Open-source compliance-as-code for the EU AI Act.
For the engineering teams who have to ship the evidence. Each tool maps to a specific obligation and produces a named artefact an auditor can read. It all runs on your own infrastructure.
The regulatory forcing function
2 Aug 2026
Commission GPAI fining powers attach
Article 53 GPAI documentation duties have applied since 2 August 2025. On 2 August 2026 the Commission's power to fine GPAI providers attaches, at up to €15M or 3% of global annual turnover under Article 101(1). Three more application dates follow.
Feb 2025
Bans + AI literacy apply
Aug 2025
GPAI duties apply
Dec 2027
High-risk systems comply *
Aug 2028
AI inside regulated products *
* Deferred high-risk dates (2 Dec 2027 Annex III; 2 Aug 2028 Annex I) reflect the Digital Omnibus on AI, adopted 29 June 2026 and pending publication in the EU Official Journal. Until OJEU publication the original Regulation (EU) 2024/1689 dates remain technically in force.
03What we build
One tool per obligation. One artefact per tool.
Four flagship open-source tools, each mapped to a specific EU AI Act article and each producing a structured, hand-to-auditor output.
| Tool | Obligation | Artefact produced |
|---|---|---|
| License Compliance Checker | Article 53GPAI Compliance | OSS + model licence report (JSON) |
| RiskForge | Article 9Risk Management | Risk Management File (JSON / PDF) |
| RAG Benchmarking | Article 15Accuracy Requirements | Retrieval accuracy report (JSON / Markdown) |
| LitmusAI | Article 5Prohibited Practices | Prohibited-practices verdict (SARIF) |
Sigil is our exploration into runtime governance for AI agents, aimed at EU AI Act Articles 14 and 17. We are running it as fixed-scope design-partner pilots, and the pilots will decide its delivery model.
04How we work
Five principles, enforced in the tooling.
Open source, Apache 2.0
Every tool ships under Apache 2.0 with a full patent grant. Source is public, forkable, and auditable. No enterprise tier gated behind a paywall.
Local-first, zero telemetry
The CLIs run on your infrastructure and read your code. They do not phone home. No analytics, no remote calls in default mode.
Evidence, not opinion
Each tool produces a named, structured artefact you can hand to an auditor: an SBOM, a Risk Management File, a benchmark report, a screening verdict.
Every claim cites a primary source
Regulatory statements quote the Official Journal text (Regulation (EU) 2024/1689) with article and paragraph references, not a paraphrase from memory.
Limitations stated plainly
Each tool lists what it does not do. Documentary evidence is not legal advice and does not substitute for qualified counsel or a notified body.
05Who's behind it

Ajay Pundhir
Founded AI Exponent LLC and writes the code in the four flagship repos on this site: license-compliance-checker, RiskForge, RAG Benchmarking, LitmusAI. 15+ years on production ML, the last decade-plus in regulated industries, before AI governance was its own category.
Prior senior ML and platform roles across global technology and financial-services companies, plus sovereign-scale AI programmes. Full track record on askajay.ai ↗
On the solo-project question
Today this is a founder-led project with a single maintainer. We are not going to pretend otherwise with a fabricated team page. Contributions come through the public GitHub repos, and external contributors are credited there. There is no formal advisory board to announce yet. When one exists, it will be named here with consent.
Support runs through GitHub issues and email. Response times are best-effort, not contractual. The honest framing is the point: you can read every line of code before you trust it, which is the safest posture for a small team building tools that others depend on.
The two-arm structure
AiExponent.com is the technology arm of AI Exponent LLC, a US-registered company: open-source governance tooling and the engineering evidence pipeline behind it. AskAjay.ai is the advisory arm of the same parent: consulting, courses, and transformation services. Same legal entity, different audiences, different voices. The split lets each side stay honest about what it is. Visit AskAjay.ai →
06Trust & security
Your data does not leave your infrastructure.
The tools are built to be run inside your own environment. Nothing is sent to us, because there is nowhere to send it to.
Runs locally
The tools execute on your infrastructure. You control where they run and what they read.
Zero telemetry
No phone-home, no usage analytics, no remote calls in default mode.
No data leaves your environment
Your code and artefacts stay on your machines. We never receive them.
Apache 2.0
Full open-source grant, including patents. Inspect or fork any tool.
Responsible disclosure
Report a security issue to security@aiexponent.com. Policy and cadence on /trust.
Standards alignment
Outputs map to NIST AI RMF and ISO/IEC 42001 controls. We align with these frameworks; we do not claim certification against them.
07What we've shipped
The numbers we can actually stand behind.
- 4
- Apache 2.0 open-source tools, each mapped to a specific EU AI Act article.
- 8
- EU AI Act articles indexed and explained on the site, citing the Official Journal directly.
- 0
- Compliance claims without a primary-source citation. The authenticity gate is non-negotiable.
Early days. We are not yet publishing user counts, download numbers, or partner logos. Partners are named post-pilot, with consent. Once the metrics are honest, they will appear here.
08Contact
Reach the right desk.
Open-source support
Bugs, feature requests, and questions go through the public repos on GitHub.
Security disclosure
Coordinated disclosure to security@aiexponent.com.
Partnerships & pilots
Design-partner pilots and partnership enquiries to hello@aiexponent.com.
Legal
Formal and legal matters to legal@aiexponent.com.
AI Exponent LLC · AiExponent (trade name)
30 N Gould St #61306, Sheridan, WY 82801, USA