Overview
A developer at an AI company selling into banks or fintechs will face a wave of oversight requirements from US and EU AI oversight law. The first enforcement dates land in 2027. The laws differ in scope and jurisdiction, but they converge on a single operational spine: route risky AI decisions to a qualified human, prove that the human actually exercised judgment, and keep a tamper-evident evidence chain.
COHESION is patent-pending oversight-measurement middleware. It sits between AI output and the human reviewer interface, scores each decision interaction against the published specification, and produces a signed evidence record. The artifacts described in this guide are designed to support the documentation and auditability obligations that US and EU AI oversight law create -- not to replace the deployer's internal controls or legal counsel.
What counts as high risk
Both US and EU oversight frameworks require heightened human oversight for AI decisions that carry material consequences. The DRS (Decision Risk Score) categories map directly to the risk characteristics that regulators consider high risk across both bodies of law:
- Decision impact. The decision moves real money, affects access to credit or insurance, or touches someone's health or legal standing. Irreversible outcomes and large-magnitude effects raise the DRS.
- Model confidence. The model is unsure of itself -- low confidence score, conflicting signals, or a novel input distribution outside the model's training coverage.
- Data quality. The inputs look off -- missing fields, out-of-range values, or features with known reliability issues in the serving pipeline.
- Bias and fairness. There is a fairness flag -- the input contains a protected class attribute, the domain has known disparate-impact history, or a calibration probe detected demographic signal.
- Policy compliance. The call lands near a policy line -- an internal rule, a regulatory bright line, or a prior enforcement finding relevant to this decision class.
- Operational anomaly. Something in the system's behavior is outside the expected distribution -- unusual latency, unexpected model version, or a pattern that has preceded errors in the incident history.
If any category fires above its threshold, DRS routes the decision to a human reviewer before any downstream action is taken. That routing event is the first artifact in the evidence chain.
Where the laws converge
US state AI statutes, federal guidance from US banking regulators, and EU AI oversight law are written differently, but they resolve to the same three operational requirements for high-risk AI decision systems. Developers building for regulated markets should treat these three as the non-negotiable spine:
Route risky decisions to a human
The system must be able to identify high-risk AI decisions and put a qualified human in the decision path before any consequential action is taken. Passive logging after the fact does not satisfy this requirement.
Prove the human exercised judgment
Routing is not enough. Regulators want evidence that the human reviewer was genuinely deliberating -- not rubber-stamping. They look for behavioral signals: time spent, questions asked, overrides made, errors caught.
Keep a tamper-evident evidence chain
The routing event, the review interaction, and the final decision must be persisted in a signed, non-repudiable audit record. The record must be producible on demand for an auditor, a regulator, or an internal compliance review.
This convergence is not accidental. It reflects a shared view across jurisdictions that the risk of AI systems is not primarily in the model -- it is in the human oversight process that sits above the model. COHESION measures that process.
Requirement-by-requirement mapping
The following table maps the core operational requirements to COHESION artifacts. Each requirement appears across US and EU AI oversight law in one form or another; the wording here is generic and normative, not tied to any single statute.
| Requirement | What regulators expect | COHESION artifact | How it supports the requirement |
|---|---|---|---|
| Effective human oversight design | High-risk AI systems must be designed so that natural persons can effectively oversee them during operation. The oversight path must be structural, not incidental. | DRS routing telemetry Signed Methodology Annex (PDF) | DRS telemetry records every AI decision routed to a human reviewer and the routing rationale, keyed to the six risk categories. The Signed Methodology Annex documents the measurement method. Together they provide a timestamped, tamper-evident record that oversight was structurally in place -- designed to support an auditor's review of oversight design. |
| Proportionate oversight measures | Oversight mechanisms must be proportionate to the risk level and autonomy of the AI system. High-risk decisions require deeper review; routine decisions can pass with lighter oversight. | JIS dimension scores HMAC-chained audit log | The Judgment Independence Score (JIS) dimension scores, particularly J4 (Deliberation Depth) and J5 (Post-Error Recalibration), quantify the depth of reviewer engagement per interaction. The HMAC-chained audit log preserves a tamper-evident sequence of review actions. These records are designed to support evidence that oversight intensity was matched to risk level. |
| Ability to interpret AI output | Reviewers must be able to correctly interpret AI system output -- understanding the system's capabilities, its known limitations, and its potential failure modes. | JIS dimension J2 (Error Detection Capability) JIS dimension J6 (Domain Confidence) Reviewer competence trend | J2 measures whether reviewers demonstrated the ability to detect incorrect or misleading AI output via calibration injections. J6 measures demonstrated domain expertise independent of AI assistance. Competence trend data is designed to support evidence that reviewers were equipped to interpret AI output, not merely accepting it by default. |
| Awareness of automation bias | Reviewers must remain aware of the tendency to rely on AI output automatically -- what regulators and researchers call automation bias. The oversight process must actively counteract it. | JIS dimension J4 (Deliberation Depth) JIS dimension J5 (Post-Error Recalibration) IMP calibration log | J4 scores the cognitive effort invested per interaction, measuring resistance to reflexive acceptance of AI recommendations. J5 scores appropriate trust adjustment after a detected AI error, identifying both under-correction and overcorrection. The IMP calibration log records the stimuli and responses used to maintain both dimensions. These records are designed to support evidence that automation bias was actively monitored. |
| Understanding of system capabilities and limits | Reviewers must understand what the AI system can and cannot do -- including its domain coverage, confidence calibration, and documented failure modes. | JIS dimension J2 (Error Detection Capability) JIS dimension J3 (Independent Performance) JIS dimension J6 (Domain Confidence) | J2 measures whether the reviewer catches incorrect AI output. J3 measures decision quality when AI assistance is withheld, establishing a baseline for independent judgment. J6 measures demonstrated domain expertise. Together they are designed to support evidence that the reviewer understands what the system can and cannot do -- one of the most common regulator inspection points. |
| Override and intervention capability | Reviewers must be able to disregard, override, or reverse AI output, and must be empowered to interrupt system operation. Evidence of that capability being exercised is required. | JIS dimension J1 (Deferral Resistance) JIS dimension J7 (Decision Autonomy) HMAC-chained audit log | J1 scores whether the reviewer maintained an independent position when AI output conflicted with domain knowledge. J7 scores the frequency and quality of overrides, supplementation, and contextual reasoning beyond AI output. The audit log provides a signed, non-repudiable record of override events. These records are designed to support evidence of a functioning intervention capability -- the requirement most commonly cited in enforcement actions. |
| Reviewer competence, authority, and resources | Persons exercising oversight must have sufficient competence, decision-making authority, and allocated time to discharge the oversight function. Nominal review with insufficient capacity does not satisfy the requirement. | JIS dimension J6 (Domain Confidence) JIS dimension J7 (Decision Autonomy) Big-4-compatible artifact bundle (Audited tier) | J6 scores reviewer domain expertise across the assessment window. J7 scores whether decision authority was exercised through substantive overrides and supplementation rather than passive approval. The Big-4-compatible artifact bundle packages these records in a format designed to support third-party review by an auditor or regulatory examiner. |
| Tamper-evident audit chain | All oversight activity -- routing events, review interactions, override decisions, and final outcomes -- must be persisted in a signed, non-repudiable record that can be produced on demand for an auditor or regulator. | HMAC-chained audit log Signed Methodology Annex (PDF) Compliance report export | Every scoring interaction appends a cryptographically chained entry to the audit log. The Methodology Annex is signed to the account that generated it. The compliance report export bundles both with the period-level JIS roll-up and per-operator oversight summary into a single citable artifact with a stable report ID. These records are designed to support auditor and regulator-facing evidence production with a chain of custody from individual interaction to aggregate report. |
Evidence artifacts by tier
COHESION produces different artifact sets depending on the subscription tier. Audit-ready artifacts are available exclusively on paid tiers and are cryptographically signed to the account that generated them.
- Developer (free): Raw JSON API responses only. No PDF generation, no artifact export, no signed evidence. Not designed for audit use.
- Starter ($499/month or $4,990/year): Signed Methodology Annex PDF. HMAC-chained audit log export. Self-Reported assurance level. Designed to support self-attestation in compliance documentation under US and EU AI oversight law.
- Audited ($1,999/month or $19,900/year): All Starter artifacts. Quarterly Methodology Annex refresh. Big-4-compatible artifact bundle with Audited assurance level. Designed to support third-party review and regulator-facing documentation.
- Enterprise (custom quote): All Audited artifacts. Custom cognition probes. Named-auditor coordination. Custom MSA. Designed for complex multi-domain deployments with formal audit and examination requirements.
Integration quickstart
Connecting COHESION to an existing AI decision pipeline takes one SDK call per interaction. The SDKs are available for Python and TypeScript.
Install:
- Python:
pip install cohesion-sdk(Python 3.11 or newer) - TypeScript:
npm install @cohesionauth/sdk(Node.js 20 or newer)
Two calls, two purposes. COHESION has two separate integration surfaces that serve different parts of the oversight spine:
- DRS routing (pre-decision gate): Call
cohesion.gate(client, request, null)before invoking your AI provider. The gate is always fail-closed: any transport failure (network, 5xx, timeout) must be treated as a hard block. If DRS returnsrouting_decision: "policy_blocked", the SDK throwsCohesionPolicyBlockedErrorand the AI call must not proceed. If DRS returnsmust_revieworasync_review, the envelope is returned without throwing -- but you must inspect the routing decision and route to a human reviewer before invoking the AI provider; do not call the AI provider on a non-autoresult. The gate wrapsPOST /v1/decision/score. This is the call that satisfies the "route risky decisions to a human" requirement. See the TypeScript SDK or Python SDK docs for the full gate contract. - JIS telemetry (post-review scoring): Call
client.score()after the human reviewer completes their review, with the session ID, operator ID, domain, and interaction telemetry -- time to decision, whether the recommendation was modified, hover and scroll signals. The response carries the updated JIS, per-dimension breakdown, and compliance flags. This is the call that satisfies the "prove the human exercised judgment" requirement. Full parameter reference is in the quickstart guide and the track AI decisions guide.
Generate a compliance report with client.complianceReport(), passing a period start and end date. The response includes the overall compliance status, per-operator JIS roll-up, and a stable report_id suitable for regulator citation. Full details are in the generate compliance proof guide.
The API endpoint is at cohesionauth.com/api. Scoring, batch scoring, and compliance report endpoints are all authenticated via X-API-Key header. Keys are provisioned at the dashboard after signup.
Scope and limitations
COHESION is patent-pending oversight-measurement middleware. The provisional filings cover the middleware telemetry, scoring, and signed evidence chain. The measurement method is documented in the published Methodology Annex at cohesionauth.com/methodology-annex/.
The first enforcement dates for US and EU AI oversight law land in 2027. Deployers in high-risk domains should begin instrumentation well before that date to build a retrospective evidence record of at least one full assessment window prior to any examination. Buyers should verify their classification status and jurisdictional exposure with qualified legal counsel before relying on any compliance documentation, including COHESION artifacts.
For questions about how COHESION artifacts map to your specific deployment, contact peyton@cohesionauth.com.