Compliance
EU AI Act compliance for high-risk AI
The EU AI Act's high-risk category includes credit, employment, and insurance scoring. Prism is built to satisfy the logging, transparency, and oversight articles.
- Article 12: automatic event logging for the lifetime of the system
- Article 13: transparency information for deployers
- Article 14: human oversight measures with traceable interventions
- Article 72: post-market monitoring
About this framework
Regulation (EU) 2024/1689, the EU AI Act, is the world's first horizontal AI regulation. It classifies AI systems into prohibited, high-risk, limited-risk, and minimal-risk tiers. High-risk includes credit scoring, insurance pricing, employment decisioning, and many medical-device uses. Obligations for high-risk AI phase in progressively from August 2024 to August 2027. Penalties reach €35M or 7% of global turnover.
Who needs to comply
Industries this applies to
Banking
Credit scoring AI is named high-risk under Annex III.
Insurance
Life and health pricing AI is high-risk under Annex III.
Fintech
BNPL and consumer credit decisioning fall in scope.
Healthcare
AI in medical devices and health insurance triggers high-risk obligations.
Mapping
Article-by-article evidence
| Obligation | Capability | Evidence |
|---|---|---|
| Art. 12 — automatic logging | Prisms | Every LLM and tool call logged with timestamp, identity, and outcome; immutable export |
| Art. 13 — transparency for deployers | Prism Sessions + Docs | Conversation-level review; documented system behavior and limitations |
| Art. 14 — human oversight | Prism Guardrails + Sessions | Real-time intercept points; reviewer-friendly conversation rendering |
| Art. 15 — accuracy, robustness, cybersecurity | Prism Red Teaming + Model Audits | Adversarial test results; benchmark runs comparing accuracy and robustness |
| Art. 72 — post-market monitoring | Prism Evaluations | Continuous quality scoring; regression view across weeks and months |
Retention
Art. 12 requires that logs are kept for at least 6 months by default. Prism data residency lets you keep traces longer or in-region (EEA), with export-on-demand for national supervisory authorities.
Read the source
Go straight to the regulator
Not familiar with this framework? These are the authoritative sources.
Built for: Providers and deployers of high-risk AI systems under the EU AI Act
Related
LLM Observability
Structured traces give you the full story of what your AI said, why it said it, how long it took, and what it cost.
LLM Guardrails
Real-time detection and enforcement for PII, PHI, prompt injection, content policy violations, and off-topic responses, scoped per agent, per project, per knowledge base.
Session Review
Compliance officers read sessions like chat transcripts: no JSON, no log parsing, no engineering ticket.
AI Red Teaming
Structured adversarial testing to find prompt injection vulnerabilities, guardrail bypasses, and unsafe behaviors, before they reach production.
NIST AI Risk Management Framework: Prism Compliance Mapping
Each NIST AI RMF function has subcategories that demand evidence. Prism produces it: from MEASURE-2.7 trace logs to MANAGE-2.1 adversarial test results.
ISO/IEC 42001 AI Management System
ISO 42001 is the first auditable management-system standard for AI. Prism produces the operational evidence each clause asks an internal auditor to see.
GDPR Compliance for AI Workloads
GDPR doesn't change for AI: lawful basis, minimization, and the right to explanation still apply. Prism produces the records each Article expects.
DORA Compliance for AI in EU Financial Services
DORA treats AI systems as ICT services. Operational resilience, incident reporting, and third-party register obligations all apply. Prism produces the evidence.
AI compliance and risk management for banks
From underwriting copilots to fraud-screening agents, banks need the same model risk discipline they have for traditional models. Prism is built around it.
AI governance for insurance
Insurers face NAIC's Model Bulletin and a patchwork of state-level AI rules. Prism gives carriers one platform to produce the evidence each one demands.
AI risk management for fintech
Sponsor banks expect SR 11-7 hygiene. CFPB and state AGs care about ECOA. Prism makes both legible without slowing your release pace.
Start tracing in 5 minutes
One SDK. Five minutes. Full audit trails, PII redaction, and guardrail enforcement, from day one.