SAIHM × EU AI Act crosswalk
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (the “EU AI Act”) was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. Application dates phase in: prohibited practices and AI literacy (2 February 2025), GPAI and governance (2 August 2025), the bulk of the high-risk obligations (2 August 2026), and Annex I products (2 August 2027).
SAIHM is a memory-layer protocol, not itself a high-risk AI system. When SAIHM is used as the memory component of a high-risk AI system (Article 6 and following), the protocol provides evidence directly applicable to a number of the provider and deployer obligations.
High-impact articles
| Article | SAIHM mechanism (provider or deployer evidence) |
|---|---|
| Art 9 — Risk management system. Continuous, iterative process across the AI system life cycle. | Cell lifecycle (remember → recall → share / revoke_share → forget) is explicit and audit-anchored. Each transition supports a documented risk-treatment lever. |
| Art 10 — Data and data governance. Relevant, representative, free of errors, complete; integrity and quality. | Per-cell signature (ML-DSA-65, FIPS-204) at write time; signature verification at read time; provenance from chain receipt; encryption protects against silent tampering at rest. |
| Art 11 — Technical documentation. Documented and kept up to date. | Public protocol spec (Internet-Draft draft-saihm-memory-protocol-00 in preparation); Apache-2.0 source on npm; six crosswalks. |
| Art 12 — Record-keeping. High-risk systems must enable automatic logging of events over their lifetime. | Every SAIHM operation emits a signed receipt anchored on the COTI V2 public chain (chain ID 2632500). The audit log is tamper-evident, time-stamped, reproducible by independent auditors. |
| Art 13 — Transparency and provision of information to deployers. | Public protocol spec; public source; public block explorer; sharing contracts are explicit and revocable; threat model documented in I-D §6.4. |
| Art 14 — Human oversight. Effective oversight by natural persons. | Wallet-bound holder identity: the holder is the natural person (or organisation) with the decryption authority. saihm_forget is the oversight-enforced erasure action. |
| Art 15 — Accuracy, robustness, cybersecurity. Appropriate level throughout the life cycle. | ML-DSA-65 post-quantum identity binding; KEK rotation versioned; HKDF chain documented; encryption-before-egress. Cybersecurity properties are protocol-level, not implementation-policy-level. |
| Art 16 — Obligations of providers of high-risk AI systems. | SAIHM is the memory layer, not the AI system. Providers using SAIHM inherit a documented record-keeping mechanism (Art 12), data-integrity mechanism (Art 10), cybersecurity mechanism (Art 15), and right-to-erasure mechanism (GDPR Art 17 + Art 26 deployer obligations). |
| Art 26 — Obligations of deployers of high-risk AI systems. | Deployer logs are durable, signed, on-chain. saihm_status exposes the deployer-side dashboard. Sharing contracts are revocable. |
| Art 50 — Transparency for certain AI systems. | SAIHM cells themselves are not user-facing AI outputs; the protocol does not generate content. But the audit anchor lets any downstream Art 50 disclosure be backed by verifiable records. |
GPAI considerations (Articles 51–55)
General-Purpose AI Models obligations (effective 2 August 2025) include technical documentation, copyright policy, and transparency about training. SAIHM is not a GPAI model; it is a memory protocol that a GPAI model (or any agent using a GPAI model) can consume. The GPAI-relevant SAIHM properties:
- Memory provenance. Each cell carries holder identity, signature, write timestamp, and storage tier. The GPAI provider's training-data-vs-runtime-memory boundary is auditable via SAIHM receipts.
- Right of withdrawal. A GPAI deployer using SAIHM can act on a user's withdrawal request with cryptographic finality (saihm_forget).
- Cross-vendor portability. SAIHM cells are reachable from any MCP-capable agent, so the GPAI vendor cannot lock memory in.
How to cite SAIHM in an EU AI Act compliance dossier
- For Article 12 (record-keeping): cite the COTI V2 chain audit anchor (chain ID 2632500, explorer cotiscan.io) and the receipt-id schema in the I-D.
- For Article 15 (cybersecurity): cite FIPS-204 (ML-DSA-65) and the I-D §6 (Security considerations).
- For Article 14 (human oversight): cite the wallet-binding HKDF chain and saihm_forget as the oversight-enforced erasure action.
- For Article 10 (data governance): cite the per-cell signature scheme and chain provenance.