Compliance & Risk

AI compliance just got mandatory. Vidai makes it easier.

From the EU AI Act to DORA to ISO 42001, the rules now demand a defensible record of what your high-risk AI actually did. Vidai produces it automatically, in the path, with no manual screenshot ritual to keep up.

[Illustration: Vidai obligation rail, the single point every regulation's evidence is produced from. Regime badges shown: EU AI Act, DORA, GDPR, ISO 42001, UK CTPR, FCA.]

Why this got urgent

The audit surface just multiplied by 10×.

In the chat era, one task was one AI call: one event to log, one record to keep. Agentic AI changed that. One task now fans out into ten or more autonomous calls, and when those calls sit inside a high-risk or regulated workflow, each one is an event you may have to account for. The per-application compliance patchwork that barely coped in the chat era is not failing gracefully at 10× the traffic. It is underwater.

See the traffic multiplier at your scale →

The mandate

The regulators already wrote the rules.

Several regimes, already in force, require a defensible, reconstructable record of what your AI did in high-risk and critical workflows. Not a recommendation, a legal obligation with enforcement attached. None of them say "buy a gateway." All require an outcome the per-application patchwork was already struggling to produce.

Regulation | Status | What it requires
EU AI Act, Art. 12 (mapping →) | In force | Automatic event logging for high-risk AI, over the system's lifetime.
DORA (mapping →) | In force | A register of providers plus concentration-risk and substitutability evidence for every ICT and AI provider.
UK Critical Third Party Regime | In force | Operational-resilience duties for third parties designated as critical to the UK financial sector, AI providers included.
UK FCA approach | Active supervision | Evidence of who owns the AI process, what approvals preceded it, and how it is monitored.
GDPR, Art. 44 | In force | A Chapter V transfer safeguard (adequacy decision, standard contractual clauses or another recognised mechanism) for every transfer of AI data outside the EEA.
ISO/IEC 42001 (mapping →) | AI management standard | Event-logging controls; Vidai is the system of record for four of them.

Sourced from the regulations in force, 2026. Deeper, article-level control mappings on the EU AI Act, DORA and ISO/IEC 42001 pages.

The problem

Configured is not enforced.

A policy document. A spreadsheet. A per-application checkbox each team implements differently, or not at all. None of it survives the moment an assessor says "show me." The control that matters is the one in the request path, not the one in the wiki.

01  No real number

"We have policies" is not "39% of traffic was under an enforced compliance control this quarter." One is a claim. The other is a number an auditor can reason about.

02  Configured isn't acting

A guardrail set to log-only observes but never acts. It still shows as "configured." Observed is not enforced, and nobody notices the difference until the audit.

03  Assertions, not evidence

When the regulator picks a control and asks "prove it," a slide deck is not an answer. You need the frozen, per-request record of what actually happened.

Horizontal enforcement

One plane enforces it. Not fifty teams reading a PDF.

The reason AI compliance is paper today is that it's done per application: every team interprets the policy doc, implements it differently, and the gaps are invisible until they aren't. Vidai enforces the policy in the request path, horizontally, across every project, team, application and agent that sends an AI request.

Every request, the same policy. A new team or a new agent fleet doesn't get a fresh chance to skip the control. It goes through the same plane as everything else.
It catches the gap you can't see. The per-subject view splits governed traffic by who sent it, humans versus agents, so "we enforce our chat app but our agents call Vidai wide open" shows up as a share of traffic rather than as an audit finding.
Enforcement, not a document. The control is the thing in the request path, not the thing in the wiki that people promise to follow.

What enforcement looks like

Three mechanisms, decided by content and context.

Every AI request is inspected at the boundary. The control plane decides what to do with it by reading the request itself, its content and its context, not by trusting the application that sent it. The boundary only governs what reaches it: an application that calls a model provider directly never crosses the plane, so keeping that direct path closed (egress rules, provider credentials held only by the plane) is what makes "every request" true.

Redact

PII, secrets and sensitive payload fields are stripped from the prompt before it crosses the perimeter. The request continues; the data does not.

Block

Calls to unapproved models, unauthorised regions, or principals outside policy are stopped at the boundary. The application gets a structured refusal, not a leak.

Redirect

Regulated traffic is pinned to a compliant region or provider. The application keeps speaking the same SDK; the routing happens at the plane.

Every action is recorded as a frozen per-request event. The numbers shown later as the obligation rail are read from those records, not from what was configured.

The number

Every obligation, as a share of real traffic.

"1,217 requests enforced" means nothing without a denominator. "39% of traffic under a compliance control, 0 leaked" is the number an auditor can actually work with. Data residency, sensitive data and model access, each measured against the traffic that actually flowed, with the remainder accounted for, not hidden.
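The following is an added illustration, not Vidai's code: a minimal boundary check in Python that applies the three mechanisms above (redact, block, redirect) from the request's own content and context, records each decision as a hash-chained frozen event, and then computes coverage as a share of all traffic that crossed the boundary, with leaks counted rather than hidden. The allow-list, compliant regions, PII patterns, principals and sample requests are all constructed for the example; the `mode` switch ("log_only" versus "enforce") is there to show why a guardrail that is configured but only observing produces a different number from one that acts.

```python
import hashlib
import json
import re
from dataclasses import asdict, dataclass, replace

# Constructed policy values for this example; a real plane would load its own.
APPROVED_MODELS = frozenset({"gpt-4o", "claude-3-5-sonnet"})
COMPLIANT_REGIONS = frozenset({"eu-west-1", "eu-central-1"})
HOME_REGION = "eu-west-1"
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "api_key": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"),
}


@dataclass(frozen=True)
class Event:
    """One frozen per-request record: what was asked, what was served, which rules fired."""
    seq: int
    principal: str
    requested_model: str
    served_model: str
    requested_region: str
    served_region: str
    rules: tuple        # rules matched by the request's content/context
    action: str         # enforce | observe | allow
    leaked: bool        # sensitive content crossed the perimeter unredacted
    prev_hash: str
    digest: str


def _digest(prev_hash, body):
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()


def inspect(req, mode, ledger):
    """Decide at the boundary from the request itself, then append a frozen event.

    mode is "enforce" (act) or "log_only" (observe only): the configured-vs-enforced gap.
    Returns (served_request_or_None, event); None means a structured refusal.
    """
    prompt, model, region = req["prompt"], req["model"], req["region"]
    rules, served = [], dict(req)
    hits = sorted(n for n, p in PII_PATTERNS.items() if p.search(prompt))
    if model not in APPROVED_MODELS:
        rules.append("model-allowlist")        # Block
    if hits:
        rules.append("sensitive-data")         # Redact
    if region not in COMPLIANT_REGIONS:
        rules.append("data-residency")         # Redirect
    leaked = bool(hits)
    if rules and mode == "enforce":
        action = "enforce"
        if "model-allowlist" in rules:
            served = None                      # nothing crosses the perimeter
        else:
            for n in hits:
                served["prompt"] = PII_PATTERNS[n].sub(f"<{n}:redacted>", served["prompt"])
            served["region"] = HOME_REGION if "data-residency" in rules else region
        leaked = False
    else:
        action = "observe" if rules else "allow"   # log-only: seen, sent unchanged
    prev = ledger[-1].digest if ledger else "0" * 64
    body = dict(seq=len(ledger), principal=req["principal"], requested_model=model,
                served_model=served["model"] if served else "", requested_region=region,
                served_region=served["region"] if served else "", rules=tuple(rules),
                action=action, leaked=leaked, prev_hash=prev)
    ev = Event(**body, digest=_digest(prev, body))
    ledger.append(ev)
    return served, ev


def coverage(ledger):
    """Every obligation as a share of all traffic that crossed the boundary."""
    total = len(ledger)
    out = {"total": total, "leaked": sum(e.leaked for e in ledger),
           "enforced_share": round(sum(e.action == "enforce" for e in ledger) / total, 2) if total else 0.0,
           "by_rule": {}}
    for rule in ("model-allowlist", "sensitive-data", "data-residency"):
        matched = [e for e in ledger if rule in e.rules]
        out["by_rule"][rule] = {"enforced": sum(e.action == "enforce" for e in matched),
                                "observed_only": sum(e.action == "observe" for e in matched)}
    return out


def verify_chain(ledger):
    """True only if every event still hashes to its digest and links to its predecessor."""
    prev = "0" * 64
    for e in ledger:
        body = asdict(e)
        digest = body.pop("digest")
        if e.prev_hash != prev or _digest(prev, body) != digest:
            return False
        prev = digest
    return True


def tamper(ledger, i, **changes):
    """Return a copy of the ledger with one record altered, to show the chain detects it."""
    return ledger[:i] + [replace(ledger[i], **changes)] + ledger[i + 1:]


REQUESTS = [  # constructed sample traffic: two humans, one agent fleet
    {"principal": "user:alice", "model": "gpt-4o", "region": "eu-west-1", "prompt": "Summarise this ticket"},
    {"principal": "agent:ledger-bot", "model": "gpt-4o", "region": "us-east-1",
     "prompt": "Email carol@example.com the refund"},
    {"principal": "agent:ledger-bot", "model": "llama-3-local", "region": "eu-west-1",
     "prompt": "Use key sk-AbCdEfGhIjKlMnOpQrSt"},
    {"principal": "user:bob", "model": "claude-3-5-sonnet", "region": "eu-central-1", "prompt": "Draft the board minutes"},
]


def demo():
    """Same traffic twice: first with the guardrail merely configured, then enforced."""
    audit, ledger = [], []
    for r in REQUESTS:
        inspect(r, "log_only", ledger)
    q1 = coverage(ledger)                   # enforced_share 0.0, leaked 2
    audit.append({"actor": "user:ciso", "ts": "2026-04-01T09:00:00Z",
                  "before": {"mode": "log_only"}, "after": {"mode": "enforce"}})
    for r in REQUESTS:
        inspect(r, "enforce", ledger)
    q2 = coverage(ledger[4:])               # enforced_share 0.5, leaked 0
    return q1, q2, audit, ledger


if __name__ == "__main__":
    q1, q2, audit, ledger = demo()
    print(json.dumps({"log_only": q1, "enforce": q2, "audit": audit}, indent=2))
    print("chain intact:", verify_chain(ledger))
```

The point to notice is that both quarters have the same configuration on paper (the guardrail exists in both), but only the second has a non-zero enforced share and a zero leak count, because the number is read from the events, not from the policy. Changing the policy appends an audit entry and new events; it does not alter the first four records, and `verify_chain` fails on any copy in which one of them is edited after the fact.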

ISO/IEC 42001

Mapped to the standard your auditor names.

Whatever your assessors use, SOC 2, NIST AI RMF, HIPAA or ISO/IEC 42001, the evidence ritual today is manual screenshots in a spreadsheet, stale the moment they're written. For the controls where Vidai is the system of record, that ritual is obsolete. See the full ISO 42001 mapping →

4 controls: we are the record
5 controls: we hand you the primitive
29 controls: your process, and we say so

The proof

Hand the auditor evidence, not assertions.

Pick any number and the record behind it is real, per-request and frozen. There is no "trust us" step.

Request Logs. Every enforcement event as an inspectable record: the principal, the requested versus served model, the rule that fired, the guardrail outcome. Filterable and exportable.
Audit Log. Every change to a compliance control recorded with the actor, the before and after, and the timestamp. Who tightened the policy, when, and what it was before.
The record is immutable. Coverage reads from the per-request record frozen at write time. Change a policy tomorrow and last quarter's evidence stays exactly as it was.
We won't dress up a manual extract. A one-click, tamper-evident assessor pack is on the roadmap. Today the evidence data is real, complete and exportable, but a manual export is not an attested one, and we say so.

What you need to run it

The enforcement is everywhere. The proof layer is Enterprise.

Vidai's enforcement (guardrails, routing and deny rules) runs on every edition. The compliance proof layer (the obligation rail, per-rule attribution, the ISO 42001 evidence map and ML guardrails) is the Enterprise tier. See pricing.

Walk the auditor through it.

A 20-minute walkthrough: the obligation rail, the per-request record behind any number, and how the evidence maps to the regimes you answer to.