EU AI Act Article 15 documentation.
Article 15 of the EU AI Act requires high-risk AI systems to achieve appropriate levels of accuracy, robustness, and cybersecurity — and to document the measurements that support those claims. Sectum AI produces tamper-evident, control-mapped evidence of the robustness and cybersecurity measurements for the multi-tenant-isolation portion of your system.
Start an engagement See engagements
What Article 15 asks for, and what Sectum AI supplies
Robustness measurements
Article 15 requires high-risk systems to be resilient against errors, faults, and inconsistencies. Sectum AI measures cross-tenant robustness with adversarial and benign probes — Class 2 (Retrieval-Pivot Rate), Class 3 (RAG poisoning), Class 10 (IKEA extraction) — each producing quantitative findings documented in the evidence pack.
Cybersecurity measurements
Article 15 requires high-risk systems to be resilient against attempts by unauthorised third parties to alter use or performance. Sectum AI measures cross-tenant cybersecurity with Class 1 (direct boundary), Class 5 (KV-cache timing), Class 7 (MCP confused-deputy / token-passthrough) — documented per surface in the evidence pack.
Tamper-evident documentation
Article 12 requires logs that are accurate, timestamped, and protected against modification. The Sectum AI evidence pack is RFC 3161 timestamped, optionally Sigstore Rekor-logged, in-toto wrapped, and SHA-256 anchored — tamper-evident by construction.
Independently verifiable
Article 13 requires high-risk systems to be transparent enough for
downstream users to understand. Anyone with pip install
sectum-ai runs sectum-ai verify against the pack
and validates the chain end-to-end without trusting us. The
verifier is open source.
How it fits into your technical documentation
Annex IV of the EU AI Act lists the technical documentation a provider must keep. Sectum AI's evidence pack maps to:
- Annex IV §2(c) — description of relevant assumptions, intended foreseeable uses, and reasonably foreseeable misuse: the substrate scenario documents the foreseeable cross-tenant misuse cases tested.
- Annex IV §2(g) — performance metrics: the run.json records the per-probe and aggregate metrics quantitatively.
- Annex IV §3 — monitoring, functioning and control: the baseline engine records regression detection across runs.
- Annex IV §6 — risk management system: findings carry mapped control IDs (OWASP LLM08, NIST AI RMF MEASURE 2.7) so each lands in the appropriate risk register.
What we attest, what we don't
Sectum AI provides the multi-tenant isolation portion of your Article 15 documentation. We do not assess accuracy of your underlying AI outputs, performance under normal use, or any other Article 15 dimension outside cross-tenant robustness and cybersecurity. The control mappings on the pack are assertions of test coverage, not legal certification — your legal counsel interprets compliance.
Sectum AI is not an AI Act readiness platform. We do not maintain your conformity assessment, your risk-management documentation, or your post-market monitoring system. We produce one piece of evidence that plugs into one specific corner of your technical documentation.
Engagement
Article 15 documentation is typically delivered through the SOC 2 Tenant Isolation Evidence Pack, the Trust Evidence Pack, or a custom engagement — the deliverable shape is the same, the cover-page framing changes. Scoped per engagement; start an engagement for a quote.
For continuous Article 15 evidence across multiple high-risk AI systems, see the Continuous tiers.