Apache 2.0Local-firstZero telemetry

Open-source compliance-as-code for the EU AI Act.

For the engineering teams who have to ship the evidence. Each tool maps to a specific obligation and produces a named artefact an auditor can read. It all runs on your own infrastructure.

The regulatory forcing function

2 Aug 2026

Commission GPAI fining powers attach

Article 53 GPAI documentation duties have applied since 2 August 2025. On 2 August 2026 the Commission's power to fine GPAI providers attaches, at up to €15M or 3% of global annual turnover under Article 101(1). Three more application dates follow.

Feb 2025

Bans + AI literacy apply

Aug 2025

GPAI duties apply

Dec 2027

High-risk systems comply *

Aug 2028

AI inside regulated products *

* Deferred high-risk dates (2 Dec 2027 Annex III; 2 Aug 2028 Annex I) reflect the Digital Omnibus on AI, adopted 29 June 2026 and pending publication in the EU Official Journal. Until OJEU publication the original Regulation (EU) 2024/1689 dates remain technically in force.

03What we build

One tool per obligation. One artefact per tool.

Four flagship open-source tools, each mapped to a specific EU AI Act article and each producing a structured, hand-to-auditor output.

ToolObligationArtefact produced
License Compliance CheckerArticle 53GPAI ComplianceOSS + model licence report (JSON)
RiskForgeArticle 9Risk ManagementRisk Management File (JSON / PDF)
RAG BenchmarkingArticle 15Accuracy RequirementsRetrieval accuracy report (JSON / Markdown)
LitmusAIArticle 5Prohibited PracticesProhibited-practices verdict (SARIF)

Sigil is our exploration into runtime governance for AI agents, aimed at EU AI Act Articles 14 and 17. We are running it as fixed-scope design-partner pilots, and the pilots will decide its delivery model.

04How we work

Five principles, enforced in the tooling.

01

Open source, Apache 2.0

Every tool ships under Apache 2.0 with a full patent grant. Source is public, forkable, and auditable. No enterprise tier gated behind a paywall.

02

Local-first, zero telemetry

The CLIs run on your infrastructure and read your code. They do not phone home. No analytics, no remote calls in default mode.

03

Evidence, not opinion

Each tool produces a named, structured artefact you can hand to an auditor: an SBOM, a Risk Management File, a benchmark report, a screening verdict.

04

Every claim cites a primary source

Regulatory statements quote the Official Journal text (Regulation (EU) 2024/1689) with article and paragraph references, not a paraphrase from memory.

05

Limitations stated plainly

Each tool lists what it does not do. Documentary evidence is not legal advice and does not substitute for qualified counsel or a notified body.

05Who's behind it

Ajay Pundhir

Ajay Pundhir

Founded AI Exponent LLC and writes the code in the four flagship repos on this site: license-compliance-checker, RiskForge, RAG Benchmarking, LitmusAI. 15+ years on production ML, the last decade-plus in regulated industries, before AI governance was its own category.

Prior senior ML and platform roles across global technology and financial-services companies, plus sovereign-scale AI programmes. Full track record on askajay.ai ↗

On the solo-project question

Today this is a founder-led project with a single maintainer. We are not going to pretend otherwise with a fabricated team page. Contributions come through the public GitHub repos, and external contributors are credited there. There is no formal advisory board to announce yet. When one exists, it will be named here with consent.

Support runs through GitHub issues and email. Response times are best-effort, not contractual. The honest framing is the point: you can read every line of code before you trust it, which is the safest posture for a small team building tools that others depend on.

The two-arm structure

AiExponent.com is the technology arm of AI Exponent LLC, a US-registered company: open-source governance tooling and the engineering evidence pipeline behind it. AskAjay.ai is the advisory arm of the same parent: consulting, courses, and transformation services. Same legal entity, different audiences, different voices. The split lets each side stay honest about what it is. Visit AskAjay.ai

06Trust & security

Your data does not leave your infrastructure.

The tools are built to be run inside your own environment. Nothing is sent to us, because there is nowhere to send it to.

Runs locally

The tools execute on your infrastructure. You control where they run and what they read.

Zero telemetry

No phone-home, no usage analytics, no remote calls in default mode.

No data leaves your environment

Your code and artefacts stay on your machines. We never receive them.

Apache 2.0

Full open-source grant, including patents. Inspect or fork any tool.

Responsible disclosure

Report a security issue to security@aiexponent.com. Policy and cadence on /trust.

Standards alignment

Outputs map to NIST AI RMF and ISO/IEC 42001 controls. We align with these frameworks; we do not claim certification against them.

07What we've shipped

The numbers we can actually stand behind.

4
Apache 2.0 open-source tools, each mapped to a specific EU AI Act article.
8
EU AI Act articles indexed and explained on the site, citing the Official Journal directly.
0
Compliance claims without a primary-source citation. The authenticity gate is non-negotiable.

Early days. We are not yet publishing user counts, download numbers, or partner logos. Partners are named post-pilot, with consent. Once the metrics are honest, they will appear here.

08Contact

Reach the right desk.

Open-source support

Bugs, feature requests, and questions go through the public repos on GitHub.

Security disclosure

Coordinated disclosure to security@aiexponent.com.

Partnerships & pilots

Design-partner pilots and partnership enquiries to hello@aiexponent.com.

Legal

Formal and legal matters to legal@aiexponent.com.

AI Exponent LLC · AiExponent (trade name)
30 N Gould St #61306, Sheridan, WY 82801, USA

Full legal notices