipts from different process restarts cannot be cross-verified.
- Instrument at least one production agent using the SDK or the ingest API. Auditors need a live system, not a staging demo.
- Enable gateway enforcement on at least one policy (block mode). This demonstrates Article 14 human oversight: decisions can be halted before execution.
- Run the signed quarterly export (GET /api/v1/risk/quarterly) and keep the output file. That file is your Article 9 risk management documentation artefact for the quarter.
- Set up SAML/OIDC SSO (Enterprise tier). Without SSO, access control relies on email-based invites, which most enterprise security reviews will flag.
Other regulatory frameworks.
The same Prova features that satisfy EU AI Act obligations also address requirements in other frameworks. The signed receipt format and the policy enforcement audit trail are the common thread.
FDA AI/ML SaMD
Change control (Art. 17 analogue): policy versioning with 2-eyes approval satisfies the Predetermined Change Control Plan requirement for AI/ML-based Software as a Medical Device.
SEC Algorithmic Audit
Books and records (Rule 17a-4 analogue): immutable signed receipts with WORM-compatible export satisfy the electronic records requirement for AI-assisted trading or advisory systems.
HIPAA AI Traceability
Audit controls (45 CFR 164.312(b)): the Audit Vault provides the hardware and software activity records required for PHI-touching AI systems. EU data residency is available on the Enterprise tier.
Need a DPA or security review package?
Enterprise accounts include a Data Processing Agreement, a completed security questionnaire, and a SOC 2 documentation package. Book a call to start the process.