Most compliance programmes produce documents. A policy says data is encrypted. A control narrative says access is restricted. A spreadsheet says the annual review happened. When a supervisory authority asks whether you actually meet an obligation, you hand over the documents and hope the description still matches the system.
The trouble is that systems change faster than documents. Code ships weekly. Configurations drift. A model gets retrained. The PDF that described your controls in January quietly stops being true by March, and nobody notices until an auditor, a breach, or a regulator’s letter forces the question. At that point the work is archaeology: reconstructing, months later, what the system was actually doing on the day that mattered.
Praxis takes a different position. Whether your systems meet a given obligation is for the regulator to decide, but the substrate they will examine is evidence, and evidence is something you can engineer. Instead of describing controls in prose, Praxis wires them into the systems themselves and produces a continuous, verifiable record of what those systems did. The output is not a document a regulator has to trust. It is proof a regulator can check.
The gap between saying and showing
Four regulations are converging on the same demand, and it is not more paperwork. It is demonstrable, technical evidence.
GDPR Article 32 requires “appropriate technical and organisational measures” and, under Article 32(1)(d), “a process for regularly testing, assessing and evaluating the effectiveness” of those measures (European Parliament and Council, 2016). The EU AI Act makes accuracy, robustness, and cybersecurity a binding requirement for high-risk AI systems under Article 15, backed by the technical documentation required under Article 11 and verified through the conformity assessment procedure in Article 43 (European Parliament and Council, 2024). The EU Data Act creates obligations around user authorisation, data lineage, and access constraints for connected products and B2B data flows, principally the right to access product data under Article 4 and the right to share it with third parties on fair, reasonable, and non-discriminatory terms under Article 5 (European Parliament and Council, 2023b). MiCA imposes custody segregation under Article 70(1), market-conduct surveillance under Article 92(1), and transparency obligations under Article 66 on crypto-asset firms (European Parliament and Council, 2023a).
Read together, a pattern emerges. Regulators are no longer satisfied with a description of your intentions. They want to see the control operating, and they want a record that has not been edited after the fact. That is a fundamentally different deliverable from a control narrative, and it is an engineering deliverable, not a legal one.
Engineered controls, continuous evidence
Praxis is the productised core of our Governance, Risk and Compliance service, and it rests on a simple idea: design a control once, evidence it continuously, and map that single piece of evidence to every obligation it answers.
At the centre of every engagement is a domain agent we build and operate on your behalf. It reads the live regulatory text alongside your own systems, policies, and code. It surfaces gaps as they appear rather than at quarter-end, keeps evidence current as your platform changes, and assembles the artefact a supervisory authority will accept when the request comes. It does not replace your compliance officer or your counsel. It removes the parts of the job a machine should be doing: tracking which service logs which fields against which lawful basis, watching for the next authoritative opinion, and generating the pack. Your specialists keep the judgement calls that only humans should make.
Underneath the agent sits the part that makes the evidence trustworthy: Sentinel.
Where Sentinel comes in
Praxis answers the compliance question. Sentinel produces the evidence that lets it answer honestly.
Sentinel is our runtime security framework, the enforcement point that sits on the perimeter of your AI and data systems. Every governed action passes through it: a request is checked against policy, allowed or denied, and then recorded. That record is not an ordinary application log. It is written to a hash-chained, cryptographically signed evidence ledger, where each entry is bound to the one before it, so the sequence cannot be silently altered or back-dated. Periodically the ledger is checkpointed and those checkpoints are anchored to an external transparency log, the same class of tamper-evidence technology used to secure the world’s software supply chains.
The effect is that “we enforced this policy” stops being a claim in a document and becomes a fact you can verify. If a single entry were changed after the fact, the chain would break and the anchor would no longer match.
Praxis then consumes that evidence across a deliberate boundary. It reads only the ledger, the standardised, portable evidence format, and never reaches into Sentinel’s internals. It maps each recorded action to the regulatory provisions it demonstrates, runs its analysis deterministically so the same inputs always produce the same output, and generates a regulator-ready evidence pack: the human-readable narrative plus a signed record whose every claim traces back to a specific, tamper-evident ledger entry.
Because the evidence format is open, an auditor does not have to take our word for any of it. They can verify the chain themselves, independently, using a public reference tool. That is the difference between an evidence pack that persuades and one that merely asserts.
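To make the ledger mechanics concrete, here is an added illustration (not Sentinel's code; the entry fields, the demo key and the use of an HMAC as a stand-in for the ledger's real signature scheme are assumptions). It builds a small hash-chained, signed ledger holding one allow and one deny decision, then shows why the external anchor matters: an in-place edit breaks the chain, but an edit followed by re-hashing and re-signing, or a silently truncated ledger, is only caught by comparing the head against the published checkpoint.

```python
import copy, hashlib, hmac, json

# Constructed demo key (assumption). Sentinel signs asymmetrically; HMAC stands in here.
SIGNING_KEY = b"demo-only-ledger-key"
GENESIS = "0" * 64

def entry_hash(prev_hash, action):
    """Bind an action to its predecessor: sha256 over (prev_hash, canonical action)."""
    payload = json.dumps({"prev": prev_hash, "action": action}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()
def sign(digest_hex):
    return hmac.new(SIGNING_KEY, digest_hex.encode(), hashlib.sha256).hexdigest()
def append(ledger, action):
    """Record one governed decision (allow or deny) as the next chained entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    h = entry_hash(prev, action)
    ledger.append({"prev": prev, "action": action, "hash": h, "sig": sign(h)})

def verify(ledger, anchor):
    """Walk the chain from genesis; `anchor` is the externally published head hash."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev:
            return False, f"entry {i}: link to predecessor broken"
        if entry_hash(e["prev"], e["action"]) != e["hash"]:
            return False, f"entry {i}: content no longer matches its hash"
        if not hmac.compare_digest(sign(e["hash"]), e["sig"]):
            return False, f"entry {i}: signature invalid"
        prev = e["hash"]
    if prev != anchor:
        return False, "head hash does not match the anchored checkpoint"
    return True, "chain intact and matches anchor"

def demo():
    ledger = []  # constructed sample decisions, mirroring the allow/deny run described above
    append(ledger, {"agent": "support-bot", "op": "read", "target": "customer/42", "decision": "allow"})
    append(ledger, {"agent": "unknown", "op": "transfer", "target": "account/7", "decision": "deny"})
    anchor = ledger[-1]["hash"]  # checkpoint published to the external transparency log
    results = {"intact": verify(ledger, anchor)}
    # Case 1: edit the denial in place; the stored hash no longer matches the content.
    edited = copy.deepcopy(ledger)
    edited[1]["action"]["decision"] = "allow"
    results["edited"] = verify(edited, anchor)
    # Case 2: a key holder edits, then re-hashes and re-signs; only the anchor catches it.
    rebuilt = []
    for e in edited:
        append(rebuilt, e["action"])
    results["rebuilt"] = verify(rebuilt, anchor)
    results["truncated"] = verify(ledger[:-1], anchor)  # Case 3: last entry dropped
    return results
```

Cases 2 and 3 are why a chain checked only against itself is insufficient: whoever holds the signing key, or can drop the tail of the log, needs an anchor they do not control to be caught.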
Where Praxis fits
The pattern is easiest to see in the situations our clients actually bring us.
Agentic AI reaching into personal data (GDPR Article 32): An enterprise rolls out AI agents that read and update customer records. Every governed action the agent takes is checked and recorded at runtime, and Praxis maps those records to the confidentiality, integrity, and effectiveness-testing duties of Article 32 (European Parliament and Council, 2016). When the data protection authority asks how you ensure ongoing security and regularly test that it works, the evidence is already assembled rather than reconstructed.
A high-risk AI system heading for conformity assessment (AI Act Article 15): A lender runs an AI model in its credit decisions. Praxis operationalises the accuracy, robustness, and cybersecurity obligations the Act imposes under Article 15, documenting the adversarial testing the model is subjected to, enforcing policy at runtime, and producing the Article 11 technical documentation that supports the Article 43 conformity assessment your notified body will expect (European Parliament and Council, 2024).
A connected product that has to share data (EU Data Act): A device manufacturer must give users access to their own product data under Article 4 and, at the user’s direction, make it available to authorised third parties under Article 5, with a defensible record of where the data went (European Parliament and Council, 2023b). Praxis engineers the authorisation capture, the cryptographic lineage, and the access-purpose enforcement in code, so “the user authorised it and the data went only where permitted” is something you can show, not just assert.
A crypto-asset firm under supervision (MiCA): A crypto-asset service provider must demonstrate custody segregation to ESMA and national competent authorities under Article 70(1), maintain market-abuse surveillance under Article 92(1), and meet the client transparency obligations of Article 66 (European Parliament and Council, 2023a). Praxis builds the substrate: provable segregation, real-time surveillance, and transparency artefacts, scaled to whichever title of MiCA brings you into scope.
Several deadlines at once: A scale-up faces GDPR today, the AI Act as it deploys models, and a MiCA obligation on the horizon. Instead of three separate annual scrambles, Praxis maps the controls those regimes share, keeps the evidence live, and turns each audit into a query against a current record rather than a months-long reconstruction.
Build once, defend everywhere
The commercial argument for engineered compliance is not only that it is more honest. It is that it is dramatically cheaper to maintain across multiple frameworks.
Most enterprises buy compliance one regulation at a time, which produces duplicated controls, duplicated evidence, and duplicated audit cost. But a single encryption-at-rest configuration designed to meet GDPR Article 32 also speaks to the AI Act’s Article 15 cybersecurity obligation, to the Data Act’s access constraints under Articles 4 and 5, and, for a crypto-asset firm, to MiCA’s Article 70 safekeeping requirement. The control is the same. Only the framing changes.
Praxis is built for that reuse. It maps every implemented control to every obligation it answers, so you can show a single piece of evidence discharging duties across four regulations at once. Add a new framework later and most of the substrate already covers it. Build once, evidence once, defend everywhere.
What continuous actually means
A point-in-time audit certifies what was true on the day of the audit. Everything after that is hope.
Praxis treats evidence as a stream instead of a snapshot. In continuous engagements, verification runs against your live systems as they change: every deployment, every policy change, every model update triggers re-attestation, and drift surfaces the moment it appears rather than at the next annual review. Control posture becomes a property of the running system, not a photograph taken from outside it.
That is also where the legal-engineering handoff usually breaks, and where Praxis is designed to sit. Lawyers write requirements engineers cannot implement; engineers build controls lawyers cannot defend. Our team works in that gap, translating in both directions without losing fidelity, so your legal team gets implementations they can stand behind in front of a regulator, and your engineers get requirements they can actually build.
Seeing it end to end
None of this is theoretical. In a single run, Sentinel stands up the governed gateway and makes two decisions: it allows a legitimate read, and it denies an unknown agent attempting a financial action. Both are written to the signed, hash-chained ledger, because a refusal is evidence exactly as much as an approval, and Sentinel verifies the chain and signatures before handing the record on.
Praxis then consumes that ledger alone. It pins the regulatory text to a precise, reproducible version of GDPR Article 32 (European Parliament and Council, 2016), maps the recorded activity to the provisions it demonstrates, and generates the evidence pack: a narrative and a signed record whose every claim traces back to a specific ledger entry.
And then it does the thing a document never will. The same run reports, plainly, that two of the eight requirements Praxis tracks under Article 32 are currently covered by evidence and six are not, ranked by severity so remediation has an order. Praxis does not rubber-stamp. It shows you what you can prove today and, just as clearly, what you cannot yet prove. For a compliance leader, that is the difference between a tool that flatters you and one you can actually run your programme on.
Runtime enforcement on one side, regulator-facing proof on the other, joined by evidence that cannot be quietly rewritten, and an honest, current picture of where the gaps are. Compliance stops being a story you tell once a year and becomes a property of the system you can demonstrate on any given day.
Praxis is the engineered-compliance core of Sakura Sky’s GRC practice, spanning GDPR, the EU AI Act, the EU Data Act, and MiCA. To scope where it fits your systems, book a roadmap engagement.
Praxis and Sentinel, named and described above, are Sakura Sky products developed and sold by Sakura Sky.
References
European Parliament and Council (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj [Accessed 5 July 2026].
European Parliament and Council (2023a) Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2023/1114/oj/eng [Accessed 5 July 2026].
European Parliament and Council (2023b) Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (Data Act). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2023/2854/oj [Accessed 5 July 2026].
European Parliament and Council (2024) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng [Accessed 5 July 2026].