AnthonyD.CATA
@catarisklab.com
AI Governance Architect. Auditing US Vendors for Swiss Banking Compliance.
🔗 https://catarisklab.com
🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
🔗 https://catarisklab.com
🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
you don't need an eu office to get fined by the eu.
the ai act applies to any system processing eu resident data. doesn't matter where you're incorporated.
audited a uk saas with 40% eu users. zero documentation. penalties up to 7% of global turnover.
check your user geography.
the ai act applies to any system processing eu resident data. doesn't matter where you're incorporated.
audited a uk saas with 40% eu users. zero documentation. penalties up to 7% of global turnover.
check your user geography.
January 27, 2026 at 10:01 AM
you don't need an eu office to get fined by the eu.
the ai act applies to any system processing eu resident data. doesn't matter where you're incorporated.
audited a uk saas with 40% eu users. zero documentation. penalties up to 7% of global turnover.
check your user geography.
the ai act applies to any system processing eu resident data. doesn't matter where you're incorporated.
audited a uk saas with 40% eu users. zero documentation. penalties up to 7% of global turnover.
check your user geography.
veritas protocol v2.0 is live. now using judge models to mechanically score hallucination rates in financial summaries. human review is too slow for high-frequency compliance. repo in reply.
January 27, 2026 at 1:14 AM
veritas protocol v2.0 is live. now using judge models to mechanically score hallucination rates in financial summaries. human review is too slow for high-frequency compliance. repo in reply.
if your ai audit report doesn't include a code review of the model card and a token egress log, you bought a placebo. demand the raw data.
January 26, 2026 at 11:14 PM
if your ai audit report doesn't include a code review of the model card and a token egress log, you bought a placebo. demand the raw data.
deployed the swiss risk calculator to hugging face. maps your nfadp exposure in 30 seconds. no email required. open-source validation, not gatekeeping safety. link in reply.
January 26, 2026 at 10:14 PM
deployed the swiss risk calculator to hugging face. maps your nfadp exposure in 30 seconds. no email required. open-source validation, not gatekeeping safety. link in reply.
data sovereignty is the new oil rights. where your vectors sit determines who can seize them. if your rag database is in us-east-1, you're subject to the cloud act. physics matters.
January 25, 2026 at 5:30 PM
data sovereignty is the new oil rights. where your vectors sit determines who can seize them. if your rag database is in us-east-1, you're subject to the cloud act. physics matters.
shadow ai find: a "pdf summarizer" browser extension harvesting proprietary trading data from a tier-1 bank. it wasn't malware. it was "productivity software." check your endpoints.
January 25, 2026 at 4:30 PM
shadow ai find: a "pdf summarizer" browser extension harvesting proprietary trading data from a tier-1 bank. it wasn't malware. it was "productivity software." check your endpoints.
audited a "compliance" tool today. it was just a wrapper for gpt-4 with a system prompt saying "be safe." that is not governance. that is a wish. real safety requires hard constraints.
January 25, 2026 at 2:30 PM
audited a "compliance" tool today. it was just a wrapper for gpt-4 with a system prompt saying "be safe." that is not governance. that is a wish. real safety requires hard constraints.
we don't sell consulting. we sell regulatory immunity. if you need a slide deck, hire the big 4. if you need to prove to a regulator that your model isn't racist, call the lab. link in reply.
January 24, 2026 at 10:39 PM
we don't sell consulting. we sell regulatory immunity. if you need a slide deck, hire the big 4. if you need to prove to a regulator that your model isn't racist, call the lab. link in reply.
swiss board directors: under nfadp, you are personally liable for data egress. not the company. you. if your team is pasting ibans into chatgpt, you are financing the fine.
January 24, 2026 at 3:39 PM
swiss board directors: under nfadp, you are personally liable for data egress. not the company. you. if your team is pasting ibans into chatgpt, you are financing the fine.
stop calling it "ai hallucination." call it "liability generation." when your rag bot invents a refund policy, that's a binding contract in some jurisdictions. veritas catches the lie before the user does.
January 24, 2026 at 2:39 PM
stop calling it "ai hallucination." call it "liability generation." when your rag bot invents a refund policy, that's a binding contract in some jurisdictions. veritas catches the lie before the user does.
new florida law (hb 527) means "the ai did it" is no longer a valid legal defense for insurance denials. if you can't explain the black box, you lose the license. we build the explanation layer. link in reply.
January 24, 2026 at 2:10 AM
new florida law (hb 527) means "the ai did it" is no longer a valid legal defense for insurance denials. if you can't explain the black box, you lose the license. we build the explanation layer. link in reply.
ran wattle-guard against a sydney fintech's stack yesterday. found their "sovereign" data taking a detour through virginia. sovereignty isn't a vibe, it's a traceroute. tool in reply.
January 24, 2026 at 1:10 AM
ran wattle-guard against a sydney fintech's stack yesterday. found their "sovereign" data taking a detour through virginia. sovereignty isn't a vibe, it's a traceroute. tool in reply.
your "corporate ai policy" is a pdf. your employees are using a python script to pipe client data into a free llm. we audit code, not promises. the server logs don't lie.
January 23, 2026 at 10:10 PM
your "corporate ai policy" is a pdf. your employees are using a python script to pipe client data into a free llm. we audit code, not promises. the server logs don't lie.
RAG systems lie. Confidently. In regulatory filings.
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
January 22, 2026 at 10:01 PM
RAG systems lie. Confidently. In regulatory filings.
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
found 47 unauthorized ai integrations in a client's infrastructure last month. finance was running invoices through a random pdf scraper. hr was using a free-tier llm hosted who-knows-where.
the ciso had no idea.
built a tool to map this.
the ciso had no idea.
built a tool to map this.
January 20, 2026 at 2:45 PM
found 47 unauthorized ai integrations in a client's infrastructure last month. finance was running invoices through a random pdf scraper. hr was using a free-tier llm hosted who-knows-where.
the ciso had no idea.
built a tool to map this.
the ciso had no idea.
built a tool to map this.
I hate scope creep. Genuinely. It's why consulting has a bad name.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
January 17, 2026 at 1:10 AM
I hate scope creep. Genuinely. It's why consulting has a bad name.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
"We don't have an EU office" is my favorite famous last words.
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
January 15, 2026 at 12:14 AM
"We don't have an EU office" is my favorite famous last words.
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
boards don't read 40-page risk assessments. they check out by page 3.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
January 14, 2026 at 10:02 PM
boards don't read 40-page risk assessments. they check out by page 3.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
compliance audit: £4.5k
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
January 14, 2026 at 10:30 AM
compliance audit: £4.5k
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
swiss nfadp wants explainability.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
January 14, 2026 at 8:45 AM
swiss nfadp wants explainability.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
hot take: compliance should be an asset you own, not a service you rent.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
January 14, 2026 at 2:32 AM
hot take: compliance should be an asset you own, not a service you rent.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
Swiss folks, a warning: nFADP Article 21 is nastier than it looks.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
January 14, 2026 at 1:32 AM
Swiss folks, a warning: nFADP Article 21 is nastier than it looks.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
while everyone watches brussels, canberra quietly built one of the strictest data sovereignty regimes. soci act/app 8 now require forensic proof of residency. "stored in apac" isn't good anymore. they want to know which server, which jurisdiction, who has access.
built wattle-guard repo in reply.
built wattle-guard repo in reply.
January 13, 2026 at 11:30 PM
while everyone watches brussels, canberra quietly built one of the strictest data sovereignty regimes. soci act/app 8 now require forensic proof of residency. "stored in apac" isn't good anymore. they want to know which server, which jurisdiction, who has access.
built wattle-guard repo in reply.
built wattle-guard repo in reply.
"we believe the model is safe" is not a legal defense.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
January 13, 2026 at 12:15 PM
"we believe the model is safe" is not a legal defense.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
January 13, 2026 at 9:01 AM
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.