If you cannot prove compliance, you are not compliant.
EU AI Act Articles 9, 12, 13, 14, 17 · GDPR Art. 5(1)(c) · FDA 510(k) · NIST AI RMF — all mappable with one API call. Full audit trail. W3C Verifiable Credentials.
Want to know what Sgraal does not claim? Read the threat model — including the explicit non-certification disclosure.
Important — compliance evidence: /v1/check verdicts are not included in the audit trail and do not generate W3C Verifiable Credentials. For compliance-grade evidence (HIPAA, GDPR, EU AI Act, FDA 510(k), NIST AI RMF), use /v1/preflight, which produces full audit-log entries and signed W3C VCs per verdict. The /v1/check endpoint is suitable for experimentation and high-frequency agent gating only.
Without Sgraal
With Sgraal
EU AI Act non-compliance: up to €35M or 7% of global annual revenue.
Compliance profile evaluated on every preflight. Non-compliant + irreversible = Sgraal returns BLOCK.
SHA256 hash chain. request_id, omega, action_override_chain — all recorded. SIEM export: Splunk / Datadog / Elastic.
/v1/compliance/eu-ai-act/report — Article 9/12/13/14/17 evidence. Conformity declaration template.
Automated GDPR data minimization proof — cryptographically signed, court-admissible.
Sgraal computes the Minimum Viable Memory state for every agent action — the smallest set of memory entries that would yield the same decision — and signs it as a W3C Verifiable Credential.
Prove to your regulator that your AI agent operated with the minimum necessary personal data. Cryptographically signed by your tenant's PASSPORT_SIGNING_KEY. Court-admissible. Generates your Article 30 record fields — returned in the API response for you to archive in your own audit-log system (Sgraal issues the credential; it does not store it for you).
Sample credential
{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "MVMemCertificate2026"],
  "issuer": "did:sgraal:tenant_...",
  "issuanceDate": "2026-05-19T08:42:11Z",
  "credentialSubject": {
    "agentId": "agent_a47...",
    "requestId": "req_b8c...",
    "originalMemorySize": 47,
    "minimumViableSize": 12,
    "decisionPreserved": true,
    "gdprArticle": "5(1)(c)"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "jws": "eyJhbGc..."
  }
}
Anonymized sample. Your tenant produces identical-format certificates signed by your own key.
Try it
curl -X POST https://api.sgraal.com/v1/certify/mvmem \
  -H "Authorization: Bearer sg_live_..." \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "demo", "memory_state": [{"id": "m1", "content": "...", "type": "semantic"}]}'
Returns a signed MVMemCertificate2026 with the structure shown above. Response headers expose X-Sgraal-Original-Memory-Size, X-Sgraal-Minimum-Viable-Size, X-Sgraal-Decision-Preserved.
See a sample response
Pre-generated sample · No signup · HTTP 200 · POST /v1/certify/mvmem
{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "MVMemCertificate2026"],
  "issuer": "did:sgraal:tenant_demo",
  "issuanceDate": "2026-05-21T20:07:43.441557+00:00",
  "credentialSubject": {
    "agentId": "demo_agent",
    "requestId": "457b411b-a8ac-4d93-a59d-b629148b1c5e",
    "originalMemorySize": 47,
    "minimumViableSize": 12,
    "decisionPreserved": true,
    "gdprArticle": "5(1)(c)"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2026-05-21T20:07:43.441557+00:00",
    "verificationMethod": "did:sgraal:tenant_demo#key-1",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..FHT0szhLUdizD6evzdh9i7oNPejOYbG9e4O5IBsw7mKz6squXd_O58blbFz1FCuuUSxKuEj4vr36p09it1BeCA"
  }
}
Sample output — your tenant produces identical-format certificates signed by your own Ed25519 key.
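Because the credential is returned once and archiving is left to the integrator, a structural check before it goes into the audit store catches malformed or mismatched certificates early. The following is an added example, not Sgraal's code: it uses only the fields visible in the sample response, assumes the key id has the form `<issuer DID>#<fragment>` as in that sample, and does not verify the Ed25519 signature itself (that needs the tenant's public key and the credential's canonical form). The credential in `constructed_sample` is constructed, with a 64-zero-byte placeholder signature.

```python
import base64
import json

def _b64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def precheck_mvmem(vc: dict) -> list:
    """Structural pre-archive check; does NOT verify the Ed25519 signature."""
    problems = []
    if "MVMemCertificate2026" not in vc.get("type", []):
        problems.append("type is not MVMemCertificate2026")
    subj = vc.get("credentialSubject", {})
    orig, mv = subj.get("originalMemorySize"), subj.get("minimumViableSize")
    if not (isinstance(orig, int) and isinstance(mv, int) and 0 <= mv <= orig):
        problems.append("minimumViableSize outside 0..originalMemorySize")
    if subj.get("decisionPreserved") is not True:
        problems.append("decisionPreserved is not true")
    proof = vc.get("proof", {})
    if proof.get("type") != "Ed25519Signature2020":
        problems.append("unexpected proof type")
    # Assumption taken from the sample: the key id is "<issuer DID>#<fragment>".
    if proof.get("verificationMethod", "").split("#")[0] != vc.get("issuer"):
        problems.append("verificationMethod does not belong to issuer")
    parts = proof.get("jws", "").split(".")
    if len(parts) != 3 or parts[1] != "":
        return problems + ["jws is not detached (header..signature)"]
    try:
        header, sig = json.loads(_b64url(parts[0])), _b64url(parts[2])
    except ValueError:
        return problems + ["jws is not valid base64url JSON"]
    if not isinstance(header, dict) or header.get("alg") != "EdDSA":
        problems.append("jws alg is not EdDSA")
    if len(sig) != 64:
        problems.append("Ed25519 signature must be 64 bytes")
    return problems

def constructed_sample() -> dict:
    """Constructed credential in the page's format; signature is 64 zero bytes."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    hdr = json.dumps({"alg": "EdDSA", "b64": False, "crit": ["b64"]}).encode()
    return {
        "type": ["VerifiableCredential", "MVMemCertificate2026"],
        "issuer": "did:sgraal:tenant_demo",
        "credentialSubject": {"originalMemorySize": 47, "minimumViableSize": 12,
                              "decisionPreserved": True, "gdprArticle": "5(1)(c)"},
        "proof": {"type": "Ed25519Signature2020",
                  "verificationMethod": "did:sgraal:tenant_demo#key-1",
                  "jws": enc(hdr) + ".." + enc(bytes(64))},
    }
```

An empty list means the certificate is well-formed enough to archive; signature verification remains a separate step.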
4 built-in profiles: EU AI Act (Articles 9, 12, 13, 14, 17), GDPR, FDA 510(k), HIPAA. Non-compliant + irreversible = Sgraal returns BLOCK.
Non-compliant actions are flagged before execution. Sgraal returns a BLOCK verdict; runtime enforcement remains the integrator's responsibility — consistent with the verdict-layer scope of every Sgraal endpoint.
Tamper-proof audit log with SHA256 chain. Two API calls: GET /v1/audit-log/chain-verify answers "is the chain intact"; GET /v1/audit-log/export returns the full hash-chained log. Memory Last Will: GDPR + EU AI Act 10-year retention — ensures your audit data survives the full regulatory retention period. SIEM export.
Every decision is provable. Every audit is survivable.
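An exported hash-chained log can also be re-verified locally instead of relying only on the chain-verify call. The following is an added example, not Sgraal's implementation: the record layout (`prev_hash`, `body`, `hash`), the all-zero genesis value and the hash construction are assumptions for illustration, since the page does not document the export format, and the entries are constructed. It also shows that a chain by itself does not reveal removed trailing entries unless the latest hash was stored somewhere outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first entry

def entry_hash(prev_hash: str, body: dict) -> str:
    # Assumed construction: SHA-256 over prev_hash plus canonical JSON of the body.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

def build_chain(bodies: list) -> list:
    """Build a constructed sample log from a list of entry bodies."""
    log, prev = [], GENESIS
    for body in bodies:
        h = entry_hash(prev, body)
        log.append({"prev_hash": prev, "body": body, "hash": h})
        prev = h
    return log

def verify_chain(log: list, anchored_head: str = None):
    """Return (ok, reason). anchored_head is the newest hash that the
    integrator recorded out of band, for example in a SIEM."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        if entry_hash(prev, e["body"]) != e["hash"]:
            return False, f"entry {i}: body does not match hash"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head hash differs from anchored value"
    return True, "ok"

# Constructed entries using the field names the page says are recorded;
# the values are made up.
SAMPLE = build_chain([
    {"request_id": "req-1", "omega": 0.12, "action_override_chain": []},
    {"request_id": "req-2", "omega": 0.81, "action_override_chain": ["BLOCK"]},
    {"request_id": "req-3", "omega": 0.40, "action_override_chain": []},
])
```

A log cut down to its first two entries still verifies on its own; only the comparison against the anchored head exposes the truncation.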
Auto-generated EU AI Act conformity declaration via GET /v1/compliance/eu-ai-act/declaration. Article-level evidence mapping. Ready for regulatory submission.
Submit to regulators in minutes. Not months.
Check compliance in real time and generate regulatory reports.
# `client` is an already-configured Sgraal API client object;
# `[...]` stands for your agent's memory entries.
result = client.preflight(
    memory_state=[...],
    action_type="irreversible",
    compliance_profile="EU_AI_ACT"
)
print(result.compliance_result.compliant)  # False
print(result.recommended_action)           # BLOCK
print(result.compliance_result.violations)
# ["Article 9: risk management system required",
#  "Article 13: transparency obligation"]

# Two compliance endpoints, two purposes:
#   /report      — ongoing monitoring snapshot (decision counts, violation rates)
#   /declaration — formal one-time conformance artifact for regulator submission
import json

import requests

headers = {"Authorization": "Bearer sg_live_..."}

# Ongoing monitoring report
resp = requests.get(
    "https://api.sgraal.com/v1/compliance/eu-ai-act/report",
    headers=headers,
    timeout=30,
)
resp.raise_for_status()  # fail loudly rather than process an error body
monitoring = resp.json()

# Formal conformance declaration (Article-level evidence mapping)
resp = requests.get(
    "https://api.sgraal.com/v1/compliance/eu-ai-act/declaration",
    headers=headers,
    timeout=30,
)
resp.raise_for_status()  # never archive an error response as the declaration
with open("eu_ai_act_conformity.json", "w") as f:
    json.dump(resp.json(), f, indent=2)