Sentinel Sovereignty Report

Project: sentinel-preview · Storage: sqlite · Data residency: EU-DE · Sovereign scope: EU
Generated: 2026-04-14
EU AI Act Annex III enforcement: 2 August 2026 (110 days remaining). High-risk AI systems must prove automatic tamper-resistant logging.

Executive summary

Your system meets EU sovereignty requirements.

The runtime sovereignty score is 98% — that is the fraction of installed Python packages with no US CLOUD Act exposure. EU AI Act overall status: PARTIAL. Automated coverage of the required articles: 36%.

Where the report flags partial or non-compliant items, the "recommended actions" block below names each one in priority order. Every action corresponds to a specific file or configuration change.

Sovereignty score: 98%

112 of 114 installed packages are EU-sovereign or neutral. 3 are US-incorporated and subject to the CLOUD Act. 84 are unknown.

Critical-path violations: 0. This is a runtime snapshot. CI/CD and infrastructure are reported separately below.

EU AI Act compliance

Overall: PARTIAL · Automated coverage: 36%

| Article | Title | Status | Detail | What to do | Deadline | Owner |
|---|---|---|---|---|---|---|
| Art. 9 | Risk management | PARTIAL | Policy evaluator configured; every decision records the policy result. | Implement a formal risk management process. | Before deployment | Engineering + Risk |
| Art. 10 | Data governance | ACTION_REQUIRED | Data governance is not automatable by a middleware kernel. | Document training data governance end-to-end. | Your team must implement | Data + Legal |
| Art. 11 | Technical documentation | ACTION_REQUIRED | Annex IV technical documentation is a human deliverable. | Review manually. | — | Team |
| Art. 12 | Automatic record keeping | COMPLIANT | Every wrapped call produces a DecisionTrace automatically, stored append-only. | Enable tamper-resistant trace persistence. | Before deployment | Engineering |
| Art. 13 | Transparency & information to deployers | COMPLIANT | Traces record agent, model, policy name/version, and result per decision. | Populate transparency metadata on every trace. | Before deployment | Engineering |
| Art. 14 | Human oversight | COMPLIANT | Kill switch implemented; every override recorded as linked trace entry. | Prove the kill switch works end-to-end. | Before deployment | Engineering + Ops |
| Art. 15 | Accuracy, robustness, cybersecurity | ACTION_REQUIRED | Model evaluation and adversarial testing are outside the trace layer. | Define accuracy metrics for your specific use case. | Your team must implement | Data + Engineering |
| Art. 17 | Quality management system | COMPLIANT | Continuous, append-only trace record satisfies the traceability requirement. | Establish a quality management system for AI outputs. | Before deployment | Quality + Engineering |
| Art. 16 | Provider obligations | PARTIAL | Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. | Complete provider registration, conformity assessment, CE marking. | Before market placement | Legal + Compliance |
| Art. 26 | Deployer obligations | PARTIAL | Art. 26(5) deployer logging and Art. 26(6) human oversight primitives are shipped (kill switch + trace store). | Document human oversight procedures and train staff. | Before deployment | Operations + Legal |
| Art. 72 | Post-market monitoring (GPAI) | PARTIAL | Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. | Publish a GPAI post-market monitoring plan (if applicable). | Before deployment (only if GPAI applies) | Engineering + Legal |

Recommended actions

HIGH · Art. 9 — Risk management
Implement a formal risk management process.
Document risk categories for each AI use case, assign risk owners, and wire a PolicyEvaluator (SimpleRuleEvaluator or LocalRegoEvaluator) into Sentinel so every decision is checked against the documented risks.
Deadline Before deployment · Owner Engineering + Risk

HIGH · Art. 16 — Provider obligations
Complete provider registration, conformity assessment, CE marking.
Art. 16(d) deployer logging and 16(f) post-market monitoring evidence are produced automatically via the trace store. Register your AI system in the EU AI Act database (Art. 71). Conduct conformity assessment (Annex VI or VII depending on risk class). Affix CE marking. Registration and conformity assessment are human deliverables.
Deadline Before market placement · Owner Legal + Compliance

HIGH · Art. 26 — Deployer obligations
Document human oversight procedures and train staff.
Art. 26(5) deployer logging and Art. 26(6) human oversight primitives (kill switch + trace store) are shipped by Sentinel. Document human oversight procedures in writing. Define escalation paths when the kill switch is engaged. Train operational staff on AI system limitations and the override process. Establish an incident reporting workflow.
Deadline Before deployment · Owner Operations + Legal

HIGH · Art. 72 — Post-market monitoring (GPAI)
Publish a GPAI post-market monitoring plan (if applicable).
Records model identity, inputs hash, outputs and decision chain for any GPAI call — the raw evidence Art. 72 requires. Only applies if deploying a GPAI model as a high-risk system. Publish a GPAI post-market monitoring plan. Maintain model cards and capability evaluations. Sentinel provides the audit trail automatically.
Deadline Before deployment (only if GPAI applies) · Owner Engineering + Legal

MEDIUM · Art. 10 — Data governance
Document training data governance end-to-end.
Record training data sources, quality controls, bias assessments, and data governance policies. This is a human process — Sentinel cannot automate it. See docs/bsi-profile.md for the BSI-aligned template.
Deadline Your team must implement · Owner Data + Legal

MEDIUM · Art. 11 — Technical documentation
Review manually.
No automated guidance available for this article.
Deadline (none set) · Owner Team

MEDIUM · Art. 15 — Accuracy, robustness, cybersecurity
Define accuracy metrics for your specific use case.
Choose accuracy, robustness, and cybersecurity metrics that match the domain risk. Implement monitoring and drift alerting. This is a human process — Sentinel cannot automate the metric choice.
Deadline Your team must implement · Owner Data + Engineering

Next steps

Once the actions above are resolved, proceed in this order:

  1. Generate an attestation you can share with auditors:
    sentinel attestation generate --output governance.json
  2. Run the manifesto + compliance check and attach the output to your change request:
    sentinel compliance check --all-frameworks
  3. Schedule BSI pre-engagement — the pre-engagement package is already in docs/bsi-pre-engagement/. Contact: ki-sicherheit@bsi.bund.de (bsi.bund.de/KI)
  4. EU AI Act Annex III enforcement: 110 days remaining (2 August 2026). Penalties up to €15M or 3% of global annual turnover.

Manifesto status

Overall manifesto score: 100%

| Dimension | Detail |
|---|---|
| jurisdiction | 0 critical-path violations |
| kill_switch | kill switch API present |
| storage | backend: sqlite |
| bsi | targeting 2026-12-31 |

Runtime packages

Showing first 60 of 114 installed packages. Sovereign: 112 · US-owned: 3 · Unknown: 84

Showing packages in the current Python environment. For a complete scan including your project dependencies, run sentinel report from your project directory with your virtual environment activated.

| Package | Version | Parent | Jurisdiction | CLOUD Act | Critical |
|---|---|---|---|---|---|
| execnet | 2.1.2 | Unknown | Unknown | | no |
| typing_extensions | 4.15.0 | Unknown | Unknown | | no |
| pip | 26.0.1 | Unknown | Unknown | | no |
| cffi | 2.0.0 | Unknown | Unknown | | no |
| ptyprocess | 0.7.0 | Unknown | Unknown | | no |
| opentelemetry-exporter-otlp-proto-http | 1.41.0 | Unknown | Unknown | | no |
| uv | 0.11.6 | Unknown | Unknown | | no |
| idna | 3.11 | Kim Davies | Neutral | NO | no |
| rich | 15.0.0 | Unknown | Unknown | | no |
| charset-normalizer | 3.4.7 | Ousret | Neutral | NO | no |
| mypy | 1.20.1 | Python Software Foundation | Neutral | NO | no |
| mypy_extensions | 1.1.0 | Unknown | Unknown | | no |
| stack-data | 0.6.3 | Unknown | Unknown | | no |
| httpcore | 1.0.9 | Encode | Neutral | NO | no |
| asttokens | 3.0.1 | Unknown | Unknown | | no |
| urllib3 | 2.6.3 | urllib3 | Neutral | NO | no |
| distlib | 0.4.0 | Unknown | Unknown | | no |
| SecretStorage | 3.5.0 | Unknown | Unknown | | no |
| importlib_metadata | 8.7.1 | Unknown | Unknown | | no |
| matplotlib-inline | 0.2.1 | Unknown | Unknown | | no |
| opentelemetry-semantic-conventions | 0.62b0 | Unknown | Unknown | | no |
| jupyterlab_widgets | 3.0.16 | Unknown | Unknown | | no |
| markdown-it-py | 4.0.0 | Unknown | Unknown | | no |
| pytest-asyncio | 1.3.0 | pytest-dev | Neutral | NO | no |
| platformdirs | 4.9.6 | Unknown | Unknown | | no |
| httpx | 0.28.1 | Encode | Neutral | NO | no |
| backoff | 2.2.1 | Unknown | Unknown | | no |
| opentelemetry-api | 1.41.0 | CNCF | Neutral | NO | no |
| protobuf | 6.33.6 | Unknown | Unknown | | no |
| shellingham | 1.5.4 | Unknown | Unknown | | no |
| pycparser | 3.0 | Unknown | Unknown | | no |
| prometheus_client | 0.25.0 | Prometheus | Neutral | NO | no |
| orjson | 3.11.8 | Unknown | Unknown | | no |
| opentelemetry-exporter-otlp-proto-common | 1.41.0 | Unknown | Unknown | | no |
| pyproject_hooks | 1.2.0 | Unknown | Unknown | | no |
| pillow | 12.2.0 | Unknown | Unknown | | no |
| hyperlink | 21.0.0 | Unknown | Unknown | | no |
| keyring | 25.7.0 | Unknown | Unknown | | no |
| jsonpatch | 1.33 | Unknown | Unknown | | no |
| widgetsnbextension | 4.0.15 | Unknown | Unknown | | no |
| python-discovery | 1.2.2 | Unknown | Unknown | | no |
| zstandard | 0.25.0 | Unknown | Unknown | | no |
| Django | 6.0.4 | Unknown | Unknown | | no |
| pytest-cov | 7.1.0 | pytest-cov | Neutral | NO | no |
| psycopg2-binary | 2.9.11 | PostgreSQL Global Dev Group | Neutral | NO | no |
| prompt_toolkit | 3.0.52 | Unknown | Unknown | | no |
| zipp | 3.23.1 | Unknown | Unknown | | no |
| librt | 0.9.0 | Unknown | Unknown | | no |
| opentelemetry-sdk | 1.41.0 | CNCF | Neutral | NO | no |
| PyYAML | 6.0.3 | YAML | Neutral | NO | no |
| pydantic | 2.13.0 | Pydantic Services | UK | NO | no |
| requests | 2.33.1 | Python Software Foundation | Neutral | NO | no |
| tomlkit | 0.14.0 | Unknown | Unknown | | no |
| iniconfig | 2.3.0 | Unknown | Unknown | | no |
| opentelemetry-proto | 1.41.0 | Unknown | Unknown | | no |
| mdurl | 0.1.2 | Unknown | Unknown | | no |
| certifi | 2026.2.25 | Certifi | Neutral | NO | no |
| grpcio | 1.80.0 | Unknown | Unknown | | no |
| Pygments | 2.20.0 | Unknown | Unknown | | no |
| comm | 0.2.3 | Unknown | Unknown | | no |

CI/CD findings

| File | Component | Vendor | Jurisdiction | CLOUD Act |
|---|---|---|---|---|
| .github/workflows/ci.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/pages.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/release.yml | github_actions | GitHub (Microsoft) | US | YES |
| .github/workflows/rust.yml | github_actions | GitHub (Microsoft) | US | YES |
| pyproject.toml | pypi | Python Package Index | US | NO |

Infrastructure findings

| File | Component | Vendor | Jurisdiction | CLOUD Act |
|---|---|---|---|---|

No infrastructure findings.