The signed record of human oversight on AI-generated work.

Aug 2 · EU AI Act high-risk obligations enter active enforcement. Reg. EU 2024/1689 · 2026
€35M · Maximum fine for failing to prove human oversight of AI outputs. EU AI Act · Article 99
23% · of organisations have already shipped AI-assisted work with realised defects. McKinsey 2024 · n=876

02 The problem

AI ships. Nobody signs for it.

When production breaks

"Who reviewed this — and what did they think?"

No defensible answer exists at artifact resolution.

When a candidate sues

"Show that a named human stood behind this shortlist."

A review policy is not the same as a review record.

When the auditor calls

"Evidence of Article 14 oversight on this feature, please."

Multi-week scramble across Slack, Notion, GitHub, email.

Every AI tool ships output into a workflow. The frameworks that govern that workflow — Article 14 of the EU AI Act, ISO 42001 Control 8.4, SOC 2 CC2.1 — each ask the same question: can you show that a named human reviewed this specific artifact and stood behind the decision to ship it?

Nothing fills the gap between them.

03 Use cases

Same mechanic. Different stakes.

UC—01 · For the senior engineer in a regulated repo.

Stop AI-generated code from shipping without a name attached to it.

Plenio detects AI-authored hunks in the PR, gates the merge, and writes diff hash + reviewer + rationale to the chain before the merge button unlocks. Producer ≠ reviewer enforced.

Anchored on: Annex III | Art. 14 | McKinsey · 23% inaccuracy

UC—02 · For the head of hiring using AI to rank candidates.

Defend an AI-ranked shortlist when a rejected candidate's lawyer asks.

Sign-off captured against the exact ranking version, with high_risk_domain = employment and AI tool version pinned. Tribunal-defensible. Regulator-defensible.

Anchored on: Annex III · employment | Art. 14 + 26(2)

UC—03 · For the head of compliance preparing for an audit.

Answer an auditor's specific question before the call ends.

One query. One snapshot. Sixty seconds. Filter by feature, risk tier, domain, reviewer, AI tool. Export PDF for the auditor and multi-framework JSON for Vanta or Drata.

Anchored on: Art. 14 | ISO 42001 · 8.4 | SOC 2 · CC2.1

04 Definition

One mechanic. Stated precisely.

The mechanic

A forced sign-off at the moment AI output transitions from draft to shipped.

The evidentiary unit

A signed log entry — append-only, hash-chained, citable across multiple frameworks at once.

05 Regulatory grounding

What the law actually demands.

| Source | Requirement | Plenio |
| --- | --- | --- |
| EU AI Act · Art. 14 (Reg. EU 2024/1689) | Human oversight must be identified and demonstrable — not policy alone. | Direct · Core |
| EU AI Act · Art. 26(2) (Deployer duties) | Qualified personnel must actually exercise oversight on each high-risk use. | Direct |
| Annex III · Art. 6 (High-risk classification) | Per-use-case classification across five named domains: administrative, judiciary, employment, education, health. | Direct |
| ISO 42001 · 8.4 (AI Management System) | Documented evidence of human oversight, retained for audit. | Direct |
| SOC 2 · CC2.1 (Information & communication) | Evidence of human review on AI-assisted controls. | Direct |
| EU AI Act · Art. 99 (Penalties) | €35M / 7% turnover for prohibited practices · €15M / 3% for high-risk failures. | Exposure |

06 Architecture

The signed entry is the spine.

Step one · automatic

Capture everything machine-readable.

Artifact hash, AI tool, producer, timestamp, risk tier, domain. The reviewer is not asked.

Step two · attestation

Reviewer adds rationale and signs.

Free text. Under thirty seconds. Producer ≠ reviewer enforced at the gate.

Integrity · cryptographic

Append-only. Hash-chained. Tamper-evident.

An auditor can walk the chain back to genesis. Nothing modified, deleted, or reordered.

entry · 0xa7f3c91e2bd... Signed
Schema: plenio.entry/v1.0
Risk tier: high_risk_art_6
Domain: employment
Artifact: candidate_rank_v4.json
Hash: sha256:0x7f3a91e2bd4c...b21c
AI tool: internal_llm/3.2 (gpt-5-mini)
Producer: a.lee@ · talent_ops
Reviewer: m.chen@ · head_of_hiring
SoD: producer ≠ reviewer · enforced
t · sign: 2026-04-30T14:21:33Z (25s)
Rationale: "Reviewed top-12 ranked candidates. Removed two false positives. Cleared shortlist for outreach."
Cited under: eu_ai_act/art_14 · iso_42001/8.4 · soc2/cc2.1
Prev hash: sha256:0x4b1f...8c9a
chain integrity ✓ verified · block 1,847,229
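
A minimal sketch of the mechanic described in this section (sign-off gate with producer ≠ reviewer, hash-chained entries, a walk back to genesis), added here as an illustration and not Plenio's own code. The field names, the all-zero genesis value and the use of HMAC in place of a real reviewer signature are assumptions; timestamps and risk metadata are left out.

```python
import hashlib, hmac, json

GENESIS = "sha256:" + "0" * 64  # assumed prev_hash of the first entry

def _digest(body):
    # Canonical JSON so identical fields always give the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def _sign(key, entry_hash):
    # HMAC stands in for the reviewer's signature (assumption).
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append_entry(chain, artifact, producer, reviewer, rationale, key):
    if producer == reviewer:  # separation of duties at the gate
        raise PermissionError("producer cannot sign off their own artifact")
    if not rationale.strip():
        raise ValueError("rationale is required")
    body = {
        "artifact_hash": "sha256:" + hashlib.sha256(artifact).hexdigest(),
        "producer": producer, "reviewer": reviewer, "rationale": rationale,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry_hash = _digest(body)
    chain.append({**body, "entry_hash": entry_hash, "signature": _sign(key, entry_hash)})
    return chain[-1]

def verify_chain(chain, keys):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "signature")}
        sig = _sign(keys.get(e["reviewer"], b""), e["entry_hash"])
        if (e["prev_hash"] != prev or _digest(body) != e["entry_hash"]
                or not hmac.compare_digest(sig, e["signature"])):
            return i
        prev = e["entry_hash"]
    return -1

def demo():
    # Constructed reviewers, keys and artifacts.
    keys = {"m.chen": b"constructed-key-1", "a.lee": b"constructed-key-2"}
    chain = []
    append_entry(chain, b'{"rank": [3, 1, 2]}', "a.lee", "m.chen", "Reviewed top-12.", keys["m.chen"])
    append_entry(chain, b"constructed diff text", "m.chen", "a.lee", "Checked hunks.", keys["a.lee"])
    intact = verify_chain(chain, keys)
    chain[0]["rationale"] = "edited after the fact"
    return intact, verify_chain(chain, keys)
```

Walking the chain catches modification, deletion from the front or middle, and reordering, but not removal of the most recent entries. Detecting that requires the latest entry hash to be recorded somewhere the log operator cannot rewrite.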
07 Market position

Three categories. One stack.

Axis 01 · GRC automation
Trust management
Vanta · Drata
Evidence shape: policy-level.
Axis 02 · AI-native governance
AI system governance
Credo AI · Holistic AI
Evidence shape: system-level.
Axis 03 · Artifact attestation
Captured human oversight
Plenio
Evidence shape: artifact-level.

Article 14 read with Article 26(2) requires all three.

08 Validation

Two sources. Same observation.

Source A · Enterprise survey
McKinsey Global Survey on AI
n = 876 · Feb–Mar 2024 · realised generative-AI consequences
Source B · Regulatory keynote
Carme Artigas · EU AI Act lead negotiator
MSP GLOBAL · December 2025 · why enterprise AI adoption stalled
| Blocker | McKinsey · realised harm | Artigas · keynote phrasing | Plenio |
| --- | --- | --- | --- |
| Inaccuracy | 23% | lack of accuracy | Addressed |
| Cybersecurity | 16% | cyber security potential issues | Addressed |
| Explainability | 12% | explainability | Addressed |
| IP infringement | 11% | intellectual property infringement | — Adjacent |
| Regulatory | 10% | regulatory compliance | — Pre-2026 baseline |

Two sources, eighteen months apart, same five blockers in the same order. Three of them are exactly what Plenio's mechanic produces evidence against.

09 Engage

Join the waitlist. Or just say hi.

Be early. Stay close to the build.

Join the waitlist for v1 access and one quarterly note — the next PRD revision, what we're shipping, what we're rejecting, and why. Auditors, advisors, and prospective design partners can use the same form to reach us — just leave a note in the message field.
