Compliance
Built to support your
AI compliance programme
If you run Claude (or any frontier model) on regulated data, you are operating an AI system under EU and Norwegian law. Kernal is the governance layer that lets you prove how it was used.
Andes Labs · Oslo, Norway
The shift
Regulators do not ask whether you meet your obligations. They ask you to demonstrate it.
Under the GDPR accountability principle (Article 5(2)), transposed into Norwegian law through Personopplysningsloven, the burden of proof sits with the firm. The controller must be able to demonstrate how personal data was handled, with records, logs, and a documented chain of human oversight. This is a standing obligation that activates the moment someone asks.
Kernal turns "we believe we comply" into "here is our evidence." It does not meet your obligations on its own. It supports your compliance programme by capturing, as you work, the proof that regulators expect you to produce on demand.
Three overlapping laws
Three Norwegian and EU regimes govern how AI may be used on regulated data. Aligning with one does not address the others.
EU AI Act (KI-loven)
EEA transposition, Dec 2027
High-risk classification for recruitment and HR systems brings obligations for documentation, risk assessment, and human oversight. Kernal helps you assemble that record as the system is used, not after the fact.
GDPR (Personopplysningsloven)
In force now
The accountability principle (Art 5(2)), rules on automated decisions (Art 22), and the right of access (Art 15) all require you to demonstrate, with evidence, how personal data was handled. Kernal structures that evidence.
Workplace regulation (Arbeidsmiljoloven Ch. 9)
In force now
Introducing AI that changes how staff work is a workplace control measure, triggering a consultation duty (droftingsplikt) with employee representatives. Kernal documents the controls you put in place.
Obligations by industry
The EU AI Act classifies AI uses as high-risk by sector. See the specific obligations for your industry, drawn live from the Kernal compliance graph, with the 2 August 2026 deadline.
Healthcare
Clinical AI, patient data, and the medical-device overlay.
See obligations →
Finance
Credit scoring, insurance pricing, and the high-risk line.
See obligations →
HR & Recruitment
Hiring, performance monitoring, and worker information duties.
See obligations →
Public Sector
Essential public services and the fundamental-rights duty.
See obligations →
Education
Admission, assessment, and exam proctoring.
See obligations →
What Kernal provides
Four capabilities that support your compliance programme, built into the architecture rather than bolted on as policy.
Audit trail
Every interaction logged: input context, AI output, human decision, and timestamps. When the regulator asks what your AI saw, the answer is already structured.
Human oversight by design
Review steps are architecturally enforced, not policy-dependent. Removing the human step is not a setting someone can quietly switch off.
Burden-of-proof evidence packages
Generate a report on demand showing what data was used, what the AI produced, and what the human decided. Show your evidence, do not just assert it.
EEA data residency
AWS Fargate eu-west-1 (Ireland). The Data Processing Agreement runs through AWS as an infrastructure provider, not through the model provider whose terms can change with product updates.
See it applied: Executive Search
The clearest worked example is recruitment, where candidate data, automated decisions, and workplace consultation all meet. Our executive search briefing maps the regulatory landscape and shows how the governance layer supports each obligation in practice.
Read the Executive Search briefing →Deploy in your own cloud
Data residency, access controls, and integration detail matter as much as the regulatory framing. The enterprise page covers deployment in your own EEA-resident infrastructure, identity and access, and the evidence packages your DPIA process can draw on.
See deployment detail →Book a compliance readiness session
Thirty minutes to map your AI usage against EU AI Act (KI-loven) and GDPR (Personopplysningsloven) obligations, and to see how the governance layer supports your programme.
kernal.andes.no · Andes Labs · Oslo, Norway