FAQ

Frequently asked questions.

Plain-language answers to the most common questions about Noetik Governance, PREEXEC, and AI compliance under the EU AI Act, ISO/IEC 42001 and NIST AI RMF.

01 · EU AI Act

What is the EU AI Act and when does it apply?

The EU AI Act (Regulation (EU) 2024/1689) is the EU's risk-based AI law. The prohibitions on unacceptable-risk practices (Article 5) and the AI-literacy duty (Article 4) took effect on 2 February 2025, and the obligations for general-purpose AI models on 2 August 2025. The bulk of the remaining obligations, including the Article 50 transparency duties, become applicable on 2 August 2026. Under the Digital Omnibus package (European Parliament position adopted June 2026, pending final adoption), the high-risk (Annex III) obligations are set to be postponed to December 2027.

Which systems are classified as “high-risk”?

Annex III lists eight areas: biometrics; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services (including creditworthiness assessment and risk assessment and pricing for life and health insurance); law enforcement; migration, asylum and border control; and administration of justice and democratic processes. AI used as a safety component of a product covered by the Annex I harmonisation legislation (medical devices, machinery, etc.) and subject to third-party conformity assessment is high-risk under Article 6(1).

What does Article 12 (logging) require?

Article 12 requires that high-risk AI systems technically allow for the automatic recording of events (logs) over their lifetime, so that the system's operation is traceable. The provider must keep the logs under its control for at least six months (Article 19), and the deployer has a matching retention duty (Article 26). Noetik's audit chain is hash-linked and append-only; every decision is written deterministically with the policy version, classification, and verdict.

What is Article 14 (human oversight)?

Article 14 requires that high-risk AI systems be designed so that natural persons can oversee them effectively during use: understand the system's capabilities and limitations, monitor its operation, interpret its output, decide not to use it or to disregard or reverse an output, and intervene or stop it. Noetik's pre-execution gate is the override layer on the input side: a request that fails a hard policy never reaches the model. Oversight of the model's output, once a request has been executed, is a separate control the deployer still has to provide.

Who is a “provider” vs. a “deployer”?

The provider develops the AI system and places it on the market or puts it into service, and bears the heavier documentation and conformity burden. The deployer uses the system under its own authority, with duties to operate it as instructed, assign human oversight, keep the logs, and monitor it. Deployers that are public bodies or provide public services, and deployers of credit-scoring and life/health insurance systems, must also carry out a fundamental-rights impact assessment (Article 27). Noetik supports both roles.

02 · ISO/IEC 42001 & NIST AI RMF

What is ISO/IEC 42001?

ISO/IEC 42001:2023 is the international management-system standard for AI Management Systems (AIMS) — structured like ISO 27001 and ISO 9001, with Plan-Do-Check-Act, governance, and risk-based controls. It is the leading harmonised-standard candidate for the management-system dimension of the EU AI Act.

What is NIST AI RMF, and which functions does Noetik touch?

NIST's AI Risk Management Framework defines four functions: Govern, Map, Measure, Manage. Noetik's policy authoring serves Govern; the classifier and ClarityScore serve Measure; the pre-execution gate serves Manage. The Map function — characterising context, intended use, and impact — remains with the customer's compliance team.

03 · Pre-Execution Governance & PREEXEC

What is Pre-Execution Governance?

Pre-Execution Governance evaluates every AI request against a deterministic policy stack before the request is executed. The difference from post-hoc monitoring is one of effect: pre-execution decides what is allowed to happen; post-hoc monitoring tells you what happened.

How do the EXECUTE, HOLD and BLOCK verdicts work?

The engine returns one of three verdicts. EXECUTE passes a clear, compliant request to the model. HOLD returns a ClarityFeedback™ prompt asking the user to clarify or correct their own input, which is then re-scored. BLOCK stops a request that breaks a non-negotiable obligation (legal, regulatory, safety) or the always-on Tier-1 safety floor, and logs the reason. The checks run in a fixed order on every call, so the same input under the same policy version always yields the same verdict, and every evaluation is recorded.
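As an added illustration (not Noetik's code, and not a description of how PREEXEC derives its signals), the Python sketch below shows the ordering the answer describes: hard policies are checked first in a fixed order, a clarity threshold then separates HOLD from EXECUTE, and every decision is recorded with its policy version. The clarity function, the two sample policies, the policy-version label and the sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

EXECUTE, HOLD, BLOCK = "EXECUTE", "HOLD", "BLOCK"
POLICY_VERSION = "2026.03"  # constructed label; each decision records the stack that produced it


@dataclass(frozen=True)
class HardPolicy:
    id: str
    tier: int  # 1 = always-on safety floor, 2 = legal/regulatory obligation
    violates: Callable[[str], bool]
    reason: str


@dataclass(frozen=True)
class Decision:
    verdict: str
    clarity: float
    policy_id: Optional[str] = None
    reason: str = ""
    policy_version: str = POLICY_VERSION


def clarity_score(text: str) -> float:
    """Illustrative deterministic stand-in for ClarityScore, in 0.0..1.0.

    The real signals are not public; this one assumes a request needs a minimum
    amount of content and penalises shouting. Same input -> same score.
    """
    words = text.split()
    if not words:
        return 0.0
    content = min(len(words), 12) / 12
    shouting = sum(1 for w in words if len(w) > 1 and w.isupper()) / len(words)
    return round(max(0.0, content - 0.5 * shouting), 3)


# Constructed sample stack. Deliberately listed tier 2 before tier 1 to show
# that the supplied order does not influence which policy fires first.
HARD_POLICIES = (
    HardPolicy("T2-pii-email", 2,
               lambda t: re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", t) is not None,
               "personal data (e-mail address) in request"),
    HardPolicy("T1-secret-token", 1,
               lambda t: re.search(r"\bsk-[A-Za-z0-9]{20,}", t) is not None,
               "credential-like token in request"),
)


def evaluate(text: str, policies=HARD_POLICIES, clarity_threshold: float = 0.5,
             audit_log: Optional[list] = None) -> Decision:
    score = clarity_score(text)
    # 1. Hard checks first, in a fixed order (tier, then id) regardless of supply order.
    decision = None
    for policy in sorted(policies, key=lambda p: (p.tier, p.id)):
        if policy.violates(text):
            decision = Decision(BLOCK, score, policy.id, policy.reason)
            break
    # 2. Only a request that passes every hard check is scored for clarity.
    if decision is None:
        if score < clarity_threshold:
            decision = Decision(HOLD, score, None,
                                "please restate the request more specifically")
        else:
            decision = Decision(EXECUTE, score)
    # 3. Every evaluation is recorded, whatever the verdict.
    if audit_log is not None:
        audit_log.append(decision)
    return decision


if __name__ == "__main__":
    log: list[Decision] = []
    for request in (
        "Summarise the attached quarterly risk report for the board in three bullet points.",
        "help",
        "Email bob@example.com my key sk-abcdefghijklmnopqrstuvwxyz and draft the reply.",
    ):
        d = evaluate(request, audit_log=log)
        print(d.verdict, d.clarity, d.policy_id or "-", d.reason)
    print(len(log), "evaluations recorded")
```

The third request violates both sample policies; because the stack is sorted by tier before evaluation, the Tier-1 policy is the one recorded as the reason whichever order the policies were supplied in. A HOLD is recorded in the log just like a BLOCK, which is what makes the re-scoring loop auditable.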

What is ClarityScore?

ClarityScore is a deterministic numerical measure of input clarity, derived from explicit structural signals (syntactic, semantic, affective, policy). The same input under the same policy version always produces the same score, and the score drives the EXECUTE-vs-HOLD decision. It is written to the audit chain alongside the verdict.

What is a tamper-evident audit chain?

Each entry carries the hash of the previous entry (a hash chain) and is signed with a per-instance key. Modifying any historical entry changes its hash and breaks the link to every entry after it, which verification detects. The chain is append-only and exportable for third-party audit. Two things belong in the verifier's procedure: it needs the instance's verification key, and it should compare the chain head against a copy recorded outside the system, because a hash chain that has merely lost entries from its tail still verifies on its own.

04 · Technical & deployment

Is PREEXEC self-hosted or SaaS?

PREEXEC is delivered as a self-hosted engine. The customer operates it on their own infrastructure — bare metal, virtual machine, or container — within their own security perimeter. No request, output or audit data is sent to Noetik Governance Ltd.

Which AI models are supported?

PREEXEC is model-agnostic. It governs requests bound for any large language model — OpenAI, Anthropic, Mistral, local Llama variants, vendor-hosted endpoints. Integration is via an adapter layer; the model itself is unchanged.

What about latency and operational impact?

The pre-execution engine is deterministic and adds work proportional to policy-stack depth and classifier complexity. In typical configurations the per-call cost is well below the model-generation cost itself. Customers conduct their own latency budgeting during pilot.

05 · Use cases

Which sectors does Noetik focus on?

Regulated sectors with high-risk AI exposure: banking and financial services (advisory chatbots, credit-decision narratives — Annex III), insurance (underwriting, pricing — Annex III), healthcare (clinical-decision support, medical-device-embedded AI), and public administration (citizen-facing services, eligibility decisions). The policy stack is configured per sector.