
Dual-standard conformance

The EU AI Act refers to harmonised standards for risk management. Venturalítica currently supports two: prEN 18228 (CEN/CENELEC JTC 21, priority as the Art. 9 harmonised standard) and ISO 23894 (AI risk management process). A single signed bundle can be projected onto either — or both — without modifying or re-annotating the AssuranceProgram.


The risk program — the risk: section of sei.yaml — contains the risks, measures, and results of the evaluated controls. sei conformance projects that content onto the clause catalogue of the requested standard: for each catalogue clause, it determines whether one or more measures cover it (with which control and result), whether they partially cover it, or whether there is a gap.

This projection is what allows N conformance reports to be generated from a single AssuranceProgram, without duplicating annotations or creating source-of-truth ambiguity.

The canonical identifiers for the two standards are:

Standard | Canonical id
prEN 18228 (harmonised, priority) | eu/pren-18228@2026
ISO 23894:2023 | iso/23894@2023

Project onto the prEN 18228 catalogue:
    sei conformance --repo . --standard eu/pren-18228@2026

Project onto the ISO 23894 catalogue:
    sei conformance --repo . --standard iso/23894@2023

All applicable standards (declared in applicable_standards):
    sei conformance --repo .

The output groups clauses by cycle phase of the standard (e.g. overall_residual, treatment, identification…) and indicates for each clause:

  • ✅ COVERED — one or more measures reference it and the associated control passed.
  • ⚠ PARTIAL — measures reference it, but the associated control is failing or advisory.
  • ❌ GAP — no measure cites the clause, or the blocking control does not pass.

Example output for eu/pren-18228@2026 on the loan scenario (state T1, green gate):

═══ Conformidad eu/pren-18228@2026 ═══
Cobertura: 1 cubiertas · 0 parciales · 1 huecos
── ciclo: risk_control ──
✅ cl.9.2 Implementation and verification of risk control measures — unfair-credit-exclusion (PASA)
── ciclo: overall_residual ──
❌ cl.10 Evaluation of overall residual risk — residual agregado CRÍTICO/EXCEDE apetito

With --out, the command writes the report as a signed artifact:

Generate and write the conformance artifact:
    sei conformance --repo . --standard eu/pren-18228@2026 --out

Generated files:

.sei/conformance/eu_pren-18228_2026.json ← signed SeiArtifact<Conformance>
.sei/conformance/eu_pren-18228_2026.json.sig ← DSSE envelope · in-toto · ECDSA-P256

The file slug is derived from the standard id (replacing /, @ and - for filesystem compatibility).


--history projects conformance over each committed iteration of the bundle (each sei run that was committed), showing how coverage evolves during the RDD cycle:

View the evolution of conformance over time:
    sei conformance --repo . --standard eu/pren-18228@2026 --history

Typical output (two iterations: T0 red gate, T1 green gate):

═══ Conformidad eu/pren-18228@2026 POR ITERACIÓN (RDD) ═══
a3f2b1c0 2026-05-23 · 0 cubiertas / 2 huecos «T0: V1 evidencia (gate RED)»
7e9d4f2a 2026-05-23 · 1 cubiertas / 1 huecos «T1: re-ancla V2 (gate GREEN)»

This illustrates the ISO 23894 treatment loop: coverage grows as controls pass. Each iteration corresponds to a bundle commit, traceable by hash.


Dedup: one AssuranceProgram → two reports

The two commands from the loan scenario demonstrate dedup in practice:

First command (from loan.json scenario):
    sei conformance --repo . --standard eu/pren-18228@2026 --out

Second command (from loan.json scenario):
    sei conformance --repo . --standard iso/23894@2023

The same sei.yaml and the same .sei/bundle.json produce two distinct reports. The iso/23894@2023 standard projects the bundle onto clause cl.6.5 (risk treatment), which appears as covered because the unfair-credit-exclusion control transitioned from FAIL to PASS (closed treatment). There is no need to create two risk programs or annotate risks with references to clauses from both standards.
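
The projection and the dedup described above, sketched as an added example (not sei's own code). The data model, the tag-based link between measures and clauses, and the precedence among the three statuses are assumptions made for illustration; the clause ids, the control name and the T0/T1 results are taken from the loan scenario output on this page.

```python
# Added illustration, not sei's implementation. Field names, the tag-based
# linking and the status precedence are assumptions made for this example.
from collections import Counter

# Constructed catalogues: clause id -> (cycle phase, standard-neutral tags).
# cl.10's aggregate residual evaluation is not modelled; it is a gap here
# simply because no measure carries its (hypothetical) tag.
CATALOGUES = {
    "eu/pren-18228@2026": {
        "cl.9.2": ("risk_control", {"control-verified"}),
        "cl.10": ("overall_residual", {"residual-within-appetite"}),
    },
    "iso/23894@2023": {
        "cl.6.5": ("treatment", {"control-verified"}),
    },
}

def measure(result, enforcement="block"):
    """One measure of the loan scenario's risk program (constructed)."""
    return {"control": "unfair-credit-exclusion", "tags": {"control-verified"},
            "enforcement": enforcement, "result": result}

def clause_status(tags, measures):
    """COVERED / PARTIAL / GAP for one clause, following the three rules."""
    citing = [m for m in measures if m["tags"] & tags]
    blocking = [m for m in citing if m["enforcement"] == "block"]
    if not citing or any(m["result"] != "PASS" for m in blocking):
        return "GAP"        # nothing cites it, or a blocking control fails
    if blocking:
        return "COVERED"    # every blocking control that cites it passed
    return "PARTIAL"        # only advisory controls cite it

def project(standard, measures):
    """Project one risk program onto one catalogue: clause id -> status."""
    return {cid: clause_status(tags, measures)
            for cid, (_phase, tags) in CATALOGUES[standard].items()}

def coverage(standard, measures):
    """Counts per status, like the coverage line of the report."""
    return Counter(project(standard, measures).values())

if __name__ == "__main__":
    t0, t1 = [measure("FAIL")], [measure("PASS")]   # T0 red gate, T1 green gate
    for label, program in (("T0", t0), ("T1", t1)):
        for std in CATALOGUES:
            print(label, std, project(std, program))
```

The same list of measures feeds both catalogues, so the T0 and T1 programs reproduce the 0 covered / 2 gaps and 1 covered / 1 gap counts of the history output without any per-standard annotation.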


Per-standard conformance is independent of the risk gate in sei run. The risk gate (phase 2 of the two-phase gate) is binary: it blocks if any block control is failing. Per-clause conformance is a structured, more granular report that complements the gate but does not replace it.

sei conformance can be run at any time after sei run; it does not require the gate to be green.