For global audit practices · AI Act notified bodies · AI ethics & risk consultancies

AI Act readiness, vendor-neutral.

An open spec and a CLI your audit practice can include in client deliverables without lock-in.

Falsify publishes PRML, a CC BY 4.0 specification for pre-registered machine-learning evaluation manifests, plus four byte-equivalent MIT-licensed reference implementations. It is the layer your AI Act readiness engagements can deploy inside the client environment, cite in the final report, and leave behind for the regulator — without buying SaaS licenses, without naming a vendor, without your team writing the standard from scratch.

01 The problem this solves

A client retains your practice for AI Act readiness. They want evidence aligned to Article 12 (automatic logging), Article 17 (quality management), and Article 18 (ten-year retention). Often a high-risk Annex III system. Often six figures of fee at stake.

You build a custom deliverable each time. The deliverable looks competent. Then the client’s general counsel asks the unanswerable question: is this an industry-recognized format? If the template was authored inside your firm for this engagement, the answer is no. If you cite a proprietary tool, the answer becomes a procurement conversation you did not want.

PRML is a published specification with a Zenodo DOI, a CC BY 4.0 license, four reference implementations that produce byte-equivalent output, and an Article 12 / 17 / 18 / 50 / 72 / 73 crosswalk under public review. Your deliverable cites the spec. The artifacts are reproducible offline by the notified body. No proprietary tooling enters the client’s environment.

02 What audit firms get

03 What we do not do

04 How a Big 4 engagement uses PRML

  1. During client discovery, identify which Article 12, 17, and 18 evidence the client currently cannot produce for in-scope ML evaluation claims.
  2. Lock a PRML manifest for each in-scope claim during the engagement — metric, comparator, threshold, dataset hash, seed, producer identity — bound to a single SHA-256.
  3. Verify with the CLI (falsify verify) before the regulator does. Exit codes are deterministic: 0 PASS, 10 FAIL, 3 TAMPERED, 11 GUARD.
  4. Cite the specification (spec.falsify.dev/v0.1) and the Zenodo DOI in your final report’s technical-documentation appendix.
  5. Hand the manifest hashes and chain hash to the client for ongoing CI integration and post-market monitoring under Article 72.
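
The lock-then-verify idea from steps 2 and 3, as an added Python illustration that is not the Falsify CLI or the PRML reference code. The field names, the sorted-key JSON canonical form and the comparator set are assumptions; only the exit codes 0, 10 and 3 come from the page, and 11 GUARD is left out because the page does not define it.

```python
import hashlib
import json

# Exit codes as listed on the page for `falsify verify`.
PASS, FAIL, TAMPERED = 0, 10, 3

# Comparators assumed for illustration; the PRML set is not given on the page.
COMPARATORS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}

def lock(manifest: dict) -> str:
    """Bind every manifest field to one SHA-256 digest.

    The canonical form here is sorted-key, compact JSON (an assumption,
    not the PRML serialization).
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify(manifest: dict, locked_digest: str, observed: float) -> int:
    """Check integrity first, then the pre-registered claim."""
    if lock(manifest) != locked_digest:
        return TAMPERED  # some field changed after the lock
    holds = COMPARATORS[manifest["comparator"]](observed, manifest["threshold"])
    return PASS if holds else FAIL

# Constructed sample manifest; every value is a placeholder.
MANIFEST = {
    "metric": "accuracy",
    "comparator": ">=",
    "threshold": 0.90,
    "dataset_sha256": hashlib.sha256(b"constructed-eval-set").hexdigest(),
    "seed": 42,
    "producer": "example-lab",
}
DIGEST = lock(MANIFEST)

if __name__ == "__main__":
    print("locked:", DIGEST)
    print("met threshold:", verify(MANIFEST, DIGEST, 0.93))
    print("missed threshold:", verify(MANIFEST, DIGEST, 0.87))
    # Lowering the bar after seeing 0.87 changes the digest.
    moved = dict(MANIFEST, threshold=0.85)
    print("threshold moved after lock:", verify(moved, DIGEST, 0.87))
```

Because the threshold, dataset hash and seed all feed the digest, a result that missed the pre-registered bar cannot be turned into a pass by editing the manifest afterwards: the edit surfaces as TAMPERED rather than PASS.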

The full Article-by-article mapping, with coverage scoring per obligation and open legal questions, is at spec/compliance/AI-Act-mapping-v0.1.md. The v0.2 freeze is targeted 2026-05-22; substantive comments on the clause-level bindings carry weight until that date.

05Partnership

We do not pay for placements and we do not accept payment for inclusion. We do publish a Featured implementers page for firms that contribute back: a notified-body case study, a clause-level mapping document against your existing methodology, or a written RFC comment on the v0.2 draft. Anything that improves the spec is in scope. Anything that brands the spec is not.

Write to [email protected] with subject prefix [AUDIT-FIRM] and one written question. Expect a written response within two working days.