Compliance

AI compliance starts with your approved AI, not just your shadow AI

The EU AI Act and GDPR ask organisations to evidence human oversight, logging, and accountability for AI systems that process personal data and take consequential actions. The AI tools you have already sanctioned are where that obligation lives. MCP One provides the control and audit-evidence infrastructure to help you meet and evidence it.

The part nobody governed: what your approved AI is allowed to do

Your sanctioned AI tools — the ones IT approved, the ones on the vendor contracts, the ones your teams use every day — already connect to your CRM, your project management systems, your code repositories, and your internal knowledge bases. They can query records, surface personal data, draft communications, and in some configurations take direct actions in business systems on behalf of users.

For the overwhelming majority of that activity, there is no capability-level approval record. No human signed off on the specific scope of what the Salesforce connector is permitted to read, or whether the document intelligence capability is allowed to process HR records, or which actions the internal agent is authorised to take. The approval happened at the tool level — “yes, we use this platform” — not at the capability level that regulators now ask you to account for.

The EU AI Act and GDPR operate at the capability level. They ask whether the organisation can produce evidence of human oversight before deployment, records of processing, and audit trails of consequential AI actions. That evidence cannot be reconstructed from tool-level licensing records or vendor-native dashboards. It has to be created at the point where capabilities are approved and invoked.

MCP One creates that evidence structurally — because it sits in the control path.

88% of enterprises report regular AI use. (McKinsey State of AI, 2025)

33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024. (Gartner, 2025)

Who bears the obligation

You are the deployer. MCP One is your control layer.

Under the EU AI Act, the company that licences an AI system from a vendor and puts it to work in its own organisation is the deployer. The deployer — not the AI vendor — bears the obligations for human oversight, log retention, and risk management under Articles 9, 12, 14, and 26.

MCP One provides the technical and organisational infrastructure that helps deployers implement those obligations: a governed capability registry, a reviewed-and-approved record for each AI capability, brokered execution with first-party evidence records, and structured audit output.

MCP One does not make a customer compliant. Compliance is the customer’s responsibility. MCP One is the control layer and evidence system the accountable party relies on.

What the regulations ask for — and what MCP One provides

The table below maps EU AI Act and GDPR obligations to the specific MCP One capabilities that address them. Where your AI deployments qualify as high-risk AI systems under the EU AI Act, these obligations apply to you as the deployer.

EU AI Act — Deployer Obligations

| Article | Obligation (deployer): what it requires you to evidence | MCP One capability | Evidence type |
|---|---|---|---|
| Art. 9 — Risk Management | Maintain a continuous risk management process; document and review risks | Capability Registry: risk class, data sensitivity, action risk per capability; Approval Workflow as deployment gate | Structured inventory; approval records |
| Art. 12 — Record-Keeping | Retain automatically generated AI system logs for ≥ 6 months | Immutable execution records (who, what capability, which system, when, allowed/denied); exportable | First-party event records |
| Art. 14 — Human Oversight | Assign competent humans to oversee; detect anomalies, override, and discontinue | Approval Workflow (human gate before deployment); Revocation; ABAC rules; execution evidence trail | Approval records; lifecycle events |
| Art. 26(1) — Use per instructions | Document the purpose and authorised use for each AI system | Capability Registry: purpose, owner, intended users, connected systems, approved actions | Capability metadata |
| Art. 26(3) — Monitor for deviations | Monitor operation; report deviations to provider | Execution records show approved scope vs. actual invocations; ABAC enforces scope at runtime | Execution records |
| Art. 26(6) — Log retention | Keep logs ≥ 6 months | Configurable retention on execution records; exportable | Event store |
| Art. 50 — Transparency | Inform users they are interacting with AI | Employee Catalogue: plain-language capability descriptions, owner, intended use | Catalogue metadata |

Arts. 9, 12, 14, and 26 apply to high-risk AI systems as defined in Annex III. Not all AI capabilities a company deploys are high-risk. Whether a specific deployment qualifies requires legal assessment.

GDPR — Controller Obligations

| Article | Obligation (controller): what it requires you to evidence | MCP One capability | Evidence type |
|---|---|---|---|
| Art. 5(2) — Accountability | Demonstrate compliance with all GDPR principles | Capability Registry (purpose, data sensitivity, owner); Approval Records; Execution Evidence | Registry + approval + execution records |
| Art. 25 — Data Protection by Design | Integrate data protection from design; default to minimal processing | ABAC classification labels limit access to sensitive data; sensitive payload non-storage by default | Architecture + configuration |
| Art. 30 — Records of Processing Activities | Document processing: purpose, data categories, recipients, retention, security | Capability Registry: connected systems, data sensitivity, purpose, owner — structured input for RoPA | Capability metadata |
| Art. 32 — Security of Processing | Risk-proportionate technical and organisational security measures | Brokered execution; ABAC; credential holding (no per-user credentials); execution evidence for incident response | Architecture + records |
| Art. 22 — Automated Decision-Making | Data subjects' right to human intervention for solely automated decisions with legal/significant effects | Approval Workflow (documents human review); Revocation; Execution Evidence | Approval records + execution records |

Art. 22 applies only where AI processing constitutes solely automated decision-making with legal or similarly significant effects. This is a legal judgement per use case, not a product determination.

MCP One does not provide legal advice and this table is not a legal opinion. Organisations remain responsible for assessing whether their specific AI deployments fall within the scope of these regulations and for maintaining appropriate legal and compliance counsel. MCP One is a technical control and audit-evidence platform; it helps organisations produce the evidence these obligations require. Whether that evidence satisfies a regulator’s assessment in a specific case is for the organisation and its advisers to determine.

The control and evidence infrastructure for governed AI

MCP One is not a compliance documentation tool. It is a technical control layer that sits in the execution path for approved AI capabilities — and produces compliance evidence as a structural byproduct of being in that path.

Capability registry

Every AI capability your organisation creates or enables — connectors, skills, MCP-served actions, internal tools — is recorded with an owner, a business purpose, the systems it touches, a data sensitivity classification, and its current approval status.

When a regulator or auditor asks what AI capabilities exist and what personal data they can access, this is the source of truth. Not a spreadsheet reconstructed after the fact. A live, governed inventory.

Relevant to: EU AI Act Art. 26 (deployer obligations — know what you have deployed); GDPR Art. 30 (records of processing activities).

Approval workflow

No capability is broadly available until it has passed through a documented review. The approval decision, the reviewer, the date, the risk classification, and the connected systems are part of the permanent record.

For high-risk capabilities — those touching personal data, financial records, or regulated processes — you can require a second reviewer and mandate policy rules before brokering is enabled.

Relevant to: EU AI Act Art. 14 (human oversight — documented before deployment); GDPR Art. 35 (DPIA trigger — structured risk assessment at capability level before data processing begins).

Brokered execution

For brokered capabilities, MCP One sits directly in the execution path. When an AI agent invokes a capability, MCP One checks approval state, enforces the applicable policy rules, allows or denies the invocation, and creates an execution event.

The execution record is a structural byproduct of brokered control — not a log collected from the outside. It captures the capability, the caller, the action, the connected system, the timestamp, and the policy decision applied.

Relevant to: EU AI Act Art. 12 (logging capabilities for high-risk AI systems); GDPR Art. 5(2) (accountability — demonstrable technical controls on personal data processing).

Immutable execution evidence

Every brokered invocation produces a structured audit record. MCP One stores these records in a tamper-evident log and supports export in formats suitable for security reviews, regulatory enquiries, and internal governance reporting.

When a regulator asks for evidence of how an AI capability was used and what data it accessed, that record exists in one place — independent of any AI vendor’s logs, which may not cover cross-tool usage or may be unavailable after tool changes.

Relevant to: EU AI Act Art. 29 / Annex IV (technical documentation requirements for deployers); GDPR Art. 30 (records of processing activities — exportable evidence of AI data processing).
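The brokered-execution and immutable-evidence sections above describe a pattern rather than an implementation: a governed registry, an approval gate, an attribute-based policy check at the moment of invocation, and an execution record written as a byproduct of the allow/deny decision, kept in a tamper-evident log. The following is an added illustration of that pattern written for this page; it is not MCP One's code and says nothing about the product's internals. The capability names, caller attributes, the single ABAC rule and the hash-chaining scheme are all constructed for the example.

```python
"""Illustrative capability broker with a hash-chained execution log.

Added example, not MCP One's code. Registry entries, caller attributes
and the policy rule are constructed for the illustration.
"""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # the first record chains to this constant


@dataclass(frozen=True)
class Capability:
    cap_id: str
    owner: str
    purpose: str
    system: str                 # connected business system
    data_sensitivity: str       # "public" | "internal" | "personal"
    approval_status: str        # "approved" | "pending" | "revoked"
    allowed_actions: frozenset  # actions approved during review


@dataclass
class ExecutionRecord:
    """Who, what capability, which system, when, allowed/denied.
    Deliberately carries no request or response payload, so personal
    data handled by the capability never lands in the evidence store."""
    ts: float
    caller: str
    cap_id: str
    system: str
    action: str
    decision: str               # "allow" | "deny"
    reason: str
    prev_hash: str
    hash: str = ""


def _digest(rec: ExecutionRecord) -> str:
    body = asdict(rec)
    body.pop("hash")            # the hash covers every other field
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Broker:
    def __init__(self, registry: dict[str, Capability]) -> None:
        self.registry = registry
        self.log: list[ExecutionRecord] = []

    def _decide(self, caller_attrs: dict, cap_id: str, action: str) -> tuple[str, str]:
        cap = self.registry.get(cap_id)
        if cap is None:
            return "deny", "unregistered capability"
        if cap.approval_status != "approved":
            return "deny", f"approval state is {cap.approval_status}"
        if action not in cap.allowed_actions:
            return "deny", f"action {action!r} outside approved scope"
        # Constructed ABAC rule: personal data requires a cleared caller.
        if cap.data_sensitivity == "personal" and not caller_attrs.get("personal_data_cleared"):
            return "deny", "caller not cleared for personal data"
        return "allow", "approved capability, action in scope, policy satisfied"

    def invoke(self, caller: str, caller_attrs: dict, cap_id: str, action: str) -> ExecutionRecord:
        """Evaluate the policy and record the outcome in the same step,
        so a record exists for every attempt, allowed or denied."""
        decision, reason = self._decide(caller_attrs, cap_id, action)
        cap = self.registry.get(cap_id)
        rec = ExecutionRecord(
            ts=time.time(), caller=caller, cap_id=cap_id,
            system=cap.system if cap else "unknown", action=action,
            decision=decision, reason=reason,
            prev_hash=self.log[-1].hash if self.log else GENESIS,
        )
        rec.hash = _digest(rec)
        self.log.append(rec)
        return rec

    def verify_log(self) -> bool:
        """Recompute every digest and link; any edited or dropped record breaks the chain."""
        prev = GENESIS
        for rec in self.log:
            if rec.prev_hash != prev or _digest(rec) != rec.hash:
                return False
            prev = rec.hash
        return True

    def export_jsonl(self) -> str:
        """Export the records for an audit or regulatory enquiry."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.log)


# Constructed registry: one approved CRM connector, one capability still in review.
SAMPLE_REGISTRY = {
    "crm-contact-lookup": Capability("crm-contact-lookup", "sales-ops", "Look up customer contacts",
                                     "crm", "personal", "approved", frozenset({"read"})),
    "hr-doc-intel": Capability("hr-doc-intel", "people-team", "Summarise HR documents",
                               "hr-docs", "personal", "pending", frozenset({"read"})),
}

if __name__ == "__main__":
    broker = Broker(SAMPLE_REGISTRY)
    broker.invoke("alice", {"personal_data_cleared": True}, "crm-contact-lookup", "read")
    broker.invoke("bob", {}, "crm-contact-lookup", "read")
    broker.invoke("alice", {"personal_data_cleared": True}, "hr-doc-intel", "read")
    print(broker.export_jsonl())
    print("chain intact:", broker.verify_log())
```

The point the page makes is visible in `invoke`: the decision and the evidence are produced by the same code path, so there is no separate log collector to misconfigure or bypass, and a denied attempt is recorded just as an allowed one is. `verify_log` is what an auditor, or the organisation itself, would run to show the exported records have not been edited since they were written.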

About compliance claims on this page

MCP One helps organisations meet and evidence obligations under the EU AI Act, GDPR, and related regulatory frameworks by providing technical control and audit-evidence infrastructure. It does not guarantee regulatory compliance, and use of MCP One does not constitute legal advice.

Whether a specific AI deployment falls within the scope of the EU AI Act (including whether it constitutes a high-risk AI system under Annex III), and the specific obligations that apply as a result, is a determination for the organisation and its legal advisers to make. The regulatory obligation → capability mapping on this page is provided for illustrative orientation only and does not constitute a legal opinion.

The customer organisation remains the accountable party as deployer. MCP One is a technical platform that provides the control, approval, and audit-evidence layer. The organisation’s compliance posture depends on how MCP One is configured and used within the full governance programme the organisation maintains.

MCP One is a brand of eBulldog Ltd.

Start building the evidence layer for your AI governance programme

MCP One is available to a focused group of organisations establishing governed AI capability. If you are working through EU AI Act readiness, GDPR accountability for AI processing, or a board-level AI governance programme, we would like to hear about your setup.

We are building with a small group of IT, AI Platform, and compliance leaders. Adam will be in touch directly.