AnthonyD.C.
@anthonydc81.bsky.social
AI Governance Architect. Auditing US Vendors for Swiss Banking Compliance.

🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
"We don't have an EU office" is my favorite famous last words.

Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.

Geography is dead. Jurisdiction is everything.

#EUAIAct
January 15, 2026 at 12:14 AM
boards don't read 40-page risk assessments. they check out by page 3.

what works: one page. red/amber/green. that's it.

red = stop immediately
amber = fix within 30 days
green = proceed

released a sanitized template. link in reply.
January 14, 2026 at 10:02 PM
compliance audit: £4.5k
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m

governance isn't a cost center. it's the cheapest insurance you can buy.
January 14, 2026 at 10:30 AM
swiss nfadp wants explainability.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.

one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
January 14, 2026 at 8:45 AM
hot take: compliance should be an asset you own, not a service you rent.

released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)

repos in reply. use them. fork them. improve them.
January 14, 2026 at 2:32 AM
Swiss folks, a warning: nFADP Article 21 is nastier than it looks.

You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.

One firm just ate CHF 250k because their vendor was a black box.

If you can't explain the sausage, don't serve it.
January 14, 2026 at 1:32 AM
while everyone watches brussels, canberra quietly built one of the strictest data sovereignty regimes. soci act/app 8 now require forensic proof of residency. "stored in apac" isn't good anymore. they want to know which server, which jurisdiction, who has access.
built wattle-guard. repo in reply.
January 13, 2026 at 11:30 PM
"we believe the model is safe" is not a legal defense.

built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.

turns "we think it works" into "here's the quantified error rate."

repo in reply.
January 13, 2026 at 12:15 PM
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.

a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.

penalty. ai offline. still.
January 13, 2026 at 9:01 AM
read your ai vendor's indemnity clause carefully.

almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.

a zurich client learned this for €850k. the vendor was safe in california.

check your jurisdiction clause before renewal.
January 12, 2026 at 11:14 PM
People ask why we use particle physics protocols for compliance audits. Fair question.

Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.

If you can't prove it to a regulator, you can't deploy it. Full stop.
January 12, 2026 at 10:14 PM
Boards don't read your 40-page technical PDF. They just don't.

You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.

Showed one to a CEO last week. He killed three projects before lunch.

Clarity wins.
January 11, 2026 at 2:30 PM
open sourced the core stack:

- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)

compliance should require evidence, not a retainer.

repos in thread.
January 10, 2026 at 10:01 PM
standard US vendor clause: "customer assumes sole responsibility for compliance with applicable regulations"

translation: they provide software, you absorb enforcement risk.

zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.

swiss risk calculator on HF.
January 10, 2026 at 3:39 PM
Switzerland tightening nFADP. UK rewriting its AI framework. Australia's OAIC suddenly growing teeth.

Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.

I've started calling it the Regulatory Pincer. It's not a compliment.
January 10, 2026 at 2:39 PM
new wattle-guard release

python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.

OAIC now requires evidence of data residency, not vendor attestation.

open source. repo in reply.
January 10, 2026 at 2:10 AM
Got a panicked call from a pharma CEO on Monday. EU AI Act letter had landed.

We scoped the exposure by Tuesday. Fixed it by Wednesday. Total cost: £4.5k.

The fine they sidestepped? North of £400k.

Sometimes the math is just... obvious.
January 10, 2026 at 1:10 AM
"no EU office" does not preclude EU AI Act applicability.

system processes data from munich user? extraterritorial provisions apply. €35M fines or 7% revenue.

UK SaaS company: 40% EU users, zero documentation, unaware of exposure.

geography is not determinative.
January 9, 2026 at 10:01 PM
boards rarely read 40-page technical assessments.

what moves decisions: single-page heatmap. red/yellow/green.

UK industrial client terminated three AI deployments before lunch using this format.

clarity, not volume.
January 9, 2026 at 11:15 AM
nFADP Article 21 requires explainability for automated decisions. in writing. on request.

geneva firm incurred CHF 250k. their AI credit scorer held vendor certification. decision logic remained unexplainable.

certification ≠ compliance

swiss risk calculator maps this gap. HF link in reply.
January 9, 2026 at 2:46 AM
My favorite contract clause: "Customer assumes all responsibility for regulatory compliance in applicable jurisdictions."

Translation: We sell you the software. You eat the fine.

A Zurich client learned this at €850k. Read your T&Cs, people.

#DataSovereignty
January 9, 2026 at 1:46 AM
pushed an update to veritas

RAG hallucination auditor. runs secondary "judge" LLM against AI outputs. flags claims without source data traceability. outputs quantified hallucination rate for board reporting.

evidence, not attestation.

repo in reply.
January 8, 2026 at 10:01 PM
three frameworks tightening simultaneously:
- nFADP (switzerland)
- EU AI Act (extraterritorial)
- SOCI Act (australia)

regulators coordinate across borders. vendor compliance frameworks typically do not.

single-framework approaches fail in at least two regions.
January 8, 2026 at 10:15 AM
recent client engagement:

assessment cost: £4.5k
fine avoided: £400k
M&A deal preserved: £2.8M

compliance functions as insurance when approached as evidence-gathering rather than documentation.

veritas repo in thread.
January 8, 2026 at 9:00 AM
infrastructure review last week identified 47 undocumented AI tools at a single client. finance had deployed three LLM wrappers without security awareness.

78% of enterprises carry similar exposure. regulators call it Shadow AI.

wattle-guard repo maps this. link in reply.
January 8, 2026 at 2:14 AM