Context: The European Commission published draft guidelines on high-risk AI system classification under Article 6 of the AI Act on May 19, 2026. This document is TeNova's response to the public consultation, which closes June 23, 2026.

Enforcement timeline: GPAI transparency obligations enforceable August 2, 2026. AI content marking enforcement December 2, 2026. High-risk AI enforcement December 2, 2027.

1. About TeNova and SWT3

Tenable Nova LLC is a US-based company that develops the SWT3 AI Witness Protocol, an open cryptographic protocol for AI system accountability. SWT3 produces per-inference witness anchors that record compliance-relevant factors without intercepting, storing, or transmitting prompt content or model outputs.

The protocol is implemented as open-source SDKs (Apache 2.0 license) in Python, TypeScript, Rust, C#, and Ruby, published on PyPI, npm, crates.io, NuGet, and RubyGems. The current version (v0.5.3) covers 49 AI procedures across 22 namespaces, validated by 928 cross-language tests. The protocol specification is patent pending.

Positioning: SWT3 is an independent witness protocol. It records what happened, when, and under what conditions. It does not score models, approve deployments, or substitute for organizational risk management processes. SWT3 provides the evidence layer; Notified Bodies and organizational governance provide the judgment.

2. General Comments on the Draft Guidelines

TeNova supports the Commission's risk-based approach to AI classification and offers the following observations relevant to the guidelines:

2.1 Continuous evidence vs. point-in-time assessment

The draft guidelines appropriately emphasize that high-risk classification triggers ongoing obligations under Articles 9, 11, 12, and 14. We note that current conformity assessment practices rely primarily on point-in-time documentation reviews. For AI systems that evolve through fine-tuning, adapter stacking, RAG context updates, and multi-agent orchestration, point-in-time snapshots may not capture the full operational risk profile.

Cryptographic witness protocols like SWT3 provide continuous, tamper-evident evidence that bridges the gap between assessments. Each inference produces a fingerprinted record that auditors can verify independently at any future point.

2.2 Classification should consider evidence mechanisms

We recommend that the guidelines acknowledge the availability of automated evidence mechanisms when determining whether an AI system's risk can be adequately managed. Systems that produce continuous compliance evidence may present a different risk profile than systems with equivalent capabilities but no continuous monitoring.

2.3 Proportionate data protection through clearing levels

The draft guidelines raise valid concerns about data protection in the context of AI system monitoring. The SWT3 clearing protocol addresses this directly through four levels of data clearing (Level 0 Analytics through Level 3 Classified), allowing evidence fidelity to be proportional to data sensitivity. At Level 3, only numeric factors and hashed identifiers cross the network boundary.

3. Annex III Category Mapping

The following table maps each Annex III high-risk category to the SWT3 procedures that provide relevant continuous evidence.

Annex III Category | Relevant SWT3 Procedures | Evidence Type
1. Biometrics (remote identification) | AI-INF.1, AI-FAIR.1/2/3, AI-DATA.3/4, AI-MARK.1 | Full: inference provenance, fairness metrics, data lifecycle, content marking
2. Critical infrastructure (energy, water, transport, digital) | AI-INF.1/2/3, AI-HW.1/3, AI-ENV.1/2, AI-SAFE.1, AI-BASE.1 | Full: inference monitoring, hardware attestation, environmental integrity, safe state, behavioral baseline
3. Education (access, assessment, proctoring) | AI-FAIR.1/2/3, AI-EXPL.1/2, AI-HITL.1/2, AI-DATA.1/2 | Full: fairness metrics, explainability, human oversight, data provenance
4. Employment (recruitment, task allocation, evaluation) | AI-FAIR.1/2/3, AI-EXPL.1/2, AI-HITL.1/2, AI-ACC.1 | Full: fairness, explainability, human oversight, access control
5. Essential services (credit scoring, insurance, social benefits) | AI-FAIR.1/2/3, AI-EXPL.1/2, AI-DATA.1/2, AI-REV.1 | Full: fairness, explainability, data provenance, revocation
6. Law enforcement (risk assessment, profiling) | AI-FAIR.1/2/3, AI-HITL.1/2, AI-ACC.1, AI-VIO.1, AI-BASE.1 | Full: fairness, human oversight, access control, violations, behavioral baseline
7. Migration (border control, visa assessment) | AI-FAIR.1/2/3, AI-HITL.1/2, AI-INF.1, AI-EXPL.1/2 | Full: fairness, human oversight, provenance, explainability
8. Justice (judicial decisions, alternative dispute resolution) | AI-FAIR.1/2/3, AI-HITL.1/2, AI-EXPL.1/2, AI-ACC.1, AI-CHR.1 | Full: fairness, human oversight, explainability, access control, agent charter
8a. Democratic processes (election influence) | AI-MARK.1, AI-FAIR.1/2/3, AI-GRD.1/2, AI-VIO.1 | Full: content marking, fairness, guardrails, violation recording

4. Article 9: Risk Management System

Art. 9(2)(b) -- Continuous Risk Estimation

Foreseeable risks that may emerge when the AI system is used

SWT3 provides continuous risk evidence through AI-FAIR.1/2/3 (demographic parity, equalized odds, disparate impact), AI-VIO.1 (policy violation recording with category codes), AI-SAFE.1 (safe-state transitions), and AI-BASE.1 (agent behavioral baseline with drift detection). Each anchor records numeric risk factors that auditors can trend over time.

Art. 9(4)(a) -- Risk identification including model tampering

Known and foreseeable risks to health, safety, or fundamental rights

AI-MDL.1 hashes model weights at inference time, detecting swaps or tampering. AI-MDL.5 records weight file integrity. AI-MDL.6 attests adapter stacks (LoRA, QLoRA). AI-GRD.1/2/3 record guardrail enforcement and content safety filter status. AI-SEC.1/2 record adversarial detection and input validation results.

5. Article 11: Technical Documentation

Art. 11(1) -- Documentation before market placement

Technical documentation demonstrating compliance

SWT3 witness anchors provide automated, continuous documentation of: inference provenance (AI-INF.1), model identity and version (AI-MDL.1/2), data governance (AI-DATA.1/2/3/4), content marking (AI-MARK.1), hardware environment (AI-HW.1/3, AI-ENV.1/2), and skill manifests (AI-SKILL.1). The Compliance Passport export aggregates this evidence into a single HTML + signed JSON artifact suitable for Art. 11 annexes.

6. Article 12: Record-Keeping

Art. 12(1) -- Automatic recording of events

Traceability of AI system functioning throughout its lifetime

Every SWT3 witness anchor is a record in the sense of Art. 12(1). Each contains a SHA-256 fingerprint computed from the formula SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{timestamp_ms}").hex()[:12]. Anchors are immutable once minted. Daily Merkle rollups produce tamper-evident root hashes across all anchors for a given tenant and day. Revocation (AI-REV.1) creates a new anchor referencing the original -- it does not delete or modify the original record.
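As an added illustration (not code from the SWT3 SDKs), the following Python sketches the record-keeping properties described above: the fingerprint formula as quoted, a daily Merkle rollup over anchor fingerprints, and revocation by reference. The rendering of numeric factors with str(), the Merkle pairing rule, and the fields of the revocation anchor are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def mint_fingerprint(tenant: str, procedure: str, fa, fb, fc, timestamp_ms: int) -> str:
    # Formula quoted in the text; assumption: factors are rendered with str().
    msg = f"WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{timestamp_ms}"
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()[:12]


@dataclass(frozen=True)  # frozen: an anchor cannot be changed after minting
class Anchor:
    tenant: str
    procedure: str
    fa: float
    fb: float
    fc: float
    timestamp_ms: int
    revokes: Optional[str] = None  # assumed field: fingerprint of a revoked anchor

    def fingerprint(self) -> str:
        return mint_fingerprint(self.tenant, self.procedure,
                                self.fa, self.fb, self.fc, self.timestamp_ms)


def verify(anchor: Anchor, claimed: str) -> bool:
    # Independent verification is one recomputation and one hash comparison.
    return anchor.fingerprint() == claimed


def merkle_root(anchors: List[Anchor]) -> str:
    # Assumed rollup rule: leaves are the anchors' fingerprints in minting
    # order, sibling hashes are concatenated and re-hashed, and an odd
    # trailing node is paired with itself. Any altered anchor changes the root.
    level = [hashlib.sha256(a.fingerprint().encode()).hexdigest() for a in anchors]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256((level[i] + level[i + 1]).encode()).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]


def revoke(original: Anchor, timestamp_ms: int) -> Anchor:
    # AI-REV.1: a new anchor that references the original by fingerprint;
    # the original record is left untouched (it is frozen and not rewritten).
    return Anchor(original.tenant, "AI-REV.1", 1, 0, 0, timestamp_ms,
                  revokes=original.fingerprint())
```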

7. Article 14: Human Oversight

Art. 14(1)/(2) -- Human oversight measures

AI systems designed to be effectively overseen by natural persons

AI-HITL.1 records human-in-the-loop verification events. AI-HITL.2 records human override decisions. AI-EXPL.1/2 record model explanations and confidence scores that enable informed human oversight. AI-ACC.1 records access control decisions. The clearing protocol ensures that oversight evidence is available to Notified Bodies while protecting sensitive inference details at higher clearing levels.

8. Recommendations

TeNova respectfully recommends the following additions to the final guidelines:

  1. Recognize cryptographic witness protocols as valid evidence mechanisms. Per-inference witness anchors provide a higher assurance level than periodic documentation reviews for demonstrating continuous compliance with Articles 9, 11, 12, and 14. The guidelines should acknowledge that automated, tamper-evident evidence mechanisms exist and can supplement traditional assessment practices.
  2. Accept clearing levels as proportionate data protection. The guidelines should recognize that compliance monitoring does not require access to raw prompt content or model outputs. Clearing protocols that transmit only cryptographic hashes and numeric factors can provide sufficient evidence for conformity assessment while fully respecting data protection requirements under the GDPR.
  3. Encourage interoperable evidence formats. We recommend that the guidelines reference NIST OSCAL and open witness protocols as interoperable evidence formats that Notified Bodies can consume without vendor-specific tooling. SWT3 anchors are verifiable with a single SHA-256 hash comparison, requiring no proprietary software.

9. Company Details

Legal entity: Tenable Nova LLC
Headquarters: United States
Contact: engineering@tenovaai.com
Website: https://tenova.io
Protocol: SWT3 AI Witness Protocol v0.5.3
SDK languages: Python, TypeScript, Rust, C#, Ruby
License: Apache 2.0 (SDKs), Patent pending (protocol)
Procedures: 49 AI procedures across 22 namespaces
Tests: 928 cross-language tests, 33 fingerprint parity vectors
Registries: PyPI, npm, crates.io, NuGet, RubyGems, MCP Registry