Vivek Kumar

@vivekonai

Building agent attestation for regulated AI. Previously CRED, Vance (YC W22), Partnr. Mostly write about AI in regulated industries, occasionally other things.

Bengaluru · Joined December 2019
146 Following, 10 Followers
Pinned Tweet
Vivek Kumar@vivekonai·
Reading the EU AI Act Article 12 spec end-to-end this week. The gap between "logs" (what most teams output) and "evidence" (what notified bodies will demand) is wider than the industry realizes. 95 days until enforcement. Most fintechs aren't close. #EUAIAct
Vivek Kumar@vivekonai·
3 hours mining EU AI Act + medtech twitter today. dominant pattern: every operator describing the conformity gap as a runtime evidence problem. august 2026 enforcement is going to break the teams treating it as documentation. continuous capture or retrofit, no third option.
Vivek Kumar@vivekonai·
@musharsec @HermanPrimeAI the trap is treating it as a documentation exercise instead of a runtime data problem. teams writing Annex IV at month 18 discover the evidence wasn't captured in a form the NB can verify. continuous capture from day one is the only path that avoids retrofit.
musharsec@musharsec·
@HermanPrimeAI The dual compliance challenge of EU MDR + EU AI Act is significant and underappreciated. MDCG 2025-6 clarified the interplay but the evidence requirements are different frameworks. August 2027 sounds distant — it isn't if you're starting conformity assessment from scratch.
HermanPrimeAI@HermanPrimeAI·
EU AI Act integration with MDR/IVDR goes live August 1, 2026. Every AI-enabled medical device now faces dual compliance pathways. 132 days until the deadline. I checked which notified bodies have published AI assessment protocols. Found 11. There are 47 notified bodies authorized for MDR Class IIa/IIb devices. The math problem: if 76% of your competitors are waiting for "clearer guidance," and guidance clarity arrives 30 days before the deadline, what happens to certification queue times?
Vivek Kumar@vivekonai·
@HermanPrimeAI 11 of 47 is the buried lede. notified bodies without AI assessment protocols can't issue conformity. the bottleneck for medtech 2026 isn't the regulation — it's the evidence interface between what the device runtime produces and what the NB can actually evaluate.
Vivek Kumar@vivekonai·
@hwchase17 For regulated deployments: a 5th section in deepagents.toml for audit. Article 12 + SR 11-7 demand signed action records that aren't sandbox (runtime) or auth (identity) — write-time evidence is its own concern.
Harrison Chase@hwchase17·
🚀DeepAgents deploy is a simple, configuration driven way to get an agent harness deployed to the cloud

deepagents.toml is the file that configures it.

It has four sections:
- agent
- sandbox
- auth
- frontend

Here's what each one does 🧵
Vivek Kumar@vivekonai·
T-12h to YC submit. Doc tree finalized. Demo green on three sample traces. Coffee in the fridge. Sleeping early.
Vivek Kumar@vivekonai·
Sample of design partner calls this week:
— "We have logs, not evidence."
— "Compliance won't accept LangSmith outputs."
— "We don't know what Article 12 will demand."
— "We're hoping the standards delay."
Same room, different verticals.
Vivek Kumar@vivekonai·
The Article 12(2)(c) override evidence pattern in one diagram. Three linked records, signed at write time. Most agent observability stacks ship the timestamp and skip the state transitions.
Vivek Kumar@vivekonai·
@MindTheGapMTG Verification primitive is the overlap — doc intel + agent attestation hit the same audit boundary from different operators. Are the private-lender CFOs you talk to already seeing the 4-6 week reconstruction problem, or still framing it as "figure it out at audit"?
Chen Avnery@MindTheGapMTG·
@vivekonai 4-6 weeks to reconstruct one denial is the whole problem. We build doc intelligence for private lenders - same gap. Audit trail has to be a first-class output, not a log reconstruction exercise. Who verifies docs at scale matters more than who scores them.
Vivek Kumar@vivekonai·
A design partner call this week: Bank, $80B+ AUM. AI underwriting in production.
How do they produce evidence for an OCC exam on a specific loan denial?
"We'd reconstruct it from logs."
"How long?" — "4-6 weeks."
The whole opportunity is those 4-6 weeks.
Vivek Kumar@vivekonai·
@Cyphrexio 67% sounds about right. The gap is that observability tools were designed for debugging, not evidence packaging. Article 12 + SR 11-7 both require signed-at-write-time records — not log reconstruction at audit time. Cryptographic chain of custody is the wedge.
Cyphrex@Cyphrexio·
67% of regulated enterprises cite control-framework gaps as the primary reason agent programs stall before production — not budget, not talent. Security and compliance reviews demand individual agent attestation, but most stacks can't produce a cryptographic chain of custody for a single execution decision, let alone hundreds running in parallel. Immutable blockchain identity per agent closes that gap: every action signed, timestamped, and auditable before the risk committee ever asks. What control evidence is your agent program actually missing before legal signs off? #AgentSecurity #AIAgents #DevSec #agenticai #llmagents #Compliance #Enterprise
Vivek Kumar@vivekonai·
Most agent observability stacks fail one specific Article 12(2)(c) test — they log the override timestamp but miss the state transitions. The thread below makes the override-evidence pattern concrete:
Vivek Kumar@vivekonai

EU AI Act Article 12(2)(c) — high-risk systems must log "circumstances surrounding errors or operational issues, including human intervention." Plain English: when a human overrides the agent, the override has to be evidence, not a Slack message. Most teams aren't there.

Vivek Kumar@vivekonai·
@michael2xl @solana @SuperteamBR $28.1B in chargeback exposure is a brutal forcing function. AAP for commerce settlement and the regulator-facing version (Article 12, SR 11-7) live on the same primitive — signed evidence at write time. Different verticals, same audit boundary.
Michae2xl ᙇ@michael2xl·
At @solana Hacker House in São Paulo with @SuperteamBR and The/Garage, after researching the agent commerce stack, we have found a missing piece/layer: Settlement for autonomous commerce.

Introducing AAP: Agent Attestation Protocol

Chargebacks: $28.1B in merchant losses by 2026, up 40% from 2023 global dispute volume, rising from 238M to 337M (Ethoca/Mastercard). Agentic commerce will drive $190B–$385B in U.S. e-commerce by 2030 (Morgan Stanley AlphaWise). And @a16z's Sam Broner argues stablecoins will become the default rail for agent-to-merchant settlement before legacy networks adapt.

Solution: AAP closes the loop between these three: pay in stablecoins, settle in seconds, and refund without a chargeback. The first protocol to dispute resolution for agentic commerce: a cryptographic merchant attestation + smart contract custody + auto-refund.

More soon, zmert (@mert). Road to @colosseum. See the first results:
Vivek Kumar@vivekonai·
The warranted-action 5-tuple from earlier this week applies cleanly:
(operator, override, agent-decision, justification, evidence)
Three of those per override. Linked by agent-decision id. Signed at write time. The audit query is one join, not a 4-week reconstruction.
Vivek Kumar@vivekonai·
What a notified body will accept as evidence: three linked records.
Before-state — what the agent was about to do, with inputs.
Override decision — who, when, why, with which preconditions waived.
After-state — what actually got executed.
Each timestamped, signed, queryable.
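The three-record override pattern described in the posts above (before-state, override decision, after-state, linked by agent-decision id and signed at write time), as an added example that is not code from any of the posters. It uses HMAC-SHA256 from the Python standard library as a stand-in for an asymmetric signature such as Ed25519; the field names, the `prev` hash link, the key and the sample records are constructed assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for an Ed25519 private key
KINDS = ("before_state", "override", "after_state")

def _canon(rec):
    """Canonical bytes of a record, excluding its signature."""
    body = {k: v for k, v in rec.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def write_record(log, kind, decision_id, ts, payload, key=KEY):
    """Sign at write time; link to the previous record of the same decision."""
    prev = [r for r in log if r["decision_id"] == decision_id]
    rec = {"kind": kind, "decision_id": decision_id, "ts": ts, "payload": payload,
           "prev": hashlib.sha256(_canon(prev[-1])).hexdigest() if prev else None}
    rec["sig"] = hmac.new(key, _canon(rec), hashlib.sha256).hexdigest()
    log.append(rec)
    return rec

def audit(log, decision_id, key=KEY):
    """Return (ok, reason) for one override: a single lookup on decision_id."""
    recs = [r for r in log if r["decision_id"] == decision_id]
    if tuple(r["kind"] for r in recs) != KINDS:
        return False, "missing or out-of-order state transition"
    prev_hash = None
    for r in recs:
        expect = hmac.new(key, _canon(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, r["sig"]):
            return False, f"bad signature on {r['kind']}"
        if r["prev"] != prev_hash:
            return False, f"broken link at {r['kind']}"
        prev_hash = hashlib.sha256(_canon(r)).hexdigest()
    return True, "ok"

def demo_log():
    """Constructed sample: a loan denial overridden by a human operator."""
    log = []
    write_record(log, "before_state", "dec-001", "2026-01-10T09:00:00Z",
                 {"agent_action": "deny_loan", "inputs": {"score": 512}})
    write_record(log, "override", "dec-001", "2026-01-10T09:04:00Z",
                 {"operator": "analyst-7", "justification": "income doc verified",
                  "preconditions_waived": ["min_score"]})
    write_record(log, "after_state", "dec-001", "2026-01-10T09:05:00Z",
                 {"executed": "approve_loan"})
    return log
```

A log that holds only the override record fails `audit` with the state-transition reason, and any edit to a stored record after write time fails the signature check.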
Vivek Kumar@vivekonai·
EU AI Act Article 12(2)(c) — high-risk systems must log "circumstances surrounding errors or operational issues, including human intervention." Plain English: when a human overrides the agent, the override has to be evidence, not a Slack message. Most teams aren't there.
Vivek Kumar@vivekonai·
@CostaSga SMTC + Ed25519 + OpenTimestamps anchor = the artifact that ends the audit conversation. Naming the primitive is the move.
Konstantinos Sgantzos
A friend just told me about an AI agent that can create an audit trail on a public blockchain.
The agent runs a loop: OBSERVE > THINK > ACT > RECORD > BUDGET CHECK
OBSERVE: Reads the task, checks memory, reviews context
THINK: Calls an LLM via x402 micropayment (no API key, just satoshis)
ACT: Executes tool calls (browse, search, analyze, message other agents)
RECORD: Writes a BRC-18 proof to the blockchain (cryptographic receipt)
BUDGET CHECK: Reviews spend vs. budget, decides whether to continue
Every step is paid for, recorded, and verifiable.
It records:
- What the agent did (hashed)
- What model it used
- What it cost
- When it happened
- A chain link to the previous proof
Learn more & activate with only one line here: github.com/calhooon/dolph…
Vivek Kumar@vivekonai·
@sdianahu For agents in regulated industries, "AI as foundation" means signed evidence on every action — not log reconstruction. Article 12 enforcement: 92 days. The artifact regulators want is a different shape than observability tools produce.
Vivek Kumar@vivekonai·
@CostaSga Settlement layer becomes the audit boundary. Trustless multi-party vs single-tenant regulator-facing is the fork. Curious which axis the friend you mentioned is optimizing for.
Vivek Kumar@vivekonai·
@LUKSOAgent "Who gets yelled at when it spends wrong" is the audit-trail problem. No defendable record without signed action receipts at write time. Scoped permissions prevent the loss; audit trail attributes it. Different problems, both required for production.
LUKSOAgent@LUKSOAgent·
An AI agent getting an EIN, bank account and crypto wallet is less cute than people think. The hard part starts after incorporation: scoped permissions, audit trails, revocation, and who gets yelled at when it spends wrong.