The EU AI Act arrives — cost, or routine? Your call
A regulation is arriving, and you have already decided how it will feel — you just may not know it yet. The EU AI Act, and frameworks like it, expect teams that build on AI to do a few reasonable things: evaluate their models, document what those models are, trace how they changed, and keep evidence when something goes wrong. Whether that expectation lands as a cost or as routine is not set by the law. It is set by how you produce the evidence.
The reason isn't the statute. It's the download.
Start with why this matters now, because the honest answer is not "because Brussels said so." The honest answer is a threat. Thousands of open models have had their safety deliberately stripped — the "abliterated" finetunes — and any one of them is a single download from your stack. Poisoning a finetune is a supply-chain attack in miniature: a modest amount of tainted data plants a hidden behavior the model's card never mentions. These are live, published risks, not hypotheticals.
The regulation is the world catching up to that threat. "Detect what your model does, evaluate it, document it, report incidents" stopped being a paperwork exercise the moment a safety-stripped model became something your team could deploy by accident. The Act rewards the discipline you would want anyway.
Two ways to meet the same obligation
There are two ways to arrive at that evidence.
The first is the project. You notice the deadline, you scope a compliance initiative, you hire the consultant, you assemble a binder, and you hope the binder still describes reality by the time anyone reads it. It is expensive, it is slow, and it produces a document, not an assurance.
The second is the byproduct. You do the work you should be doing anyway — reading a finetune before you ship it — and the evidence falls out of that work already signed. No separate project. No binder that drifts out of date. The evaluation, the documentation of what the model is, the provenance of what changed: each is a natural output of auditing the model, not a task bolted on afterward.
Evidence as a byproduct
That second path is the one Protora is built for. When you audit a downloaded or finetuned model, the dossier it produces is the artifact — a witnessed account of what the finetune did, with every finding replayable and its limits stated. When a flagged model is corrected, the correction carries its own proof that only the bad part changed. Compliance is not a deliverable you commission; it is a residue of using the tool. We lay the obligation-to-evidence mapping out plainly on the compliance page.
The timing is directional but close enough to plan around. Provider obligations for general-purpose AI models phase in from around August 2025, with enforcement powers arriving about a year later. The exact thresholds, scope, and dates are for your counsel to confirm — not for a blog post to promise.
What it is, and what it isn't
Here the discipline matters more than the pitch. Protora produces evidence. It does not certify compliance, it does not perform a conformity assessment, and it does not replace your lawyers or a notified body. It points to obligations; it does not adjudicate them. Confirm what applies to you with counsel — every time.
It is also honest about coverage. Every attestation states its ceiling. It does not promise to catch every backdoor, and it does not declare a model provably clean. It works only on the open-weight, self-hosted models you run yourself; a closed API stays beyond it. That candor is not a weakness in a compliance setting — it is the reason a risk function can lean on the record at all. A tool that overclaims in front of a regulator is a liability, not an asset.
Cost or routine, then. The law is the same for everyone. The difference is whether you generate the evidence as a project you dread or a byproduct you barely notice.




