One-pager / AI governance
Praxara Ltd · Effective 1 May 2026

AI governance posture

One-page mapping of Praxara controls to EU AI Act Articles 9 / 11 / 13 / 14 + GxP Annex 22

Article 9 -- Risk management system

Praxara ships a tenant-scoped Risk Register covering both platform risks (vendor model drift, hallucination, data leakage) and customer-defined risks. Each entry is scored on likelihood × impact and records its mitigations, residual risk, owner and review cadence. Entries flow into the Compliance Pack Risk Register artefact.

Article 11 -- Technical documentation (model cards)

  • One model card per (model, version) pair
  • Required fields: intended use, out-of-scope uses, training data summary, evaluation, bias assessment, metrics, human oversight notes, limitations, EU AI Act risk class
  • Guided 4-step wizard at /admin/ai-governance for non-governance staff
  • Segregation of duties: HIGH and UNACCEPTABLE-class cards cannot be approved by their author
  • Unapproved cards do not appear in Compliance Pack exports

Article 13 -- Transparency

  • Every AI output carries a "Draft only -- requires qualified human review" label, contextualised per surface (narrative / MedDRA / duplicate / literature / signal)
  • Reviewer canvas always renders the source-page citation alongside extracted fields
  • The user-facing Help page exposes a registry of every LLM call ever made on behalf of the tenant, by skill

Article 14 -- Human oversight

  • No AI output flows to a regulatory submission, Argus case closure, or PSUR sign-off without an e-signed human approval (21 CFR Part 11 controls)
  • Reviewers can edit, reject, or reclassify every extraction before approval; rejection requires a controlled-vocabulary reason captured on the audit chain
  • Skill drift detection (worker scaffolded) flags accuracy regressions on golden-case sets; affected skills can be paused tenant-wide

Cost controls (operational)

Per-tenant LLM monthly spend caps with soft + hard thresholds. Calls exceeding the hard cap return HTTP 402 and are audited as cap-blocked. Soft-cap notifications email tenant ADMIN. Visible at /settings/usage.

GxP Annex 22 alignment (draft)

Praxara is designed for GxP validation -- the architecture, audit chain, e-signature controls and validation-ready artefacts produced by the Compliance Pack are structured so customer QA teams can validate AI workflows in their own quality framework. Praxara itself is not a regulator-validated product; we provide the evidence trail that customers' own QA teams use.

Provenance + change control

  • Every AI call logged with provider, model, taskKey, prompt-version-hash, tokens, cost, latency, audit-row-id
  • Frozen prompt versioning (PromptVersion model) -- production prompts are not edited in place; new versions go through review
  • Immutable audit chain on AuditLog (SHA-256 chained checksums); tamper-evidence verifier endpoint
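As an added illustration of the chained-checksum scheme the provenance bullets describe (example code written for this page, not Praxara's AuditLog or verifier endpoint; the genesis value, JSON serialisation and field names are assumptions), the block below builds a small chain of constructed LLM-call rows, then shows how the verifier pinpoints an edited or deleted row:

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor checksum for the first row

def compute_checksum(prev_checksum: str, fields: dict) -> str:
    """SHA-256 over the previous row's checksum plus a canonical encoding of
    this row's fields, so editing any earlier row breaks every later link."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_checksum.encode() + b"|" + payload).hexdigest()

def append_audit_row(chain: list, fields: dict) -> dict:
    prev = chain[-1]["checksum"] if chain else GENESIS
    body = {"auditRowId": len(chain) + 1, **fields}
    entry = {**body, "prevChecksum": prev, "checksum": compute_checksum(prev, body)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> Optional[int]:
    """Re-walk the chain from GENESIS. Return the auditRowId of the first row
    whose link no longer holds, or None if the chain is intact. A chain alone
    cannot detect truncation of the tail; compare the last checksum against an
    externally held head for that."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k not in ("prevChecksum", "checksum")}
        if entry["prevChecksum"] != prev or entry["checksum"] != compute_checksum(prev, body):
            return entry["auditRowId"]
        prev = entry["checksum"]
    return None

# Constructed sample rows using the fields listed on this page (not real data).
SAMPLE_CALLS = [
    {"provider": "openai", "model": "gpt-4o", "taskKey": "narrative.draft",
     "promptVersionHash": "a1b2c3", "tokens": 812, "costUsd": 0.0041, "latencyMs": 1430},
    {"provider": "anthropic", "model": "claude-3-5-sonnet", "taskKey": "meddra.code",
     "promptVersionHash": "d4e5f6", "tokens": 240, "costUsd": 0.0012, "latencyMs": 610},
    {"provider": "openai", "model": "gpt-4o", "taskKey": "signal.screen",
     "promptVersionHash": "a1b2c3", "tokens": 1560, "costUsd": 0.0078, "latencyMs": 2210},
]

def build_chain(calls: list) -> list:
    chain: list = []
    for call in calls:
        append_audit_row(chain, call)
    return chain

def tampered_copy(chain: list, index: int, field: str, value) -> list:
    """Simulate an after-the-fact edit to one stored row (e.g. lowering a cost)."""
    altered = copy.deepcopy(chain)
    altered[index][field] = value
    return altered
```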

Praxara Ltd, registered in England & Wales · [email protected] · praxara.io/trust/one-pager-ai-governance