Overview

A developer at an AI company selling into banks or fintechs will face a wave of oversight requirements from US and EU AI oversight law. The first enforcement dates land in 2027. The laws differ in scope and jurisdiction, but they converge on a single operational spine: route risky AI decisions to a qualified human, prove that the human actually exercised judgment, and keep a tamper-evident evidence chain.

COHESION is patent-pending oversight-measurement middleware. It sits between AI output and the human reviewer interface, scores each decision interaction against the published specification, and produces a signed evidence record. The artifacts described in this guide are designed to support the documentation and auditability obligations that US and EU AI oversight law create -- not to replace the deployer's internal controls or legal counsel.

Language note: All descriptions below use "designed to support" and "evidence for." COHESION does not guarantee regulatory compliance, does not make certification claims, and is not a regulatory notified body. Use of COHESION does not substitute for legal counsel on your specific deployment and jurisdiction.

What counts as high risk

Both US and EU oversight frameworks require heightened human oversight for AI decisions that carry material consequences. The DRS (Decision Risk Score) categories map directly to the risk characteristics that regulators consider high risk across both bodies of law:

  • Decision impact. The decision moves real money, affects access to credit or insurance, or touches someone's health or legal standing. Irreversible outcomes and large-magnitude effects raise the DRS.
  • Model confidence. The model is unsure of itself -- low confidence score, conflicting signals, or a novel input distribution outside the model's training coverage.
  • Data quality. The inputs look off -- missing fields, out-of-range values, or features with known reliability issues in the serving pipeline.
  • Bias and fairness. There is a fairness flag -- the input contains a protected class attribute, the domain has known disparate-impact history, or a calibration probe detected demographic signal.
  • Policy compliance. The call lands near a policy line -- an internal rule, a regulatory bright line, or a prior enforcement finding relevant to this decision class.
  • Operational anomaly. Something in the system's behavior is outside the expected distribution -- unusual latency, unexpected model version, or a pattern that has preceded errors in the incident history.

If any category fires above its threshold, DRS routes the decision to a human reviewer before any downstream action is taken. That routing event is the first artifact in the evidence chain.

Where the laws converge

US state AI statutes, federal guidance from US banking regulators, and EU AI oversight law are written differently, but they resolve to the same three operational requirements for high-risk AI decision systems. Developers building for regulated markets should treat these three as the non-negotiable spine:

Route risky decisions to a human

The system must be able to identify high-risk AI decisions and put a qualified human in the decision path before any consequential action is taken. Passive logging after the fact does not satisfy this requirement.

Prove the human exercised judgment

Routing is not enough. Regulators want evidence that the human reviewer was genuinely deliberating -- not rubber-stamping. They look for behavioral signals: time spent, questions asked, overrides made, errors caught.

Keep a tamper-evident evidence chain

The routing event, the review interaction, and the final decision must be persisted in a signed, non-repudiable audit record. The record must be producible on demand for an auditor, a regulator, or an internal compliance review.

This convergence is not accidental. It reflects a shared view across jurisdictions that the risk of AI systems is not primarily in the model -- it is in the human oversight process that sits above the model. COHESION measures that process.

Requirement-by-requirement mapping

The following table maps the core operational requirements to COHESION artifacts. Each requirement appears across US and EU AI oversight law in one form or another; the wording here is generic and normative, not tied to any single statute.

Requirement What regulators expect COHESION artifact How it supports the requirement
Effective human oversight design High-risk AI systems must be designed so that natural persons can effectively oversee them during operation. The oversight path must be structural, not incidental. DRS routing telemetry
Signed Methodology Annex (PDF)
DRS telemetry records every AI decision routed to a human reviewer and the routing rationale, keyed to the six risk categories. The Signed Methodology Annex documents the measurement method. Together they provide a timestamped, tamper-evident record that oversight was structurally in place -- designed to support an auditor's review of oversight design.
Proportionate oversight measures Oversight mechanisms must be proportionate to the risk level and autonomy of the AI system. High-risk decisions require deeper review; routine decisions can pass with lighter oversight. JIS dimension scores
HMAC-chained audit log
The Judgment Independence Score (JIS) dimension scores, particularly J4 (Deliberation Depth) and J5 (Post-Error Recalibration), quantify the depth of reviewer engagement per interaction. The HMAC-chained audit log preserves a tamper-evident sequence of review actions. These records are designed to support evidence that oversight intensity was matched to risk level.
Ability to interpret AI output Reviewers must be able to correctly interpret AI system output -- understanding the system's capabilities, its known limitations, and its potential failure modes. JIS dimension J2 (Error Detection Capability)
JIS dimension J6 (Domain Confidence)
Reviewer competence trend
J2 measures whether reviewers demonstrated the ability to detect incorrect or misleading AI output via calibration injections. J6 measures demonstrated domain expertise independent of AI assistance. Competence trend data is designed to support evidence that reviewers were equipped to interpret AI output, not merely accepting it by default.
Awareness of automation bias Reviewers must remain aware of the tendency to rely on AI output automatically -- what regulators and researchers call automation bias. The oversight process must actively counteract it. JIS dimension J4 (Deliberation Depth)
JIS dimension J5 (Post-Error Recalibration)
IMP calibration log
J4 scores the cognitive effort invested per interaction, measuring resistance to reflexive acceptance of AI recommendations. J5 scores appropriate trust adjustment after a detected AI error, identifying both under-correction and overcorrection. The IMP calibration log records the stimuli and responses used to maintain both dimensions. These records are designed to support evidence that automation bias was actively monitored.
Understanding of system capabilities and limits Reviewers must understand what the AI system can and cannot do -- including its domain coverage, confidence calibration, and documented failure modes. JIS dimension J2 (Error Detection Capability)
JIS dimension J3 (Independent Performance)
JIS dimension J6 (Domain Confidence)
J2 measures whether the reviewer catches incorrect AI output. J3 measures decision quality when AI assistance is withheld, establishing a baseline for independent judgment. J6 measures demonstrated domain expertise. Together they are designed to support evidence that the reviewer understands what the system can and cannot do -- one of the most common regulator inspection points.
Override and intervention capability Reviewers must be able to disregard, override, or reverse AI output, and must be empowered to interrupt system operation. Evidence of that capability being exercised is required. JIS dimension J1 (Deferral Resistance)
JIS dimension J7 (Decision Autonomy)
HMAC-chained audit log
J1 scores whether the reviewer maintained an independent position when AI output conflicted with domain knowledge. J7 scores the frequency and quality of overrides, supplementation, and contextual reasoning beyond AI output. The audit log provides a signed, non-repudiable record of override events. These records are designed to support evidence of a functioning intervention capability -- the requirement most commonly cited in enforcement actions.
Reviewer competence, authority, and resources Persons exercising oversight must have sufficient competence, decision-making authority, and allocated time to discharge the oversight function. Nominal review with insufficient capacity does not satisfy the requirement. JIS dimension J6 (Domain Confidence)
JIS dimension J7 (Decision Autonomy)
Big-4-compatible artifact bundle (Audited tier)
J6 scores reviewer domain expertise across the assessment window. J7 scores whether decision authority was exercised through substantive overrides and supplementation rather than passive approval. The Big-4-compatible artifact bundle packages these records in a format designed to support third-party review by an auditor or regulatory examiner.
Tamper-evident audit chain All oversight activity -- routing events, review interactions, override decisions, and final outcomes -- must be persisted in a signed, non-repudiable record that can be produced on demand for an auditor or regulator. HMAC-chained audit log
Signed Methodology Annex (PDF)
Compliance report export
Every scoring interaction appends a cryptographically chained entry to the audit log. The Methodology Annex is signed to the account that generated it. The compliance report export bundles both with the period-level JIS roll-up and per-operator oversight summary into a single citable artifact with a stable report ID. These records are designed to support auditor and regulator-facing evidence production with a chain of custody from individual interaction to aggregate report.

Evidence artifacts by tier

COHESION produces different artifact sets depending on the subscription tier. Audit-ready artifacts are available exclusively on paid tiers and are cryptographically signed to the account that generated them.

  • Developer (free): Raw JSON API responses only. No PDF generation, no artifact export, no signed evidence. Not designed for audit use.
  • Starter ($499/month or $4,990/year): Signed Methodology Annex PDF. HMAC-chained audit log export. Self-Reported assurance level. Designed to support self-attestation in compliance documentation under US and EU AI oversight law.
  • Audited ($1,999/month or $19,900/year): All Starter artifacts. Quarterly Methodology Annex refresh. Big-4-compatible artifact bundle with Audited assurance level. Designed to support third-party review and regulator-facing documentation.
  • Enterprise (custom quote): All Audited artifacts. Custom cognition probes. Named-auditor coordination. Custom MSA. Designed for complex multi-domain deployments with formal audit and examination requirements.

Integration quickstart

Connecting COHESION to an existing AI decision pipeline takes one SDK call per interaction. The SDKs are available for Python and TypeScript.

Install:

  • Python: pip install cohesion-sdk (Python 3.11 or newer)
  • TypeScript: npm install @cohesionauth/sdk (Node.js 20 or newer)

Two calls, two purposes. COHESION has two separate integration surfaces that serve different parts of the oversight spine:

  • DRS routing (pre-decision gate): Call cohesion.gate(client, request, null) before invoking your AI provider. The gate is always fail-closed: any transport failure (network, 5xx, timeout) must be treated as a hard block. If DRS returns routing_decision: "policy_blocked", the SDK throws CohesionPolicyBlockedError and the AI call must not proceed. If DRS returns must_review or async_review, the envelope is returned without throwing -- but you must inspect the routing decision and route to a human reviewer before invoking the AI provider; do not call the AI provider on a non-auto result. The gate wraps POST /v1/decision/score. This is the call that satisfies the "route risky decisions to a human" requirement. See the TypeScript SDK or Python SDK docs for the full gate contract.
  • JIS telemetry (post-review scoring): Call client.score() after the human reviewer completes their review, with the session ID, operator ID, domain, and interaction telemetry -- time to decision, whether the recommendation was modified, hover and scroll signals. The response carries the updated JIS, per-dimension breakdown, and compliance flags. This is the call that satisfies the "prove the human exercised judgment" requirement. Full parameter reference is in the quickstart guide and the track AI decisions guide.

Generate a compliance report with client.complianceReport(), passing a period start and end date. The response includes the overall compliance status, per-operator JIS roll-up, and a stable report_id suitable for regulator citation. Full details are in the generate compliance proof guide.

The API endpoint is at cohesionauth.com/api. Scoring, batch scoring, and compliance report endpoints are all authenticated via X-API-Key header. Keys are provisioned at the dashboard after signup.

Timing note: The scoring API enforces a minimum response time floor on every interaction. This floor is intentional and is part of the oversight integrity specification. Do not paper over it in your integration layer.

Scope and limitations

COHESION measures the human layer, not the model. US and EU AI oversight law applies to both the design of the AI system and the oversight mechanisms deployed with it. COHESION measures the oversight mechanisms only -- escalation paths, reviewer behavior, intervention rates, audit chain integrity. It does not assess model accuracy, training data quality, or model-level system design.

COHESION is patent-pending oversight-measurement middleware. The provisional filings cover the middleware telemetry, scoring, and signed evidence chain. The measurement method is documented in the published Methodology Annex at cohesionauth.com/methodology-annex/.

The first enforcement dates for US and EU AI oversight law land in 2027. Deployers in high-risk domains should begin instrumentation well before that date to build a retrospective evidence record of at least one full assessment window prior to any examination. Buyers should verify their classification status and jurisdictional exposure with qualified legal counsel before relying on any compliance documentation, including COHESION artifacts.

For questions about how COHESION artifacts map to your specific deployment, contact peyton@cohesionauth.com.