VerdifaX

EU AI Act, Article 13

Article 13 of the EU AI Act requires high-risk AI systems to be designed for transparency and to be accompanied by instructions for use; the companion obligation to record events automatically over the system's lifetime is Article 12 (record-keeping). This page maps Verdifax's manifest hash to the specific obligations.

What Article 13 actually says

The Article requires that high-risk AI systems be designed and developed so that:

  • Their operation is sufficiently transparent to enable deployers to interpret outputs and use them appropriately.
  • They are accompanied by instructions for use that include the system's intended purpose, capabilities, level of accuracy and performance, and known or foreseeable limitations.
  • Automatic logging over the system's lifetime is the neighbouring Article 12 obligation: the logs must provide traceability and facilitate the post-market monitoring referred to in Article 72.

The post-market monitoring requirement is where the audit-trail integrity question lands. A regulator must be able to take a recorded event and confirm that the record has not been altered since it was written.

Where Verdifax fits

Verdifax does not write the instructions for use. It does not interpret model output. It does not claim to satisfy Article 13 in its entirety — that's a system-level obligation that includes documentation, performance reporting, and governance.

What Verdifax does provide is the integrity layer that turns whatever logs your system produces into something a regulator can independently verify. Specifically:

Article 12/13 requirement           | Verdifax contribution
------------------------------------|-----------------------------------------------------------------------------
Automatic event logs                | Every model invocation is sealed by manifest hash
Tamper-evident records              | The hash collapses 18 sealed fields under SHA-256; any modification invalidates it
Reproducibility for post-market review | Re-running the same inputs produces the same hash byte-for-byte
Independent verification            | The hash can be checked by anyone with the inputs, without trusting the operator
Hardware-anchored attestation       | Stage 5 binds the run to a TPM2 or AMD SEV-SNP measurement

Sample audit response

When an EU AI Act regulator requests evidence that a specific decision was made by your AI system, your response can be:

  1. The original input (or its hash, if PII is at issue)
  2. The Verdifax manifest hash for that decision
  3. Optional: the generated PDF audit report from /runs/{id}/report.pdf, which includes the regulatory mapping section

The regulator re-derives the hash from the disclosed inputs and confirms it matches what was recorded; no trust in the operator is needed for that step. A match proves that the record corresponds to those inputs and has not been altered since it was sealed. It does not by itself prove on what platform the run occurred; that is what the hardware-anchored attestation in the table above adds.
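The following is an added illustration of the sealing and re-derivation described in the table and in the audit-response steps above; it is not Verdifax's own code. The page does not list the 18 sealed fields, so the field set, the canonical encoding (sorted-key JSON, no whitespace, UTF-8) and the sample run are assumptions made here for demonstration. The example also shows two properties the text relies on: a record whose input is disclosed only as a hash still verifies, and a record with a field altered, dropped or added no longer matches.

```python
"""Hash-sealed audit record: canonicalise a fixed set of manifest fields,
seal them under SHA-256, and let a third party re-derive the hash.

Added example for this page, not Verdifax's code. The field names and
the encoding are assumptions; the real manifest's 18 fields are not
listed on the page."""
import hashlib
import hmac
import json

# Assumed sealed-field set (hypothetical). Sealing a fixed, versioned list
# means a field cannot be dropped or added without changing the hash.
SEALED_FIELDS = frozenset({
    "schema_version", "run_id", "model_id", "model_sha256",
    "input_sha256", "output_sha256", "timestamp_utc", "operator_id",
})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonicalize(manifest: dict) -> bytes:
    """Deterministic byte encoding: exactly the sealed fields, sorted keys,
    no whitespace, UTF-8. A missing or extra field is an error rather than
    being silently ignored, so both parties hash the same data or fail."""
    present = set(manifest)
    missing = SEALED_FIELDS - present
    extra = present - SEALED_FIELDS
    if missing or extra:
        raise ValueError(
            f"sealed-field mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def manifest_hash(manifest: dict) -> str:
    """The value the operator records at run time."""
    return sha256_hex(canonicalize(manifest))


def build_manifest(run_id: str, model_id: str, model_bytes: bytes,
                   raw_input: bytes, raw_output: bytes,
                   timestamp_utc: str, operator_id: str) -> dict:
    """Seal input and output by hash only, so the record can be disclosed
    to a regulator without handing over the underlying (possibly personal)
    data; the regulator needs only the hash to re-derive the manifest hash."""
    return {
        "schema_version": 1,
        "run_id": run_id,
        "model_id": model_id,
        "model_sha256": sha256_hex(model_bytes),
        "input_sha256": sha256_hex(raw_input),
        "output_sha256": sha256_hex(raw_output),
        "timestamp_utc": timestamp_utc,
        "operator_id": operator_id,
    }


def verify(manifest: dict, recorded_hash: str) -> bool:
    """What the regulator runs: re-derive from the disclosed manifest and
    compare with the recorded value. Structural mismatches are a failure,
    not an exception, so a malformed disclosure cannot pass by accident."""
    try:
        derived = manifest_hash(manifest)
    except ValueError:
        return False
    return hmac.compare_digest(derived, recorded_hash)


# Constructed sample run (made up for this example, not real data).
SAMPLE = build_manifest(
    run_id="run-0001", model_id="credit-scorer", model_bytes=b"\x00weights\x01",
    raw_input=b'{"applicant":"A. Example","income":42000}',
    raw_output=b'{"decision":"deny","score":0.31}',
    timestamp_utc="2025-01-15T10:02:07Z", operator_id="op-7",
)
SAMPLE_HASH = manifest_hash(SAMPLE)


def demo() -> None:
    print("recorded:", SAMPLE_HASH)
    print("regulator re-derivation matches:", verify(SAMPLE, SAMPLE_HASH))
    # Same fields in a different order must hash identically (reproducibility).
    reordered = dict(reversed(list(SAMPLE.items())))
    print("order-independent:", manifest_hash(reordered) == SAMPLE_HASH)
    # Rewriting the outcome after the fact invalidates the hash (tamper evidence).
    tampered = dict(SAMPLE, output_sha256=sha256_hex(b'{"decision":"approve","score":0.31}'))
    print("tampered record verifies:", verify(tampered, SAMPLE_HASH))


if __name__ == "__main__":
    demo()
```

The two checks worth keeping in mind when designing such a record: the canonical encoding must be fixed and versioned (a change in JSON serialiser defaults would otherwise break reproducibility across parties), and the verifier must reject a manifest with extra or missing fields rather than hashing whatever it is given.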

What this does not cover

  • Annex IV technical documentation — Verdifax does not generate this. Your governance team writes it.
  • Conformity assessment — Verdifax is one component, not a full assessment.
  • Risk management system (Article 9) — separate obligation.
  • Data governance (Article 10) — Verdifax does not see training data.
  • Human oversight (Article 14) — Verdifax records what happened; it doesn't enforce who was reviewing.
