§ Enterprise

Regulatory conformance for agentic AI systems.

Maxwell produces deterministic, machine-checkable evidence of conformance with the EU AI Act, DORA, NIST AI RMF, and ISO 42001 — artefacts your auditors can accept and your regulators can read.

§ 01 — Regulatory mapping

Every invariant.
Every framework.

Each AG- invariant carries a full mapping to the specific article and control it satisfies. Compliance evidence is generated automatically in every CI run.

EU AI Act
In force Aug 2026 · Annex III high-risk
Art. 9 · AG-001, AG-005, AG-012 · Risk management — error handling, output validation, model integrity.
Art. 12 · AG-006, AG-017 · Record-keeping — logging, traceability of consequential decisions.
Art. 14 · AG-009, AG-011 · Human oversight — escalation paths, override provisions.
Art. 15 · AG-002, AG-003, AG-004 · Accuracy, robustness — loop bounds, timeout controls.

DORA
Digital Operational Resilience Act · financial entities
Art. 25(1) · AG-001, AG-002, AG-005 · ICT risk management — error containment, loop bounding, output validation.
Art. 25(2) · AG-004, AG-014 · Resilience testing — timeout enforcement, input snapshotting.
Art. 25(3) · AG-006, AG-017 · Incident reporting — complete, structured audit trail.

NIST AI RMF + ISO 42001
AI management systems · risk framework
DE-3 · AG-001, AG-004 · Detect — error detection mechanisms, timeout governance.
GV-2 · AG-002, AG-003 · Govern — loop termination, bounded execution.
GV-6 · AG-009, AG-011 · Human oversight — hard-coded escalation paths.
ISO 6.1 / 9.1 · AG-001, AG-006 · Risk treatment, monitoring — error containment, decision logging.

§ 02 — From Regulation to Code

From Regulation to Code — What Maxwell Verifies.

Each EU AI Act obligation maps to specific Maxwell invariants that are verified on every deployment.

| REGULATORY OBLIGATION | WHAT THE REGULATOR EXPECTS | WHAT MAXWELL PROVES | KEY INVARIANTS |
|---|---|---|---|
| Art. 9 / Risk Management | Continuous, systematic controls for foreseeable AI risks | Every loop is bounded. Every LLM call has error handling. Every external call has a timeout. | AG-001, AG-002, AG-004 |
| Art. 10 / Data Governance | Data provenance tracked and declared | Every data input has a declared source. External inputs are snapshotted at decision time. | AG-032, AG-014 |
| Art. 12 / Record-Keeping | Automatic logging over system lifetime | Every execution path — including the "happy path" — passes through a structured log. No decision bypasses the audit trail. | AG-006, AG-017 |
| Art. 13 / Transparency | System behaviour is explainable and stable | Model version is fixed — behaviour cannot change without an explicit deployment. Every decision has a declared owner. | AG-012, AG-008 |
| Art. 14 / Human Oversight | Humans can effectively intervene | Error handlers contain meaningful logic (no silent failures). High-impact actions have human override gates. | AG-007, AG-009 |
| Art. 15 / Accuracy & Robustness | System is resilient and outputs are reliable | Agent outputs are validated before reaching production systems. Low-confidence outputs branch to review. Fallbacks are deterministic. | AG-005, AG-020, AG-021 |

∎ This mapping is embedded in every Maxwell rule definition. The audit report references the specific article for each finding. When the regulator asks “how do you comply with Article 15?”, you hand them the report section — not a policy document.

§ 03 — Pilot programme

30-day structured pilot.
Your codebase. Our engine.

We run structured pilots with EU fintech and healthtech teams. One agent system, one codebase, one Maxwell scan — producing a full Provenance artefact your team can evaluate and your compliance function can review.

01 Scoping call — your deployment, risk surface, and regulatory exposure.
02 Maxwell scan — your codebase, your infrastructure, our engine.
03 Provenance review — full artefact walk-through with your compliance team.
04 Decision — deploy to CI, escalate internally, or pause. No pressure.