EU AI Act enforcement for high-risk AI systems starts August 2, 2026. If you're running AI in production for hiring, credit scoring, education, or any of the 8 Annex III categories — you'll need to demonstrate compliance. Fines go up to €35M or 7% of global revenue.
I couldn't find a self-hosted, open-source tool that actually does this at the API level. So I built one.
What is Aulite
Aulite is a transparent HTTP proxy that sits between your application and any AI provider. You change one URL in your code — everything else works exactly as before. Behind the scenes, every request and response is analyzed for compliance risks and logged to a tamper-proof audit trail.
Your app talks to Aulite. Aulite talks to your AI provider. In between, it checks for discrimination, prohibited practices, PII leakage, and human oversight violations.
How it works
Setup:
docker run -d -p 3000:3000 -e ANTHROPIC_API_KEY=sk-ant-... el1ght/aulite
Integration:
from openai import OpenAI
client = OpenAI(
base_url="http://localhost:3000/v1",
api_key="your-aulite-key"
)
That's it. Works with OpenAI, Anthropic, Azure, Ollama, vLLM —anything that speaks the OpenAI API format. Auto-routes by model name: claude-* goes to Anthropic, gpt-* goes to OpenAI.
The analysis pipeline
Two layers:
Layer 1 (deterministic, under 5ms): 143 keyword rules across all 8 Annex III domains, matched against specific EU law articles. Plus 11 EU-specific PII patterns (IBAN, national IDs, BSN, NIR, etc.). Context-aware — "single-threaded" won't trigger a discrimination flag, but "is the candidate single?" will.
Layer 2 (optional, 200-500ms): LLM-based semantic analysis for risks that keyword matching can't catch. Runs async in streaming mode so it never blocks the response.
Every check is mapped to a specific legal article. Not "this might be risky" but "this violates Dir. 2000/78/EC; EU Charter Art. 21 — Age discrimination, score 8/10."
Audit trail
Every interaction goes into a SHA-256 hash-chained log. Each entry contains the hash of the previous entry — like a blockchain but in
SQLite. If anyone tampers with a record, the chain breaks. Verifiable at any time via the /verify endpoint.
This satisfies Art. 12 record-keeping requirements. Minimum 6 months retention per Art. 26(6).
What it covers
All 8 EU AI Act Annex III high-risk categories:
- HR and Employment (33 rules) — recruitment, evaluation, promotion, termination
- Finance (13 rules) — credit scoring, insurance, essential services
- Biometrics (12 rules) — identification, categorisation, emotion recognition
- Education (13 rules) — admission, assessment, proctoring
- Critical Infrastructure (12 rules) — safety components, utilities, transport
- Law Enforcement (14 rules) — risk assessment, profiling, evidence
- Migration (13 rules) — asylum, border control, visa processing
- Justice (14 rules) — judicial decision support, dispute resolution
Base rules (Art. 5 prohibitions, GDPR Art. 9 special categories) are always active regardless of which domains you enable.
Dashboard and reports
Built-in React dashboard on the same port. Real-time overview of risk scores, violation categories, and article references.
PDF reports mapped to specific EU AI Act articles:
- Art. 12 Compliance Audit Report
- Art. 27 Fundamental Rights Impact Assessment (pre-filled draft)
- Art. 72 Post-Market Monitoring Report
- Art. 73 Serious Incident Report
Self-hosted only
Everything runs on your infrastructure. Single Docker container. SQLite database. No telemetry, no external calls (except to your AI provider). Your data never leaves your network.
Stack
TypeScript, Hono, SQLite with WAL mode, React, Recharts, pdfkit. 108 tests. SSE streaming support with zero latency penalty — the response streams to your client immediately, compliance analysis runs async after the stream completes.
Open source
14 months until enforcement. If you're building with AI in the EU, I'd appreciate feedback on the rule coverage and overall approach. Especially interested in hearing from anyone who's already dealing with EU AI Act compliance — what's missing?
Top comments (0)