Article 26 Deployer Pack
A signed bundle a deployer hands their downstream customer to demonstrate Article 26 conformity. PDF + JSONL receipts + Merkle proofs + CycloneDX AI BOM + signed manifest, anchored to the public ledger.
System overview
Intended purpose, deployer's own use cases, known limitations, geographic + linguistic scope — sourced from the registered system's model card.
Risk register snapshot Art 26 §1, §2
Inherent + residual likelihood/impact, treatment plans, target resolution dates. All risks frozen at the pack's build time.
Human-oversight evidence Art 26 §2
Oversight log, approval records (`/approvals/`), abort events, override frequency, named oversight personnel — confirming the deployer assigned competent staff.
Input-data monitoring Art 26 §4
Sample-set characteristics, drift events from drift_events, bias-assessment results, redaction policy effectiveness.
Incident reporting record Art 26 §5
All ai_incidents rows in scope — opened/mitigated/closed timestamps, named lead, post-mortem links, market-surveillance authority notification timestamps.
Information for natural persons Art 26 §11, Art 50
Synthetic-content disclosure templates, transparency UI screenshots, consent flow records.
Cooperation with authorities Art 26 §12
Named compliance officer, contact channel, retention guarantees, signed Ed25519 manifest hash + Solana txid.