ae-platform / module-09 · governance layer · 2026
EU AI Act · High-Risk GDPR Art. 22 Read-only · IAM enforced
Module 09  ·  Governance Layer  ·  The Autonomous Enterprise Platform  ·  2026

Compliance Command Centre: One Posture
Across Nine Regulatory Frameworks

89%
master compliance score
8 frameworks green · 1 amber · 0 red
11
active HITL checkpoints
across six modules · 98.7% coverage (30d)
1
P1 incident open
Art. 9 post-market log overdue · M-04
Abstract

The Autonomous Enterprise Platform deploys nine AI systems across four process pillars — Quote-to-Cash, Procure-to-Pay, Finance Operations, and Supply Chain — each carrying distinct obligations under the EU AI Act, GDPR, FDA SaMD regulation, ISO 13485, and EU CSRD. No single stakeholder can hold all nine compliance postures in their head, and no individual module dashboard is built to prove a regulatory record under audit.

The Compliance Command Centre is the governance layer that aggregates posture across all nine frameworks into one master score, refreshed every fifteen minutes from BigQuery materialised views. It is deliberately read-only: the module has no write path to Firestore, SAP, or Salesforce, enforced at the IAM layer rather than by convention. Its purpose is not operational — it is evidentiary. When a regulator asks for proof that an AI system was overseen, explained, and governed, this is the module that answers.

EU AI Act 2024/1689 GDPR Art. 22 ISO 13485:2016 FDA 21 CFR 820 EU CSRD / ESRS E1 ASC 606 · IFRS 15 ISO 27001 · DORA HITL audit SHAP / XAI read-only architecture

§1 Overall Compliance Posture

Aggregate compliance health is refreshed every fifteen minutes from BigQuery materialised views across all Autonomous Enterprise modules. As of the current refresh, one framework sits in amber: the EU AI Act Art. 9 post-market monitoring log for FinRisk Sentinel (M-04) is six days overdue. All other frameworks are green. No framework is currently red.

⚠ P1 Open
EU AI Act Art. 9 — FinRisk Sentinel (M-04): the post-market monitoring log was due 07 April 2026 and is now six days overdue. Assigned to the CFO office for immediate remediation. Regulator notification may become required under Art. 62 if the log is not filed within fourteen days of the original deadline.
Master Compliance Score
89%
Compliant
Refreshed: 13 Apr 2026 · 09:42 UTC
8 green
1 amber
0 red
EU AI Act
Art. 6, 9, 13, 14, 17 · Annex III
High-risk obligations · Aug 2026
81% · Art. 9 risk log overdue (M-04)
GDPR
Art. 22 automated decisions
Data residency · VPC-SC europe-west3
97% · 2 pending SAR reviews within SLA
ISO 13485:2016
QMS · M-05 Asset IQ
SaMD risk management
100% · surveillance audit: Jun 2026
FDA 21 CFR 820
SaMD · M-05 Asset IQ
Design History File current
94% · DHF & software validation current
EU CSRD / ESRS E1
Scope 1–3 · M-06 GreenOps
Carbon Footprint API
100% · Q1 2026 ESRS E1 filed
ASC 606 / IFRS 15
RevRec AI · M-03
HITL-04/05/09 all approved
99% · 1 pending Finance Controller review
ISO 27001
ISMS · VPC-SC · CMEK · BeyondCorp
Cloud Armor · Workload Identity
100% · cert. valid to Dec 2026
EU DORA
ICT resilience · Chaos Engineering
GKE Autopilot · Cloud Run
91% · Q2 resilience test scheduled
EU MDR 2017/745
Medical Device Regulation
M-05 Asset IQ · CE mark
96% · CE mark current · EUDAMED filed

§2 AI System Risk Register

All AI systems are classified per EU AI Act Art. 6 and Annex III. High-risk systems require a completed conformity assessment, current technical documentation, an operational HITL mechanism, and an active post-market monitoring plan before commercial deployment. Art. 9 mandates a continuous risk management system — not a one-time assessment.

Figure 1
Annex III risk classification across all nine AE platform AI systems
AI System Module Pillar Risk Tier Conformity Tech Docs HITL Post-Market Mon. Basis
CCAI Sales Agent M-01 Quote-to-Cash Limited ✓ Complete ✓ Current ✓ HITL-01 Turn-11 ✓ Active Art. 52 transparency · chatbot
ContractGuard (XGBoost) M-02 Quote-to-Cash High ✓ Complete ✓ Current ✓ HITL-02/03 ✓ Active Annex III §5b — legal document AI
ContractGuard (Gemini 1.5 Pro) M-02 Quote-to-Cash High ✓ Complete ✓ Current ✓ HITL-02/03 ✓ Active Art. 53 GPAI + Annex III §5b
RevRec AI (XGBoost) M-03 Finance High ✓ Complete ✓ Current ✓ HITL-04/05/09 ✓ Active Annex III §5a — creditworthiness AI
FinRisk Sentinel (Isolation Forest) M-04 Finance High ✓ Complete ✓ Current ✓ HITL-08 Dual ⚠ Log overdue Annex III §5b — anomaly detection
Asset IQ (RUL Regression) M-05 Supply Chain High ✓ Complete ✓ Current ✓ HITL-06/07 ✓ Active Annex III §2a — medical device SaMD
Asset IQ (Isolation Forest) M-05 Supply Chain High ✓ Complete ✓ Current ✓ HITL-06/07 ✓ Active Annex III §2a — medical device SaMD
GreenOps Scheduler M-06 Supply Chain Minimal ✓ Complete ✓ Current No HITL required ✓ Active CSRD obligation only
Data Governance (TFX Validate) M-08 All Pillars Minimal ✓ Complete ✓ Current Steward reinstatement ✓ Active Art. 17 quality management system

§3 HITL Audit Coverage

EU AI Act Art. 14 mandates effective human oversight for all high-risk AI systems. Eleven HITL checkpoints are active across six modules. Design Principle #1: the SHAP explanation is committed to BigQuery before a HITL record is created, so the audit trail is structurally immutable — not policy-immutable. The SAP write guard (ADR-004) enforces the same pattern: a consequential action is architecturally unreachable without a committed HITL approval record.

HITL Coverage (30d)
98.7%
↑ 0.3pp vs prior 30 days
Checkpoints Active
11
Across M-01, 02, 03, 04, 05, 09
SLA Breaches (30d)
2
↑ 1 vs prior period · M-02, M-04
Avg Review Time
4.2h
↓ 0.8h improvement
Figure 2
All eleven HITL checkpoints, coverage rate, and SLA performance over the trailing 30 days
Checkpoint Module Article Basis Coverage (30d) Avg Review SLA Status (24h) Bypasses SHAP Pre-commit
HITL-01 · Turn-11 escalation M-01 Art. 14 §4
100%
2.1h ✓ 0 breaches 0 ✓ Committed
HITL-02 · Contract risk flag M-02 Art. 14 §4
99%
3.4h ✓ 0 breaches 0 ✓ Committed
HITL-03 · Legal counter-position M-02 Art. 14 §4
100%
5.2h ⚠ 1 breach (28 Mar) 0 ✓ Committed
HITL-04 · Revenue classification M-03 Art. 14 §4
99%
3.8h ✓ 0 breaches 0 ✓ Committed
HITL-05 · SAP journal post approval M-03 Art. 14 §4 + ASC 606
100%
2.9h ✓ 0 breaches 0 ✓ Committed
HITL-08 · Anomaly dual-reviewer M-04 Art. 14 §5 (dual)
96%
6.7h ✗ 1 breach (4 Apr, 29.4h) 3 ✓ Committed
HITL-06 · RUL maintenance gate M-05 Art. 14 §4 + ISO 13485
100%
1.9h ✓ 0 breaches 0 ✓ Committed
HITL-07 · Parts dispatch approval M-05 Art. 14 §4 + ISO 13485
100%
2.4h ✓ 0 breaches 0 ✓ Committed
HITL-09 · Bulk revenue batch approval M-03 Art. 14 §4 + ASC 606
100%
4.1h ✓ 0 breaches 0 ✓ Committed

§4 XAI / Explainability Compliance

EU AI Act Art. 13 §3 requires that operators of high-risk AI systems provide meaningful information about the logic, significance, and intended consequences of outputs. ADR-005 mandates SHAP TreeExplainer over LIME: deterministic, auditable, and structurally compatible with Firestore immutability. FinRisk Sentinel shows feature drift on payment_velocity_7d — currently under active review.

XGBoost · ContractGuard
M-02 · Quote-to-Cash · Annex III §5b
Explanation coverage (30d)100%
Top feature stabilityStable
Art. 13 §3 status✓ Met
SHAP Stable
Gemini 1.5 Pro 1M · ContractGuard
M-02 · Quote-to-Cash · Art. 53 GPAI
Grounding citation rate100%
Grounding stabilityStable
Hallucination rate (30d)0.00%
Grounding Stable
XGBoost · RevRec AI
M-03 · Finance · Annex III §5a
Explanation coverage (30d)99.6%
Top feature stabilityStable
SHAP determinism (ADR-005)✓ TreeExplainer
SHAP Stable
Isolation Forest · FinRisk Sentinel
M-04 · Finance · Annex III §5b
Explanation coverage (30d)94.1%
Top feature stability⚠ Drift alert
Drifted featurepayment_velocity_7d
Drift Detected
RUL Regression · Asset IQ
M-05 · Supply Chain · Annex III §2a
Explanation coverage (30d)100%
Top feature stabilityStable
ISO 13485 XAI req.✓ DHF logged
SHAP Stable
Isolation Forest · Asset IQ
M-05 · Supply Chain · Annex III §2a
Explanation coverage (30d)100%
Top feature stabilityStable
ISO 13485 XAI req.✓ DHF logged
SHAP Stable

§5 GDPR & Data Rights

GDPR Art. 22 prohibits solely automated decisions with significant legal or financial effects without human review. All eleven HITL checkpoints satisfy this requirement architecturally — the SAP write guard means a journal entry is structurally unreachable without a committed human approval record. Data residency is enforced by VPC-SC perimeter lock to europe-west3. All datasets at rest are CMEK-encrypted (ADR-007).

Open SAR Requests
2
Within 30-day SLA · due 30 Apr
Art. 22 Opt-Out Flags
0
All decisions HITL-reviewed
Quarantine Records (M-08)
14
Pending data steward review
VPC-SC Perimeter
Active
europe-west3 · cross-region blocked
Data Residency & Infrastructure Controls
BigQuery data locationeurope-west3 ✓
CMEK encryption at restAll datasets ✓
Firestore audit exportReal-time to BQ ✓
Cross-region API callsVPC-SC blocked ✓
Workload Identity FederationActive (all services) ✓
BeyondCorp zero-trustEnforced ✓
Cloud Armor WAF (ADR-014)Active ✓
Consent, Rights & Obligations
Consent records current100% ✓
Right to erasure requests0 open ✓
DPIA filed (M-04, M-05)Apr 2026 ✓
Google DPA (data processor)Current ✓
BQ data retention lifecyclePolicy enforced ✓
Right to explanation (Art. 22)SHAP log available ✓
DPO notification logCurrent ✓

§6 Regulatory Obligation Calendar

Upcoming regulatory deadlines, certification renewals, and audit windows across all applicable frameworks, ordered by urgency. Red items require immediate C-suite action. The EU AI Act high-risk obligation deadline of August 2026 is the platform's primary forcing function, per ADR-016.

07 Apr 20266 days overdue
EU AI Act Art. 9 — FinRisk Sentinel (M-04) post-market monitoring log overdue
Art. 9 requires a continuous risk management system including periodic post-market monitoring reports. The log for M-04 was due 07 Apr 2026 and is now 6 days overdue. CFO office must file immediately. If not resolved within 14 days of deadline, proactive notification to the relevant national supervisory authority may be required under Art. 62.
Overdue · P1
30 Apr 202617 days remaining
GDPR Art. 12 — Subject Access Request deadline (2 open SARs)
Two SARs received 31 Mar 2026. The 30-day statutory response deadline is 30 Apr 2026. Data Steward to review 14 quarantine records in M-08 and confirm no personal data is held beyond retention policy. Legal must approve the response template before dispatch.
Due 30 Apr
01 Aug 2026109 days remaining
EU AI Act — High-Risk system obligations fully enforceable (Art. 9–17 for M-02, M-03, M-04, M-05)
From 1 Aug 2026, all four high-risk AI systems must have: completed conformity assessment; registration in the EU AI Act database; operational HITL with immutable audit trail; active post-market monitoring plan; designated responsible person under Art. 25. ClaraVis H-1 is compliant on all fronts except the M-04 post-market log. ADR-016 phased adoption was designed explicitly around this deadline.
109 Days
15 Jun 202663 days remaining
ISO 13485:2016 Surveillance Audit — Asset IQ (M-05) · TÜV SÜD
Annual surveillance audit for ISO 13485:2016 QMS certification covering M-05 Asset IQ as SaMD. Design History File, risk management file (ISO 14971), software validation records, and post-market surveillance data must be current. The GCP infrastructure evidence package (Vertex AI Pipelines, Feature Store lineage, Firestore audit trail) must be prepared for auditor review.
Scheduled
30 Jun 202678 days remaining
EU CSRD / ESRS E1 — Q2 2026 Scope 3 Emissions Report
GreenOps Platform (M-06) to generate the Carbon Footprint API report for Q2 2026. ESRS E1 requires Scope 3 Category 11 (downstream use of sold products) for 12,000+ installed MRI/CT units across 34 countries. The hard-deadline bypass rule (Design Principle #4) ensures GreenOps batch jobs are never deferred by carbon scheduling.
Scheduled
30 Sep 2026170 days remaining
FDA 21 CFR 820 — Annual Design History File Review (M-05 Asset IQ)
Annual DHF review for SaMD classification. Software validation evidence, anomaly detection performance metrics, and HITL-06/07 audit records to be compiled. Vertex AI Pipelines model registry export is required, along with evidence that no changes have been made without a corresponding software change order.
170 Days
31 Dec 2026261 days remaining
ISO 27001:2022 Certification Renewal — ISMS
ISMS certification expires Dec 2026. Recertification audit to be scheduled Q3 2026. Evidence package: Cloud Armor WAF logs, VPC-SC audit logs, BeyondCorp access records, CMEK key rotation history, Workload Identity Federation configuration, IAM least-privilege review, Chaos Engineering test results, and Security Command Centre findings resolution log.
261 Days

§7 Compliance Incident & Breach Log

All HITL bypasses, model drift alerts, SLA breaches, policy violations, and data quarantine events are recorded here. Records are written to Firestore with real-time export to BigQuery (europe-west3). Immutability is structural — Firestore documents are append-only; no update path exists for committed audit records. This satisfies EU AI Act Art. 12 (record-keeping) and Art. 17 (quality management system).

Figure 3
Append-only incident log, most recent entries first
Timestamp (UTC) Incident Description Module Framework / Article Severity Resolution
07 Apr 2026 14:22 Art. 9 post-market monitoring log not filed by deadline. M-04 FinRisk Sentinel risk management system log overdue by 6 days. M-04 EU AI Act Art. 9 P1 Open
04 Apr 2026 09:11 HITL-08 SLA breach. Dual-reviewer timeout at 29.4h (SLA: 24h). CFO reviewer was primary; backup reviewer not auto-assigned on absence trigger. M-04 EU AI Act Art. 14 §5 P2 In Review
01 Apr 2026 16:40 FinRisk Sentinel SHAP feature drift detected. Feature payment_velocity_7d SHAP importance shifted >20% from baseline over a 14-day window. Art. 13 transparency obligation under review. M-04 EU AI Act Art. 13 §3 P2 In Review
28 Mar 2026 11:05 HITL-03 SLA breach (26.8h). Legal reviewer OOO; backup reviewer not assigned in Firestore escalation config. Resolution: backup reviewer policy updated, config redeployed. M-02 EU AI Act Art. 14 §4 P2 Resolved
22 Mar 2026 08:30 14 telemetry records quarantined by M-08 Data Governance (TFX Validate). Schema violation: vibration_rms_hz out-of-range float. Records preserved per Design Principle #3 (quarantine-then-review). ISO 13485 §7.5 — product preservation. M-08 ISO 13485 §7.5 P3 In Review
15 Mar 2026 14:00 M-01 HITL-01 bypass logged in test environment. Traffic confirmed as non-production load testing. Firestore audit record created; flagged for compliance team review as procedure requires bypass justification even in test. M-01 EU AI Act Art. 14 §4 P3 Resolved
02 Mar 2026 10:15 GreenOps (M-06) attempted to defer RUL batch job for carbon optimisation. Hard-deadline bypass rule triggered — job executed at the scheduled time. Design Principle #4 confirmed effective. No compliance impact; logged for evidence. M-06 Design Principle #4 · ISO 13485 P3 Resolved

§8 Architecture Decision Records

Four ADRs were made specifically to satisfy EU AI Act and GDPR obligations. These are not preferences — they are regulatory requirements crystallised into irreversible architectural choices. A future team cannot change these decisions without reopening a regulatory compliance gap.

ADR-017 Compliance Command Centre is read-only Accepted · Apr 2026

The Compliance Command Centre reads from BigQuery materialised views across all modules. It has no write path to Firestore, SAP, Salesforce, or any operational system. This is an architectural constraint, not a UI convention. A compliance dashboard that could modify the audit trail it is reporting on would destroy the evidentiary value of that trail under EU AI Act Art. 12 and ISO 13485 §4.2.5. The read-only constraint is enforced at the IAM layer: the service account for M-09 has BigQuery Data Viewer only — no Editor, no Writer, no Admin.

Alternatives considered: (1) Allow compliance officers to add annotations to incidents — rejected because annotations could be used to obfuscate original entries. (2) Allow bulk export to PDF — accepted as a read-only operation, not a write to the audit trail.

ADR-005 SHAP over LIME for the XAI layer Accepted · Foundation

EU AI Act Art. 13 §3(b) requires that explanations enable meaningful human oversight. LIME produces approximation-based explanations that are non-deterministic: running the same explanation twice can produce different output. This means a LIME explanation logged at HITL checkpoint time cannot be verified retroactively by a regulator — it cannot be reproduced. SHAP TreeExplainer is deterministic: the same input always produces the same SHAP values. The immutability guarantee of Firestore only has regulatory value if the explanation logged there can be reproduced and verified. LIME breaks that guarantee.

ADR-004 Firestore for agent state and HITL audit Accepted · Foundation

EU AI Act Art. 12 requires that high-risk AI system providers keep logs automatically generated by the system for a period of at least 6 months. The document model of Firestore maps natively to HITL event records, and no HITL record is ever deleted or updated — only new documents are appended. The BigQuery export pipeline (Firestore → Pub/Sub → Dataflow → BigQuery) produces an immutable secondary copy suitable for regulatory audit and SHAP replay. Redis — the rejected alternative — is an in-memory store with no durability guarantees and no native BigQuery export; it is architecturally incompatible with Art. 12.

ADR-016 Phased adoption over big-bang deployment Accepted · Foundation

The EU AI Act's phased enforcement timeline — prohibited practices Feb 2025, GPAI obligations Aug 2025, high-risk system obligations Aug 2026 — is the primary scheduling constraint for the AE Platform's deployment horizons H1, H2, H3. H1 modules (Data Governance, foundational infrastructure) must be live before H2 high-risk modules can be legally deployed. A big-bang deployment of all modules simultaneously would create a period where high-risk systems are operational before the HITL audit infrastructure is in place — an immediate regulatory violation. ADR-016 prevents this by making H1 completion a hard dependency for H2 go-live approval.

§9 Stakeholder Rebuttals

Four objections raised during the governance layer design review. Each rebuttal is grounded in regulatory text, architecture evidence, or commercial precedent — not opinion.

CAIO — Chief AI Officer
Do we really need a ninth governance module? The Strategy Dashboard already shows compliance posture.
"M-07 Strategy Dashboard already has a compliance panel. Isn't M-09 duplication?"
Architect Response
M-07 shows a single panel: a count of HITL checkpoints passing and a RAG status dot. It is a signal, not evidence. The EU AI Act Art. 12 record-keeping obligation requires that the AI provider be able to produce, on regulatory demand, the full audit trail — which human approved which decision, with what SHAP explanation, at what timestamp, with what SLA performance. M-07 cannot produce that. M-09 can. They serve fundamentally different consumers: M-07 is a C-suite signal dashboard; M-09 is a regulatory evidence platform.
Art. 12 §1: "Providers of high-risk AI systems shall ensure that those systems have the technical capability to automatically generate logs." M-07 reads logs. M-09 exposes them for audit.
CLO — Chief Legal Officer
We're not sure our EU AI Act risk classification is correct. What if regulators disagree with our Annex III mapping?
"You've classified FinRisk Sentinel as High-Risk under §5b. Our legal team thinks it might be limited risk. Can we downgrade it?"
Architect Response
Annex III §5b covers AI systems used for creditworthiness assessment or credit scoring. FinRisk Sentinel analyses payment anomalies and flags transactions for CFO/Finance Controller review — it directly informs credit and payment risk decisions affecting the creditworthiness assessment of counterparties. The safer legal position is to classify conservatively and maintain the HITL plus post-market monitoring overhead than to classify as limited risk, reduce oversight, and face enforcement action post-Aug 2026. HITL-08 dual-reviewer adds 6.7 hours of review time; that is the cost of the conservative classification.
The EU AI Act's enforcement regime for misclassification of high-risk systems includes fines up to €30M or 6% of global annual turnover — whichever is higher. The cost of HITL-08 is negligible by comparison.
CFO — Chief Financial Officer
SHAP explanations for every HITL decision sounds expensive. What does this cost us in BigQuery storage and Vertex AI compute?
"How much does storing SHAP values for every single HITL decision actually cost at scale?"
Architect Response
A SHAP explanation for the XGBoost models (ContractGuard, RevRec AI) produces one float per feature per prediction. With 40–80 features per model and roughly 500 HITL decisions per month across all checkpoints, the monthly SHAP log volume is approximately 40,000 float values — under 2MB of BigQuery storage, costing less than €0.05/month. The Isolation Forest SHAP values for FinRisk are slightly larger (200 features) but remain under 10MB/month total. Vertex AI Pipelines compute for SHAP runs is included in the model inference cost, not billed separately. The compliance cost is immaterial relative to the regulatory fine exposure it eliminates.
Total estimated SHAP storage cost across all models at current ClaraVis HITL volumes: <€2/month. EU AI Act non-compliance fine ceiling for ClaraVis (€1.2B revenue): €72M. The ROI of this architecture decision does not require a spreadsheet.
CPO — Chief Privacy Officer
The GDPR Art. 22 right to explanation conflicts with our SHAP implementation. Can a SHAP value actually satisfy the Art. 22 obligation?
"Art. 22 says individuals must receive 'meaningful information about the logic involved.' Does a SHAP value satisfy that? Our customers won't understand feature importance scores."
Architect Response
SHAP values are not the Art. 22 explanation — they are the data that powers it. The HITL UI translates SHAP values into plain-language explanations before presenting them to human reviewers. When an individual exercises their Art. 22 right, they receive a natural-language summary generated from the SHAP output, not the raw float values. The SHAP log is the audit evidence that the explanation was grounded in the model's actual computation — not a post-hoc rationalisation. This is the critical distinction: many Art. 22 obligations are satisfied by narratives with no computational basis. The AE platform's Art. 22 response is verifiable against the model's actual decision logic — a stronger compliance posture than industry standard, not a weaker one.
WP29 Guidelines on Automated Decision-Making (2018) confirm that "meaningful information about the logic involved" does not require mathematical precision for data subjects — but it must be grounded in the actual algorithmic basis. SHAP provides that ground truth.

§10 Adjacent Modules