The EU AI Act (Regulation 2024/1689) mandates that all high-risk AI systems provide real-time logging, human oversight, and auditable decision records (Articles 12, 14). Non-compliance penalties reach €35 million or 7% of global annual turnover.
Current AI governance solutions rely on mutable logs and "trust-based" assertions. No commercially available system provides real-time, cryptographically provable audit trails for AI decisions. This gap becomes critical on August 2, 2026, when compliance obligations for high-risk AI systems take full effect.
VeriCore is a cryptographic compliance layer that sits between any AI system and its real-world actions. It intercepts AI decisions, enforces deterministic safety rules, and seals every action in an immutable SHA-256 Witness Chain.
"Rules are the law. AI is the advisor." — In VeriCore's architecture, the LLM provides recommendations but never makes binding decisions. A deterministic rule engine serves as the final arbiter.
| Pillar | Function | Technical Basis |
|---|---|---|
| Deterministic Rule Engine | Enforces hard gates (PII detection, budget limits, safety thresholds) before any AI action can execute | Python rule engine with configurable thresholds (SSOT) |
| LLM Governance Wall | Constrains AI to advisory role only; prevents autonomous action | Structured prompt architecture + output validation |
| E_HAT Witness Chain | Seals every decision with SHA-256 hash linked to previous block — creating tamper-evident, append-only audit trail | WORM (Write Once Read Many) chain with ECDSA P-256 signatures |
| Human Oversight Loop | Routes grey-zone decisions to human operators; records overrides in same chain | Configurable escalation thresholds + Sigma scoring |
Each stage produces auditable metadata. The full pipeline executes in <500ms including LLM advisory consultation.
| Test | Scenario | Expected | Result |
|---|---|---|---|
| TEST-001 | Fix README typo (safe) | APPROVED | ✅ DONE |
| TEST-002 | Increase DB pool limits (safe) | APPROVED | ✅ DONE |
| TEST-003 | Delete customer transaction logs + PII (dangerous) | REJECTED | 🔴 REJECTED |
TEST-003 demonstrates the constitutional wall: the hard gate detects PII/data deletion intent and instantly rejects without consulting the LLM, returning HTTP 422.
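
The hard gate from TEST-003 and the hash-linked chain from the pillar table, shown together as an added Python example (not VeriCore's code). The gate rule, block fields and function names are hypothetical, and the ECDSA P-256 signatures the page names are left out: a head hash stored outside the log stands in for them.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed inputs mirroring the page's three tests; the gate rule is hypothetical.
SAMPLE_ACTIONS = ["Fix README typo", "Increase DB pool limits",
                  "Delete customer transaction logs + PII"]

def hard_gate(action):
    text = action.lower()
    return "REJECTED" if "delete" in text and "pii" in text else "APPROVED"

def block_hash(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def seal(chain, action, verdict):
    """Append a block whose hash covers the previous block's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"index": len(chain), "action": action, "verdict": verdict, "prev": prev}
    chain.append(dict(body, hash=block_hash(body)))

def verify(chain, pinned_head=None):
    """Recompute every link; optionally compare the head with a value stored elsewhere."""
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["index"] != i or block["prev"] != prev or block_hash(body) != block["hash"]:
            return False
        prev = block["hash"]
    return pinned_head is None or prev == pinned_head

def build_sample_chain():
    chain = []
    for action in SAMPLE_ACTIONS:
        seal(chain, action, hard_gate(action))  # the gate runs before any advisor call
    return chain

def rehash(chain):
    """Recompute all links after an edit, as anyone with write access to the store could."""
    prev = GENESIS
    for block in chain:
        block["prev"] = prev
        block["hash"] = prev = block_hash({k: v for k, v in block.items() if k != "hash"})
    return chain

if __name__ == "__main__":
    print([b["verdict"] for b in build_sample_chain()])
```

An edit to a single record fails `verify`, but a chain that has been edited and fully rehashed passes the link check and is caught only by the `pinned_head` comparison. This is why the head must be signed or anchored outside the log store before the chain can be called tamper-evident.
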
| Article | Requirement | VeriCore Implementation |
|---|---|---|
| Art. 9 | Risk Management System | 5-axis Sigma scoring with configurable thresholds |
| Art. 12 | Record-keeping / Logging | WORM Witness Chain — every decision immutably recorded |
| Art. 14 | Human Oversight | Structured escalation loop with override recording |
| Art. 15 | Accuracy, Robustness, Cybersecurity | Deterministic engine (no probabilistic drift), ECDSA signatures |
The pilot domain is Smart Building Energy Management Systems (BEMS), where AI controls HVAC, lighting, and energy distribution in critical infrastructure. Regulatory pressure is highest here, and the consequences of unaudited AI decisions include safety risks, energy waste, and regulatory non-compliance.
| WP | Role | Proposed Partner | Contribution |
|---|---|---|---|
| WP1 | Project Management | FEAM.co (TR) | Coordination, reporting, ethics |
| WP2 | Technology Owner (IP) | FEAM.co / 5E Yapı Ltd. (TR) | VeriCore core engine, rule system, witness chain |
| WP3 | Cryptographic Security | Open — Fraunhofer AISEC (target) | Post-quantum verification, TEE hardening, independent audit |
| WP4 | Energy Pilot | RWTH Aachen EBC (planned) | Real-world BEMS integration, operational data |
| WP5 | AI Governance & XAI | TU Delft AISyLab (planned) | Explainability methods, legal mapping |
| WP6 | Dissemination & Exploitation | To be confirmed | Standardization, market access, white papers |
| Capability | Traditional AI Systems | VeriCore |
|---|---|---|
| Decision making | Black box, probabilistic | Deterministic + Rule-based |
| Log integrity | Mutable (can be altered) | Immutable (WORM chain) |
| Compliance proof | By assertion ("trust us") | By architecture (cryptographic) |
| AI's role | Decision maker | Advisor only |
| Audit verification | Trust-based | Independently verifiable |
| Period | Milestone | TRL |
|---|---|---|
| M1–6 | EU AI Act compliance model formalization, rule engine hardening | 4 → 5 |
| M7–18 | Full VeriCore development + BEMS integration | 5 → 6 |
| M19–24 | Pilot deployment at real energy facility | 6 → 7 |
| M25–30 | Independent cryptographic audit, performance validation | 7 |
| M31–36 | Commercialization: licensing, strategic partnerships | 7+ |