Compliance Command Centre: One Posture
Across Nine Regulatory Frameworks
8 frameworks green · 1 amber · 0 red
across six modules · 98.7% coverage (30d)
Art. 9 post-market log overdue · M-04
The Autonomous Enterprise Platform deploys nine AI systems across four process pillars — Quote-to-Cash, Procure-to-Pay, Finance Operations, and Supply Chain — each carrying distinct obligations under the EU AI Act, GDPR, FDA SaMD regulation, ISO 13485, and EU CSRD. No single stakeholder can hold all nine compliance postures in their head, and no individual module dashboard is built to prove a regulatory record under audit.
The Compliance Command Centre is the governance layer that aggregates posture across all nine frameworks into one master score, refreshed every fifteen minutes from BigQuery materialised views. It is deliberately read-only: the module has no write path to Firestore, SAP, or Salesforce, enforced at the IAM layer rather than by convention. Its purpose is not operational — it is evidentiary. When a regulator asks for proof that an AI system was overseen, explained, and governed, this is the module that answers.
§1 Overall Compliance Posture
Aggregate compliance health is refreshed every fifteen minutes from BigQuery materialised views across all Autonomous Enterprise modules. As of the current refresh, one framework sits in amber: the EU AI Act Art. 9 post-market monitoring log for FinRisk Sentinel (M-04) is six days overdue. All other frameworks are green. No framework is currently red.
High-risk obligations · Aug 2026
Data residency · VPC-SC europe-west3
SaMD risk management
Design History File current
Carbon Footprint API
HITL-04/05/09 all approved
Cloud Armor · Workload Identity
GKE Autopilot · Cloud Run
M-05 Asset IQ · CE mark
§2 AI System Risk Register
All AI systems are classified per EU AI Act Art. 6 and Annex III. High-risk systems require a completed conformity assessment, current technical documentation, an operational HITL mechanism, and an active post-market monitoring plan before commercial deployment. Art. 9 mandates a continuous risk management system — not a one-time assessment.
| AI System | Module | Pillar | Risk Tier | Conformity | Tech Docs | HITL | Post-Market Mon. | Basis |
|---|---|---|---|---|---|---|---|---|
| CCAI Sales Agent | M-01 | Quote-to-Cash | Limited | ✓ Complete | ✓ Current | ✓ HITL-01 Turn-11 | ✓ Active | Art. 52 transparency · chatbot |
| ContractGuard (XGBoost) | M-02 | Quote-to-Cash | High | ✓ Complete | ✓ Current | ✓ HITL-02/03 | ✓ Active | Annex III §5b — legal document AI |
| ContractGuard (Gemini 1.5 Pro) | M-02 | Quote-to-Cash | High | ✓ Complete | ✓ Current | ✓ HITL-02/03 | ✓ Active | Art. 53 GPAI + Annex III §5b |
| RevRec AI (XGBoost) | M-03 | Finance | High | ✓ Complete | ✓ Current | ✓ HITL-04/05/09 | ✓ Active | Annex III §5a — creditworthiness AI |
| FinRisk Sentinel (Isolation Forest) | M-04 | Finance | High | ✓ Complete | ✓ Current | ✓ HITL-08 Dual | ⚠ Log overdue | Annex III §5b — anomaly detection |
| Asset IQ (RUL Regression) | M-05 | Supply Chain | High | ✓ Complete | ✓ Current | ✓ HITL-06/07 | ✓ Active | Annex III §2a — medical device SaMD |
| Asset IQ (Isolation Forest) | M-05 | Supply Chain | High | ✓ Complete | ✓ Current | ✓ HITL-06/07 | ✓ Active | Annex III §2a — medical device SaMD |
| GreenOps Scheduler | M-06 | Supply Chain | Minimal | ✓ Complete | ✓ Current | No HITL required | ✓ Active | CSRD obligation only |
| Data Governance (TFX Validate) | M-08 | All Pillars | Minimal | ✓ Complete | ✓ Current | Steward reinstatement | ✓ Active | Art. 17 quality management system |
§3 HITL Audit Coverage
EU AI Act Art. 14 mandates effective human oversight for all high-risk AI systems. Eleven HITL checkpoints are active across six modules. Design Principle #1: the SHAP explanation is committed to BigQuery before a HITL record is created, so the audit trail is structurally immutable — not policy-immutable. The SAP write guard (ADR-004) enforces the same pattern: a consequential action is architecturally unreachable without a committed HITL approval record.
| Checkpoint | Module | Article Basis | Coverage (30d) | Avg Review | SLA Status (24h) | Bypasses | SHAP Pre-commit |
|---|---|---|---|---|---|---|---|
| HITL-01 · Turn-11 escalation | M-01 | Art. 14 §4 | 100% |
2.1h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-02 · Contract risk flag | M-02 | Art. 14 §4 | 99% |
3.4h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-03 · Legal counter-position | M-02 | Art. 14 §4 | 100% |
5.2h | ⚠ 1 breach (28 Mar) | 0 | ✓ Committed |
| HITL-04 · Revenue classification | M-03 | Art. 14 §4 | 99% |
3.8h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-05 · SAP journal post approval | M-03 | Art. 14 §4 + ASC 606 | 100% |
2.9h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-08 · Anomaly dual-reviewer | M-04 | Art. 14 §5 (dual) | 96% |
6.7h | ✗ 1 breach (4 Apr, 29.4h) | 3 | ✓ Committed |
| HITL-06 · RUL maintenance gate | M-05 | Art. 14 §4 + ISO 13485 | 100% |
1.9h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-07 · Parts dispatch approval | M-05 | Art. 14 §4 + ISO 13485 | 100% |
2.4h | ✓ 0 breaches | 0 | ✓ Committed |
| HITL-09 · Bulk revenue batch approval | M-03 | Art. 14 §4 + ASC 606 | 100% |
4.1h | ✓ 0 breaches | 0 | ✓ Committed |
§4 XAI / Explainability Compliance
EU AI Act Art. 13 §3 requires that operators of high-risk AI systems provide meaningful information about the logic, significance, and intended consequences of outputs. ADR-005 mandates SHAP TreeExplainer over LIME: deterministic, auditable, and structurally compatible with Firestore immutability. FinRisk Sentinel shows feature drift on payment_velocity_7d — currently under active review.
§5 GDPR & Data Rights
GDPR Art. 22 prohibits solely automated decisions with significant legal or financial effects without human review. All eleven HITL checkpoints satisfy this requirement architecturally — the SAP write guard means a journal entry is structurally unreachable without a committed human approval record. Data residency is enforced by VPC-SC perimeter lock to europe-west3. All datasets at rest are CMEK-encrypted (ADR-007).
§6 Regulatory Obligation Calendar
Upcoming regulatory deadlines, certification renewals, and audit windows across all applicable frameworks, ordered by urgency. Red items require immediate C-suite action. The EU AI Act high-risk obligation deadline of August 2026 is the platform's primary forcing function, per ADR-016.
§7 Compliance Incident & Breach Log
All HITL bypasses, model drift alerts, SLA breaches, policy violations, and data quarantine events are recorded here. Records are written to Firestore with real-time export to BigQuery (europe-west3). Immutability is structural — Firestore documents are append-only; no update path exists for committed audit records. This satisfies EU AI Act Art. 12 (record-keeping) and Art. 17 (quality management system).
| Timestamp (UTC) | Incident Description | Module | Framework / Article | Severity | Resolution |
|---|---|---|---|---|---|
| 07 Apr 2026 14:22 | Art. 9 post-market monitoring log not filed by deadline. M-04 FinRisk Sentinel risk management system log overdue by 6 days. | M-04 | EU AI Act Art. 9 | P1 | Open |
| 04 Apr 2026 09:11 | HITL-08 SLA breach. Dual-reviewer timeout at 29.4h (SLA: 24h). CFO reviewer was primary; backup reviewer not auto-assigned on absence trigger. | M-04 | EU AI Act Art. 14 §5 | P2 | In Review |
| 01 Apr 2026 16:40 | FinRisk Sentinel SHAP feature drift detected. Feature payment_velocity_7d SHAP importance shifted >20% from baseline over a 14-day window. Art. 13 transparency obligation under review. |
M-04 | EU AI Act Art. 13 §3 | P2 | In Review |
| 28 Mar 2026 11:05 | HITL-03 SLA breach (26.8h). Legal reviewer OOO; backup reviewer not assigned in Firestore escalation config. Resolution: backup reviewer policy updated, config redeployed. | M-02 | EU AI Act Art. 14 §4 | P2 | Resolved |
| 22 Mar 2026 08:30 | 14 telemetry records quarantined by M-08 Data Governance (TFX Validate). Schema violation: vibration_rms_hz out-of-range float. Records preserved per Design Principle #3 (quarantine-then-review). ISO 13485 §7.5 — product preservation. |
M-08 | ISO 13485 §7.5 | P3 | In Review |
| 15 Mar 2026 14:00 | M-01 HITL-01 bypass logged in test environment. Traffic confirmed as non-production load testing. Firestore audit record created; flagged for compliance team review as procedure requires bypass justification even in test. | M-01 | EU AI Act Art. 14 §4 | P3 | Resolved |
| 02 Mar 2026 10:15 | GreenOps (M-06) attempted to defer RUL batch job for carbon optimisation. Hard-deadline bypass rule triggered — job executed at the scheduled time. Design Principle #4 confirmed effective. No compliance impact; logged for evidence. | M-06 | Design Principle #4 · ISO 13485 | P3 | Resolved |
§8 Architecture Decision Records
Four ADRs were made specifically to satisfy EU AI Act and GDPR obligations. These are not preferences — they are regulatory requirements crystallised into irreversible architectural choices. A future team cannot change these decisions without reopening a regulatory compliance gap.
The Compliance Command Centre reads from BigQuery materialised views across all modules. It has no write path to Firestore, SAP, Salesforce, or any operational system. This is an architectural constraint, not a UI convention. A compliance dashboard that could modify the audit trail it is reporting on would destroy the evidentiary value of that trail under EU AI Act Art. 12 and ISO 13485 §4.2.5. The read-only constraint is enforced at the IAM layer: the service account for M-09 has BigQuery Data Viewer only — no Editor, no Writer, no Admin.
Alternatives considered: (1) Allow compliance officers to add annotations to incidents — rejected because annotations could be used to obfuscate original entries. (2) Allow bulk export to PDF — accepted as a read-only operation, not a write to the audit trail.
EU AI Act Art. 13 §3(b) requires that explanations enable meaningful human oversight. LIME produces approximation-based explanations that are non-deterministic: running the same explanation twice can produce different output. This means a LIME explanation logged at HITL checkpoint time cannot be verified retroactively by a regulator — it cannot be reproduced. SHAP TreeExplainer is deterministic: the same input always produces the same SHAP values. The immutability guarantee of Firestore only has regulatory value if the explanation logged there can be reproduced and verified. LIME breaks that guarantee.
EU AI Act Art. 12 requires that high-risk AI system providers keep logs automatically generated by the system for a period of at least 6 months. The document model of Firestore maps natively to HITL event records, and no HITL record is ever deleted or updated — only new documents are appended. The BigQuery export pipeline (Firestore → Pub/Sub → Dataflow → BigQuery) produces an immutable secondary copy suitable for regulatory audit and SHAP replay. Redis — the rejected alternative — is an in-memory store with no durability guarantees and no native BigQuery export; it is architecturally incompatible with Art. 12.
The EU AI Act's phased enforcement timeline — prohibited practices Feb 2025, GPAI obligations Aug 2025, high-risk system obligations Aug 2026 — is the primary scheduling constraint for the AE Platform's deployment horizons H1, H2, H3. H1 modules (Data Governance, foundational infrastructure) must be live before H2 high-risk modules can be legally deployed. A big-bang deployment of all modules simultaneously would create a period where high-risk systems are operational before the HITL audit infrastructure is in place — an immediate regulatory violation. ADR-016 prevents this by making H1 completion a hard dependency for H2 go-live approval.
§9 Stakeholder Rebuttals
Four objections raised during the governance layer design review. Each rebuttal is grounded in regulatory text, architecture evidence, or commercial precedent — not opinion.