Compliance & Risk
AI compliance just got mandatory. Vidai makes it easier.
From the EU AI Act to DORA to ISO 42001, the rules now demand a defensible record of what your high-risk AI actually did. Vidai produces it automatically, in the path, with no manual screenshot ritual to keep up.
Why this got urgent
The audit surface just multiplied by 10×.
In the chat era, one task was one AI call: one event to log, one record to keep. Agentic AI changed that. One task now fans out into ten or more autonomous calls, and when those calls sit inside a high-risk or regulated workflow, each one is an event you may have to account for. The per-application compliance patchwork that barely coped in the chat era is not failing gracefully at 10× the traffic. It is underwater.
The mandate
The regulators already wrote the rules.
Several regimes, already in force, require a defensible, reconstructable record of what your AI did in high-risk and critical workflows. Not a recommendation: a legal obligation with enforcement attached. None of them says "buy a gateway." All of them require an outcome the per-application patchwork was already struggling to produce.
Sourced from the regulations in force, 2026. Deeper, article-level control mappings on the EU AI Act, DORA and ISO/IEC 42001 pages.
The problem
Configured is not enforced.
A policy document. A spreadsheet. A per-application checkbox each team implements differently, or not at all. None of it survives the moment an assessor says "show me." The control that matters is the one in the request path, not the one in the wiki.
No real number
"We have policies" is not "39% of traffic was under an enforced compliance control this quarter." One is a claim. The other is a number an auditor can reason about.
Configured isn't acting
A guardrail set to log-only observes but never acts. It still shows as "configured." Observed is not enforced, and nobody notices the difference until the audit.
Assertions, not evidence
When the regulator picks a control and asks "prove it," a slide deck is not an answer. You need the frozen, per-request record of what actually happened.
Horizontal enforcement
One plane enforces it. Not fifty teams reading a PDF.
The reason AI compliance is paper today is that it's done per application: every team interprets the policy doc, implements it differently, and the gaps are invisible until they aren't. Vidai enforces the policy in the request path, horizontally, across every project, team, application and agent that sends an AI request.
What enforcement looks like
Three mechanisms, decided by content and context.
Every AI request is inspected at the boundary. The control plane decides what to do with it, by reading the request itself, not by trusting the application that sent it.
Redact
PII, secrets and sensitive payload fields are stripped from the prompt before it crosses the perimeter. The request continues; the data does not.
Block
Calls to unapproved models, unauthorised regions, or principals outside policy are stopped at the boundary. The application gets a structured refusal, not a leak.
Redirect
Regulated traffic is pinned to a compliant region or provider. The application keeps speaking the same SDK; the routing happens at the plane.
Every action is recorded as a frozen per-request event. The numbers shown later as the obligation rail are read from those records, not from what was configured.
The number
Every obligation, as a share of real traffic.
"1,217 requests enforced" means nothing without a denominator. "39% of traffic under a compliance control, 0 leaked" is the number an auditor can actually work with. Data residency, sensitive data and model access, each measured against the traffic that actually flowed, with the remainder accounted for, not hidden.
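The three mechanisms above (redact, block, redirect), the "configured is not enforced" failure mode, the frozen per-request record and the denominator-based obligation rail all fit in one small sketch. The Python below is an added illustration written for this page, not Vidai's code and not a description of its internals. Every policy field, tenant name, region, model name, regex and sample request is a constructed assumption; the hash chain stands in for whatever the real product uses to make records tamper-evident.

```python
"""Added example (not Vidai's code): an in-path policy evaluator that decides
redact / block / redirect per request, appends a hash-chained per-request
event, and derives "share of traffic under an enforced control" from the
events rather than from the configuration."""
import hashlib
import json
import re

# Constructed policy; every name and value below is an assumption for illustration.
POLICY = {
    "approved_models": {"gpt-4o", "claude-3-5"},
    "eu_only_tenants": {"bank-eu"},                 # residency obligation applies
    "eu_regions": ["eu-west-1", "eu-central-1"],    # first entry is the pin target
    # Per-tenant guardrail mode: "enforce" strips PII, "log-only" merely observes.
    "sensitive_data_mode": {"bank-eu": "enforce", "retail-us": "log-only"},
}

PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

OBLIGATIONS = ("model_access", "data_residency", "sensitive_data")


def evaluate(req, policy=POLICY):
    """Inspect one request at the boundary by reading the request itself.
    Returns (decision, outbound_request_or_None, enforced_rules, observed_only_rules)."""
    enforced, observed = [], []
    out = dict(req)
    # Block: a call to an unapproved model never leaves the perimeter.
    if req["model"] not in policy["approved_models"]:
        return "block", None, ["model_access"], []
    # Redirect: a regulated tenant is pinned to a compliant region.
    if req["tenant"] in policy["eu_only_tenants"] and req["region"] not in policy["eu_regions"]:
        out["region"] = policy["eu_regions"][0]
        enforced.append("data_residency")
    # Redact: strip PII, unless the guardrail for this tenant is log-only,
    # in which case it fires but changes nothing (configured, not enforced).
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(req["prompt"])]
    if hits:
        # Unknown tenants fail closed: default to "enforce".
        if policy["sensitive_data_mode"].get(req["tenant"], "enforce") == "enforce":
            for name in hits:
                out["prompt"] = PII_PATTERNS[name].sub(f"[{name.upper()}]", out["prompt"])
            enforced.append("sensitive_data")
        else:
            observed.append("sensitive_data")
    return "allow", out, enforced, observed


def append_event(log, req, decision, enforced, observed):
    """Append a frozen per-request record, hash-chained to the previous one."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {"seq": len(log), "request_id": req["id"], "tenant": req["tenant"],
            "decision": decision, "enforced": enforced, "observed": observed, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append({**body, "hash": digest})
    return log[-1]


def verify_chain(log):
    """True only if no record has been altered, reordered or removed since writing."""
    prev = "0" * 64
    for i, ev in enumerate(log):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev["seq"] != i or body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != ev["hash"]:
            return False
        prev = ev["hash"]
    return True


def obligation_rail(log):
    """Per obligation: enforced vs observed-only counts against ALL traffic, so the
    share has a real denominator and log-only guardrails show up as a gap."""
    total = len(log)
    rail = {}
    for ob in OBLIGATIONS:
        enf = sum(ob in ev["enforced"] for ev in log)
        obs = sum(ob in ev["observed"] for ev in log)
        rail[ob] = {"enforced": enf, "observed_only": obs, "total": total,
                    "share_enforced": round(enf / total, 3) if total else 0.0}
    return rail


# Constructed sample traffic, not real data.
SAMPLE_REQUESTS = [
    {"id": "r1", "tenant": "bank-eu", "region": "us-east-1", "model": "gpt-4o",
     "prompt": "Summarise complaint from jane@example.com"},
    {"id": "r2", "tenant": "retail-us", "region": "us-east-1", "model": "gpt-4o",
     "prompt": "Draft a product description"},
    {"id": "r3", "tenant": "retail-us", "region": "us-east-1", "model": "mystery-llm",
     "prompt": "Anything"},
    {"id": "r4", "tenant": "bank-eu", "region": "eu-west-1", "model": "claude-3-5",
     "prompt": "Check IBAN DE89370400440532013000"},
    {"id": "r5", "tenant": "retail-us", "region": "us-east-1", "model": "gpt-4o",
     "prompt": "Email bob@example.org a refund"},
]


def run(requests=SAMPLE_REQUESTS):
    """Push every request through the boundary and return the frozen event log."""
    log = []
    for req in requests:
        decision, _out, enforced, observed = evaluate(req)
        append_event(log, req, decision, enforced, observed)
    return log


if __name__ == "__main__":
    events = run()
    print(json.dumps(obligation_rail(events), indent=1))
    print("chain intact:", verify_chain(events))
```

On the constructed traffic, `sensitive_data` reports two requests enforced and one observed-only out of five: the retail tenant's guardrail fired on r5 but was configured log-only, so it counts as a gap rather than as coverage. The rail is computed from the event log, never from `POLICY`, and `verify_chain` fails the moment any record is edited after the fact, which is what makes the per-request record worth handing to an assessor.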
The proof
Hand the auditor evidence, not assertions.
Pick any number and the record behind it is real, per-request and frozen. There is no "trust us" step.
What you need to run it
The enforcement is everywhere. The proof layer is Enterprise.
Vidai's enforcement (guardrails, routing and deny rules) runs on every edition. The compliance proof layer (the obligation rail, per-rule attribution, the ISO 42001 evidence map and ML guardrails) is the Enterprise tier. See pricing.
Walk the auditor through it.
A 20-minute walkthrough: the obligation rail, the per-request record behind any number, and how the evidence maps to the regimes you answer to.