An AI supplier is asking for access to clinical, financial, or minors' data.

For procurement

No passport,
no purchase.

Scan the estate. Require the passport before a supplier reaches your data. Grant a visa for one context, with an expiry date — and refuse the renewal when the evidence has lapsed but the contract has not.

Evidence against named articlesRole-bound review queuesClearance that expiresDecisions recorded under seal

Third-party AI intake — declaration to visa (DORA register of information)

Intake

Provider · model · endpoint

Currents scan

Art. 6 route · Annex III test

Evidence call

Annex IV · Art. 10 bias file

Ripple issued

Signed · versioned · portable

Seal Review

DPO · CISO · Art. 14 owner

Droplet

Time-bound · re-scan on swap

Ripple — evidence passportReview Needed

Benefit Eligibility Model BE-1.4

Essential public assistance · Annex III 5(a) · GDPR Art. 22

Evidence51%
Expiry01 Aug 2026
Raw data exportoff
ALP-2026-NS-P9K4

Procurement is where the border actually stands.

Every AI system that reaches a patient record, a credit file, or a child’s account passed through a purchase order first. That is the last point at which a missing DPIA, an unexamined bias, or an agent with write credentials can still be refused at no cost.

The shift

From collecting claims to issuing clearances.

Without AL360° Oceans

  • A new questionnaire for every supplier, comparable to nothing
  • Evidence in email threads, PDFs, and a shared drive
  • No record of which special-category data each system reaches
  • DPO and CISO asked to sign without the basis to sign
  • Renewal dates in a spreadsheet nobody opens until it is late
  • Approval granted once, for everywhere, forever
  • A silent model swap invalidates the file, and no one is told

With AL360° Oceans

  • One passport per system, issued once, presented at every review
  • Evidence sealed as signed Evidence Records, verifiable offline
  • Art. 9, Art. 8, and Art. 22 exposure named per system in Atlas
  • Role-bound queues: each reviewer sees only what they can defend
  • Passports and visas expire on their own schedule, not the contract's
  • A Droplet clears ONE context — a second context needs a second visa
  • Model change detected; the passport reverts and the visa suspends

What gets closed

Four failures the purchase order is supposed to catch.

A new AI supplier, a new questionnaire, and no comparable evidence across any of them.

Require a Ripple. The passport is issued once by the provider and presented in the same structure at every review — comparable across suppliers, and against named EU AI Act and GDPR articles.

The DPO and CISO sign-offs are the bottleneck, and neither has the evidence to sign.

The passport routes to each role with only what that role can defend: Art. 9 and Art. 22 basis to the DPO; tool allowlist, credential scope, and Art. 12 logging to the CISO. Neither reviews what is not theirs.

The contract renews. The evidence does not.

Passports and visas expire on their own schedule, not the contract's. A renewal against lapsed evidence is refused at the gate rather than discovered at the audit.

The vendor swapped the model behind the endpoint and told no one.

A silent model swap reverts the passport's accuracy and bias sections to unproven and suspends every Droplet granted on them. The supplier is notified; the system stops at its next call.

The supplier gate

Scan. Require the passport. Grant the visa.

Every step is recorded: who cleared it, on what evidence, under which conditions, and until when.

01

Scan first

Currents opens the file on the AI already inside the perimeter — before the next supplier pitch.

02

Require the passport

No Ripple, no purchase. The provider issues once; you receive the same structure every time.

03

Route the review

DPO takes basis and special-category data. CISO takes tools, credentials, egress, and logging.

04

Grant or refuse the visa

A Droplet clears ONE context, on THIS data, under stated conditions — with an expiry date on its face.

05

Hold the register

Atlas keeps every passport, visa, and open gap. Renewal without refreshed evidence is not possible.

One case

A triage assistant wants access to the emergency department.

The request

A clinical directorate wants to deploy an AI triage assistant. It processes patient data — GDPR Art. 9 — and is Annex III high-risk under the EU AI Act. Where it is a medical device, MDR applies in parallel.

The scan finds

No Art. 35 DPIA. No Art. 10 bias examination — the model was validated on a cohort that does not match this catchment. No Art. 12 event logging. The model behind the API changed two quarters ago.

The gate

Procurement requires a Ripple before access. The DPO takes the Art. 9 basis and the DPIA; the CISO takes egress, credentials, and logging. Neither signs until the gaps close.

The clearance

A Droplet is granted for adult emergency intake only — read-only, oversight gate on every escalation, twelve-month expiry. Paediatric intake is refused: the population it was validated on is not this one.

Role handoff — under seal

1

Procurement

Requires the passport before access is discussed

2

DPO

Art. 9 basis, Art. 35 DPIA, Art. 10 bias examination

3

CISO

Tool allowlist, credential scope, egress, Art. 12 logging

4

Procurement

Grants the visa for one context — or refuses it

Each stage seals an Evidence Record: actor, rationale, conditions, timestamp.

Evidence coverage

What every passport answers before you sign.

Which personal data does the system reach, and on what basis?

Data categories with GDPR Art. 6 basis, Art. 9 condition, Art. 8 where minors are involved, Art. 22 where the decision is automated.

Was bias actually examined, or only described?

AI Act Art. 10 group disparity analysis — sealed as an Evidence Record, including proxy reconstruction from postcode, device, or pathway.

Can the human overseer actually intervene?

Art. 14 oversight design: which acts halt, for whom, and on what basis they can disagree with the output.

Has accuracy held since validation?

Art. 15 robustness re-tested against the current population — not the validation set from two model versions ago.

Is every event automatically logged?

Art. 12 traceability. For agents, every tool-call is a signed Evidence Record. Unlogged means unauthorised.

When does the clearance die?

Every passport and every visa expires. A renewal against lapsed evidence is refused at the gate.

Addressed

How the gate fits the process you already run.

We already run a security questionnaire process.

A questionnaire is answered by the party with the least incentive to disclose, in a format comparable to nothing. A passport is issued against named articles and sealed by diagnostics that ran on the provider's own data. When the model behind the endpoint changes, the questionnaire stays true and the passport does not.

Legal handles our supplier reviews.

AL360° Oceans does not perform legal review, and does not attempt to. It produces the technical and operational record legal cannot construct for itself: which special-category data the system reaches, whether bias was examined under Art. 10, whether oversight under Art. 14 can actually intervene, and whether accuracy has held since validation.

We already require SOC 2 or ISO 27001.

Those attest to how a supplier runs its company. They say nothing about whether this model was validated on a population that resembles your patients, whether its agent holds write credentials to your core systems, or whether its RAG corpus has ever been checked for injected instructions.

This will slow down supplier onboarding.

The first passport takes the provider an afternoon. Every subsequent review is answered from it in minutes. What is slow today is the sixth reconstruction of the same evidence — and the audit that finds the fifth one was wrong.

Step 1 — the scan

Open the file on your AI suppliers.
Ten working days. Then the gate holds.

Currents names every AI supplier already reaching health, financial, or minors' data, classifies each against Annex III, and hands procurement the queue of passports to require.

AffectLog provides technical and operational evidence to support AI access, supplier-risk, security, privacy, and governance review. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.