今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#compliance

找到 11 篇相关文章

AI 资讯

EU AI Act compliance as API calls

We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog ( https://moltrust.ch/blog/compliance-as-an-api.html ). Why no model in the loop: the Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself. POST /compliance/assess — use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order: Art. 5 prohibitions, Annex I route (Art. 6(1)), Annex III route (Art. 6(2)/(3)), Art. 50 transparency, minimal. The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped. curl -X POST https://api.moltrust.ch/compliance/assess \ -H "Content-Type: application/json" \ -d '{ "use_case": "Customer-support agent that reads inbound email and drafts replies", "intended_purpose": "Automated first-line support for consumer inquiries", "performs_profiling": false, "interacts_with_humans": true, "emotion_recognition": false }' POST /compliance/declaration — EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json ; no call back to us. anchor: true adds a sha256 commitment for batch anchoring on Base L2. POST /compliance/incident — records Art. 73 serious incidents and computes the deadline from the regulation: 15 days standard, 10 days for a death, 2 days for wid

2026-07-12 原文 →
开源项目

How GitHub gave every repository a durable owner

GitHub had over 14,000 repositories. Fewer than half had clear ownership. Here's how we gave every active repository a validated owner in under 45 days, archived the rest, and made ownership the foundation for everything that followed. The post How GitHub gave every repository a durable owner appeared first on The GitHub Blog .

2026-07-10 原文 →
AI 资讯

How to Automate DNC Removal Requests in Convoso

DNC removal requests shouldn't take more than a few seconds to process. If your ops team is manually logging into each system, finding the number, and removing it one platform at a time, every request is an open compliance window. Here's how to close it automatically. The Problem With Manual DNC Processing A number comes in flagged for removal. Someone on the floor submits it. If you're running Convoso alongside Zoom Contact Center, Zoom Phone, and Telesero, that means logging into each system separately — find the number, remove it, move to the next platform, repeat. At multiple removal requests per week across several systems, you're looking at significant manual work each week. More importantly, every minute between the request and the removal is a minute of active compliance exposure. A TCPA violation starts at $500 per call. When the pattern is systematic — a number that should have been removed staying active across multiple campaigns — class action exposure enters the picture. The gap between when a removal is requested and when it actually completes isn't just inefficiency. It's risk that compounds with every dial attempt on a number that should be off the list. How Automated DNC Removal Works The automated version uses a Slack slash command as the intake point. An ops manager types the number into a command and hits send. The request routes immediately to a cloud service — deployed on Google Cloud Run — that fans out across every active system in parallel. Not sequentially. Simultaneously. In a contact center running multiple Convoso campaigns alongside Zoom Contact Center, Zoom Phone, and Telesero, a single command hits every platform in parallel. Each system processes the removal independently. Results log to cloud storage with a timestamp and each system's individual response recorded separately. A confirmation returns to the Slack channel before the manager has switched back to their next task. Wall-clock time from submission to confirmed removal across

2026-06-19 原文 →
AI 资讯

Why deemed-export law breaks frontier model APIs

So you built your stack on a hosted frontier model. Good throughput, clean API, your foreign-national engineers hit the same endpoint as everyone else. Then on June 12 the US government pulled Claude Fable 5 and Mythos 5 offline for the entire planet, three days after launch, and the reason is a compliance gap baked into how these things actually serve traffic. Here's the thing worth understanding as an engineer: the bug was narrow. The takedown wasn't. The gap between those two facts is where every team running a hosted model should be paying attention. What actually triggered it Commerce hit Anthropic with an order barring access to both models by any foreign national, anywhere, inside or outside the US, including Anthropic's own foreign-national staff. The stated trigger was a jailbreak: point the model at a codebase, ask it to find flaws. That's it. Anthropic reviewed the demo and watched it surface a handful of already-known minor vulns, the kind GPT-5.5 and other public models hand you with no bypass at all. So the capability wasn't exotic. It was automated code review on a Tuesday. The reason it went nuclear is the legal layer sitting on top, not the finding itself. The architecture problem: you can't gate on a passport you can't see Walk it through like any other access-control question. The restriction names a class of users: foreign nationals. Every one of them, globally. Now look at what a model API knows about a session at request time. restriction: deny any foreign national, anywhere session metadata: auth token, IP, usage tier NOT in session: verified nationality isolatable set: ∅ only compliant state: serve nobody An API session doesn't carry a verified passport. IP geolocation is trivially defeated by a VPN and tells you location, not citizenship anyway. There's no field in the request that maps to the restricted class. When you can't isolate the users you're forbidden to serve, the only provably-compliant state is serving no one. Off switch. Global.

2026-06-14 原文 →
AI 资讯

PostgreSQL Partitioning for Multi-Tenant Audit Logs: Querying 100M Events Without Table Scans

PostgreSQL Partitioning for Multi-Tenant Audit Logs: Querying 100M Events Without Table Scans I'll be direct: if you're running a SaaS with compliance requirements and your audit_logs table is approaching 50M rows, you're three months away from pain. I've watched audit queries go from 200ms to 8 seconds in production at 2am because someone ran a "give me all logs for tenant X" report. Partitioning isn't optimization theater—it's table-stakes infrastructure. At CitizenApp, we store 9 months of audit logs across 50+ tenants. Without partitioning, a single compliance query would full-table scan 100M+ rows. With it, we hit the same data in <100ms. This post is exactly how we do it. Why Partitioning Matters (The Reality Check) Most developers treat audit_logs like any other table. You add an index on tenant_id and created_at , call it done, and move on. Then your compliance officer runs a query like: SELECT * FROM audit_logs WHERE tenant_id = 'acme-corp' AND created_at >= '2024-01-01' ORDER BY created_at DESC ; At 50M rows, even with a composite index, PostgreSQL has to: Index scan → finds millions of matching rows Random I/O all over the table Spill to disk if sorting is large Hope the OS cache is warm Partitioning solves this by eliminating the data you don't need from day one . Instead of scanning a 100GB table and filtering it down, PostgreSQL can skip entire partitions. A query against January 2024 data simply ignores partitions for February–December. I prefer partitioning because it's native PostgreSQL—no external caching layer, no read replicas, no Redis gymnastics. It's boring infrastructure that works. The Partitioning Strategy: Composite Partitioning (Range + List) I use a two-level partitioning scheme: Range partition by month ( created_at ) — keeps each partition to ~5–10GB List subpartition by tenant — ensures compliance queries are single-partition scans This is deliberately opinionated. You could do range-only, but then a multi-tenant query still scans the

2026-06-11 原文 →
AI 资讯

I Built a Free Open-Source EU AI Act / NIST AI RMF / ISO 42001 Crosswalk Tool - Here Is What I Found

Every week I see the same question in AI governance communities: "We already have NIST AI RMF implemented. Does that cover our EU AI Act obligations?" The honest answer is: sometimes yes, sometimes partially, and sometimes not at all. The problem is that nobody had built a clean, free, interactive tool that showed exactly which controls map to which, how strong those mappings actually are, and where the genuine gaps are. So I built one. Live tool: suhanasayyad.github.io GitHub: SuhanaSayyad / eu-ai-act-crosswalk-tool Interactive crosswalk mapping EU AI Act obligations to NIST AI RMF and ISO 42001 controls, with mapping strength indicators, gap analysis, and source links. 30 controls mapped. Free and open source. EU AI Act × NIST AI RMF × ISO 42001 - Interactive Compliance Crosswalk Tool An open-source tool that maps EU AI Act obligations to their equivalents in NIST AI RMF and ISO 42001, with mapping strength indicators, gap analysis, and source document links. Built for compliance teams, AI governance practitioners, and anyone trying to understand how these three frameworks relate to each other. Live demo: https://suhanasayyad.github.io/eu-ai-act-crosswalk-tool Built by: Suhana Sayyad | MSc Cybersecurity, TUS Athlone Why I built this Every organisation dealing with the EU AI Act is being asked the same questions: "We already have NIST AI RMF controls in place. Does that cover our EU AI Act obligations?" "We're pursuing ISO 42001 certification. Does that satisfy the regulation?" The honest answer is: sometimes yes, sometimes partially, and sometimes not at all. The problem is that nobody had built a clean, free, interactive tool that showed exactly which… View on GitHub What the tool does The EU AI Act / NIST AI RMF / ISO 42001 Interactive Crosswalk Tool maps 30 EU AI Act obligations to their nearest equivalents in NIST AI RMF and ISO 42001. For each mapping it shows a strength rating - Strong, Partial, Indirect, or No Equivalent - so compliance teams know which map

2026-06-06 原文 →
AI 资讯

HIPAA Risk Assessment in 2026: A Healthcare Engineer's Field Guide

If you build, run, or audit systems that touch protected health information (PHI), the HIPAA risk assessment is the document that quietly decides whether the next OCR investigation ends in a closure letter or a corrective action plan with a six-figure settlement. The proposed 2026 HIPAA Security Rule update (published as an NPRM in January 2025, still pending finalization at OCR) doesn't change the underlying requirement at 45 CFR § 164.308(a)(1)(ii)(A) — and OCR has repeatedly reaffirmed that the absence of a current, written risk analysis is itself the most-frequently-cited Security Rule deficiency . This is the engineering view: what a defensible HIPAA risk assessment actually contains in 2026, how to model it, and what tooling fits the workflow. 1. The asset inventory is non-negotiable Every defensible HIPAA risk assessment starts with a complete inventory of where ePHI lives, where it flows, and who touches it. If you can't enumerate every system, every integration, and every workforce role that creates / receives / maintains / transmits ePHI, the rest of the assessment is built on sand. A minimal asset-inventory record per system: { "system_id" : "ehr-prod-01" , "system_type" : "ehr" , "ephi_states" : [ "create" , "receive" , "maintain" , "transmit" ], "data_classification" : "phi-high" , "hosting" : { "type" : "saas" , "vendor" : "epic" , "region" : "us-east-1" }, "workforce_roles_with_access" : [ "clinician" , "billing" , "admin" ], "integrations" : [ { "to" : "billing-system" , "protocol" : "hl7-fhir" , "direction" : "outbound" }, { "to" : "patient-portal" , "protocol" : "https-rest" , "direction" : "bidirectional" } ], "encryption_at_rest" : true , "encryption_in_transit" : true , "mfa_enforced" : true , "audit_log_destination" : "central-siem" , "ba_agreement_on_file" : true , "last_reviewed" : "2026-05-15" } If you don't have this, build it before you do anything else. The HHS-provided ONC SRA Tool walks through asset enumeration but it's optimized for s

2026-06-06 原文 →
AI 资讯

How I built an FCA Register scraper on Apify (and why it's the B2B data gap nobody talks about)

When most people think about UK data sources to scrape, they go straight to Companies House. And they should — it's an excellent dataset. But there's a more valuable register that compliance teams, fintech sales teams, and KYC workflows desperately need, and it has zero scrapers on the Apify marketplace: the FCA Financial Services Register. The Financial Conduct Authority maintains a live register of every firm authorised to provide financial services in the UK — ~50,000 firms ranging from Barclays Bank to a one-person IFA. It includes their regulated permissions (what they're actually allowed to do), their principal address, trading names, and enforcement history. It's the data source used to verify "is this firm actually regulated?" — a check every fintech, insurance company, and compliance team runs regularly. The opportunity The FCA register has a free official REST API at register.fca.org.uk/Developer . No paid tier, no scraping needed — just register an account, get a key, and start making authenticated requests. Despite this, there was literally no Apify actor for it. The US equivalent — FINRA BrokerCheck — already has two actors with thousands of users. The UK gap was sitting there, unoccupied. The architecture This is one of the simplest actor architectures I've built — no Playwright, no Cheerio, no browser automation. Pure HTTP requests with fetch . The FCA API has a few key endpoints: GET /V0.1/Search?q={query}&type=firm — search for firms by name or keyword, returns FRNs GET /V0.1/Firm/{FRN} — fetch base details for a specific firm GET /V0.1/Firm/{FRN}/Address — registered address + phone + website GET /V0.1/Firm/{FRN}/Names — trading names and historical names GET /V0.1/Firm/{FRN}/Permissions — the full list of FCA-regulated activities All endpoints require X-Auth-Email and X-Auth-Key headers. The rate limit is ~100 requests per 60 seconds, which works out to about 25 fully-enriched firms per minute at 4 API calls each. async function fcaFetch < T > ( p

2026-05-29 原文 →