Status & gaps
🟡 Partial — The Annex IV the cloud assembles from the engine's bundle is not yet complete; this page enumerates the gaps.
Venturalítica is built in parallel with its documentation and is incomplete; as a matter of honesty by design, we declare gaps rather than hide them. This page is the source of truth for project maturity and the path towards a complete Annex IV under EU AI Act Art. 11.
Status taxonomy
| Status | Meaning |
|---|---|
| ✅ Stable | Implemented and covered by integration or e2e tests |
| 🟡 Partial | Works in documented cases; full coverage is missing |
| 🚧 Planned | Designed in spec, not yet implemented |
| 🧪 Experimental | Prototype; the API may change without notice |
Open points towards a complete Annex IV
The following items are identified gaps between the current state of the sei engine and the requirement for a verifiable Annex IV (EU AI Act Art. 11; ISO/IEC 42001 Annex B).
| Status | Gap | Relevant clause |
|---|---|---|
| 🚧 | Keyless identity anchoring (Sigstore): ECDSA-P256+DSSE+in-toto signing is implemented, but anchoring the signer to an external trust root is pending. | Sigstore (keyless signing); in-toto (chain integrity) |
| 🚧 | Post-market monitoring: the continuous monitoring model of Art. 72 is not yet modelled in the engine. | EU AI Act Art. 72; Annex IV §9 |
| ✅ | Overall system residual risk (prEN 18228 cl. 10): already a criterion in sei conformance cl. 10 (criterion: overall_residual, aggregated by evaluate_overall_residual() and persisted in EvidenceBundle.overall_residual) and blocks the lifecycle gate; it is only advisory in the sei run gate. | prEN 18228 cl. 10 |
| 🚧 | Explicit hazard→harm chain and control hierarchy (prEN 18228 cl. 9): the current model follows ISO 23894 (risk management process); the product-safety chain and hierarchy of control measures are not yet built. | prEN 18228 cl. 9; ISO 23894 §6.4 |
| 🚧 | Fundamental rights (FRIA): the Fundamental Rights Impact Assessment (EU AI Act Art. 27) is not yet explicitly covered in the bundle. | EU AI Act Art. 27 |
| 🚧 | Prompt-tuning treatment modality (LLM case): only code-change and parameter-adjustment modalities are built. The prompt-tuning modality has been deferred. | ISO 23894 §6.5; EU AI Act Art. 10 |
| 🚧 | Annex IV §2/§3/§4/§9 conditionally pending: §2 (data) if data_governance is missing; §3 (monitoring/functioning/control) if the ex-ante pillars are missing (foreseeable misuse, residual risks, Art. 14 oversight means); §4 (suitability of metrics) if control results are missing; §9 (post-market monitoring) if the manifest declares no post-market measures. §7 (harmonised standards) and §8 (EU declaration of conformity) are NEVER pending: the engine always emits their state derived from the bundle. In the current scenarios, with data/controls/measures present, only §3 and §9 appear pending. | EU AI Act Annex IV §2, §3, §4, §9 |
What is built
The following subsystems are stable and covered by tests:
- ECDSA-P256+DSSE+in-toto signing of .sei/* artifacts.
- ISO 23894 §6.4.2–6.4.4 and §6.5 risk model (likelihood × impact 5×5, hybrid residual, appetite).
- Dual conformance by projection: prEN 18228 (priority) + ISO 23894, from a single bundle.
- sei reconstruct — replay of the treatment cycle per risk from the git log.
- Annex IV assembly in the cloud (control plane) from the signed bundle; the engine only emits the evidence.
- Treatment modalities: code change (loan) and parameter adjustment (retinopathy: use_mitigated: false→true).
- Three MLOps backends tested in the e2e scenario harness (pre-merge / self-hosted runners; ci.yml only runs cargo test --workspace --lib): DVC (cat1), MLflow (cat2), Dagster (cat3).
Gaps as code
The above gaps are not just documentation: sei conformance and sei soa already emit per-clause and per-control gaps from the signed bundle. See the sei CLI reference; sei conformance accepts the --standard and --out flags.