You are being asked to sign for AI systems reaching patients, applicants, and children.
For DPO & CISO
Sign against evidence,
not against assurances.
Data categories, legal basis, Art. 10 bias examination, Art. 14 oversight design, Art. 12 event logs, agent tool boundaries, and sealed diagnostics — assembled per system, routed to the role that must defend the decision.
Retail Credit Scorecard v7 · Art. 6(2) + Annex III(5)(b) creditworthiness
A sign-off you cannot reconstruct is a sign-off you cannot defend.
When a supervisory authority asks why this model was cleared for these patients, the answer has to be a record: what was proven, by which diagnostic, against which article, on which model version, and who accepted it. Not a recollection, and not a vendor’s PDF.
The passport, read against the articles you are accountable for.
Health AI carries GDPR Art. 9 and, as a device, MDR. Financial AI carries Art. 22 and DORA. Anything a minor can reach carries Art. 8 and DSA Art. 28. The passport is structured around those obligations — in that order.
“Which systems process special-category or children's data — and on what condition?”
Every passport records data categories with the GDPR Art. 6 basis, the Art. 9 condition, Art. 8 where a minor can be reached, and Art. 22 where the decision is automated. Atlas lets you filter the whole estate by exposure, not by vendor name.
“Is there a DPIA under Art. 35 — and does it describe the system that is actually running?”
DPIA status is a required field, tied to the model version it was written against. When the provider swaps the model behind the endpoint, the DPIA and the accuracy evidence revert to unproven and the affected visas suspend.
“Was bias examined, or merely denied?”
AI Act Art. 10 requires examination of possible biases. A Ripple carries a sealed group-disparity Evidence Record — including whether a removed protected attribute is being reconstructed from postcode, device class, or referral pathway.
“Can I hand a competent authority something they will accept?”
A Wake: a stamped, sealed evidence export carrying identity, basis, DPIA, bias examination, oversight design, sealed diagnostics, and the decision record — verifiable offline, without re-running anything.
Evidence without centralising the data
The finding travels. The patient record does not.
Data boundary — retrieval corpus never leaves the perimeter
Stays inside your perimeter
Only Evidence Records cross
Leaves as an Evidence Record
The visa, granted before the agent’s first call.
An agent calls tools, holds credentials, and writes to systems. A Droplet declares what it may do, in which context, until when — and stops it in one action when that stops being true.
“Which agents hold credentials, and what may they call?”
A Droplet declares the tool allowlist, the systems in scope, and whether the credential is read or write — before the agent's first call. Anything outside the list is refused and logged as an anomaly.
“Can a retrieved document instruct our assistant?”
Treat the RAG corpus as untrusted input, because it is. Corpus integrity is checked and injected instructions are raised as anomalies — an injected instruction inherits the agent's data access, not the attacker's.
“Is every tool-call recorded?”
AI Act Art. 12 requires automatic recording of events over the system's lifetime. Every call becomes a signed, immutable Evidence Record: tool, timestamp, input context, action, and whether a human cleared it.
“Can I stop an agent right now?”
One action revokes the visa. The agent halts at its next call, and the revocation is recorded with actor and timestamp. Drift, a model swap, or a failed diagnostic does the same automatically.
Agent Boundary Map
droplet: activeDischarge Summary Agent v2.4.1 — cardiology ward
Art. 6(1) · MDR Rule 11 Class IIa · Art. 14 owner: clinical safety officer · visa expires 30 Sep 2026
Tool-calls inside the visa
Refused at the boundary
Failure modes a visa is written against
Review workflow
From open file to sealed decision.
The file opens
Currents names the system, its data categories, and its provisional Annex III classification.
The passport is issued
The provider completes the Ripple; diagnostics seal the bias, accuracy, and exposure evidence.
The queue routes
DPO takes basis, DPIA, and bias. CISO takes tools, credentials, egress, and logging. Neither reviews the other's.
The gaps are named
Unproven sections block the decision. Absence of evidence does not default to allow.
The visa is granted or refused
One context, stated conditions, an expiry date — recorded under seal with actor and rationale.
The difference
The review, with and without the record.
Signing on assurances
- Legal basis asserted in prose across four documents
- Bias 'addressed' — no test, no result, no population
- Oversight described; the overseer has nothing to disagree with
- Agent tool-calls unlogged and unreconstructable
- Accuracy quoted from a validation run two model versions ago
- A clearance that never expires and cannot be withdrawn
Signing on evidence
- Art. 6 / 9 / 22 basis and Art. 35 DPIA as required, versioned fields
- Art. 10 group-disparity result sealed as an Evidence Record
- Art. 14 gates that halt the act for a named human who can override
- Art. 12 event log — every tool-call signed and immutable
- Art. 15 accuracy re-tested against the population in front of it
- A visa with an expiry date, revocable in one action, effective at the next call
Addressed
How this fits the role you already hold.
“We already use Microsoft Purview or equivalent privacy tooling.”
Data classification tells you where sensitive data sits. It does not tell you whether this triage model was validated on a population resembling your patients, whether its agent can write to the record, or whether its retrieval corpus has ever been checked for injected instructions. Those are the questions you are being asked to sign against.
“We cannot upload raw data, prompts, or models for evidence collection.”
You do not. Diagnostics execute inside your perimeter — on-premise, in your VPC, or air-gapped — and export only a signed Evidence Record: the finding, never the record, the corpus, the prompt, or the weights. The signing key never leaves your infrastructure.
“Our review process is already established.”
AL360° Oceans does not replace it. It supplies the evidence your process currently assumes exists: the Art. 10 bias examination that was never run, the Art. 14 oversight design that is an approve button, and the Art. 15 accuracy figure that predates the current model.
“Under DORA and MDR we already register third-party dependencies.”
Registration records the dependency. It does not record that the dependency silently changed. A passport binds evidence to the model version it was produced against — so a swap invalidates the file loudly, at the gate, rather than quietly, in the register.
Step 1 — the scan
Know what you are being asked to sign for
before you are asked to sign.
A scan names every AI system reaching health, financial, or minors' data, classifies it against Annex III, and hands you a review queue with the gaps already named.
AffectLog provides technical and operational evidence to support AI access, supplier-risk, security, privacy, and governance review. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.