The toolchain.
Every AiExponent open source tool, the regulatory articles they answer, and Sigil, our exploration into runtime governance. Free tools are Apache 2.0, run locally, and install in 60 seconds. Sigil design-partner pilots are recruiting.
Free · Apache 2.0 · Runs locally
Four flagship tools.
Each one stands alone. Together they cover the whole compliance file.
Each tool maps to a specific EU AI Act obligation and produces a named regulatory artefact: an SBOM, a Risk Management File, a benchmark report, a prohibited-practice verdict. Install via pip, run locally.
License Compliance Checker
Article 53 requires model documentation. Scan the repo; the licence and training-data report comes out.
Regulatory relevance
GPAI Compliance · Generates audit evidence supporting EU AI Act Article 53 documentation obligations: evaluates model card completeness, license compliance, and training data risk for AI components in your stack.
bashpip install license-compliance-checkerRiskForge
Article 9 requires a documented risk management system. 37 guided questions produce the file, no consultants, ~30 minutes.
Regulatory relevance
Risk Management · Produces structured Article 9 Risk Management Files for high-risk AI systems suitable for inclusion in your Annex IV technical documentation pack. Organises the assessment across 8 risk dimensions derived across Articles 9, 10, 13, 14 and 15 (health & safety, fundamental rights, discrimination, privacy, transparency, human oversight, robustness, and data governance), with cross-maps to NIST AI RMF and ISO/IEC 42001. Not a substitute for notified-body conformity assessment.
bashpip install riskforgeRAG Benchmarking
Article 15 requires declared accuracy and robustness. Benchmark the system; the metrics report comes out.
Regulatory relevance
Accuracy Requirements · Provides systematic accuracy testing and documentation for high-risk AI systems under Article 15.
bashpip install rag-benchmarkingLitmusAI
Article 5 prohibits eight AI practices. Screen the system; a per-prohibition verdict comes out.
Regulatory relevance
Prohibited Practices · Screens AI systems against the eight prohibited-practice categories of EU AI Act Article 5(1)(a)–(h). Conservative-by-default verdicts; UNREVIEWED reference ruleset (no external lawyer review yet); BYO signed-ruleset path for customers who need lawyer-reviewed output today. Article 5 has been applicable since 2 February 2025 (Art. 113(a)); sanctionable since 2 August 2025 (Art. 113(b)).
bashpip install litmus-screenerHow the tools chain
One tool per article. The artefact is the proof.
Conformity assessment is a paper trail across roughly a dozen EU AI Act articles. We ship one tool per article, each producing the file the assessor opens next.
- 0101License Compliance CheckerArt. 53OSS + model licence report (JSON)Live
- 0202RAG BenchmarkingArt. 15Retrieval accuracy report (JSON / Markdown)Live
- 0303RiskForgeArt. 9Risk Management File (JSON / PDF)Live
- 0404LitmusAIArt. 5Prohibited-practices verdict (SARIF)Live
- 0505TraceForgeArt. 10Dataset governance report2027 · gated
- 0606TransparencyDeckArt. 13Deployer-facing transparency documentOct 2026
- 0707Agentic Document AnalyserArt. 11, 12Technical file + logging extractAlpha
- 0808RMFMapperNIST AI RMF ↔ EU AI ActCross-map matrixDemand-gated
- 0909ISOEvidenceISO 42001Management-system gap reportDemand-gated
- 1010VigilanceDashArt. 72Post-market monitoring feedRevisit 2027
- 1111OrgLiterateArt. 4Literacy evidence file (JSON / PDF)Sep 2026
- 1212ConformityBotArt. 43Conformity-assessment aggregationRevisit 2027
- 1313SigilArt. 14, 17Runtime oversight + QMS evidencePilots
- 1414HealthAI-ComplyMDR + EU AI Act + FDAClinical-AI evidence bundle2028
Four open-source tools live today: License Compliance Checker, RiskForge, RAG Benchmarking, LitmusAI. Each maps to one EU AI Act obligation. Install any of them in under 60 seconds. The rest of the chain ships through 2026–2027, with HealthAI-Comply in 2028.
Infrastructure Layer · 4 alpha tools
Evidence processing utilities
Cross-cutting tooling that feeds the flagships. Alpha stage, not marketed as standalone governance tools. Docker deployment.
Agentic Document Analyser
Articles 11 + 19Converts unstructured compliance documents (risk assessments, model cards, contracts, audit logs) into structured JSON using Vision-Language Models. Acts as the evidence processing layer for the AiExponent compliance toolchain. Feeds Article 11 technical documentation and Article 19 automatically-generated-log preservation workflows.
TraceForge
Article 10TraceForge addresses EU AI Act Article 10 training-data governance: lineage tracking, dataset risk registry, opt-out signal detection, and provenance evidence for high-risk AI systems. A conditional 2027 build, gated on adoption evidence from the shipped tools.
TransparencyDeck
Article 13TransparencyDeck addresses EU AI Act Article 13 transparency obligations: deployer-facing documentation, instructions for use, capability and limitation disclosure. Building October 2026.
Cross-Framework Coverage
One evidence workflow. Many jurisdictions.
Our tools cross-map to the major AI regulations worldwide, so one evidence artefact can satisfy obligations in multiple jurisdictions.
EU AI Act
The world's first comprehensive AI regulation. Phased enforcement 2024–2028.
Articles 4, 5, 9, 10, 13, 15, 53, 72
Up to €35M or 7% of global annual turnover (whichever is higher)
NIST AI RMF
Voluntary framework; US federal agency AI use is governed by OMB M-25-21. De facto standard for US enterprise AI.
Govern · Map · Measure · Manage
EO 14179 · OMB M-25-21
ISO/IEC 42001:2023
AI Management System standard. Certification increasingly required for enterprise procurement.
38 Annex A controls
Supports EU AI Act Art. 17 (QMS)
Canada AIDA
Bill C-27 (which contained AIDA) died at the January 2025 prorogation of Parliament. No active federal AI statute as of July 2026.
Watch for reintroduction
Status verified 2026-07-11
Sigil: runtime governance, built with design partners
An exploration into runtime AI agent governance: policy enforcement, tamper-evident audit logs, and compliance evidence for EU AI Act Articles 14 and 17, cross-mapped to NIST AI RMF and ISO/IEC 42001. Runs as fixed-scope design-partner pilots; the pilots decide the delivery model. Early access by enquiry.
We are exploring runtime governance for EU AI Act Articles 14 and 17: human-oversight controls in operation, and quality management evidence generated from real system behaviour. The work runs as fixed-scope pilots with a small number of design partners. Those pilots decide what Sigil becomes, including whether it runs in your infrastructure or as a managed service.
Pricing. We're finalising pricing with design-partner customers. Early-access participants help shape the tiers and get founding-customer terms.
Want to shape Sigil?
We are recruiting a small number of design-partner teams. If you are building high-risk AI systems and want runtime governance aligned to EU AI Act Articles 14 & 17, get in touch about a fixed-scope pilot.
Request Early AccessThese tools answer specific obligations. For programme-level regulatory design across an AI portfolio, the sister practice is at askajay.ai →