📊 Governance Status Board

Domain | Status
--- | ---
⚠️ Control Effectiveness | 🔴 ALERT
🗄️ Data Quality | ○ NO RUNTIME DATA
👁️ Human Oversight | 🟠 MONITORED
📄 Documentation & Compliance | 🟠 MONITORED
🔒 Security | ○ NO RUNTIME DATA
🤖 Agentic Behaviour | 🔴 ALERT
⚖️ Global Governance | ○ NO RUNTIME DATA


⚠️ Demo dossier — synthetic runtime data. These audits are published for demonstration purposes. Runtime traces were synthetically generated to illustrate the behavioral audit methodology. Systems are anonymised. Full production dossiers with live execution evidence are available under NDA — contact@factnotebook.com

⚠️ STATIC ANALYSIS — Limited confidence. Code and documentation were analysed statically — the audit engine did not execute the system live. Where session traces were provided, behavioural findings derive from those traces, not from live execution. Some verdicts rely on heuristic signals and are labelled accordingly; they may not reflect actual runtime behaviour. For a full technical dossier with executable evidence and SHA-256 seal, contact contact@factnotebook.com.

Executive Report

agents-for-openbb

Audit ID: CSVA-20260614-9BE11290 | Risk class: HIGH | Date: 2026-06-17 09:47 UTC


Compliance Verdict: PARTIAL EVIDENCE

PARTIAL TECHNICAL ALIGNMENT — identified control gaps require remediation within 90 days.

Immediate action: Begin remediation on priority articles. Schedule re-audit in 6-8 weeks.


KPI Dashboard

How scores are computed: Each of the 46 checkpoints carries a weight (2–5). The article score is the weighted average of its checkpoints. Articles 9, 10, 14, 15 are gate articles — a score below 50 on any of them sets that article to 0 and overrides the global score downward. Full methodology: factdna.ai/methodology

Dimension | Score | Status | Meaning
--- | --- | --- | ---
Compliance Score | 22 / 100 | 🔴 | Controls demonstrated by evidence (E2–E6). Skipped tests do not reduce this score.
Test Assurance | 7 / 100 | 🔴 | Controls verified by automated tests. Skipped: 35 (assurance gap, not compliance gap)
Runtime Evidence | 22 / 100 | 🔴 | Controls proven by E4+ runtime traces or E6 correlated chains
Documentation Coverage | 24 / 100 | 🔴 | Controls with at least E1 documentation or config evidence
Doc ↔ Code Alignment | 87.3% | 🟢 | Does documentation match what the code actually does? (SCI=100.0% · Gap=1.9%)
Regulatory Evidence Grade | 🟢 STRONG — Runtime + Tests | 🟢 | Overall evidence quality: Doc=0% · Code=0% · Runtime=20%

🔬 Runtime Sessions Analysis (Process Mining — Behavioral Audit)

Analysed sample: 2026-04-04 → 2026-04-05 (2 days · 109 events)
20 sessions · 18 checkpoints · Average compliance: 🟡 71.9% · Non-compliance: 25.6%

Checkpoint | Compliance rate | Sessions (✅ / ⚠️ / 🔴) | Sessions NOK
--- | --- | --- | ---
🔴 Audit Trail | 0% | 0 ✅ / 0 ⚠️ / 20 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
🔴 Automatic Blocking Linked to Human Rejection | 0% | 0 ✅ / 3 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
🔴 Human Validation | 0% | 0 ✅ / 3 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
🔴 PII Masking Before External Transmission | 0% | 0 ✅ / 0 ⚠️ / 20 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, hitl-222B705F, hitl-ED2A6C5D, hitl-26E4C429, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
🔴 Bypass Detection | 15% | 3 ✅ / 0 ⚠️ / 17 🔴 | fb-D534D661, fb-89F335E1, fb-3899A858, fb-6F43C4DE, fb-BB281A1F, fb-FA3E3725, fb-193F126A, fb-3ABD45B7, fb-1ACF4C41, fb-9318008E, fb-9EC3B248, fb-E439D5BF, fb-5F56C6CC, fb-659B8219, fb-E3B62030, fb-F7C43BE4, fb-8111D2BC
🟢 Decision Record Structure | 85% | 17 ✅ / 3 ⚠️ / 0 🔴 | 
🟢 Confidence-Based Human Routing | 95% | 19 ✅ / 0 ⚠️ / 1 🔴 | fb-89F335E1
🟢 Contextual Memory Limitation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Data Traceability | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Data Cleansing & Anonymisation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Authority Delegation | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 System Explainability | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Human-in-the-Loop Mechanism | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Escalation to Human | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Serious Incident Notification Procedure | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Execution Limits (Guardrails) | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 User Override | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 
🟢 Post-Market Plan | 100% | 20 ✅ / 0 ⚠️ / 0 🔴 | 

Source: workflow mining E5 — session-level behavioral evidence. Each row represents the evaluation of one AI Act control across all sessions in the period.


Critical Gates — Art. 9 / 10 / 14 / 15

Article | Requirement | Score | Status
--- | --- | --- | ---
Art. 9 | Risk Management System | 92.5/100 | 🟢 PASS
Art. 10 | Data Governance | 92.5/100 | 🟢 PASS
Art. 14 | Human Oversight | 85.0/100 | 🟢 PASS
Art. 15 | Robustness & Accuracy | 85.0/100 | 🟢 PASS

A GATE FAIL on any of these articles overrides the global score. Deployment in high-risk regulated environments is not recommended regardless of overall maturity score.


Evidence Level Breakdown — Per Checkpoint

This section answers: 'Is oversight genuinely integrated into system architecture, or merely aspirational?'
Each checkpoint shows its highest evidence level observed in the analysed artefacts. A NOT OBSERVED verdict does not assert that a control is absent — it asserts that no evidence of it was found in the scope of this audit.

Evidence Level Scale:

Level | Verdict Label | Icon | Meaning
--- | --- | --- | ---
E6 | DEMONSTRATED | ⛓️ | Regulatory control DEMONSTRATED by correlated event chain (end-to-end execution proven)
E5 | VERIFIED | 🔐 | Cryptographically verified continuous evidence
E4 | EXECUTED | 📋 | Operational log evidence (runtime execution proven)
E3 | TESTED | 🧪 | Sandbox test evidence (executed in controlled environment)
E2 | IMPLEMENTED | 🔍 | Code architecture evidence (pattern detected in source)
E1 | DECLARED | 📄 | Documentation / config evidence (declared only)
E0 | NOT OBSERVED | | No evidence observed in analysed artefacts
| NOT ASSESSABLE | 🚫 | Control requires an evidence channel unavailable in this audit — instrumentation gap, excluded from score

🟢 Art. 9 — Risk Management System | 92/100

Checkpoint | Status · Level · Confidence | Next Step to Elevate
--- | --- | ---
Post-Market Plan | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Confidence-Based Human Routing | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Risk Mitigation | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence
Continuous Monitoring | NOT OBSERVED | Implement the control, document it, then run audit
Risk Matrix | NOT OBSERVED | Implement the control, document it, then run audit
Risk Ownership Assignment | NOT OBSERVED | Implement the control, document it, then run audit
Risk Register | NOT OBSERVED | Implement the control, document it, then run audit

⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.

🟢 Art. 10 — Data Governance | 92/100

Checkpoint | Status · Level · Confidence | Next Step to Elevate
--- | --- | ---
Data Cleansing & Anonymisation | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Data Traceability | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
PII Masking Before External Transmission | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Bias Metrics | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence
Balancing & Representativeness | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence
Physical Dataset Existence | 🚫 NOT ASSESSABLE · no data evidence channel | Instrument system to emit data evidence, re-run
Dataset Quality | NOT OBSERVED | Implement the control, document it, then run audit
Data Inventory | NOT OBSERVED | Implement the control, document it, then run audit

⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.

🚫 Note: NOT ASSESSABLE means the control requires an evidence channel that was not available in this audit (e.g. runtime traces or a dataset). It is neither pass nor fail — it signals that the system is not instrumented to demonstrate this control. Make the system auditable, then re-run.

🟢 Art. 14 — Human Oversight | 85/100

Checkpoint | Status · Level · Confidence | Next Step to Elevate
--- | --- | ---
Authority Delegation | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Human-in-the-Loop Mechanism | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
User Override | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Escalation to Human | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Human Validation | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Automatic Blocking Linked to Human Rejec | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Agent Tool Scope | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence
Human Decision Endpoint | NOT OBSERVED | Implement the control, document it, then run audit

⚠️ Note: NOT OBSERVED means no evidence was found in the artefacts analysed (source code, tests, configs, logs). It does not assert that the control is absent from the full system.

🟢 Art. 15 — Robustness & Accuracy | 85/100

Checkpoint | Status · Level · Confidence | Next Step to Elevate
--- | --- | ---
Contextual Memory Limitation | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Bypass Detection | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Execution Limits (Guardrails) | 🔐 VERIFIED · E5 · ● HIGH | Continuous monitoring — maintain hash chain integrity
Component Obsolescence | 🧪 TESTED · E3 · ● HIGH | Submit production log extract for E4 evidence
Cybersecurity Audit | 🧪 TESTED · E3 · ● HIGH | Submit production log extract for E4 evidence
Robustness Level Reality | 🧪 TESTED · E3 · ● HIGH | Submit production log extract for E4 evidence
Unsafe Serialization Formats | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence
Error Handling | 📄 DECLARED · E1 · ◑ MED | Implement the control in code for E2 evidence

⚠️ Evidence Contradictions — Auditor Review Required

These checkpoints show runtime evidence COMPLIANT but automated test FAILED.
This pattern may indicate: (1) staged/synthetic log files, (2) broken test environment, (3) code path mismatch between test and production.
The compliance verdict should not be accepted without verifying the authenticity of the runtime traces.

Checkpoint | Runtime Evidence | Test Result | Auditor Action
--- | --- | --- | ---
⚠️ Contextual Memory Limitation | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Decision Record Structure | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Authority Delegation | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Bypass Detection | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Human-in-the-Loop Mechanism | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Execution Limits (Guardrails) | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ User Override | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Escalation to Human | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Data Traceability | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ PII Masking Before External Transmission | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ System Explainability | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity
⚠️ Post-Market Plan | E5 COMPLIANT | Test FAILED | Verify runtime trace authenticity

Top Business Risks

⚠️ See Critical Gates section above — gate failures constitute regulatory risk even when no DOC↔CODE collisions are detected.


Remediation Projection

Phase | Score | Status | Timeline
--- | --- | --- | ---
Current state | 57.2 / 100 | PARTIAL EVIDENCE | Now
Phase 1 — Critical gaps | ~75 / 100 (estimated) | Gate article gaps resolved | 4–6 weeks
Phase 2 — Full evidence | ~91 / 100 (estimated) | Evidence sufficient for review | 10–14 weeks

Phase 1 priority: Article 12 — resolves immediate regulatory exposure.


LEGAL STATUS: TECHNICAL EVIDENCE REPORT — This document is an automated factual report. It documents technical alignment with EU AI Act control points. It does not constitute legal advice or regulatory certification.

Methodology Notice
Evidence levels (E0–E5), contradiction detection, assurance scoring and control mapping are defined in the FactNotebook Technical Evidence Framework.

⚠️ Runtime Risk Exposure

The following risks have violated controls in runtime sessions. → Full Risk Control Matrix

Risk ID | Description | Criticality | Exposure
--- | --- | --- | ---
RISK-FIN-001 | The LLM agent may produce factually incorrect financial data (wrong earnings, false M&A events, inco… | CRITICAL | 100.0%
RISK-FIN-002 | Agent responses are streamed directly to users without any human review step, even for high-stakes i… | CRITICAL | 100.0%
RISK-FIN-003 | The agent uses widget data to answer questions but does not formally record which data sources infor… | CRITICAL | 100.0%
RISK-FIN-005 | Training data bias may cause systematic over-bullishness on US large-cap tech stocks vs other sector… | CRITICAL | 100.0%
RISK-FIN-006 | When no widget data is provided, the agent answers from LLM training data which may be months out of… | CRITICAL | 100.0%