CorvinOS is engineered from the ground up to meet the requirements of the European Union's AI Act (Regulation (EU) 2024/1689, whose main obligations apply from August 2026). Compliance is not a bolt-on feature; it is structural.
The EU AI Act 2026 establishes a risk-based regulatory framework for artificial intelligence systems. CorvinOS implements comprehensive compliance measures across all risk categories and operational layers.
We treat compliance not as a checkbox exercise but as a fundamental architectural principle. Every component of CorvinOS, from voice transcription to multi-engine orchestration to audit logging, is designed with EU AI Act requirements as first-class constraints.
Users must always know when they're interacting with an AI system. CorvinOS implements a one-time, user-friendly disclosure card that appears on first contact.
Layer 19 (Disclosure) manifests as a visual card shown to every user on their first interaction with a bridge (Discord, WhatsApp, Web). The card cannot be dismissed on first view and can be recalled on demand afterwards. It clearly states the AI nature of the system and its data handling practices, and provides explicit opt-out controls.
Lawful basis for processing is non-negotiable. CorvinOS implements granular, deny-by-default consent with time-bound TTLs and per-feature gates.
Layer 16 Phase 4 (Consent Gate) enforces per-user, per-feature consent. No processing occurs until explicit grant. TTL can be set by the user; expiry is automatic. Each grant/revoke event is written to the tamper-evident audit chain with cryptographic proof.
Demonstrating compliance requires evidence. CorvinOS maintains a cryptographically secure, tamper-evident audit trail of every material operation.
Layer 16 (Audit Hardening) and Layer 37 (Audit-at-Rest Encryption) work in tandem. Every material event (consent grant, data access, deletion request, model output, error) is recorded in an append-only, hash-chained ledger. The chain is cryptographically sealed every 30 days or every 100 MB, whichever comes first, and sealed segments are encrypted for long-term archival. The `voice-audit verify` command validates the integrity of the entire chain.
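As an added illustration of the two mechanisms described above (the deny-by-default consent gate with TTL expiry, and the hash-chained audit ledger with a seal and a verifier), here is example code written for this page. It is not CorvinOS's own implementation and does not use its identifiers; the class names, event types, the HMAC-based seal and the sample clock values are all assumptions made for the example. It also shows the one check that hash links alone cannot perform: truncating the newest entries leaves every remaining link valid, so a seal over the head hash is what catches it.

```python
import hashlib
import hmac
import json
import time

# Added example, not CorvinOS code: a deny-by-default consent gate whose grant,
# revoke and expiry events land in an append-only, hash-chained ledger, plus a
# verifier that pinpoints the first tampered entry. Names are illustrative.

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so re-hashing is deterministic.
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                         separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditChain:
    """Append-only ledger: each entry commits to its predecessor's hash."""

    def __init__(self):
        self.entries = []  # dicts with keys seq, event, prev, hash

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "event": event, "prev": prev,
                 "hash": _entry_hash(prev, seq, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple:
        """Return (ok, first_bad_seq); first_bad_seq is -1 when intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i  # reordered, deleted-in-the-middle or spliced
            if _entry_hash(prev, i, e["event"]) != e["hash"]:
                return False, i  # event edited in place
            prev = e["hash"]
        return True, -1

    def seal(self, key: bytes) -> str:
        """HMAC over the head hash at sealing time (stand-in for segment sealing)."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return hmac.new(key, head.encode("utf-8"), hashlib.sha256).hexdigest()

    def check_seal(self, key: bytes, seal: str) -> bool:
        return hmac.compare_digest(self.seal(key), seal)


class ConsentGate:
    """Per-user, per-feature consent: denied until granted, expired after TTL."""

    def __init__(self, chain: AuditChain, now=time.time):
        self.chain = chain
        self.now = now          # injectable clock so the example is deterministic
        self._grants = {}       # (user, feature) -> expiry in epoch seconds

    def grant(self, user: str, feature: str, ttl_seconds: int) -> None:
        expires_at = self.now() + ttl_seconds
        self._grants[(user, feature)] = expires_at
        self.chain.append({"type": "consent.grant", "user": user,
                           "feature": feature, "expires_at": expires_at})

    def revoke(self, user: str, feature: str) -> None:
        self._grants.pop((user, feature), None)
        self.chain.append({"type": "consent.revoke", "user": user,
                           "feature": feature})

    def allowed(self, user: str, feature: str) -> bool:
        expires_at = self._grants.get((user, feature))
        if expires_at is None:
            return False        # deny by default: no grant on record
        if expires_at <= self.now():
            del self._grants[(user, feature)]
            self.chain.append({"type": "consent.expired", "user": user,
                               "feature": feature})
            return False        # TTL elapsed: automatic expiry, recorded
        return True


def demo() -> dict:
    clock = {"t": 1_700_000_000}  # constructed fake clock, epoch seconds
    chain = AuditChain()
    gate = ConsentGate(chain, now=lambda: clock["t"])
    key = b"constructed-seal-key"

    before = gate.allowed("alice", "voice_transcription")
    gate.grant("alice", "voice_transcription", ttl_seconds=3600)
    during = gate.allowed("alice", "voice_transcription")
    clock["t"] += 3601
    after = gate.allowed("alice", "voice_transcription")  # logs consent.expired
    intact, _ = chain.verify()
    seal = chain.seal(key)

    # Tamper 1: edit the recorded grant in place; verify() names entry 0.
    chain.entries[0]["event"]["feature"] = "biometrics"
    edited_ok, edited_at = chain.verify()
    chain.entries[0]["event"]["feature"] = "voice_transcription"  # restore

    # Tamper 2: drop the newest entry. Every remaining link still checks out,
    # so only the seal taken over the earlier head hash exposes it.
    chain.entries.pop()
    truncated_ok, _ = chain.verify()
    seal_ok = chain.check_seal(key, seal)

    return {"before": before, "during": during, "after": after,
            "intact": intact, "edited_ok": edited_ok, "edited_at": edited_at,
            "truncated_ok": truncated_ok, "seal_ok": seal_ok}


if __name__ == "__main__":
    print(demo())
```

The split between `verify()` and `check_seal()` is the point to take away: hash links prove that nothing between the genesis entry and the current head was edited, reordered or spliced, but they say nothing about entries removed from the end. Sealing the head hash at intervals (the page describes doing this every 30 days or 100 MB, optionally with an RFC 3161 timestamp) is what turns the ledger into evidence that is also complete.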
Some jurisdictions or data subjects require local processing. CorvinOS offers EU-only data residency with engine allowlists and egress lockdown to ensure data never leaves the zone.
ADR-0007 (Multi-Tenant Axis) defines compliance zones as a dimension of the tenant config. Layer 34 (Data Classification) and Layer 35 (Egress Lockdown) work together to enforce zone boundaries. If a tenant specifies EU-only, only local engines (Hermes) or EU-hosted Claude can be used. All data is stored in the designated region. Network egress is blocked to non-compliant hosts.
The EU AI Act defines four risk tiers. CorvinOS supports deployments in each permitted tier through layered controls.
| Risk Level | Definition (AI Act) | CorvinOS Controls | Status |
|---|---|---|---|
| Minimal Risk | Uses with no specific obligations under the Act (e.g. spam filters, AI in games) | L19 disclosure, L16 consent, L16 audit | ✓ Compliant |
| Limited Risk | Uses with Art. 50 transparency duties: chatbots and voice assistants, emotion recognition, biometric categorisation, synthetic content | All minimal + L34 data classification, L35 egress lockdown | ✓ Compliant |
| High Risk | Annex III uses: critical infrastructure, employment and HR decisions, creditworthiness and financial decisions, law enforcement | All limited + L37 encryption, L38 A2A protocol, L36 GDPR erasure | ✓ Compliant |
| Prohibited | Art. 5 practices: subliminal manipulation, social scoring | CorvinOS architecture precludes these use cases | ✓ N/A |
For high-risk uses the controls above are the platform-level part; the Act additionally places obligations on the provider and deployer of the specific system (risk management, human oversight, conformity assessment), which CorvinOS supports with evidence but does not perform on their behalf.
CorvinOS compliance spans 38+ security and governance layers. These are the key EU AI Act layers:
- Policy write protection: Fail-closed write protection on policy files. Ensures compliance configs cannot be bypassed.
- Layer 16 (Audit Hardening): Tamper-evident hash chains. Provides proof of every material event for the GDPR Art. 30 record of processing activities.
- Layer 19 (Disclosure): One-time AI disclosure card. Meets the Art. 50 transparency requirement.
- Layer 34 (Data Classification): PUBLIC → CONFIDENTIAL → SECRET matrix. Engine routing respects data sensitivity.
- Layer 35 (Egress Lockdown): Network firewall. Prevents data exfiltration outside compliance zones.
- Layer 36 (GDPR Erasure): Right-to-deletion orchestrator (GDPR Art. 17). Pseudonymisation on deletion.
- Layer 37 (Audit-at-Rest Encryption): Sealed segments with optional RFC 3161 timestamp authority (TSA) timestamps. Long-term integrity proof.
- Layer 38 (A2A Protocol): Agent-to-agent execution. Audited interoperability with external systems.
✓ Users control their data: Consent gates are enforced at the platform level. Revocation is instant and requires no re-authorization from operators.
✓ Transparency is structural: Every user sees an AI disclosure on first contact. They can opt out at any time via `/consent off`.
✓ Audit trail is immutable: Hash-chained events cannot be modified or deleted after creation. Tamper attempts are cryptographically detectable.
✓ Data stays in zone: EU-only tenants use local engines or EU-hosted models only. Network egress outside the zone is blocked by policy.
✓ Right to deletion is honored: The Art. 17 erasure orchestrator deletes user data across all layers within 30 days. Because audit entries are hash-chained and cannot be removed without breaking the chain, personal identifiers in audit logs are pseudonymized instead of deleted.