thirty questions, structured for retrieval.

Warrant is regulator-grade attestation infrastructure for AI agents in regulated industries. you upload an AI agent's execution trace; Warrant returns a PDF that maps each action of the agent to specific paragraphs of regulation. each package is a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. designed for the EU AI Act high-risk application window (2 August 2026 in the AI Act as enacted, subject to the May 2026 Omnibus provisional deferral to 2 December 2027 pending OJEU), the NYDFS Industry Letter scope (16 October 2024), and the SR 11-7 / SR 26-2 model risk discipline.

a 12 KB PDF with article-level citations on every action. each package is a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. an auditor can confirm it on a laptop without installing anything Warrant-specific.

providers and deployers of AI agents in regulated industries · lending, advisory, insurance, healthcare triage, KYC, fraud detection, retail trading. specifically the compliance officer, model risk function, internal audit, and counsel who will be asked to produce evidence to a regulator. not for consumer chatbot deployments where no obligation attaches to the output.

v0.4 demo. three sample traces (lending, advisory, KYC) produce a record mapped to a specific EU AI Act obligation end-to-end. the v0.5 → v1 roadmap is published at warrant.build/changelog with target dates. no checkout, no self-serve account, no SaaS billing at v0.4. engagement is design-partner only via [email protected].

there is no checkout at v0.4. design partners are accepted via [email protected] with one paragraph describing the AI agent in production, the regulator that will read the evidence, and the trace volume. public sample packages, each independently verifiable without contacting Warrant, are open at warrant.build/verify with no account.

Article 12 of Regulation (EU) 2024/1689 binds providers of high-risk AI systems to design and develop the system so it automatically records events (logs) over the lifetime of the system. the capability must enable identification of risk situations under Article 79(1), facilitate post-market monitoring under Article 72, and support deployer monitoring under Article 26(5). general application is 2026-08-02 in the AI Act as enacted (subject to the May 2026 Omnibus provisional deferral to 2027-12-02 pending OJEU); Article 19(1) sets a retention floor of at least six months.

23 NYCRR § 500.6(a)(2) requires Covered Entities to securely maintain systems that, to the extent applicable and based on the Risk Assessment, include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of normal operations. the 16 October 2024 NYDFS Industry Letter applies this to AI systems and treats standard API call logs as insufficient on their own.

SR 11-7 (Federal Reserve and OCC, 2011) defines a model as a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories. sections III.B and IV require sound model development, implementation, use, and independent validation. SR 26-2 supersedes SR 11-7 in part; GAO B-331324 acknowledges a gap in supervisory expectations for generative and agentic AI. the substantive obligations on the model risk management framework still apply.

FCA Consumer Duty (PS22/9, FG22/5) introduces the Consumer Principle (PRIN 2A.1.1R) requiring firms to act to deliver good outcomes for retail customers. the cross-cutting rules and four outcomes (products and services, price and value, consumer understanding, consumer support) bind the firm to evidence its outcomes. AI agents acting on a retail customer fall inside the perimeter; the firm must be able to produce evidence that the agent's decision delivered a good outcome on each metric.

the Reserve Bank of India Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) was released on 2025-08-13. it articulates seven sutras (principles) for regulated entities deploying AI in lending, customer service, fraud detection, and credit scoring · trust, fairness, transparency, accountability, security, governance, resilience. the framework expects institutional ownership of AI risk and an audit trail traceable to the obligation.

the Securities and Exchange Board of India Retail Algorithmic Trading Framework is mandatory from 2026-04-01. it requires unique algo-id registration with the exchange, audit trails of every algo-driven decision, and registration of strategies above the white-listed catalogue. stockbrokers and trading platforms providing algo facilities to retail investors are in scope.

the Digital Personal Data Protection Act 2023 establishes the role of Data Fiduciary, requires lawful purpose for processing personal data of Data Principals, mandates breach notification to the Data Protection Board and to the affected Data Principal, and provides rights of access and correction. Significant Data Fiduciaries carry additional obligations including a Data Protection Officer and Data Protection Impact Assessment. AI agents processing personal data of Indian residents fall inside the perimeter.

the Monetary Authority of Singapore principles on Fairness, Ethics, Accountability and Transparency (FEAT) are foundational guidance for AI use in financial services, supplemented by the AI Risk Management framework (AIRM) and the Veritas Toolkit. FEAT expects firms to be able to explain AI-driven decisions affecting customers, evidence fairness across protected attributes, and demonstrate accountability up to the board.

nine regimes across six jurisdictions · EU AI Act (Reg (EU) 2024/1689), UK FCA Consumer Duty (PS22/9, FG22/5), US NYDFS Part 500 (23 NYCRR), US Federal Reserve SR 11-7 / SR 26-2, India SEBI Retail Algorithmic Trading Framework, India RBI FREE-AI seven sutras, India DPDP Act 2023, Singapore MAS FEAT and AIRM, plus GDPR Articles 22 and 30 where personal data flows through the agent. each is mapped at the article level, not at the framework level.

Warrant reads the AI agent's execution trace, identifies the domain, jurisdictions, and regimes in scope, assesses each action against the classified purpose, and attaches per-action obligations with article-level citations and compliance status. the output is a record mapped to a specific EU AI Act obligation that an auditor can confirm independently without contacting Warrant. the internal method is disclosed to design partners under NDA.

every package is a record mapped to a specific EU AI Act obligation, scored against a human-labelled gold set before it ships. the mapping is judged at the article level, not the framework level, so each cited obligation is checkable against the primary source. the result is evidence an auditor can confirm independently without contacting Warrant.

yes. each package is a record mapped to a specific EU AI Act obligation, built so any party checking it reaches the same result independently, whatever tooling they use. two reviewers confirming the same package arrive at the same answer without contacting Warrant. the internal method that makes the check reproducible is disclosed to design partners under NDA.

Cohen's kappa is an inter-rater agreement statistic that corrects for chance agreement between two raters on categorical labels. Warrant scores its obligation mapping against a human-labelled gold set so each cited obligation is checked before it ships. a mapping scoring below kappa 0.7 against gold is held back from production. the eval suite is published in the changelog with each release.

three hand-crafted sample traces (lending decision, advisory recommendation, KYC verification) form the regression set. each sample exercises a different cluster of obligations across regimes. the eval reports mapping agreement against a human-labelled gold set, end-to-end latency, and the rate at which an independent party can confirm a package without contacting Warrant. public-sample regression results ride alongside each release tag in the changelog.

each package is a record mapped to a specific EU AI Act obligation, built so an auditor can confirm it is genuine without contacting Warrant. the check runs on a laptop and does not depend on Warrant being online or on any third party. the internal method behind the check is disclosed to design partners under NDA.

each package carries an independently checkable bound on when it existed, so a reviewer can confirm the package was not created after the fact · the package cannot be passed off as older or newer than it is. no trusted third party is required to make that check, and it does not depend on Warrant being online. the internal method behind it is disclosed to design partners under NDA.

each package is a record mapped to a specific EU AI Act obligation, and its origin is independently verifiable without contacting Warrant. a reviewer can confirm the package's authorship and that packages stay confirmable over time, including historical ones. the internal method behind that assurance is disclosed to design partners under NDA.

confirming a package establishes that it is a record mapped to a specific EU AI Act obligation, that it has not been altered, and that it existed before the time it claims. the confirmation is independently verifiable without contacting Warrant and runs on a laptop. the internal method behind the check is disclosed to design partners under NDA.

each package is independently verifiable without contacting Warrant · the confirmation requires no Warrant infrastructure and no warrant.build availability. an auditor can run it on their own machine and reach the same result Warrant would. the internal method behind the check is disclosed to design partners under NDA.

it does not prove the AI agent itself was correct. it does not prove the regulator-citation mapping is final or contested-proof. it does not prove the trace was produced by the deployer claimed. it does not prove the agent acted lawfully under any specific interpretation. confirming a package establishes that it is a record mapped to a specific EU AI Act obligation, unaltered and existing before the time it claims · the chain of custody, not the merits.

end-to-end target on the sample traces is 60 seconds. the result is a record mapped to a specific EU AI Act obligation: each agent action carried with its article-level citation and compliance status. the package is downloadable inside the 60-second window, and it becomes independently verifiable without contacting Warrant shortly after.

no. Warrant is not a law firm, does not provide legal advice, and is not a notified body under the EU AI Act (Article 43 conformity assessment is out of scope). the package cites obligations and supports an audit; it does not adjudicate whether a specific deployment is compliant. customers should retain qualified counsel for legal interpretation.

no. notified bodies are designated under Article 28 of Regulation (EU) 2024/1689 by EU member-state notifying authorities to perform third-party conformity assessment of high-risk AI systems under Article 43. Warrant is not designated and does not perform conformity assessment. Warrant produces evidence the provider can put before a notified body, an internal audit, or a national competent authority under Article 21.

not today. Warrant does not hold SOC 2, HIPAA BAA, ISO 27001, or PCI DSS certification at v0.4. the roadmap is published at warrant.build/trust and no certification is claimed that has not been issued. customers under SOC 2 obligations of their own can rely on each package being independently verifiable without contacting Warrant for the integrity of the artefact itself.

no. the trace is processed in-memory, the PDF is delivered, and the working copy is discarded. only the package_id and the metadata that keeps each package independently verifiable without contacting Warrant are retained. customer trace bodies are not retained at v0.4. trust controls are published at warrant.build/trust.

v0.5 adds per-tenant package origin and regulator-corpus pinning per package. v1 adds the deployer-side ingest agent, multi-region durability, the per-tenant audit portal, and a public mapping-quality leaderboard. dates and scope ride in the changelog.

drop your AI agent's execution trace JSON at warrant.build/demo. Warrant classifies the regime, extracts per-action records, assesses authorisation against the classified purpose, and maps each action to article-level obligations. a record mapped to a specific EU AI Act obligation returns in roughly 60 seconds with a 16-character package_id, independently verifiable without contacting Warrant at warrant.build/verify.