KAKUNIN

Compliance Attestation Template

EU AI Act Article 50 and MiCA Article 70 attestation letter for AI agent operators. Printable PDF template plus machine-readable API endpoint.

Kakunin provides two attestation artefacts for audit submissions:

  1. Machine-readable attestation: GET /api/v1/agents/:id/compliance-report returns structured JSON covering controls, risk summary, and regulatory status.
  2. Printable letter template: /attestation-template is a pre-formatted EU-compliant letter you fill in from the API response and print to PDF.

Quick start

Step 1 — Fetch the machine-readable attestation

curl -X GET "https://www.kakunin.ai/api/v1/agents/AGENT_ID/compliance-report" \
  -H "Authorization: Bearer kak_live_..."

Example response (abbreviated):

{
  "data": {
    "attestation_id": "attest_a1b2c3d4e5f6_1716700000000",
    "generated_at": "2026-05-26T10:00:00.000Z",
    "window_days": 30,
    "template_url": "https://kakunin.ai/attestation-template",
    "agent": {
      "name": "TradeBot v2",
      "model": "gpt-4o",
      "model_hash": "a3f9c2...",
      "status": "active"
    },
    "certificate": {
      "serial_number": "3A:F2:91:CC:...",
      "issued_at": "2026-05-01T00:00:00.000Z",
      "expires_at": "2027-05-01T00:00:00.000Z",
      "status": "active",
      "has_vc": true
    },
    "risk_summary": {
      "current_score": 0.12,
      "band": "low",
      "events_analyzed": 412,
      "high_risk_events": 0,
      "pre_revocation_warnings": 0
    },
    "controls": {
      "pass": 9,
      "fail": 0,
      "not_applicable": 1
    },
    "regulatory": {
      "eu_ai_act": { "status": "compliant" },
      "mica": { "status": "compliant" }
    }
  }
}

Step 2 — Open the printable template

Go to https://kakunin.ai/attestation-template.

Replace each [bracketed field] with the corresponding value from the API response. Use the mapping below.

Step 3 — Print to PDF

Click Print / Save PDF in the top toolbar, or use your browser's Cmd+P / Ctrl+P. Set paper size to A4, margins to default.


Field mapping

Template field            API field
Agent Name                data.agent.name
Agent ID (Kakunin)        data.agent.id
Model / Weights           data.agent.model + data.agent.version
Model Hash (SHA-256)      data.agent.model_hash
Certificate Serial No.    data.certificate.serial_number
Issued At / Expires At    data.certificate.issued_at / expires_at
Events Ingested           data.risk_summary.events_analyzed
Current Risk Score        data.risk_summary.current_score + band
High-Risk Events          data.risk_summary.high_risk_events
EU AI Act Status          data.regulatory.eu_ai_act.status
MiCA Status               data.regulatory.mica.status
Per-control Status        data.controls.items[*].status + evidence

RCM control reference

The attestation evaluates 10 Kakunin Risk Control Model (RCM) controls:

ID      Description                               Standard
C-A1    Agent cryptographic identity (X.509)      ISO 27001 A.5.15, A.5.16
C-A2    Model hash pinning (SHA-256)              ISO 27001 A.8.9
C-B1    Behavioral event ingestion                ISO 27001 A.8.15
C-B2    Risk scoring engine                       ISO 27001 A.5.25
C-B3    Behavioral drift detection                NIST CSF DE.AE-03
C-C1    Certificate revocation                    ISO 27001 A.5.17
C-D1    Kill switch / signed halt receipt         NIST CSF RS.RP-01
C-E1    Audit log immutability (WORM)             ISO 27001 A.8.15, A.5.33
C-F1    Compliance report generation              ISO 27001 A.5.36
C-G1    Decision chain integrity (HMAC)           NIST CSF PR.PT-01

A control returns fail only when a prerequisite is missing (no certificate, no model hash, no events). Controls that do not apply to the agent's current state return not_applicable.


Regulatory scope

EU AI Act — Article 50

Article 50 requires operators of AI systems with direct human interaction to ensure transparency and to maintain logs sufficient for post-hoc auditability.

Kakunin satisfies Article 50 by:

  • Issuing a KMS-signed X.509 certificate binding agent identity to a verified model hash
  • Recording every behavioral event in an append-only, HMAC-signed audit log
  • Providing the W3C Verifiable Credential (vc+jwt) as a machine-verifiable identity proof

The status is compliant when all of the following hold: the certificate is active, model_hash is set, and at least 1 event has been ingested.

MiCA — Article 70

MiCA Article 70 requires crypto-asset service providers using AI agents to implement operational risk controls, including incident detection and reporting.

Kakunin satisfies Article 70 by:

  • Continuous risk scoring per event with automatic operator notification at score ≥ 0.75
  • Auto-revocation trigger at score ≥ 0.85
  • Tamper-evident audit trail with S3 WORM backup

The status is compliant when all of the following hold: the certificate is active, model_hash is set, and there are zero high-risk events (score ≥ 0.85) in the 30-day window.
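
The compliant conditions stated above for Article 50 and Article 70 can be re-derived from the raw response fields before the letter is submitted, so that a mismatch between the reported status and the underlying data is caught locally. This is an added example, not Kakunin's code: the function names and the certificate expiry check are assumptions, and the sample is constructed from the abbreviated response on this page.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the abbreviated response on this page.
SAMPLE = {"data": {
    "generated_at": "2026-05-26T10:00:00.000Z",
    "window_days": 30,
    "agent": {"name": "TradeBot v2", "model_hash": "a3f9c2...", "status": "active"},
    "certificate": {"status": "active", "expires_at": "2027-05-01T00:00:00.000Z"},
    "risk_summary": {"events_analyzed": 412, "high_risk_events": 0},
    "regulatory": {"eu_ai_act": {"status": "compliant"},
                   "mica": {"status": "compliant"}},
}}

def _ts(value):
    # datetime.fromisoformat() on older Pythons rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def recompute(report, now=None):
    """Re-derive both statuses from raw fields using the documented conditions."""
    d = report["data"]
    now = now or datetime.now(timezone.utc)
    cert = d.get("certificate") or {}
    risk = d.get("risk_summary") or {}
    # Shared prerequisites: active certificate and a non-empty model hash.
    base = (cert.get("status") == "active"
            and bool((d.get("agent") or {}).get("model_hash")))
    # Assumption (not a documented condition): a certificate reported as
    # "active" but already past expires_at is surfaced as a finding.
    expired = "expires_at" in cert and _ts(cert["expires_at"]) <= now
    return {
        "eu_ai_act": base and risk.get("events_analyzed", 0) >= 1,
        # A missing counter fails closed: it is treated as non-zero.
        "mica": base and risk.get("high_risk_events", 1) == 0,
        "cert_expired": expired,
    }

def findings(report, now=None):
    """List mismatches between the reported and the recomputed status."""
    derived = recompute(report, now)
    out = []
    for key in ("eu_ai_act", "mica"):
        reported = report["data"]["regulatory"][key]["status"] == "compliant"
        if reported != derived[key]:
            out.append(f"{key}: reported={reported} recomputed={derived[key]}")
    if derived["cert_expired"]:
        out.append("certificate: expires_at is in the past")
    return out
```

An empty list from findings() means the reported statuses agree with the raw fields; any entry should be resolved before the attestation is printed.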


LLM-narrated compliance report

For a narrative compliance report suitable for board-level or regulator submissions, use the async report endpoint:

curl -X POST "https://www.kakunin.ai/api/v1/reports/compliance" \
  -H "Authorization: Bearer kak_live_..." \
  -H "Content-Type: application/json" \
  -d '{"agentId": "AGENT_ID", "windowDays": 30, "standardsFrameworks": ["iso_27001", "nist_csf"]}'

Returns 202 Accepted with a report_id. Poll GET /api/v1/reports/:id for status. The report is generated asynchronously by an LLM with full ISO 27001:2022 and NIST CSF 2.0 control mapping.

