Skip to content
For Model Risk Officers & GRC at banks · insurers · regulated mid-market

EU AI Act Annex III evidence,
ready for your regulator
with DORA already live.

Dobby produces the auditor-ready evidence pack for every AI workload that touches credit decisions, insurance pricing, or customer-facing risk scoring — mapped to EU AI Act Annex III, ISO 42001, SR 11-7, and Bank of Israel Directive 369.

For finance & insurance · IL + EU mid-market · 200–2,000 employees · SOC 2 Type I in progress

DORA is live now — Annex III high-risk follows in December 2027

DORA's ICT and operational-resilience obligations have applied since January 17, 2025, and your supervisor reviews model risk today. The EU AI Act adds Annex III high-risk obligations for credit-scoring, creditworthiness evaluation, and risk assessment + pricing in life and health insurance — now moving to December 2027 under the Digital Omnibus (penalties up to €15M / 3% of turnover). The teams that build the evidence pipeline now aren't the ones scrambling later.

"What AI is in production, and what evidence do I have?"

Your auditor is asking. Your CRO is asking. The EU AI Act enforcement clock is ticking. If you're like most model-risk teams at mid-market banks and insurers, your honest answer today is:

"We've got the analytical models documented. The AI agents are… complicated."
1

Your model inventory is incomplete.

SR 11-7 / EBA Model Risk asks for a full inventory of models in production. But the new AI workloads — SaaS-embedded copilots, RAG agents, fraud-rule generators, customer-facing chatbots — don't fit your traditional model template. They aren't in the spreadsheet.

2

Your SR 11-7 process doesn't speak Annex III.

Decades of model-risk vocabulary (validation, challenger models, performance monitoring) cover the analytical models. They don't naturally produce the evidence Annex III asks for — risk management system, training-data documentation, human oversight, post-market monitoring. Different artifacts, same evidence-burden.

3

You can't reconstruct what an agent did, after the fact.

When a customer disputes an automated credit decision, when the regulator asks for the audit trail of a flagged transaction, when your CRO asks "what did our AI actually decide last quarter?" — the answer needs to be one query away, not a four-week forensic project.

What you produce. What your auditor receives.

Continuous compliance evidence, generated automatically across every AI workload you own.

Policy Template Library

Annex III + ISO 42001 + SR 11-7 mapping shipped on day one.

Importable, Dobby-authored interpretations of EU AI Act Annex III, ISO 42001, SOC 2, and GDPR — each policy maps to specific articles your auditor recognizes. Cross-framework mapping shows how one Org policy satisfies Annex III Article 12 + ISO 42001 9.1 + SOC 2 CC7.2 at once. HIPAA defers to Year 2 alongside healthcare expansion.

Per-workload compliance scan

Every agent run produces an evidence row — not a weekly aggregate.

On every workload run (CrewAI Cloud first, LangSmith / n8n / GitHub Actions following), the Policy Scanner emits a compliant / violated / needs-review / unverifiable verdict per applicable control, with confidence score and remediation. Article 12 logging, satisfied automatically.

Auditor-ready evidence pack

Hand a regulator a single bundle, not a 12-folder forensic dig.

Per-workload scan history · cross-framework mapping · human-review log · violation remediation trail · workload owner attribution. Exportable as a CSV+PDF bundle scoped by date range and framework. You produce; the auditor decides.

One scan. Four frameworks. Mapped policies.

Your GRC team writes one policy at the Org layer; Dobby surfaces which controls it satisfies across every framework you import.

EU AI Act Annex III

Credit-scoring, creditworthiness evaluation, insurance pricing (life + health)

Sample controls Dobby evaluates: Article 9 (risk management) · Article 10 (data governance) · Article 12 (logging) · Article 14 (human oversight) · Article 15 (accuracy + robustness)

ISO 42001

AI management system — the framework auditors prefer when they want a single international standard

Sample controls Dobby evaluates: 6.1.1 (risk register) · 8.1 (change management) · 8.2 (AI impact assessment) · 9.1 (continuous monitoring) · 10.1 (continual improvement)

SR 11-7 / EBA Model Risk

US Federal Reserve + European Banking Authority — the model-risk vocabulary your CRO already speaks

Sample controls Dobby evaluates: Model inventory · validation · monitoring · documentation — Dobby's per-workload scan + ownership log fills the AI-workload-shaped gap in your existing model-risk process

Bank of Israel Directive 369

IL home market — IT risk management with AI components in scope

Sample controls Dobby evaluates: Audit-committee sign-off on model-risk validation cycle · documented operating procedures · AI vendor risk assessment

Dobby's pack content is paraphrased and adapted, not verbatim regulatory text. Each policy carries a "Dobby's interpretation, not legal advice" disclaimer. Customers can edit any imported policy.

Pricing

Design-partner discount of 50% Year-1 list price available for early Finance/Insurance customers.

Free
$0/mo
3 agents · 10k reqs · 3 controls
Pro
$99/mo
10 agents · 100k reqs · all 19 controls
Team
$499/mo
25 agents · 500k reqs · Fleet dashboard + SSO
Enterprise
$2,500+/mo metered
∞ agents · MCP tools · SIEM · VPC · custom packs

Pricing tiers reflect our published WTP-validation candidates. Final pricing locks once design-partner interviews complete (Q3 2026).

Common questions from model-risk teams

Is Dobby a model validation tool?+
No. Model validation — assessing whether a model performs as claimed against held-out data, challenger models, etc. — stays with your existing model-risk team. Dobby produces the GOVERNANCE evidence around the model: who owns it, what policies it must satisfy, what every run did, whether human oversight was applied. The two functions are complementary; Annex III explicitly requires both.
How does Dobby differ from a traditional model-risk system (SAS MRM, IBM OpenPages, homegrown)?+
Traditional MRM tools manage the model-validation lifecycle: registration → challenger → backtest → approval. Dobby manages the RUNTIME GOVERNANCE of AI workloads: every agent run, every tool call, every prompt, scanned against your policies in near-real-time. You keep your MRM for the analytical models; Dobby covers the new AI agents that don't fit the traditional model template.
Will Dobby pass an EU AI Act audit?+
Dobby doesn't pass audits — auditors and regulators do. What Dobby gives you is the evidence pack the auditor will ask for: per-workload scan history, cross-framework control mapping, human-review log, owner attribution, exportable as a single CSV+PDF bundle. Whether that evidence satisfies a specific regulator is their call. Customers report a 4-6x reduction in evidence-gathering time vs spreadsheet workflows.
What does it look like for an Israeli bank under Bank of Israel Directive 369?+
Directive 369 (IT risk management) requires audit-committee sign-off on a model-risk validation cycle for AI components in production. Dobby's per-workload scan log + ownership trail + violation remediation history IS the artifact the audit committee receives. Same product, same scan, parallel home-market regulatory path to EU AI Act Annex III.
How long is implementation?+
Most mid-market customers run a Discovery scan in their first 30 minutes (Shadow AI inventory). Connecting their first sanctioned workload platform (CrewAI Cloud out of the box; LangSmith / n8n / GitHub Actions following) takes 1-2 hours. First Annex III readiness report generates within a week. Auditor-ready evidence bundle by week 6.
Do you need to be in our data path?+
No. Dobby's Surrounding mode is post-hoc — we read telemetry from your existing platforms (webhook from CrewAI Cloud, log forward from your SIEM), score against your policies, and emit evidence. No proxy, no latency, no architectural change. For customers who do want in-path enforcement (Inline + Hybrid modes), we offer that separately.

13 weeks to Annex III enforcement.

We'll walk through your in-scope AI workloads, your current evidence gaps, and what a readiness report looks like — in 30 minutes, no obligation.

Book your Annex III readiness call

Design-partner discount available·NDA on request

Dobby | EU AI Act Annex III Evidence for Banks & Insurers