Regulations Hyperaxis Satisfies

Last updated: 28 May 2026

Hyperaxis is designed against ten named regulation and standards frameworks. This page summarises how the product aligns to each. Detailed compliance mappings are provided to design partners and customers under NDA; this page is the public summary.

EU AI Act, Article 12 (logging and traceability)

The EU AI Act enters its high-risk system enforcement window on 2 August 2026. Article 12 requires that providers of high-risk AI systems maintain automatic, traceable, tamper-evident logs of model inputs, outputs, and governance decisions for a minimum retention window. Hyperaxis produces exactly that artefact: every call routed through the gateway is recorded on a signed, hash-chained audit log that is independently verifiable. The retention window is configurable per tenant with a default of seven years.

FCA SS1/23 (model risk management for banks)

The Bank of England's Prudential Regulation Authority published Supervisory Statement SS1/23 in May 2023, with the model risk management expectations effective from 17 May 2024. For UK banks and significant insurers using AI in customer-facing or regulatory-affecting contexts, SS1/23 requires documented governance of model performance, model risk, and model-decision evidence. Hyperaxis's audit chain, narrative engine, and approval workflow together provide the documentation primitive that satisfies the SS1/23 model-record obligations.

FCA Consumer Duty

The Financial Conduct Authority's Consumer Duty requires firms to evidence that products and services deliver good outcomes for retail customers. AI-driven decisions are explicitly in scope. Hyperaxis records the inputs, model, policy verdict, and explanation for every customer-affecting decision; the plain-English narrative renderer (Auditor view) makes the evidence trail intelligible to a non-technical reviewer, including the FCA itself. The Compliance view surfaces "vulnerable-customer signal" flags from the guardrail layer for senior management oversight.

NHS Data Security and Protection Toolkit (DSPT v8)

The NHS DSPT is the assurance framework for organisations processing NHS patient data, refreshed annually. Version 8 incorporates expectations on AI-system traceability and clinical-decision audit. Hyperaxis is designed to plug into NHS-tenant environments with UK South residency and ICO-registered data handling. The Approvals queue supports clinical-governance sign-off workflows for AI-driven recommendations.

ISO/IEC 42001 (AI management system standard)

Published in December 2023, ISO/IEC 42001 is the first international management-system standard specifically for AI. It requires documented AI policies, lifecycle management of AI components, incident-response procedures, and continuous improvement. Hyperaxis provides the operational audit-log spine on which an ISO 42001 management system can be built. Aperintel's own ISO 42001 mapping is in progress and will be available as a customer-facing artefact in v1.5.

ISO/IEC 23894 (AI risk management)

The companion to ISO 42001, ISO/IEC 23894 specifies AI-specific risk management practices. Hyperaxis's anomaly detection (Phase 6.3) surfaces drift across eight event types: cost drift, latency drift, refusal-rate change, scope deviation, prompt-injection attempts, model-output sentiment shift, guardrail-bypass attempts, and shadow-AI discovery. These are the empirical inputs an ISO 23894 risk register needs.

NIST AI RMF

The US National Institute of Standards and Technology AI Risk Management Framework (1.0, January 2023) defines four functions (Govern, Map, Measure, Manage) for trustworthy AI. Hyperaxis provides the Measure and Manage instrumentation: continuous logging, drift detection, approval workflows, and incident records on the same signed chain. For US tenants, particularly federal-adjacent and regulated-industry buyers, this is the canonical framework alignment.

SOC 2 Type II

SOC 2 Type II is the operational-controls audit attestation that US enterprise buyers routinely require. Aperintel's SOC 2 Type II is in scope for v1.5 (post first paying customer). Until the attestation is issued, design partners receive an interim trust report covering the equivalent control areas (security, availability, processing integrity, confidentiality, privacy). The audit chain itself satisfies several SOC 2 processing-integrity criteria by construction.

MiFID II

The Markets in Financial Instruments Directive II requires record-keeping of communications and decision processes by investment firms. Where AI is involved in research generation, advisory content, or trading-decision support, the same record-keeping obligations apply. Hyperaxis's audit chain, anchored externally, satisfies the seven-year MiFID II record-retention requirement with tamper-evident assurance that conventional log archives cannot match.

GDPR Article 22 (automated decision-making)

Article 22 of the UK GDPR and EU GDPR grants data subjects rights when significant decisions are made about them by automated processing alone, including AI. Controllers must provide meaningful information about the logic, the significance, and the consequences of the processing. Hyperaxis's plain-English narrative renderer produces exactly the artefact a Data Protection Officer needs to discharge the Article 22 explanation obligation, in a form that a data subject can also read directly.

Continuous alignment, not a one-time tick

Compliance is a living posture, not a certificate. As frameworks evolve we publish updates here and to the in-product Compliance view. If you need a detailed compliance mapping for procurement or internal sign-off, email hyperaxis@aperintel.com and we will share the relevant artefact under NDA.