EU AI Act
Evidence oversight for your AI agents — before Aug 2
On 2 August 2026 the EU AI Act becomes fully applicable and enforcement — including GPAI fines — goes live. Sanction is the evidence and human-oversight layer you put around the agents you operate, so you can demonstrate the record-keeping, transparency, and oversight the Act expects.
Straight about the timeline: the May 2026 Digital Omnibus pushed the high-riskobligations to 2027–2028. Aug 2, 2026 is the enforcement-goes-live and GPAI milestone — and the moment every team deploying AI is asked “can you evidence oversight and logging?” Sanction is how you answer with proof, not a slide.
What Sanction gives you
Three of the Act’s operator obligations, and the surface that evidences each.
Every governed decision, token log, and secret access is persisted, then pulled as a signed, hash-chained export. Altering, dropping, or reordering any entry breaks the chain — and anyone can re-verify it.
Every decision carries a stable outcome code and the exact policy revision it ran under, and can be replayed from its stored context to reproduce the result.
Over-threshold actions escalate to a human whose approval mints a single-use grant; the record captures who decided, when, and why. The freeze kill-switch halts an agent — or a whole pool — instantly.
Pull the evidence
One call produces a tamper-evident, Article-framed bundle for a wallet — or a whole org. Anyone can re-verify it independently; the framing rides alongside the signed chain and never alters it.
# One signed, Article-framed evidence bundle for a whole org
curl "https://getsanction.com/api/v1/audit/export?wallet_id=WALLET_ID\
&scope=subtree&framing=eu-ai-act" \
-H "x-mgmt-key: sk_your_management_key"
# → the signed export + an ai_act block: Article mapping, retention,
# decision counts (incl. how many a named human resolved), signed head# Prove it wasn't altered afterward — no trust in us required
curl -X POST "https://getsanction.com/api/v1/audit/verify" \
-H "x-mgmt-key: sk_your_management_key" --data-binary @export.json
# → { "valid": true, "chain_valid": true, "signature_valid": true }Append-only by construction
The audit trail is append-only — governed decisions, token logs, and secret-access records are never modified or deleted after write. There is no purge job and no mutation path. An export is a signed snapshot; the records remain for the life of the wallet.
The honest boundary
Sanction gives you evidence to supportArt 12/13/14 obligations for the agents you run. It is not a compliance certification, a conformity assessment, or legal advice — and it isn’t itself a high-risk AI system. Talk to your own counsel about which obligations apply to your systems. We say “helps you demonstrate,” never “makes you compliant.”