Why CarveTrace

The only evidence layer whose verdict survives the vendor

Every AI governance platform on the market — CredoAI, Holistic AI, ModelOp, OneTrust, IBM watsonx.governance — asks your auditor to trust their database. CarveTrace ships evidence your auditor's auditor can re-verify in a browser without phoning us. If we disappear, your evidence still verifies.

Two properties no competitor ships

1 · Re-verifiable without trusting CarveTrace

Hand any auditor an evidence bundle. They open verify.carvetrace.com in their browser — Chrome, Firefox, Safari, doesn't matter — drag the bundle in, and get a VERIFIED or FAILED verdict in seconds. The verifier is open-source (Apache 2.0). They can fork it, audit the source, and host it themselves. At no point does the auditor's verdict depend on a CarveTrace server, a CarveTrace API key, or a CarveTrace person picking up the phone.

Property: the verdict survives our bankruptcy, a regulator subpoenaing us, or a tenant data breach on our side. The evidence does not live with us.

2 · Article 12 record ↔ Article 14 oversight as one signed atom

Every AI inference event the SDK writes is bound — at write-time, by hash — to the human-oversight event that reviewed it. Not a foreign-key in a database, not a Slack message after the fact: a cryptographic binding the verifier checks by equality. Monitaur logs decisions. TrueScreen certifies data with qualified timestamps. Neither binds the inference and the oversight as a single atom — leaving a gap in your evidence right where Article 14 (human oversight) needs Article 12 (record-keeping) to be airtight.

Property: when a decision is challenged, you can prove which human reviewed which AI verdict, at which timestamp, with which rationale — and prove they did so at the time the decision happened, not reconstructed later.
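The hash binding and equality check described in this section, as an added sketch that is not CarveTrace's code or bundle format. Every field name, the JSON canonicalisation and the sample records are assumptions made for illustration; signing and timestamping of the atom digest are left out.

```python
import hashlib
import json

def digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def write_oversight(inference: dict, reviewer: str, decision: str,
                    rationale: str, reviewed_at: str) -> dict:
    """Create the oversight record; it embeds the digest of the inference it reviewed."""
    return {"inference_sha256": digest(inference), "reviewer": reviewer,
            "decision": decision, "rationale": rationale, "reviewed_at": reviewed_at}

def seal(inference: dict, oversight: dict) -> dict:
    """Combine both records into one atom. atom_sha256 is the value a real
    system would sign and timestamp; without that signature, anyone who can
    rewrite the whole bundle can also recompute the digests."""
    atom = {"inference": inference, "oversight": oversight}
    return {**atom, "atom_sha256": digest(atom)}

def verify(bundle: dict) -> tuple[str, str]:
    """Offline check: recompute both digests and compare by equality."""
    inference, oversight = bundle["inference"], bundle["oversight"]
    if oversight["inference_sha256"] != digest(inference):
        return "FAILED", "oversight record does not reference this inference"
    if bundle["atom_sha256"] != digest({"inference": inference, "oversight": oversight}):
        return "FAILED", "atom digest mismatch"
    return "VERIFIED", "inference and oversight are bound"

# Constructed sample records (hypothetical fields, not a real schema).
INFERENCE = {"event_id": "inf-0001", "model": "credit-scoring-v3",
             "input_sha256": "ab" * 32, "output": "reject", "at": "2026-08-03T09:14:07Z"}
OTHER = {**INFERENCE, "event_id": "inf-0002", "output": "approve"}

def demo() -> dict:
    bundle = seal(INFERENCE, write_oversight(
        INFERENCE, "analyst-17", "uphold", "income below threshold", "2026-08-03T09:20:41Z"))
    edited = json.loads(json.dumps(bundle))          # deep copy of the bundle
    edited["inference"]["output"] = "approve"        # record altered after review
    swapped = seal(OTHER, bundle["oversight"])       # review re-attached to another event
    return {"intact": verify(bundle)[0], "edited": verify(edited)[0],
            "swapped": verify(swapped)[0]}

if __name__ == "__main__":
    print(demo())
```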

How CarveTrace compares — honestly

The market has bifurcated into AI Governance Platforms (CredoAI, Holistic AI, ModelOp, Saidot, Lumenova), GRC incumbents with AI modules (OneTrust, ServiceNow, IBM watsonx.governance), and evidence-certification specialists (TrueScreen). Each does something CarveTrace doesn't. Here is the honest mapping.

| | CarveTrace | CredoAI / Holistic AI / ModelOp / Saidot | OneTrust / IBM watsonx.governance | TrueScreen (closest direct) | Build it yourself |
|---|---|---|---|---|---|
| Third-party re-verifiable without vendor | ✓ WASM verifier in any browser, open-source | — vendor-database backed | — vendor-database backed | ~ for data certification, not AI binding | ~ if you build the verifier too |
| Article 12 ↔ 14 binding at write-time | ✓ single signed atom | — logged separately | — logged separately | — not in scope | ~ requires deep crypto + protocol design |
| Self-hosted, your keys, your data | ✓ all tiers | — SaaS-only (mostly) | ~ available, often premium | — SaaS | ✓ trivially |
| Pre-built AI Act control library (policies, RFP packs) | ~ growing, EU-specific | ✓ extensive (CredoAI, Saidot lead) | ✓ extensive | ~ Article 12-focused | — you'd build it |
| ISO/IEC 42001 product certification | ~ on the ISO 27001 roadmap, target Q1 2027 | ~ Modulos first to ship May 2026 | ~ in progress | ~ eIDAS QTSP qualified | — you'd build it |
| EU-domiciled vendor, native data residency | ✓ France (SARL) | ~ Holistic AI UK, Saidot Finland; most US | — US-headquartered | ✓ Italy | ✓ you choose |
| Typical EU enterprise ACV | €15K–€180K, transparent on this page | €30K–€500K, "contact sales" | €50K–€1M+, "contact sales" | credit-based, "contact sales" | €200K+ in engineering time / yr |
| Time to first verifiable bundle | days (Starter pilot) | weeks (policy mapping) | months (integration) | weeks | quarters |

Honest read: if you need a wall-to-wall AI governance program with pre-built RFP packs, vendor risk workflows, model inventory dashboards, and a Forrester Wave logo on the procurement deck — buy CredoAI or OneTrust. We are not that. If you need evidence that survives a regulator subpoena, a vendor going bankrupt, or a data dispute that lands in court — and the Article 14 human-oversight binding has to be airtight — buy CarveTrace. Most serious EU AI Act programs end up needing both. CarveTrace is the layer underneath whatever governance platform you choose, focused on the evidence and the binding.

Why this matters in 2026

Aug 2, 2026

EU AI Act high-risk obligations bind

Article 12 (record-keeping) and Article 14 (human oversight) become enforceable for providers and deployers of high-risk AI systems. National authorities gain investigative powers; first warnings and investigations expected through 2026–2027.

Dec 9, 2026

Product Liability Directive applies to AI

PLD 2024/2853 extends strict liability and a presumption of defect to AI software. When a claimant alleges harm, the burden of disclosure shifts to the producer. Evidence that re-verifies without your vendor's cooperation becomes a defense, not a nice-to-have.

Aug 2, 2027

Full AI Act applicability

The remainder of the regulation — including AI systems embedded as safety components in regulated products — comes into force. By this date, every high-risk AI deployment in the EU is meant to be continuously evidenced.

What a pilot looks like

Sixty days. Your real chain (or a staging chain you provision). We instrument one production AI workflow with the SDK, configure the TSA cadence, and generate the first quarter's worth of evidence bundles. You hand a bundle to your internal auditor and they verify it in their browser. If you convert to a paid subscription, the pilot fee credits back against your first annual term.

Tip: this page prints to a one-page summary suitable for a procurement file (Ctrl-P → Save as PDF).