When to use which.
| Pack | Audience | Frequency | Inputs |
|---|---|---|---|
| EU AI Act Article 12 | EU AI Office / national supervisor | On request or annual | Agent + period |
| ICO Subject Access | DPO / ICO / data subject | Per SAR request | Data subject ID + period |
| FCA SYSC 15A | FCA supervisor / s166 reviewer | Annual or on request | Period |
| NIST AI RMF | US-aligned reviewers, federal contracting | Annual | Period |
| Insurance Claim | Lloyd's broker / cyber underwriter | Per incident | Incident window (+ optional agent / subject) |
| Board / Audit Committee | Board / audit committee | Quarterly | Quarter period |
How to generate.
- Sign in to /dashboard/.
- Open Evidence packs.
- Click the pack card for the pack you want.
- Fill the form (the dates default to the last 30 days; change them).
- Click Generate & open. A new tab opens with the printable HTML pack.
- In the browser, choose File → Print → Save as PDF. That PDF is the deliverable.
The same packs are available via REST API for build-pipeline automation — see REST API → Export packs.
Pack-specific notes.
EU AI Act Article 12 — record-keeping evidence
What the AI Office asks for under the August 2026 deadline. One pack per high-risk system per period.
- Inputs: the agent_id (one high-risk system at a time), period from/to.
- Eight pages: cover, executive summary, system inventory, operational summary, decision drift, tool denials, integrity, manifest + sign-off.
- Tip: generate quarterly even if not asked — pre-generated packs surface drift trends you'd otherwise miss.
ICO Subject Access Request (UK GDPR Article 15)
The pack to send the DPO when a data subject asks "what AI processed my data?". Resource-centric, not agent-centric.
- Inputs: the data subject's resource_id (your customer/user identifier as it appears in receipts), period.
- What to expect: categories of personal data processed, recipients, retention, and the full action ledger paginated 40 rows per page.
- Article 22 ADM: any decisions with confidence + outcome attached are highlighted for the automated-decision-making disclosure obligation.
FCA SYSC 15A — operational resilience
For UK FCA-regulated firms. Maps receipts to SYSC 4, 8 and 15A obligations plus PRA SS1/21.
- Inputs: period.
- Key sections: Important Business Services mapping template (firm completes), latency p50/p95/p99, degraded-service windows (hours with ≥10% error rate over ≥5 receipts), recovery evidence.
- For an s166 review: generate for the full year preceding the skilled-person engagement; the rolling baselines surface anomalies the reviewer might otherwise miss.
NIST AI RMF — Govern / Map / Measure / Manage
Evidence organised under NIST AI 100-1's four functions. The format US-aligned reviewers expect.
- Inputs: period.
- Mapping: policy declarations land under GOVERN; classification touches land under MAP; the full measurement window is MEASURE; material events resolved/open are MANAGE.
- Pairs well with: your firm's separate NIST AI RMF profile document — this pack provides the runtime evidence the profile references.
Insurance Claim — cyber / E&O
Incident-centric. The pack reconstructs every AI action that occurred during a declared incident window.
- Inputs: incident window (from/to). Optional agent_id and resource_id narrow the scope.
- Sections: insured's statement template, incident timeline (top 40 receipts chronologically), material events during the window, affected subjects, integrity proof.
- Workflow: generate immediately on incident detection; lodge with the broker alongside the notification.
Board / Audit Committee — quarterly governance
The non-technical summary for board packs. Tenant-wide, no jargon, ~7 pages.
- Inputs: quarter from/to.
- Sections: executive summary, agent inventory (top 20), material events resolved/open, compliance posture (which packs have been issued), CISO sign-off.
- Cadence: schedule for the day before each board meeting; the cover page carries the quarter as the title.
Manifest + verification.
Every pack includes a JSON manifest with the SHA-256 of every receipt and the RFC 3161 notarisation tokens. Auditors verify offline using the agentaudit verify CLI:
```
pip install agentaudit
agentaudit-verify ./eu-ai-act-12-pack.json
```
Exit code 0 on a clean chain; 1 on first break with the failing event_id printed to stderr. Never contacts Agent Audit.
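To show what an offline check of this kind involves, here is an added example; it is not the agentaudit tool's code or its manifest schema. The field names (`receipts`, `sha256`, `prev_sha256`), the canonical-JSON digest and the hash linkage between entries are assumptions, and the RFC 3161 tokens are not validated here.

```python
import hashlib
import json
import sys
from typing import Optional

def receipt_digest(receipt: dict) -> str:
    # Assumption: digest is SHA-256 over canonical JSON (sorted keys, no spaces).
    blob = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_manifest(receipts: list) -> dict:
    # Constructed stand-in for a pack manifest; field names are hypothetical.
    entries, prev = [], None
    for r in receipts:
        digest = receipt_digest(r)
        entries.append({"event_id": r["event_id"], "sha256": digest, "prev_sha256": prev})
        prev = digest
    return {"receipts": entries}

def first_break(manifest: dict, receipts: list) -> Optional[str]:
    """Return the event_id at the first break, or None for a clean chain."""
    by_id = {r["event_id"]: r for r in receipts}
    prev = None
    for entry in manifest["receipts"]:
        receipt = by_id.get(entry["event_id"])
        if receipt is None:                             # receipt withheld or deleted
            return entry["event_id"]
        if receipt_digest(receipt) != entry["sha256"]:  # receipt content altered
            return entry["event_id"]
        if entry["prev_sha256"] != prev:                # entry dropped or reordered
            return entry["event_id"]
        prev = entry["sha256"]
    return None

def exit_code(manifest: dict, receipts: list) -> int:
    # Mirrors the exit codes described above: 0 clean, 1 with event_id on stderr.
    broken = first_break(manifest, receipts)
    if broken is not None:
        print(broken, file=sys.stderr)
        return 1
    return 0

# Constructed sample receipts (not real Agent Audit data).
SAMPLE_RECEIPTS = [
    {"event_id": "evt-001", "agent_id": "agent-a", "outcome": "allowed"},
    {"event_id": "evt-002", "agent_id": "agent-a", "outcome": "denied"},
    {"event_id": "evt-003", "agent_id": "agent-b", "outcome": "allowed"},
]

if __name__ == "__main__":
    sys.exit(exit_code(build_manifest(SAMPLE_RECEIPTS), SAMPLE_RECEIPTS))
```

Hashes alone only prove the receipts match the manifest they came with; a check of the notarisation tokens is what ties that manifest to a point in time.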
Sharing with auditors.
- Read-only API key: create a key with only `read` scope in Settings → API keys, share with the auditor so they can pull packs without seeing the dashboard.
- One-off PDF: Print → Save as PDF from the generated HTML pack.
- Machine-readable bundle: the manifest JSON is the auditor's reproducibility artefact — share alongside the PDF.