System Intake & Risk Classifier

Describe your AI system. We map it to an EU AI Act risk tier, NIST RMF, ISO 42001, and GDPR obligations — instantly and deterministically.

ⓘ How to use this tool

What it does: you answer a short questionnaire about your AI system and we instantly classify its legal risk and list the obligations that apply — no files needed.

  • What you need: just knowledge of the system. Pick the closest option for each field.
  • Unsure on a field? Choose the safer (higher-risk) option — you can re-run anytime.
  • You'll get: an EU AI Act risk tier, a mapped obligation checklist, and the exact regulations that apply across authorities (EU, US states, UK, Canada, ISO/NIST, and more).
Does it involve any of these practices? (EU AI Act Art. 5)

Fairness & Bias Scanner

Upload a CSV of model outcomes. We compute real demographic parity, the 4/5ths disparate-impact ratio, and (if you have labels) equal-opportunity gaps — entirely in your browser.

ⓘ What is a “CSV of model outcomes” & how do I get one?

What it is: a simple spreadsheet saved as a .csv file where each row is one decision your AI made about one person or case. You need at least two columns:

  • A protected-attribute column — the group to check for fairness, e.g. gender, race, age_band.
  • An outcome / prediction column — what the model decided, e.g. 1/0, approved/denied, hire/no-hire.
  • (Optional) a ground-truth label column — the correct answer. Add it to also measure equal-opportunity (accuracy parity across groups).

Where to get it: export your model's prediction logs, batch-scoring output, or a table of past decisions from your data warehouse, BI tool, or notebook — most teams already log this.

How to create it: in Excel / Google Sheets add the columns above and Save As → CSV; or in Python: df[['gender','prediction','label']].to_csv('outcomes.csv', index=False).

genderpredictionlabel
female11
male01
female00

🔒 Parsed entirely in your browser — the file never leaves your device. Download a blank template ↓

Need a sample? Load demo data

Drift & Data-Quality Detector

Compare a baseline dataset against a current one to compute PSI & KS per feature, or scan a single dataset for missingness, constants, outliers and duplicates.

ⓘ What to upload, link, or where to get it

What it does: compares two snapshots of your data to detect drift — when live inputs have shifted away from what the model was built on (a leading cause of silent accuracy decay).

  • Baseline — your reference data: the training set, or a known-good period (e.g. last quarter). Upload a CSV or paste a URL.
  • Current — recent production data with the same column names. We compute PSI & KS for every shared feature.
  • Load only the baseline to run a data-quality scan (missing values, outliers, constants, duplicates).
  • URL sources supported: HuggingFace dataset pages (huggingface.co/datasets/…), direct .csv links (GitHub raw, cloud storage), HuggingFace file paths.

Download a blank CSV template ↓

Baseline dataset (training data or reference period)
Current dataset (recent production data — optional)

Documentation & Control Gap Scanner

Paste your model card, system card, or governance documentation. We score it against the control areas an EU AI Act technical file (Annex IV) and a credible model card should cover.

ⓘ What to paste or link here

What it does: scores your documentation against the 14 control areas auditors expect, then shows exactly which are present, weak, or missing.

  • Link: paste a public URL to a model card (e.g. Hugging Face, GitHub, Confluence) and click Fetch & analyse — we retrieve and scan the text server-side.
  • Paste: or paste the text directly — your model card, system card, datasheet, or any governance write-up, even a rough draft.
  • Don't have one yet? Paste whatever description exists; the scan tells you precisely which sections to write next.
  • You'll get: a completeness score and a present / weak / missing breakdown per control.
or paste text directly
Load a thin example

Governance Copilot

Ask the agent anything about your assessment or AI governance. It reads your findings and gives grounded, A-to-Z direction.

ⓘ How the Copilot works

What it does: answers your AI-governance questions and proposes step-by-step fixes, grounded in the results from the other tools (your risk tier, fairness/drift findings, and documentation gaps).

  • Run the Intake and scanners first for tailored advice — or just ask general questions about the EU AI Act, NIST RMF, ISO 42001, bias, or drift.
  • It helps you prepare and evidence compliance; it never claims to make a system “compliant” on its own.

Compliance Dossier

Your full assessment, compiled into an audit-ready report with a prioritised remediation roadmap.

ⓘ About this report

What it does: compiles every result into one audit-ready report — risk classification, applicable regulations across authorities, findings, and a prioritised remediation roadmap (each action has an owner, effort, framework reference, and acceptance test).

  • Print / PDF to share with stakeholders; Save to get a link to resume or share the assessment later.
  • Run more tools, then click Rebuild to refresh the report and score.

Regulatory Timeline & Deadline Tracker

Every major AI-governance deadline across jurisdictions — colour-coded by status and filtered to your system's risk tier when you've completed the intake.

ⓘ How to use this tracker

Select a framework below to see its phased rollout. Milestones are marked done, imminent (<90 days), or upcoming. Run the System Intake first and your risk tier will highlight only the obligations that apply to you.

Model Card Generator

Generates an EU AI Act Annex IV-compliant model card, pre-filled from your workbench findings. Fill any gaps and download as Markdown.

ⓘ What is a model card & why does it matter?

What it does: compiles a structured technical document covering the 14 Annex IV control areas required for EU AI Act high-risk systems — auto-filled from your intake, fairness, and documentation results.

  • Run the System Intake and Fairness Scanner first for the richest auto-fill.
  • Fill in any blank fields, then click Generate & Download to get a .md file ready for your technical file.
  • The card is a governance starting point — have your legal team review before submission to a notified body.

1 · System Identity (auto-filled from intake)

2 · Intended Use

3 · Training Data

4 · Evaluation & Performance

5 · Fairness & Bias (auto-filled from Fairness Scanner)

Run the Fairness Scanner first to auto-fill this section.

6 · Limitations & Risks

7 · Human Oversight & Monitoring

LLM Safety Evaluator

Paste your system prompt and adversarial test prompts. We check for AI disclosure compliance, prompt injection, PII exposure, jailbreak patterns, and hallucination guardrails — entirely in your browser.

ⓘ What to paste here & what we check

System prompt: the instructions you give the LLM before the user turn. Required by EU AI Act Art. 50 to include an AI disclosure. We check for 6 recommended safety controls.

Adversarial test prompts: one per line — paste typical attack samples from your red-team or known jailbreak libraries to see how many your system prompt can resist. We check 24 injection and jailbreak patterns.

  • All analysis runs in your browser. No prompts are sent to any server.
  • Pattern matching is a fast triage — not a substitute for live red-teaming with a real model.

AI Governance Framework

Generate a comprehensive organisational AI governance plan — team charter with input/output workflows, C-Suite accountability matrix, IT controls for AI, and a 12-month working roadmap.

ⓘ What this generates

A board-ready governance framework document covering five areas:

  • AI Governance Team Charter — mandate, composition, and the explicit input → process → output workflow the team operates on.
  • C-Suite Accountability Matrix — what each executive owns, what they receive monthly/quarterly, and what they approve.
  • IT Governance Controls for AI — data, infrastructure, security, change-management gates, vendor governance, and incident response.
  • 12-Month Working Plan — phased roadmap (Foundation → Assessment → Controls → Optimise) with inputs, activities, and deliverables per phase.
  • Staff AI Usage Policy — acceptable use, approved-tools register, and high-risk use cases that need governance approval.

Fill in your organisation profile and click Generate Framework. Download as Markdown for your intranet, board pack, or compliance file.

1 · Organisation Profile (auto-filled from intake where available)

2 · Current AI State

3 · Governance Team Structure

Agent Control Plane

Governance for the action path, not just the paperwork. Describe an action your AI agent wants to take — the control plane evaluates it against policy-as-code, redacts sensitive data, decides allow / review / deny, maps each enforced control to a regulation, and seals the decision into a tamper-evident ledger.

ⓘ How this works & why it's different

Most AI governance tools review models and documents, periodically. This governs every action an agent takes, at runtime — the layer no one else ships.

  • Policy-as-code: risk = action type × irreversibility × data sensitivity × blast radius. Crossing a threshold forces human approval or a block.
  • Redaction: PII & secrets are stripped before the action runs. The raw payload is never stored — only a redacted copy.
  • Tamper-evident ledger: each entry is hash-chained to the one before it (EU AI Act Art. 12). Change any past record and Verify chain breaks.
  • Kill switch: engage it and the whole fleet is halted (EU AI Act Art. 14(4)).
Load a high-risk example

Action ledger

No actions evaluated yet.

Refresh ledger

Incident Intelligence

A graph of real, documented AI failures — each mapped to the control that would have prevented it. We match the incidents most likely to hit your system to its risk profile, so you can fix the gaps before they become your incident.

ⓘ How matching works

We score every incident against your system's domain, risk tier, and findings — and, when available, against your live Agent Control Plane telemetry (the action types your fleet is intervened on most). Higher relevance = closer to your situation.

  • If you've run the System Intake, your profile is pre-filled. Otherwise set it below.
  • Each match shows the failure mode and the exact preventive control + framework reference.

Regulatory Horizon

The AI rules landscape moves constantly. We match upcoming deadlines and recent changes to your system — by jurisdiction, risk tier and characteristics — with a countdown and the action to take for each.

ⓘ How this works

We score every tracked development against your jurisdiction, tier, domain and traits (GenAI, personal data, automated decisions), then sort by what's coming soonest and what changed most recently.

  • Pre-filled from your System Intake when available — adjust below.
  • Each item shows who it affects, the impact, and a concrete next action.

AI System Registry

The anchor of a governance program (NIST AI RMF GOVERN 1.6, ISO/IEC 42001, EU AI Act Art. 49): every model, GenAI app and agent registered in one place — each with live obligation clocks showing exactly what it owes, by when, and the artifacts to produce.

ⓘ How this works

Register a system (or auto-fill from your System Intake). We compute every regulatory obligation that applies to it — across the jurisdictions it operates in — with a countdown to each effective date and the concrete artifact list. Link saved assessments to build the system's governance record.

  • Active duties already apply today; imminent ones take effect within 180 days.
  • The Control Library below cross-maps NIST AI RMF (72 subcategories), ISO/IEC 42001 Annex A (38 controls) and the EU AI Act artifact set, so one piece of evidence can satisfy several regimes.
Operates in:

Control Library

128 cross-mapped controls. Click a control to see its equivalents in the other frameworks.

Regulatory Watch

A background daemon scans regulatory news every 6 hours for changes to the frameworks this platform tracks (the Digital Omnibus moving the EU AI Act's Annex III deadline is exactly the kind of change this catches). Nothing here is ever applied automatically — every item is a candidate for a human to review and, if accurate, promote to the Regulatory Horizon.

ⓘ Why human-in-the-loop

Getting a compliance deadline wrong is worse than being slow to update it. The watcher classifies news by likely framework/jurisdiction and — when an LLM is configured — drafts a plain-English summary and a suggested Regulatory Horizon entry. You decide what's accurate and supply the final date/impact/action before anything is published.