
Most fintechs think they're EU AI Act compliant because they have logs.

They're not.

And the difference matters more than most people realize.

Here's what logs actually are: a record your system wrote, stored in a database you control, that you can query, export, and theoretically edit. When a regulator asks "prove this AI decision happened exactly this way" — you hand them a CSV. They have no way to know if that CSV looked different yesterday.

That's not a compliance problem. That's a trust problem. And regulators know it.

What the EU AI Act Articles 9-17 actually require is tamper-proof records. Not just records that exist — records that can be independently verified as unchanged since the moment they were created. Those are two completely different infrastructure problems.

The way you solve the second one is cryptographic sealing. You take the decision output the moment it happens, run it through a hash function, and chain that hash to every decision before it. Now if anyone touches the record — even one character — the chain breaks. Mathematically detectable. No trust required.

Bitcoin does this for transactions. The same principle applies to AI decisions.

A PDF compliance policy doesn't get you there. A well-organized Postgres database doesn't get you there. The gap is at the infrastructure layer, between the moment your model outputs a decision and the moment that decision hits storage. That one-second window is where the proof either gets created or doesn't.

Most companies are solving the documentation layer and calling it done. The technical layer is what regulators will actually test.

on June 10, 2026
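A worked example of the hash-chain sealing described in the post above, added here as illustration (not the author's or AIDAL's code): each decision record is hashed together with the previous entry's hash, so editing any record breaks verification. The record fields and the re-sealing scenario are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry

def canonical(record):
    # Deterministic serialization: key order and whitespace must not change the hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, prev_hash):
    # The hash covers the decision AND the previous entry's hash, which forms the chain.
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def append_decision(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": seal(record, prev)}
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Walk from genesis; return (True, -1) or (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or seal(entry["record"], prev) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1

def reseal(chain):
    # Caveat: whoever can write to the store can edit a record and recompute every
    # hash after it, so the chain verifies again. Only comparing the head hash with
    # a copy anchored outside the store (signed, published, write-once) exposes that.
    prev = GENESIS
    for entry in chain:
        entry["prev_hash"] = prev
        entry["hash"] = seal(entry["record"], prev)
        prev = entry["hash"]
    return prev  # new head hash

def build_sample_chain():
    # Constructed sample decisions, not real data.
    chain = []
    for rec in [{"id": 1, "applicant": "A-1001", "model": "credit-v3", "decision": "approve"},
                {"id": 2, "applicant": "A-1002", "model": "credit-v3", "decision": "decline"},
                {"id": 3, "applicant": "A-1003", "model": "credit-v3", "decision": "approve"}]:
        append_decision(chain, rec)
    return chain
```

Verification detects an in-place edit immediately; the `reseal` path shows why the latest head hash must also be exported somewhere the database owner cannot rewrite.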
  1.

    Good framing on the audit trail gap. Tamper-evident records versus editable CSVs is a distinction that gets ignored until someone is actually in front of a regulator.

    One layer upstream: most small businesses that now use AI tools do not know which regulations apply to them until something changes. The cryptographic audit trail assumes you knew you needed to comply. A lot of companies find out after the fact, from Reddit, not from counsel.

    Building in that upstream gap with BillWatch - tracking federal bills by business type, plain-language summaries before they take effect. Pre-order at billwatch-landing.vercel.app.

  2.

    Good breakdown of the documentation vs. proof gap. One layer up is the awareness problem -- most companies don't know which articles apply to their use case until an auditor tells them.

    Worth noting: the AI Office implementing regs for high-risk categories are still being finalized, so even companies that've solved the cryptographic layer may need to revisit scope in 6-12 months.

    Seeing the same delayed-awareness pattern on the US side with federal legislation -- small businesses typically find out a bill affects them after it passes. That's the gap I'm working on with BillWatch.

    1.

      The awareness gap is real and honestly it's why the cryptographic layer matters even more once they do find out. By the time an auditor tells them which articles apply, it's too late to retroactively seal decisions that already happened.

      BillWatch sounds like it sits upstream of AIDAL — you catch the law coming, we catch every decision made under it. Interesting combination. What markets are you targeting first?
