Compliance

Built to support your
AI compliance programme

If you run Claude (or any frontier model) on regulated data, you are operating an AI system under EU and Norwegian law. Kernal is the governance layer that lets you prove how it was used.

Andes Labs · Oslo, Norway

The shift

Regulators do not ask whether you meet your obligations. They ask you to demonstrate it.

Under the GDPR accountability principle (Article 5(2)), transposed into Norwegian law through Personopplysningsloven, the burden of proof sits with the firm. The controller must be able to demonstrate how personal data was handled, with records, logs, and a documented chain of human oversight. This is a standing obligation that activates the moment someone asks.

Kernal turns "we believe we comply" into "here is our evidence." It does not meet your obligations on its own. It supports your compliance programme by capturing, as you work, the proof that regulators expect you to produce on demand.

Kernal does not make Claude smarter. It makes Claude provable.

Three overlapping laws

Three Norwegian and EU regimes govern how AI may be used on regulated data. Aligning with one does not address the others.

EU AI Act (KI-loven)

EEA transposition, Dec 2027

High-risk classification for recruitment and HR systems brings obligations for documentation, risk assessment, and human oversight. Kernal helps you assemble that record as the system is used, not after the fact.

GDPR (Personopplysningsloven)

In force now

The accountability principle (Art 5(2)), rules on automated decisions (Art 22), and the right of access (Art 15) all require you to demonstrate, with evidence, how personal data was handled. Kernal structures that evidence.

Workplace regulation (Arbeidsmiljoloven Ch. 9)

In force now

Introducing AI that changes how staff work is a workplace control measure, triggering a consultation duty (droftingsplikt) with employee representatives. Kernal documents the controls you put in place.

What Kernal provides

Four capabilities that support your compliance programme, built into the architecture rather than bolted on as policy.

Audit trail

Every interaction logged: input context, AI output, human decision, and timestamps. When the regulator asks what your AI saw, the answer is already structured.

Human oversight by design

Review steps are architecturally enforced, not policy-dependent. Removing the human step is not a setting someone can quietly switch off.

Burden-of-proof evidence packages

Generate a report on demand showing what data was used, what the AI produced, and what the human decided. Show your evidence, do not just assert it.

EEA data residency

AWS Fargate eu-west-1 (Ireland). The Data Processing Agreement runs through AWS as an infrastructure provider, not through the model provider whose terms can change with product updates.

See it applied: Executive Search

The clearest worked example is recruitment, where candidate data, automated decisions, and workplace consultation all meet. Our executive search briefing maps the regulatory landscape and shows how the governance layer supports each obligation in practice.

Read the Executive Search briefing

Deploy in your own cloud

Data residency, access controls, and integration detail matter as much as the regulatory framing. The enterprise page covers deployment in your own EEA-resident infrastructure, identity and access, and the evidence packages your DPIA process can draw on.

See deployment detail

Book a compliance readiness session

Thirty minutes to map your AI usage against EU AI Act (KI-loven) and GDPR (Personopplysningsloven) obligations, and to see how the governance layer supports your programme.

Book a session explore@andes.no

kernal.andes.no · Andes Labs · Oslo, Norway