AICVS scans your source code for AI-related compliance signals, maps each finding to a specific article of the AI Act, and produces SHA-256-sealed evidence artefacts that support — and are designed to slot into — the technical documentation your compliance officer is already preparing.
It's a tool, not a substitute for a compliance officer. Read what we do and don't do below.
If you're a 10-to-200-person EU company building software that uses AI, the existing market gives you two options. Free generic SAST tools that don't understand the AI Act. Or six-figure GRC platforms aimed at multinationals.
AICVS sits between them. One thing, done well — code-level signal detection mapped to specific articles of Regulation (EU) 2024/1689, with cryptographic evidence chains that your compliance officer or external auditor can use as input to the technical file.
Built and operated in Limerick, Ireland — same time zone, same regulatory regime, same currency.
From this date, Title III obligations for high-risk AI systems become enforceable. Market surveillance authorities can request your technical documentation. The penalty structure in Article 99 is tiered, and proportionality applies — but documentation gaps are visible to auditors regardless of company size.
Risk management (Art.9), data governance (Art.10), technical documentation (Art.11), transparency (Art.13), human oversight (Art.14), and accuracy/robustness (Art.15) all apply to high-risk systems on the EU market.
Article 113 · entry into applicationTier 1 (Art. 5 prohibited practices): up to €35M or 7% turnover. Tier 2 (most provider obligations): up to €15M or 3%. Tier 3 (incorrect information to authorities): up to €7.5M or 1%. SMEs receive proportionality consideration under Art. 99(6).
Article 99 · penaltiesThe technical file under Art. 11 + Annex IV is what market surveillance reviews. Many smaller deployers underestimate this until they're asked. AICVS produces evidence artefacts that are designed to feed into Annex IV documentation, but a qualified human still has to compile the file.
Article 11 · Annex IVSix layers of detection. Cryptographic sealing. Article-level mapping. Plain-English caveat for every finding. All in EU infrastructure.
Drop a file or hit the API from CI. You can attach system context — intended purpose, Annex III category — to weight findings appropriately.
Regex → AST → stylometry → semantic → SBOM → secrets. 116+ rules across 19 languages. Each rule has a measured false-positive rate.
Every finding cites a specific article and paragraph of Reg (EU) 2024/1689. Mapped to your role: Provider · Deployer · Importer · Distributor.
SHA-256 hash chain · RFC 3161 timestamp · evidence bundle for Annex IV. Verifiable at /verify/{id}.
AI-001 · line 1 · Generated by Copilot FPR 3%
AST-001 · line 89 · exec(template_code) FPR 5%
AI-002 · line 34 · openai.ChatCompletion.create() FPR 12% · context: high-risk
AST-005 · lines 4–5 FPR 15%
STAT-002 · σ²=4.2 FPR 20%
AST-007 · lines 22, 56, 91 FPR 40%
Most compliance tools stop here. We start here, because pretending a scanner can replace a compliance officer is how products end up in cease-and-desist letters.
/verify/{id}.AICVS rules map first to the EU AI Act. Where applicable, the same rule emits cross-references to ISO 42001, ISO 27001, and SOC 2 controls — useful for organisations preparing parallel evidence packs.
Regulation (EU) 2024/1689. Provider, Deployer, Importer, and Distributor obligations. 47 articles mapped across Title III, IV, IX.
First international AI management system standard. AICVS findings cross-map to A.6.1 (assessment), A.6.2 (treatment), A.8.2 (development).
Cybersecurity findings under Art. 15 cross-mapped to A.5.7, A.8.25, A.8.28. Not a substitute for a full ISO 27001 audit.
CC6 (logical access), CC7 (operations), CC8 (change management) referenced where applicable. Useful for US-facing buyers; not an audit substitute.
| Capability | Generic SAST Semgrep, CodeQL |
GRC Platform OneTrust, Drata |
AI text detector GPTZero, Copyleaks |
AICVS |
|---|---|---|---|---|
| Analyses source code | ✓ | ✗ | ✗ Text only | ✓ 19 languages |
| EU AI Act article-level mapping | ✗ | Partial | ✗ | ✓ 47 articles |
| Per-rule false-positive rates | ✗ | ✗ | ✗ | ✓ Calibrated |
| SHA-256 evidence chain + RFC 3161 | ✗ | ✗ | ✗ | ✓ |
| Source code never persisted | ✓ | Stored | Stored | ✓ Memory only |
| EU data residency | Varies | US default | US default | ✓ EU-only |
| Entry price (monthly) | Free / $299 | €5,000+ | €8 | €0 → €199 |
AICVS is a product of Rivoryn Limited, a private company registered in Limerick. We chose Ireland deliberately: the Data Protection Commission supervises our data handling, our infrastructure runs entirely on EU soil, and our regulatory home is the same one that produces the supervisory authorities you'll be answering to.
We are early-stage and we say so plainly. The platform is in active development. Our focus is on making the underlying detection demonstrably accurate, the article mappings demonstrably correct, and the evidence chain demonstrably tamper-evident. We will trade a quieter launch for a defensible product every time.
If you'd like to talk to us before subscribing, write to hello@aicvs.io. We answer.
Five free scans a month, no card required. The first scan tells you more than a hundred-page sales deck. If it's useful, upgrade. If not, you've cost us nothing.