THE REGULATORY WEDGE

The evidence for a threat
that ships in minutes.

Thousands of safety-stripped (“abliterated”) finetunes are a download away, and off-the-shelf tools strip a model’s safety in minutes — on a model whose card says nothing about it. That is why “detect what your model does, evaluate it, document it, report incidents” has stopped being optional. Protora’s signed attestation is that evidence artifact — produced as a byproduct of the work.

Evidence and assurance — not legal advice, not a certification, not a guarantee of compliance. Confirm obligations with counsel.

EVIDENCE, NEVER CERTIFICATION

The work — detect, attest, excise — leaves behind exactly the evidence the EU AI Act and NIST reward, as a byproduct. Not legal advice, not a certification.

WHY NOW — THE THREAT, NOT THE MANDATE

Two forces make this the moment.

The threat is real and named

A poisoned open finetune is a supply-chain attack — a small dose of bad data can plant a backdoor in a model whose card says nothing about it. Emergent misalignment can appear from narrow finetuning; “sleeper” behaviors can pass standard evals. These are live, published risks — exactly what DETECT and the drift guard surface, witnessed.

The obligation is arriving

The EU AI Act and NIST now expect model evaluation, provenance, documentation, and incident evidence. A team that downloads, finetunes, and ships open models has to show its work — and today most cannot.

Protora sits precisely on the intersection: it reads what a finetune did — including what it hid — proves it, can cut the bad part out, and hands over a signed evidence artifact.

THE FULL REGULATORY BASIS

The obligations, the timeline, and where Protora fits.

The legal detail, folded — each obligation mapped to the evidence Protora leaves behind, the GPAI timeline, and the NIST complement. Pick a view; every fact stays one click away.

Obligation (directional)The Protora artifact
Technical documentation of the model
documented capabilities, characteristics, limitations
The audit dossier — a witnessed detection of what a finetune did, with published fidelity ceilings.
Model evaluation, incl. adversarial testing
GPAI with systemic risk — evidence of evaluation for risky behavior
DETECT (incl. undisclosed / backdoor behavior) plus the in-loop drift guard — witnessed evaluation and a training-time drift log.
Serious-incident tracking & reporting
GPAI with systemic risk — detection and a record of incidents
The drift guard’s alarms and a signed training-drift attestation, plus a detected backdoor with its witness — a reporting-ready, timestamped record.
Provenance / transparency
traceability of what a model is and how it changed
Witnesses and attestations — replayable provenance of every finding.
Corrective action on a flagged model
show a problem was addressed
The Corrective Patch — witnessed removal, with an attestation that only that changed, to the stated coverage.
Regulation (EU) 2024/1689 · a directional mapping, not legal advice — confirm scope, thresholds, and dates with counsel.

The work Protora does — detect, attest, excise — leaves behind exactly the evaluation, documentation, provenance, incident, and corrective-action evidence the Act rewards. Compliance is a byproduct of using the product, not a separate project.

§ 2.1 — THE EVIDENCE GAP, MEASURED

The wedge is not hypothetical.

A checkbox eval can certify a model SAFE while the model itself emits the harm. Two receipts from this cycle — replayable, coverage-stamped, and honest about the miss.

R-01

The gap a checkbox eval can’t close

● HARM WITNESSED

On a real harmful-compliance regression, the standard eval-harness multiple-choice test certified the model SAFE — while the model’s own free generation emitted the harm: verbatim harmful instructions, zero refusals on the harmful battery. That is precisely the documentation-and-evaluation gap a checkbox eval structurally cannot close.

SAFEcheckbox MCQ eval verdict
vs
0 / 8refusals in free generation — harm emitted

Protora read the same model at precision 1.0 / recall 1.0 with a replayable witness on every positive, and abstained on the control rather than fabricate a finding.

witness-replayability 1.0 where the incumbent instruments sat at 0.0 — the difference between an evaluation artifact a regulator can re-run and a claim they must take on faith.

COVERAGE — single family (SmolLM2 / Llama) · small battery · mechanism-proven · broader-family and live-scale evaluation staged · evidence, never certification.

Every positive here is replayable. Read the full record →

THE BUYER THIS UNLOCKS

The function with a mandate and a budget.

Regulation moves the buyer from the thin-budget individual builder to the function that must produce this evidence — and holds the budget to.

Model-risk · governance · security

Teams that must produce this evidence, and hold the budget for it.

Regulated / high-assurance deployers

Finance, health, public sector, safety-critical — for whom an un-vetted downloaded finetune is a liability.

Providers of open / finetuned models

Who owe downstream documentation and evaluation.

THE HONEST LIMITS

Said out loud.

The calibration-honesty brand applies hardest here — in a compliance sale, overclaiming is both a firewall breach and a legal risk. So the limits are stated, not buried.

EVIDENCE, NOT CERTIFICATION

Not legal advice, not certification. Protora produces evidence; it does not certify compliance, perform a conformity assessment, or replace counsel or a notified body.

Assurance, not a robustness guarantee. DETECT and the drift guard are assurance against drift, misconfiguration, and accidental or planted misalignment, with a provenance record — not a proven defense against a sophisticated, adaptive poisoner. It never claims to catch every backdoor.

Scope: open-weight / self-hosted. Reading a finetune — and, for the guard, its run — needs access. Closed-API models are out of scope.

Coverage-bounded. Every attestation states its ceiling; excision preservation is attested to a stated coverage, never “provably clean.”

Confirm obligations with counsel. Thresholds, scope, and dates evolve; Protora points to the obligations, it does not adjudicate them.

That honesty is not a hedge — in a compliance sale, the vendor who states its limits is the one the risk function trusts.

Have the evidence ready
before the threat does.

Bring one finetune — the one you’re about to ship, or the one you just downloaded. Protora tells you what it did, proves it with a replayable witness, and hands back a signed dossier — evidence, not certification.