EU AI Act Annex III evidence,
ready for your regulator
with DORA already live.
Dobby produces the auditor-ready evidence pack for every AI workload that touches credit decisions, insurance pricing, or customer-facing risk scoring — mapped to EU AI Act Annex III, ISO 42001, SR 11-7, and Bank of Israel Directive 369.
For finance & insurance · IL + EU mid-market · 200–2,000 employees · SOC 2 Type I in progress
DORA is live now — Annex III high-risk follows in December 2027
DORA's ICT and operational-resilience obligations have applied since January 17, 2025, and your supervisor reviews model risk today. The EU AI Act adds Annex III high-risk obligations for credit-scoring, creditworthiness evaluation, and risk assessment + pricing in life and health insurance — now moving to December 2027 under the Digital Omnibus (penalties up to €15M / 3% of turnover). The teams that build the evidence pipeline now aren't the ones scrambling later.
"What AI is in production, and what evidence do I have?"
Your auditor is asking. Your CRO is asking. The EU AI Act enforcement clock is ticking. If you're like most model-risk teams at mid-market banks and insurers, your honest answer today is:
"We've got the analytical models documented. The AI agents are… complicated."
Your model inventory is incomplete.
SR 11-7 / EBA Model Risk asks for a full inventory of models in production. But the new AI workloads — SaaS-embedded copilots, RAG agents, fraud-rule generators, customer-facing chatbots — don't fit your traditional model template. They aren't in the spreadsheet.
Your SR 11-7 process doesn't speak Annex III.
Decades of model-risk vocabulary (validation, challenger models, performance monitoring) cover the analytical models. They don't naturally produce the evidence Annex III asks for — risk management system, training-data documentation, human oversight, post-market monitoring. Different artifacts, same evidence-burden.
You can't reconstruct what an agent did, after the fact.
When a customer disputes an automated credit decision, when the regulator asks for the audit trail of a flagged transaction, when your CRO asks "what did our AI actually decide last quarter?" — the answer needs to be one query away, not a four-week forensic project.
What you produce. What your auditor receives.
Continuous compliance evidence, generated automatically across every AI workload you own.
Policy Template Library
Annex III + ISO 42001 + SR 11-7 mapping shipped on day one.
Importable, Dobby-authored interpretations of EU AI Act Annex III, ISO 42001, SOC 2, and GDPR — each policy maps to specific articles your auditor recognizes. Cross-framework mapping shows how one Org policy satisfies Annex III Article 12 + ISO 42001 9.1 + SOC 2 CC7.2 at once. HIPAA defers to Year 2 alongside healthcare expansion.
Per-workload compliance scan
Every agent run produces an evidence row — not a weekly aggregate.
On every workload run (CrewAI Cloud first, LangSmith / n8n / GitHub Actions following), the Policy Scanner emits a compliant / violated / needs-review / unverifiable verdict per applicable control, with confidence score and remediation. Article 12 logging, satisfied automatically.
Auditor-ready evidence pack
Hand a regulator a single bundle, not a 12-folder forensic dig.
Per-workload scan history · cross-framework mapping · human-review log · violation remediation trail · workload owner attribution. Exportable as a CSV+PDF bundle scoped by date range and framework. You produce; the auditor decides.
One scan. Four frameworks. Mapped policies.
Your GRC team writes one policy at the Org layer; Dobby surfaces which controls it satisfies across every framework you import.
EU AI Act Annex III
Credit-scoring, creditworthiness evaluation, insurance pricing (life + health)
Sample controls Dobby evaluates: Article 9 (risk management) · Article 10 (data governance) · Article 12 (logging) · Article 14 (human oversight) · Article 15 (accuracy + robustness)
ISO 42001
AI management system — the framework auditors prefer when they want a single international standard
Sample controls Dobby evaluates: 6.1.1 (risk register) · 8.1 (change management) · 8.2 (AI impact assessment) · 9.1 (continuous monitoring) · 10.1 (continual improvement)
SR 11-7 / EBA Model Risk
US Federal Reserve + European Banking Authority — the model-risk vocabulary your CRO already speaks
Sample controls Dobby evaluates: Model inventory · validation · monitoring · documentation — Dobby's per-workload scan + ownership log fills the AI-workload-shaped gap in your existing model-risk process
Bank of Israel Directive 369
IL home market — IT risk management with AI components in scope
Sample controls Dobby evaluates: Audit-committee sign-off on model-risk validation cycle · documented operating procedures · AI vendor risk assessment
Dobby's pack content is paraphrased and adapted, not verbatim regulatory text. Each policy carries a "Dobby's interpretation, not legal advice" disclaimer. Customers can edit any imported policy.
Pricing
Design-partner discount of 50% Year-1 list price available for early Finance/Insurance customers.
Pricing tiers reflect our published WTP-validation candidates. Final pricing locks once design-partner interviews complete (Q3 2026).
Common questions from model-risk teams
Is Dobby a model validation tool?+
How does Dobby differ from a traditional model-risk system (SAS MRM, IBM OpenPages, homegrown)?+
Will Dobby pass an EU AI Act audit?+
What does it look like for an Israeli bank under Bank of Israel Directive 369?+
How long is implementation?+
Do you need to be in our data path?+
13 weeks to Annex III enforcement.
We'll walk through your in-scope AI workloads, your current evidence gaps, and what a readiness report looks like — in 30 minutes, no obligation.
Book your Annex III readiness callDesign-partner discount available·NDA on request