
EU AI Act Conformity Assessment and AI Agent Evidence

A conformity assessment is, at its core, an evidence exercise: showing that a high-risk system meets its requirements. Agentic systems make that harder because behavior is generated at runtime, so the evidence has to come from the runtime too.

Key takeaways
  • Conformity assessment depends on demonstrable, reproducible evidence.
  • Verified security properties and versioned policy give a stable basis for that evidence.
  • SovereignClaw provides evidence for a conformity assessment; it is not a notified body and does not certify conformity.

What conformity assessment asks of an agent

Conformity assessment under the EU AI Act is the process of verifying that a high-risk system satisfies the applicable requirements before and during its time on the market. The recurring challenge for agents is reproducibility: an assessor needs to see that a control behaves consistently, but a generative system can produce different outputs for similar inputs. The evidence therefore has to attach to the deterministic part of the system.

SovereignClaw concentrates the assessable behavior in its kernel. Intent is frozen into a byte-stable SovereignIR and canonically hashed with SHA3-256, so identical intents yield identical hashes, and policy evaluation over that frozen input is deterministic. That gives a conformity assessment a stable, reproducible surface to examine rather than a moving target.

  • Canonical SovereignIR: identical intents produce identical hashes (S2).
  • Deterministic policy evaluation yields repeatable decisions.
  • Tier-driving facts are independent of the model (S3).

Verified properties as a basis for evidence

An assessment is stronger when claimed properties are demonstrable rather than asserted. SovereignClaw documents nine formal security properties, S1 through S9, verified across 20 Rust crates with more than 829 tests. These cover the execution boundary, frozen inputs, independent fact verification, monotonic policy, nonce uniqueness, adapter binding, threshold authorization, receipt verifiability, and skill publication binding.

For a conformity file, this means a specific claim, for example that no operation reaches an adapter without a valid gate artifact, can be tied to a named property with associated tests rather than to a prose description. The four pending patent applications and the DOI-registered research record provide additional context for the design rationale, though they are background rather than a substitute for the assessment itself.

  • Nine formal properties (S1 to S9) tied to named guarantees.
  • Versioned, cryptographically hashed policy bundles.
  • DOI-registered research record for design rationale.

Receipts as conformity artifacts

Beyond design-time evidence, a conformity assessment benefits from operational proof that controls work in production. Every permitted execution emits a signed Authority Receipt recording the intent hash, policy version, decision rationale, risk tier, approval state, adapter identity, tenant scope, correlation ID, and outcome, all recorded in an append-only Merkle ledger that can be verified externally.

Because each receipt names the exact policy version in force, an assessor can confirm that the configuration under review is the configuration that actually governed execution. That linkage between an evaluated policy bundle and real decisions is the kind of concrete artifact a conformity exercise can rely on.
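As an added illustration, not SovereignClaw's own code, the following Python shows the two mechanisms described above: canonical SHA3-256 hashing of an intent so that key order or spacing cannot change the hash, and receipts that carry the policy version and policy hash into a Merkle ledger an assessor can verify with nothing but the ledger, its published root and the policy bundle under review. The receipt schema, policy shape and sample values are constructed for the example.

```python
import hashlib
import json

# Constructed sample policy bundle; field names mirror the receipt fields the page
# lists, but the schema, rule shape and version string are hypothetical.
POLICY = {"version": "2024.11-r3",
          "rules": {"wire_transfer": {"tier": 3, "approvals": 2},
                    "read_balance": {"tier": 1, "approvals": 0}}}

def canonical_hash(obj) -> str:
    """SHA3-256 over canonical JSON (sorted keys, no whitespace): two intents that
    differ only in key order or spacing hash identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(data).hexdigest()

def merkle_root(leaf_hashes: list) -> str:
    """Binary Merkle root over hex leaf hashes; a lone odd node pairs with itself."""
    level = list(leaf_hashes)
    if not level:
        return hashlib.sha3_256(b"").hexdigest()
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha3_256(bytes.fromhex(level[i] + level[i + 1])).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]

def evaluate(intent: dict, policy: dict) -> dict:
    """Deterministic gate: same intent and same policy bundle give the same
    receipt body. Approvals are counted from the intent, not from model text."""
    rule = policy["rules"].get(intent["action"])
    approved = rule is not None and intent.get("approvals", 0) >= rule["approvals"]
    return {"intent_hash": canonical_hash(intent), "policy_version": policy["version"],
            "policy_hash": canonical_hash(policy), "adapter": intent["adapter"],
            "tenant": intent["tenant"], "risk_tier": rule["tier"] if rule else None,
            "approval_state": "complete" if approved else "missing",
            "decision": "permit" if approved else "deny"}

def verify_ledger(receipts: list, root: str, reviewed_policy: dict) -> list:
    """Assessor-side check using only the ledger, its published root and the policy
    bundle under review. Returns findings; an empty list means every receipt was
    governed by that exact bundle and the ledger is intact."""
    findings, want = [], canonical_hash(reviewed_policy)
    for i, r in enumerate(receipts):
        if r["policy_hash"] != want:
            findings.append(f"receipt {i}: governed by {r['policy_version']}, "
                            "not the bundle under review")
    if merkle_root([canonical_hash(r) for r in receipts]) != root:
        findings.append("ledger root mismatch: a receipt was altered or reordered")
    return findings
```

A receipt altered after the fact changes its leaf hash and therefore the root, and a receipt issued under a different bundle is reported by version, which is the linkage the assessment relies on.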

Enterprise evaluation checklist

When preparing agent evidence for a conformity assessment, prioritize controls that are deterministic, named, and verifiable, and operational records that tie back to a specific configuration. Avoid relying on evidence drawn only from model behavior, which is inherently hard to reproduce.

SovereignClaw provides evidence for a conformity assessment and helps operationalize the underlying requirements. It is not a notified body, it does not certify conformity, and it does not replace the assessment work your organization or your assessor must perform.

  • Are core controls deterministic and reproducible?
  • Can each claimed property be tied to verification evidence?
  • Do receipts name the exact policy version that governed execution?
  • Is the evidence externally verifiable without vendor cooperation?

Next step

This guide is meant to help with evaluation, not replace the product-specific review. If this topic matches an active project, connect it back to the relevant product page and then decide whether you need an evaluation discussion.

Frequently Asked Questions

Can SovereignClaw certify EU AI Act conformity?

No. SovereignClaw is not a notified body and does not certify conformity. It provides reproducible, verifiable evidence that supports a conformity assessment, which your organization or an authorized assessor still performs.

Why does determinism matter for conformity assessment?

Conformity assessment needs reproducible behavior. By freezing intent into a canonical SovereignIR and evaluating deterministic policy, SovereignClaw gives assessors a stable surface to examine rather than non-reproducible model output.

What evidence ties a reviewed configuration to real execution?

Each Authority Receipt records the exact policy version in force, so an assessor can confirm that the policy bundle under review is the one that actually governed a given execution.