Wave 15 · AI Governance & Conformity · OpenChainGraph v0.4

AI Governance & Conformity for Financial Services

The governance layer for the AI systems themselves — EU AI Act high-risk conformity for financial AI (Annex III: credit scoring, insurance pricing, financial-standing) plus agentic AI governance and GPAI classification. Four new tools (ART-64–67) across 8 aig-* chains compose the existing AI-Act/model-risk point tools into a verifiable, hash-anchored conformity lifecycle: classify → provider conformity pack → deployer FRIA + monitoring → fairness → audit. Reflexive tie to Wave 14: the same agents that transact on the agent-economy runtime are AI systems that must be governed today.

GPAI Arts 53-55 IN FORCE 2 Aug 2025
Art 5 prohibited practices IN FORCE 2 Aug 2025
Art 4 AI literacy IN FORCE 2 Feb 2025
Annex III high-risk — PREPARE-AHEAD 2 Dec 2027
Art 27 FRIA — PREPARE-AHEAD 2 Dec 2027
Digital Omnibus — verify formal adoption
EU AI Act Reg. 2024/1689
Wave 15 · AI Governance
✅ DO NOW — Four obligations are IN FORCE as of today (2026-06-20): (1) GPAI/foundation-model obligations (Arts 53–55, including the 10^25 FLOP systemic-risk threshold; enforceable 2 Aug 2025 and explicitly UNCHANGED by the Digital Omnibus); (2) Art 5 prohibited AI practices (IN FORCE 2 Aug 2025, €35M/7% — the Act's highest penalty); (3) Art 4 AI literacy for providers and deployers (IN FORCE 2 Feb 2025); (4) DORA ICT risk (fully enforced 17 Jan 2025). If you provide or deploy a GPAI model, or use AI in a way that could constitute a prohibited practice, action is required NOW.
⚠ PREPARE-AHEAD — Annex III high-risk obligations (Arts 9–15), Art 27 FRIA, and Art 72 post-market monitoring confirmed for 2 Dec 2027 by the Digital Omnibus (provisional agreement 7 May 2026). Verify formal-adoption status. The deferral takes legal effect only if the Omnibus is formally adopted/published before 2 Aug 2026; otherwise the original 2 Aug 2026 date applies. Start preparation now — 18 months of runway against confirmed obligations.
EDUCATIONAL — All outputs are decision-support drafts. Not legal conformity certificates. Verify all Article/Annex references against EU AI Act (Reg. 2024/1689) consolidated text at eur-lex.europa.eu/eli/reg/2024/1689/oj and current Digital Omnibus formal-adoption status.
Lifecycle vs point tools — the uniqueness fix. Five existing tools (art-05 + catalog 327/333/451/452) are standalone point assessments. Wave 15 composes them into a hash-anchored conformity lifecycle: classify (ART-64) → provider Annex IV pack (ART-65) → deployer FRIA + monitoring (ART-66) → agentic-AI governance (ART-67) → fairness → audit. The reused tools become lifecycle stages; their reframe role is stated on every chain page. This is not a re-skin — it is the conformity lifecycle those point tools individually cannot provide.

DO NOW — in-force obligations

These tools address obligations already enforceable. Start here regardless of the Annex III high-risk timeline.
ART-64 · D0 · agent_guardrail_mandate
EU AI Act High-Risk Fit & Classification Diagnostic
Screens Art 5 prohibited practices (€35M, in force), Art 4 AI literacy (in force), GPAI applicability (in force) FIRST — then classifies Annex III high-risk status. Grades readiness across 12 dimensions + emits "do now" vs "prepare-ahead" checklists. Routes to the right aig-* chain.
run_ai_act_highrisk_fit · IN FORCE (triage)
ART-67 · W-D · model_governance
Agentic AI Risk & GPAI Governance Classifier
Co-flagship and strongest in-force anchor. Classifies autonomy tier + GPAI/systemic-risk obligations (Arts 53–55, IN FORCE 2 Aug 2025). Maps Art 50 transparency, Art 14 HNP oversight, and downstream Annex III interaction. The reflexive tie to Wave 14 agent rails.
classify_agentic_ai_risk · IN FORCE — GPAI Arts 53-55

PREPARE-AHEAD — high-risk lifecycle (2 Dec 2027, verify)

Annex III high-risk conformity, Art 27 FRIA, and Art 72 post-market monitoring. Start now — 18 months of preparation runway against confirmed obligations.
ART-65 · W-A · model_governance
AI Act Conformity Pack Builder
Flagship provider tool. Assembles Annex IV technical documentation, validates conformity route (internal control vs notified body), checks CE-marking and EU Declaration of Conformity readiness. Answers: "is my high-risk financial AI ready to CE-mark?" Decision-support draft.
build_ai_conformity_pack · PREPARE-AHEAD 2 Dec 2027
ART-66 · W-B · compliance_mandate
FRIA & Post-Market Monitoring Plan Builder
Flagship deployer tool. Builds an Art 27 FRIA + Art 72 post-market monitoring plan + Art 12 logging + Art 14 oversight + Art 73 incident path for a bank or insurer deploying a high-risk AI system. Decision-support draft.
build_fria_monitoring_plan · PREPARE-AHEAD 2 Dec 2027

Chains — aig-* (8 chains)

Start with ai-governance-fit to classify and route. Each chain follows the TCM/DTC/WTS/AER pattern: run stages over MCP or in-browser, pass execution_hash forward, export the terminal artifact. Aggregate everything in ai-governance-audit-pack.
ai-governance-fit · D0 · 1 node · DO NOW
EU AI Act High-Risk Fit & Classification Diagnostic
Single-node entry point. Screens in-force obligations first (Art 5, Art 4, GPAI), grades Annex III classification, routes to the right aig-* chain.
→ ART-64
ai-governance-gpai-agentic · W-D · 3 nodes · DO NOW
Agentic AI & GPAI Governance
GPAI/systemic-risk classification (ART-67) + agent identity (art-04) + MCP self-attestation (art-33). GPAI Arts 53–55 IN FORCE since Aug 2025. Reflexive tie to Wave 14.
→ ART-67 · art-04 · art-33
ai-governance-fairness-bias · W-C · 3 nodes · DO NOW
Fair-Lending & AI Bias Assessment
Fair-lending bias (452) + credit model performance (ml-02) + subgroup anomaly detection (ml-01). Non-discrimination obligations apply now under existing law.
→ 452 · ml-02 · ml-01
ai-governance-resilience-overlap · W-F · 3 nodes · DO NOW (DORA)
AI-as-ICT Resilience (DORA × AI Act)
DORA readiness for the AI system as ICT (art-29) + Art 15 robustness/cyber conformity (ART-65) + combined evidence integrity (cry-04). DORA fully enforced Jan 2025.
→ art-29 · ART-65 · cry-04
ai-governance-conformity · W-A · 3 nodes · PREPARE-AHEAD
AI Act High-Risk Conformity Pack (Provider)
Annex IV technical documentation + CE/DoC (ART-65) + Article 9 risk-management system (333) + conformity assessment (art-05). Flagship provider lifecycle. Decision-support draft.
→ ART-65 · 333 · art-05
ai-governance-fria-monitoring · W-B · 3 nodes · PREPARE-AHEAD
Deployer FRIA & Post-Market Monitoring
Art 27 FRIA + Art 72 monitoring (ART-66) + SR 11-7 model-risk evidence (451) + audit receipt (cry-05). Flagship deployer lifecycle. Decision-support draft.
→ ART-66 · 451 · cry-05
ai-governance-credit-ai-conformity · W-E · 3 nodes · PREPARE-AHEAD
Credit-Scoring AI Conformity & FRIA
Credit-scoring conformity (art-05) + risk-class confirmation (327) + deployer FRIA (ART-66). The Annex III credit-scoring vertical end-to-end. Decision-support draft.
→ art-05 · 327 · ART-66
ai-governance-audit-pack · W-G · 3 nodes · Convergence terminal
AI Governance Conformity Audit Pack
W-G convergence terminal. Merkle integrity over the AI-governance decision set (cry-04) → Merkle-root receipt (cry-05) → regulator/notified-body cover memo (ptg-01). Any aig-* chain can feed in.
→ cry-04 · cry-05 · ptg-01

Chain topology

ai-governance-fit (ART-64) — D0 entry point
├──→ ai-governance-gpai-agentic (W-D · DO NOW · GPAI Arts 53-55 in force)
├──→ ai-governance-fairness-bias (W-C · DO NOW · non-discrimination)
├──→ ai-governance-resilience-overlap (W-F · DO NOW · DORA)
├──→ ai-governance-conformity (W-A · PREPARE-AHEAD · provider lifecycle)
├──→ ai-governance-fria-monitoring (W-B · PREPARE-AHEAD · deployer lifecycle)
├──→ ai-governance-credit-ai-conformity (W-E · PREPARE-AHEAD · credit vertical)
└──→ (all) → ai-governance-audit-pack (W-G · convergence terminal)

Who runs these chains

The AI-Act supply chain from GPAI provider to market-surveillance authority.
Tier 1 — AI assurance firms + notified bodies
The verifiers
Big Four AI assurance practices, specialist AI audit firms, and notified bodies that certify high-risk systems. Primary chains: ai-governance-conformity (W-A), ai-governance-audit-pack (W-G). An endorsed artifact becomes a conformity-evidence standard.
Tier 2 — Banks & insurers (providers + deployers)
The primary buyer
Model-risk, compliance, and AI-governance teams at lenders and insurers running high-risk credit/insurance AI. Primary chains: ai-governance-conformity, ai-governance-fria-monitoring, ai-governance-fairness-bias, ai-governance-credit-ai-conformity, ai-governance-resilience-overlap.
Tier 3 — GPAI + agentic-AI platforms
The upstream
Foundation-model and agentic-platform providers with GPAI/systemic obligations (in force now). Primary chain: ai-governance-gpai-agentic. The reflexive tie to Wave 14's agent-economy buyers.
Tier 4 — AI governance + RegTech vendors
The embedders (M&A-relevant)
AI governance, model-risk, and compliance-automation vendors embedding aig-* chains as MCP tools. The fastest-growing adjacency (~40% CAGR AI governance TAM). A hash-anchored conformity-evidence layer is what AI-governance tooling lacks.
EU AI Act (Reg. 2024/1689): eur-lex.europa.eu/eli/reg/2024/1689/oj — Arts 4, 5, 6 + Annex III, 9–15, 26–27 (FRIA), 43/47/48, 50–55, Annex IV. Verify before citing.
GPAI Code of Practice: EU AI Office — verify current version and draft status.
Digital Omnibus on AI (provisional agreement 7 May 2026): Annex III high-risk → 2 Dec 2027. Legal effect on formal adoption before 2 Aug 2026; else original 2 Aug 2026 applies. Monitor Official Journal.
DORA (Reg. 2022/2554): Fully enforced 17 Jan 2025. RoI consolidated deadline 30 Apr 2026. First TLPT notifications late 2026/early 2027.
Penalties: Art 5 prohibited practices — up to €35M / 7% global turnover. GPAI violations — up to €15M / 3%. Verify against consolidated text.
OpenChainGraph v0.4 · Wave 15 shipped 2026-06-20 · © 2024–2026 Post Oak Labs · Zero PII · CC BY 4.0