VAC Protocol & Athena · regulatory alignment map
The EU AI Act asks for provable human oversight and complete records. That is what this infrastructure produces.
A plain-language map of where the Verifiable Authority Chain and Athena's calibration layer are designed to support the Act's obligations — for deployers, providers, and the assessors who evaluate them.
Where the clock actually stands (post-"Digital Omnibus", formally approved June 2026): the Act entered into force in August 2024 and applies in stages. The heavy high-risk regime — risk management, logging, provable human oversight, conformity assessment — was due 2 August 2026 but has been deferred to 2 December 2027 for stand-alone high-risk systems (justice, essential services, biometrics) and August 2028 for AI embedded in regulated products. Two things did not move: the Article 50 transparency duties still apply from 2 August 2026, and the reason given for the delay is that the compliance ecosystem — standards, evidence tooling — was not ready. Building the evidence layer is precisely the work regulators just gave organisations sixteen more months to do; every major law firm's guidance says the same thing: use the time, do not wait for it.
Human oversightArticle 14
High-risk systems must be designed so natural persons can effectively oversee them. The VAC seal is oversight made evidentiary: a biometrically verified, present person authorises the consequential action, at a ceremony weight proportional to its stakes, producing an independently verifiable record that the oversight actually occurred — not a policy document asserting that it should.
Record-keeping & logsArticles 12 & 19
High-risk systems must log events automatically and providers must retain them. Every VAC authorisation emits a signed Authority Action Record — who, what, under which conditions, when — lodged to an audit chain any party can verify without trusting the operator. Logging that is cryptographically checkable rather than merely stored.
Deployer obligationsArticle 26
Deployers must use systems per instructions, assign competent human oversight, and monitor operation. Bounded delegation is the mechanism: each agent's authority is scoped — purpose, amount, counterparty, time — under a named, verified person, so "who was responsible" has a cryptographic answer, not an organisational shrug.
TransparencyArticles 13 & 50
Systems must be operable with appropriate transparency, and people informed when interacting with AI. The authority chain makes the human-vs-agent provenance of any action inspectable: an action either traces to a verified human seal or to a delegated agent under one — and the record shows which.
Accuracy & robustnessArticle 15 · FRIA Article 27
High-risk systems must achieve appropriate accuracy and robustness; public-interest deployers must assess fundamental-rights impact. Athena's known-answer calibration provides measured, per-domain evidence of model performance — 10,000+ scored challenges across 32 domains — the kind of empirical basis accuracy claims and impact assessments are supposed to rest on.
Language discipline, stated plainly: this page describes how the infrastructure is designed to support compliance with the cited provisions. It is not a claim of certification, conformity assessment, or legal advice; obligations depend on system classification, role, and deployment context, which the deploying organisation must assess. We keep this wording strict because a trust product that overclaims its own compliance posture has failed at its one job.