AnthonyD.C.
@anthonydc81.bsky.social
AI Governance Architect. Auditing US Vendors for Swiss Banking Compliance.

🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
"we believe the model is safe" is not a legal defense.

built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.

turns "we think it works" into "here's the quantified error rate."

repo in reply.
January 13, 2026 at 12:15 PM
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.

a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.

penalty. ai offline. still.
January 13, 2026 at 9:01 AM
read your ai vendor's indemnity clause carefully.

almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.

a zurich client learned this for €850k. the vendor was safe in california.

check your jurisdiction clause before renewal.
January 12, 2026 at 11:14 PM
People ask why we use particle physics protocols for compliance audits. Fair question.

Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.

If you can't prove it to a regulator, you can't deploy it. Full stop.
January 12, 2026 at 10:14 PM
Boards don't read your 40-page technical PDF. They just don't.

You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.

Showed one to a CEO last week. He killed three projects before lunch.

Clarity wins.
January 11, 2026 at 2:30 PM
open sourced the core stack:

- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)

compliance should require evidence, not a retainer.

repos in thread.
January 10, 2026 at 10:01 PM
standard US vendor clause: "customer assumes sole responsibility for compliance with applicable regulations"

translation: they provide software, you absorb enforcement risk.

zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.

swiss risk calculator on HF.
January 10, 2026 at 3:39 PM
Switzerland tightening nFADP. UK rewriting its AI framework. Australia's OAIC suddenly growing teeth.

Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.

I've started calling it the Regulatory Pincer. It's not a compliment.
January 10, 2026 at 2:39 PM
new wattle-guard release

python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.

OAIC now requires evidence of data residency, not vendor attestation.

open source. repo in reply.
January 10, 2026 at 2:10 AM
Got a panicked call from a pharma CEO on Monday. EU AI Act letter had landed.

We scoped the exposure by Tuesday. Fixed it by Wednesday. Total cost: £4.5k.

The fine they sidestepped? North of £400k.

Sometimes the math is just... obvious.
January 10, 2026 at 1:10 AM
"no EU office" does not preclude EU AI Act applicability.

system processes data from munich user? extraterritorial provisions apply. €35M fines or 7% revenue.

UK SaaS company: 40% EU users, zero documentation, unaware of exposure.

geography is not determinative.
January 9, 2026 at 10:01 PM
boards rarely read 40-page technical assessments.

what moves decisions: single-page heatmap. red/yellow/green.

UK industrial client terminated three AI deployments before lunch using this format.

clarity, not volume.
January 9, 2026 at 11:15 AM
nFADP Article 21 requires explainability for automated decisions. in writing. on request.

geneva firm incurred CHF 250k. their AI credit scorer held vendor certification. decision logic remained unexplainable.

certification ≠ compliance

swiss risk calculator maps this gap. HF link in reply.
January 9, 2026 at 2:46 AM
My favorite contract clause: "Customer assumes all responsibility for regulatory compliance in applicable jurisdictions."

Translation: We sell you the software. You eat the fine.

A Zurich client learned this at €850k. Read your T&Cs, people.

#DataSovereignty
January 9, 2026 at 1:46 AM
pushed an update to veritas

RAG hallucination auditor. runs secondary "judge" LLM against AI outputs. flags claims without source data traceability. outputs quantified hallucination rate for board reporting.

evidence, not attestation.

repo in reply.
January 8, 2026 at 10:01 PM
three frameworks tightening simultaneously:
- nFADP (switzerland)
- EU AI Act (extraterritorial)
- SOCI Act (australia)

regulators coordinate across borders. vendor compliance frameworks typically do not.

single-framework approaches fail in at least two regions.
January 8, 2026 at 10:15 AM
recent client engagement:

assessment cost: £4.5k
fine avoided: £400k
M&A deal preserved: £2.8M

compliance functions as insurance when approached as evidence-gathering rather than documentation.

veritas repo in thread.
January 8, 2026 at 9:00 AM
infrastructure review last week identified 47 undocumented AI tools at a single client. finance had deployed three LLM wrappers without security awareness.

78% of enterprises carry similar exposure. regulators call it Shadow AI.

wattle-guard repo maps this. link in reply.
January 8, 2026 at 2:14 AM
Aussie founders, real talk: Your US vendor's SOC2 cert means nothing to the OAIC if it doesn't map to Australian Privacy Principles. You're caught between Silicon Valley's product roadmap and Canberra's new enforcement mood.
Localize your compliance stack or pause the rollout. Those are your options.
January 8, 2026 at 12:24 AM
Ran an audit last month. Found 47 unauthorized AI tools. Forty-seven.

The CISO thought the perimeter was locked down. Meanwhile, accounting was pasting P&L statements into some free ChatGPT wrapper they found on Product Hunt.

We call it Shadow AI. I call it inevitable.
January 8, 2026 at 12:14 AM
AI hallucinations = liability. 🛑

Meet Veritas: A Zero-Trust RAG auditor. It forces AI to cite sources or return "FAIL"—no guessing allowed.

See it reject a "Mars Weather" trick question below. 👇

Demo: huggingface.co/spaces/Cata-...

#AIGovernance #FinTech #RAG #OpenSource
January 7, 2026 at 8:12 PM
Stop shipping AI that lies. 🛑

I built Veritas to audit financial RAG. It forces source citation. If the data isn't there, it FAILS. No guessing.

Demo: huggingface.co/spaces/Cata-Risk-Lab/Veritas-Auditor
Repo: github.com/dcata004/Veritas-RAG-Auditor
January 7, 2026 at 3:15 PM
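The audit loop the veritas posts describe (a judge that flags every answer claim that cannot be traced to a source document and reports a quantified failure rate), as an added example that is not the project's code: the judge LLM is replaced by hypothetical deterministic rules (the cited source must exist, every figure in the claim must appear in it, and most of the claim's content words must too) over a constructed two-document corpus, with the "Mars weather" trick question among the constructed claims.

```python
import re
from dataclasses import dataclass

# Constructed source corpus: the only material the RAG answer is allowed to cite.
SOURCES = {
    "doc-1": "The fund's 2024 management fee is 0.75 percent of net assets.",
    "doc-2": "Redemptions settle within three business days of the request.",
}
STOPWORDS = {"the", "a", "an", "of", "is", "are", "in", "on", "to", "and", "for", "within", "s"}

@dataclass
class Claim:
    text: str
    source_id: str = ""  # empty string: the answer cited nothing for this claim

def keywords(text: str) -> set[str]:
    """Content words and figures of a sentence; '0.75' stays one token."""
    return {w for w in re.findall(r"[a-z0-9]+(?:\.[0-9]+)?", text.lower()) if w not in STOPWORDS}

def judge(claim: Claim, sources: dict[str, str], min_support: float = 0.7) -> str:
    """Deterministic stand-in for the judge LLM (hypothetical rules, not the project's)."""
    if not claim.source_id:
        return "FAIL: no source cited"
    doc = sources.get(claim.source_id)
    if doc is None:
        return "FAIL: cited source does not exist"
    kw, doc_kw = keywords(claim.text), keywords(doc)
    missing_figures = sorted(w for w in kw - doc_kw if any(c.isdigit() for c in w))
    if missing_figures:  # an altered number is the costliest kind of hallucination
        return f"FAIL: figures {missing_figures} not in {claim.source_id}"
    support = len(kw & doc_kw) / max(len(kw), 1)  # share of claim terms found in the source
    if support < min_support:
        return f"FAIL: only {support:.0%} of claim terms found in {claim.source_id}"
    return "PASS"

def hallucination_rate(claims: list[Claim], sources: dict[str, str]) -> tuple[float, list[str]]:
    """Fraction of claims that fail, plus per-claim verdicts for the evidence trail."""
    verdicts = [judge(c, sources) for c in claims]
    failed = sum(v != "PASS" for v in verdicts)
    return (failed / len(claims) if claims else 0.0), verdicts

# Constructed claims: two grounded, one altered figure, one uncited (Mars), one bad citation, one drift.
CLAIMS = [
    Claim("The management fee is 0.75 percent of net assets.", "doc-1"),
    Claim("Redemptions settle within three business days.", "doc-2"),
    Claim("The management fee is 1.5 percent of net assets.", "doc-1"),
    Claim("Average temperature on Mars is minus 60 degrees Celsius."),
    Claim("The fund's custodian is based in Zurich.", "doc-9"),
    Claim("Redemptions settle within thirty calendar days.", "doc-2"),
]
```

Calling `hallucination_rate(CLAIMS, SOURCES)` on the constructed claims fails four of six, so the reported rate is about 67%; the figure check is what catches the changed fee, which plain word overlap alone would have passed.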
Swiss Compliance ≠ US Practice.

Onboarding US AI vendors without Data Sovereignty checks? You are likely non-compliant.

I built a tool at Cata Risk Lab to pre-screen them in 30 seconds.

🛡️ Risk Calculator: huggingface.co/spaces/Cata-...

#nFADP #EUAIAct #Cybersecurity
January 6, 2026 at 7:23 PM