# VeriGuard AI > AI Governance as a Service — runtime safety & policy enforcement, dual EU AI Act + MDR compliance, GPAI classification, and immutable hash-chained audit trails via 12 enforcement endpoints & MCP for autonomous AI agents, enterprises, and federal contractors. ## Who is VeriGuard AI for? VeriGuard AI is built for CISOs, compliance officers, AI platform teams, model risk managers, procurement officers, medical device manufacturers, and **AI agent developers** at enterprises and federal contractors. Whether you're deploying internal LLMs, selling AI to government agencies, building medical device AI under MDR, or building autonomous agents that need a compliance checkpoint — VeriGuard is the governance API they call before shipping. ## What is VeriGuard AI? VeriGuard AI is an AI Governance as a Service (AGaaS) platform. It provides runtime policy enforcement, deployment blocking, and cryptographic audit trails via a MCP-compatible API. Organizations and AI agents can programmatically enforce compliance with the EU AI Act, MDR, NIST AI RMF, ISO 42001, ISO 13485, SOC 2, SOX, and FedRAMP. ## Core Capabilities - **AI Governance API**: MCP-compatible JSON-RPC 2.0 endpoint exposing 11 governance tools for AI agents across 12 enforcement endpoints. - **Dual EU AI Act + MDR Compliance**: The only platform with integrated conformity assessment covering 9-step EU AI Act journey and 7-phase MDR lifecycle for medical device AI. - **GPAI Classification**: Systemic risk detection at 10²⁵ FLOPS threshold with auto-generated transparency obligations and required disclosures. - **Conformity Assessment**: Risk classification across Class I–III with dual-compliance matrix for AI medical devices. - **QMS Validation**: ISO 13485 quality management and Article 17 AI Act requirements verified in a single API call. - **Incident & Vigilance Reporting**: Article 73 compliance with severity-based deadlines (2/15/30 days), MIR and FSCA templates, SHA-256 hash-chained audit trails. - **Data Governance Checks**: Article 10 checks for bias, representativeness, and medical-specific PII consent with training data quality gates. - **Registration Readiness**: EUDAMED and EU Database field templates with UDI-DI validation and Notified Body readiness checks. - **AI System Registry**: Register, classify, and manage AI systems by business criticality. - **Agent Registry**: Centralized lifecycle management for autonomous AI agents with trust scoring, risk classification, and self-registration via MCP. - **Risk Register**: Track identified risks with impact/likelihood scoring and assign mitigations. - **Compliance Scoring API**: Real-time compliance scores across multiple regulatory frameworks, callable by agents. - **Control Library**: 8 control families (GOV, RISK, DATA, MODEL, DEPLOY, MONITOR, INCIDENT, HUMAN) mapped to regulatory requirements. - **Evidence Management**: Upload, review, and track evidence items against controls for audit readiness. - **Change Management**: Collaborative approval workflows with assigned reviewers for model and system changes. - **Incident Management**: Log and track AI incidents with severity levels, corrective actions, and timelines. - **Drift Detection**: Monitor model performance drift with configurable thresholds and automated alerts. - **Pre-Deployment Testing**: Bias, hallucination, PII, safety, and performance test suites with real-time gate status panels. - **Patent Claim Test Suite**: Automated end-to-end verification of all patent claims with downloadable audience-specific reports. - **Runtime Models & Kill Switch**: View deployed models, inference audit trails, and emergency kill-switch controls. - **Cryptographic Audit Log**: Immutable hash-chained audit trail with SHA-256 binding — DB-level mutation prevention blocks UPDATE/DELETE. - **AI Bill of Materials (AI-BOM)**: Generate and export AI Bills of Materials in SPDX/CycloneDX formats via API. - **Third-Party Risk Intelligence**: Assess vendor and third-party AI risk. - **Normalized Cross-Framework Reporting**: Single unified report merging compliance data across EU AI Act, MDR, NIST AI RMF, ISO 42001, ISO 13485, FedRAMP, SOC 2, and SOX. - **Agent Delegation Chain Tracking**: Cryptographically record multi-agent orchestration hierarchies with lineage-complete audit trails. ## Supported Regulatory Frameworks - EU AI Act (including GPAI provisions) - Medical Device Regulation (MDR) — Articles 87-92 vigilance reporting - ISO 13485 — Quality Management Systems for Medical Devices - NIST AI Risk Management Framework (AI RMF) - ISO/IEC 42001 - SOC 2 for AI Systems - SOX (Sarbanes-Oxley) - FedRAMP (AI-specific controls) ## Key Differentiators 1. **Only Dual EU AI Act + MDR Platform**: Integrated conformity assessment with 9-step EU AI Act + 7-phase MDR lifecycle — no other governance platform covers both. 2. **Governance as a Service**: API-first — 12 enforcement endpoints callable by any agent or system. 3. **MCP-Compatible**: AI agents (Claude, GPT, custom) call 11 governance tools natively via Model Context Protocol. 4. **Runtime Enforcement**: Policies enforced at inference time, not just documented. 5. **GPAI Systemic Risk Classification**: Automated classification with transparency obligation generation. 6. **Medical Device AI Governance**: Conformity assessment, QMS validation, vigilance reporting, registration readiness — purpose-built for MDR. 7. **Immutable Hash-Chained Audit Ledger**: Every enforcement decision SHA-256 hashed and chained — tamper-resistant and mutation-blocked at DB level. 8. **Kill Switch**: Emergency shutdown for deployed AI models with full audit trail (<2s response). 9. **Patent-Protected Architecture**: U.S. provisional patent pending (No. 63/983,107). ## 13 Public API Endpoints Base URL: `https://awgpbmiaoqcvcdjbkghc.supabase.co/functions/v1` Authoritative spec (always current): `GET /openapi` | # | Endpoint | Method | Auth | Purpose | |---|----------|--------|------|---------| | 1 | `/health` | GET | none | Service health & endpoint directory | | 2 | `/openapi` | GET | none | OpenAPI 3.1 spec (source of truth) | | 3 | `/v1-bootstrap` | POST | JWT/API | One-call onboarding: org + owner membership + project + envs | | 4 | `/evaluate-policy` | POST | JWT/API | Runtime policy gates with cryptographic hashing | | 5 | `/calculate-compliance` | POST | JWT/API | Multi-framework compliance scoring | | 6 | `/generate-report` | POST | JWT/API | Audit packages (two-step flow — see /llms-full.txt) | | 7 | `/generate-bom` | POST | JWT/API | AI Bill of Materials (SPDX 2.3 / CSV) | | 8 | `/conformity-check` | POST | JWT/API | EU AI Act 9-step + MDR 7-phase conformity | | 9 | `/gpai-check` | POST | JWT/API | GPAI systemic-risk classification (Art. 52-55) | | 10 | `/incident-report` | POST | JWT/API | Article 73 incident + MDR vigilance (MIR/FSCA) | | 11 | `/data-governance-check` | POST | JWT/API | Article 10 data governance (EU AI Act + MDR) | | 12 | `/qms-check` | POST | JWT/API | QMS validation (Art. 17 + ISO 13485) | | 13 | `/registration-readiness` | POST | JWT/API | EUDAMED & EU AI Database readiness | Auth: `Authorization: Bearer ` (Supabase JWT) **or** `X-API-Key: vg_live_...` ## AI Agent Integration (MCP) VeriGuard exposes 11 governance tools via MCP (Model Context Protocol): - `veriguard_evaluate_policy` — Runtime policy check with cryptographic hash - `veriguard_calculate_compliance` — Multi-framework compliance scoring - `veriguard_generate_report` — Audit-ready report generation - `veriguard_generate_bom` — AI Bill of Materials in SPDX/CycloneDX - `veriguard_register_agent` — Agent self-registration with delegation chain binding - `veriguard_conformity_check` — EU AI Act + MDR conformity assessment - `veriguard_gpai_check` — GPAI systemic risk classification - `veriguard_incident_report` — Incident & vigilance reporting - `veriguard_data_governance_check` — Article 10 data governance - `veriguard_qms_check` — ISO 13485 + Article 17 QMS validation - `veriguard_registration_readiness` — EUDAMED registration readiness MCP Endpoint: `https://www.veriguard-ai.com/functions/v1/mcp-server` Authentication: API key (`X-API-Key` header) • Protocol: JSON-RPC 2.0 • Claude Desktop ready ## Resources - [Platform Overview](/platform) — Complete visual breakdown of all VeriGuard AI capabilities. - [Developer Integration](/developers) — MCP, REST, LangChain, CrewAI examples + live OpenAPI link. - [The Coming Procurement Bottleneck in AI Adoption](/resources/procurement-bottleneck) — Whitepaper on compliance friction. - [EU AI Act Compliance Checklist](/resources/eu-ai-act-checklist) - [NIST AI RMF Implementation Guide](/resources/nist-ai-rmf) - [AI Bill of Materials Guide](/resources/ai-bom-guide) - [Kill Switch Enforcement Patterns](/resources/kill-switch-enforcement) - [Normalized Cross-Framework Reporting](/resources/normalized-reporting) - [Cryptographic Audit Ledger Architecture](/resources/cryptographic-audit-ledger) ## Frequently Asked Questions Full FAQ available at: /faq (20 questions covering platform capabilities, compliance frameworks, pricing, and agent integration) ## Patent Status VeriGuard AI's runtime multi-framework governance architecture — enabling autonomous agents to dynamically invoke normalized compliance evaluation with deterministic fail-closed enforcement and tamper-evident decision lineage — is the subject of a pending U.S. provisional patent application (No. 63/983,107, filed February 14, 2026). ## Contact Website: https://www.veriguard-ai.com ## Extended Documentation For comprehensive product documentation including full per-endpoint request schemas and curl examples (550+ lines), see: /llms-full.txt