EU AI Act Compliance Report

System name: Sentinel AI Governance Control Plane
Provider: Sentinel Project
Version: Policy vbd84462bf88a
Intended purpose: AI governance sidecar proxy that enforces safety, security, and compliance policy on LLM requests. Sits between AI agents and LLM providers, applying configurable gate pipelines (PII detection, prompt injection scanning, tool approval, budget limits, model allowlisting) before forwarding allowed requests.

HIGH: 2 LIMITED: 2 MINIMAL: 1

Deployment form: Docker Compose stack (self-hosted), API-based integration — §1(c)
Software dependencies: Python 3.11+, FastAPI, LiteLLM (multi-provider routing), Microsoft Presidio (PII), LLM Guard (injection detection), spaCy (NER), SQLite (audit store), Prometheus (metrics), Langfuse (tracing) — §1(b)
Hardware requirements: Minimum 2 CPU cores, 4GB RAM; no GPU required for governance layer — §1(d)
User interface: Admin web dashboard (Jinja2 + HTMX), REST API for programmatic integration — §1(f)
Instructions for use: Inline dashboard guidance, API documentation, and this compliance report — §1(g)

Architecture: Policy-as-code governance proxy using a sequential gate pipeline. Each inbound request is evaluated by an ordered set of gates; any gate may ALLOW, BLOCK, or escalate to REVIEW.
Key design choice: Deterministic policy evaluation (no ML in the governance layer itself). Gates use rule-based + NLP pattern matching, not generative AI, to avoid recursive trust problems.
Rationale: A governance layer that itself uses LLMs to make safety decisions introduces circular dependency. Deterministic gates provide auditable, reproducible decisions.
Trade-offs: Pattern-based detection may miss novel attack vectors; mitigated by layered defense (multiple gates) and human oversight escalation.

Request flow: Agent → Sentinel Proxy → Gate Pipeline (Input) → LiteLLM Router → LLM Provider → Gate Pipeline (Output) → Response
Components:

• Proxy service (port 8000) — OpenAI-compatible API, request routing, audit logging
• Policy engine — Gate pipeline orchestration, YAML policy loader with hot-reload
• Admin UI (port 8001) — Approval console, monitoring dashboard, this report
• LiteLLM (port 4000) — Multi-provider routing to OpenAI, Anthropic, Groq, etc.
• SQLite — Audit log, agent registry, approval queue (WAL mode for concurrent access)

Training data: Sentinel's governance layer does not use training data. Gates use pre-trained NLP models (spaCy en_core_web_lg for NER, LLM Guard for injection detection) but do not fine-tune or retrain on deployment data.
Input data specifications: OpenAI-compatible chat completion requests (model, messages[], optional tools[]). All input is text-based.
Expected output: Proxied LLM response (200), policy block with reason code (403), or human review ticket (202).
Pre-trained model provenance: spaCy en_core_web_lg (MIT license, trained on OntoNotes 5); LLM Guard (Apache 2.0, deberta-v3-base fine-tuned on injection datasets).

Art. 14(4)(a) — Understand & monitor: Admin dashboard with real-time decision feed, per-agent stats, gate performance
Art. 14(4)(d) — Override/reverse: Approval queue (approve/reject pending requests); individual agent suspend/revoke
Art. 14(4)(e) — Stop button: POST /v1/emergency/suspend-all — immediately suspends all agents
Per-agent overseers: FinanceBot (cfo@acme.com, risk@acme.com), HealthBot (hipaa-officer@hospital.org),

Test framework: sentinel-scenarios — 27 end-to-end scenario executions across 5 agents covering input gates, output gates, approval workflows, emergency controls, budget limits, and model allowlisting.
Test metrics: Pass/fail per scenario, decision correctness (expected vs actual status code and decision), latency (ms), cost attribution.
Test evidence: Scenario results exported as JSON (scenario-results.json) with timestamps, signed by automated runner.

API authentication: Per-agent API keys, hashed with SHA-256 + pepper (SENTINEL_KEY_PEPPER, min 32 chars)
Prompt injection detection: LLM Guard scanner active on all routes
PII detection: Microsoft Presidio with configurable entity types and score thresholds
Input validation: Pydantic models on all API endpoints; no raw SQL string interpolation
Transport: HTTPS recommended for production; Docker internal networking for inter-service communication

Capabilities:

• Real-time policy enforcement on LLM requests (avg 913ms added latency)
• PII detection across 5 gate types with configurable sensitivity
• Human-in-the-loop escalation with sub-0.0s average response time
• Per-agent budget tracking with automatic enforcement
• Multi-provider LLM routing (OpenAI, Anthropic, Groq, OpenRouter, Gemini, Mistral)

Known limitations:

• PII detection accuracy varies by entity type and language — Presidio is English-optimized
• Prompt injection detection uses pattern-based heuristics — novel attack vectors may bypass
• Cost tracking depends on provider-reported token counts — not independently verified
• Output gate scanning adds latency to allowed requests (dual-pass evaluation)
• Single-node SQLite deployment — not horizontally scalable without migration to PostgreSQL

Risk	Impact	Mitigation
False positive PII detection	Legitimate requests blocked	Configurable score thresholds; human review escalation
False negative injection detection	Prompt injection bypasses gate	Layered defense (multiple gates); output gate as second barrier
Governance proxy downtime	All agent requests fail	Prometheus alerting (SentinelProxyDown); health endpoint monitoring
Budget tracking inaccuracy	Cost overruns or premature blocking	Conservative default limits; per-request cost logging for audit

Retention: Unlimited in current deployment. Art. 19 requires minimum 6-month retention — compliant.

Global daily budget: $5.0
Pending approval TTL: 30 minutes
Model allowlist: openrouter/openai/gpt-4o, anthropic/claude-sonnet-4-20250514, groq/llama-3.3-70b-versatile
Policy format: YAML with hot-reload (watchfiles) — no restart required for policy changes

Scenario coverage: 27 requests across 5 agent configurations, covering all 5 gate types.
Test domains: Finance (PII, budget), Healthcare (PII, output gates), Enterprise (tool approval), Security (injection, model allowlist), Governance (kill switch, agent suspension), Stress (budget limits), Regression (canary tests).
Result: All gate decisions validated against expected outcomes with automated assertion checking.

Current policy version: bd84462bf88a
Change mechanism: Policy changes via YAML configuration files only (no hardcoded rules). Policy hash computed per change for audit trail. Hot-reload via watchfiles — no service restart required.
Audit trail: Each audit log entry records the policy_version hash active at the time of evaluation, enabling retrospective analysis of policy changes on decision outcomes.

The following changes are anticipated as part of the system lifecycle and have been designed to maintain continuous compliance:

• Gate addition/removal: New gates can be added to the pipeline via policy YAML without code changes
• Threshold tuning: PII score thresholds, budget limits, and model allowlists are configuration-driven
• Agent registration: New AI systems can be registered with risk classification without service changes
• Provider expansion: New LLM providers added via LiteLLM configuration (no proxy changes required)

Deployment model: Continuously running service (Docker Compose stack)
Maintenance: Dependency updates (Python packages, Docker images), policy tuning based on operational metrics, gate model updates (spaCy, LLM Guard)
Deprecation: Agent revocation via API; policy gates can be disabled without removal

Sentinel Proxy: Policy enforcement layer (FastAPI, Python 3.11+)
LiteLLM: Multi-provider routing with retry and rate limiting
Presidio: Microsoft PII detection engine (Apache 2.0)
LLM Guard: Prompt injection and content safety scanner (Apache 2.0)
Langfuse: LLM observability and tracing (MIT)
Prometheus: Metrics collection and alerting (Apache 2.0)

SentinelProxyDown — Critical: Proxy unreachable for >1 minute
SentinelGateErrorRate — High: Gate errors exceed 5% over 5 minutes
SentinelBlockRateSpike — High: Block rate 2x rolling 1h average
SentinelApprovalQueueBacklog — High: >50 items pending for >10 minutes
SentinelWorkerStalled — High: Rollup worker heartbeat missing for >10 minutes
SentinelLatencyDegraded — Warning: P95 latency exceeds 30 seconds

Webhook event system supports real-time escalation of BLOCK and REVIEW events to external incident management systems. Critical events (emergency suspend, repeated injection attempts, PII leakage in outputs) trigger configurable webhook notifications for immediate human attention.