EU AI Act — aligned by design
A Quantamix Solutions product

Make an AI’s decisions provable to a stranger.

GraQle is EU AI Act–aligned by design. We give your high-risk AI system the signals, audit trail, and disclosure primitives you need to satisfy your own Article 9 risk-management file — without GraQle itself being subject to the high-risk obligations.

The distinction that makes it click

A witness statement, or a fingerprint?

A witness statement

Needs the witness in the room to mean anything. Most AI governance today is a dashboard that shows what the system says now — not a record of what it actually did months ago. The audit trail usually lives on the vendor’s servers and is regenerated on demand. Fragments, not proof.

A fingerprint

Stands on its own — anyone can check it later. GraQle turns each AI decision into a tamper-evident, signed, publicly-anchored record a regulator can verify with no access to us and no one from the company present. The personal data stays out: the trail holds the proof of the decision, not the people behind it.

The witness-statement-vs-artefact framing was co-created publicly with enterprise architect Javier Á. Martínez Rodríguez.

Three things GraQle does NOT do (legally clean)

  • GraQle is NOT itself a high-risk AI system. No Annex III category applies to a developer-side reasoning SDK — you do not inherit the high-risk obligations from us.
  • GraQle is NOT a General-Purpose AI Model provider under Article 51. We use third-party LLMs — we do not place one on the EU market.
  • We provide signals and audit primitives that deployers quote in their compliance file. We use the word aligned — never the stronger claims a substrate cannot make for you. The discipline is enforced in our own code by a non-claims invariant test.

Article-by-Article

Seven articles, each mapped to a shipped surface

Every row points at something you can run today. Your Article 9 risk-management file can quote these surfaces directly.

Art 4: AI literacy

A direct obligation on providers and deployers.

Deployer-facing documentation set + integration guidance. Quote it straight into your training records.

Art 12: Record-keeping

Audit logs for every AI reasoning event.

graq compliance export — JSONL evidence trail + SHA-256 sidecar. Tamper-detectable years later.

Art 13: Deployer transparency

Interpretable output signals for the people affected.

graph_health + confidence on every reasoning envelope. Interpretable output by default.

Art 14: Human oversight

Effective human oversight — real authority to override.

Confidence-threshold-routable scores + a degraded-reasoning banner. Below threshold, auto-apply paths refuse with a structured human-review envelope.

Art 15: Robustness

Accuracy, robustness, and cybersecurity.

graq compliance status --include-robustness — 17 named defences and 7 measurable claims, emitted as a machine-readable attestation.

Art 25: Value-chain responsibility

Upstream-provider duty to share information.

Intended-purpose statement + the full compliance documentation set, so deployer duties flow even when the model came from a vendor.

Art 50: Transparency for users

Inform the natural person they are interacting with AI.

GRAQLE_EU_AI_ACT_MODE=on — a once-per-session disclosure banner plus a machine-readable ai_disclosure field on every envelope.

What we do not cover — and say so

Naming the boundary is the credibility move. GraQle is one layer of a stack — it does not pretend to be the whole thing.

Article 5

Prohibited practices — deployer-decision territory, not SDK territory.

Article 53

GPAI obligations — we use third-party LLMs; we are not a GPAI provider.

Article 55

Systemic-risk GPAI duties — same; not a GPAI provider.

Annex VII

Conformity assessment — a deployer / notified-body process a substrate cannot perform.

Roadmap, stated honestly: the cryptographic substrate, the offline verifier, the runtime middleware, and the anchoring worker are shipped. Automated Article 9 periodic-assessment and Article 11 baseline-document generation are in research — we make no shipped claim for them here.

From decision to artefact

Mount it once. Every decision emits a verifiable receipt.

Attach GraQle to a production AI service as middleware, or a one-line decorator. Every decision becomes a PII-safe, verifiable record — no change to the decision code, nothing added to the user’s response time. Unmapped personal fields are dropped by default.

An honest boundary: the substrate records and proves the decision. It does not decide permission, and it is not the whole answer — other layers of the stack belong to other people doing that work.

service.py
from graqle.governance.runtime import attest

@attest               # one line — PII-safe, zero latency
def decide(application):
    ...
    return verdict     # → a signed, tamper-evident receipt

Why you shouldn’t have to trust us

The verification needs a public key and a public log entry — not access to us. A stranger who never heard of GraQle can check a record using open standards alone.

RFC 8785 — canonical form

Any language verifies the bytes the same way.

RFC 6962 — Merkle trees

Inclusion is provable; tampering is detectable.

Sigstore Rekor — public log

Anchored in a public transparency log — the kind that secures software supply chains.

ed25519 — signatures

Signed with a key-validity window. Verify with the public key alone.

your evidence trail
$ graq compliance export --since 2026-08-01 \
    -o evidence.jsonl --sha256-sidecar
✓ canonical-form JSONL written
✓ SHA-256 sidecar — tamper-detectable years later

$ graq attest verify evidence.jsonl
✓ VERIFIED — public key + public log only. No access to us.
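The verification path described above (RFC 8785 canonical bytes, RFC 6962 leaf and node hashing, an inclusion proof checked against a tree root with nothing but hashes) as an added, stand-alone Python example; it is not GraQle's code and uses only the standard library. It assumes a constructed three-record trail, a canonicalization limited to ASCII keys and integer values, and leaves out the ed25519 signature and the Rekor lookup that the shipped verifier also performs.

```python
import hashlib
import json

RECORDS = [  # constructed sample trail; PII fields already dropped
    {"decision_id": "d-001", "verdict": "approve", "confidence": 91},
    {"decision_id": "d-002", "verdict": "human-review", "confidence": 58},
    {"decision_id": "d-003", "verdict": "reject", "confidence": 88},
]

def canonical(record):
    # RFC 8785 subset (sorted keys, no whitespace, UTF-8); assumes ASCII keys
    # and integer numbers, since the full RFC also pins float formatting.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def leaf_hash(record):       # RFC 6962 leaf: H(0x00 || data)
    return hashlib.sha256(b"\x00" + canonical(record)).digest()
def node_hash(left, right):  # RFC 6962 node: H(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()
def _split(n):               # largest power of two strictly below n
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, m):  # sibling hashes on the path from leaf m to the root
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(record, index, size, proof, root):
    # RFC 9162 sec. 2.1.3.2: rebuild the root from one record + its proof only
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(record)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn & 1 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A stranger holding only a record, its index, the tree size, the proof and the published root can run verify_inclusion; changing one byte of the record or swapping its position makes the rebuilt root differ.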

What’s shipped — and where to check it

Every line is live code on PyPI and GitHub. If marketing ever disagrees with the repo, the repo wins.

  • Offline proof verifier — a stranger verifies a bundle with public keys alone: no network, no account, no proprietary code. (graq attest verify · python -m graqle.verify)
  • Cryptographic substrate — RFC 8785 canonicalization, RFC 6962 Merkle trees, ed25519 custody, Sigstore Rekor anchor. (graqle.governance.tamper_evidence)
  • Runtime middleware — one line records a deployed AI’s decision, PII-safe, no latency on the response path. (graqle.governance.runtime)
  • Continuous anchoring worker + an Article-72-style health snapshot. (graq govern serve · graq govern health)
  • Article 12 evidence export with a deterministic canonical-form JSONL and a tamper-detect sidecar. (graq compliance export --sha256-sidecar)
  • Article 15 robustness attestation — 17 named defences, 7 measurable claims, machine-readable. (graq compliance status --include-robustness)

The dates that drive this

2025-02-02: Article 4 (AI literacy) in force — deployers already carry this obligation.
2026-08-02: Articles 12, 13, 14, 15, 25, 50 applicable to high-risk systems; Article 50 transparency applies to every AI system that interacts with people.
2026-12-02: Annex III high-risk enforcement (per the Omnibus delay).

Honest answers

The questions a serious buyer asks

Reach for evidence that stands on its own.

Someone will ask you to prove what your AI did. GraQle builds the part that makes the answer stand on its own — and points to the people who hold the rest of the stack.