Buyer's guide · 2026Published July 10, 2026· Last verified July 15, 2026

Best EU AI Act Compliance Software in 2026: 9 Tools Compared

The Digital Omnibus moved the high-risk deadlines to December 2027 and August 2028 — but Article 50 transparency still lands on August 2, 2026, and auditors want evidence, not intentions. This guide splits nine tools into the two families that actually exist: program and documentation platforms, and runtime evidence platforms.

Shopping for 'EU AI Act software' produces a confusing shortlist because two different product families answer to the same keyword. Program and documentation tools — Credo AI, Holistic AI, OneTrust, IBM watsonx.governance, Saidot, trail, Modulos, Vanta — run the compliance program: risk classification questionnaires, control mapping, technical documentation, conformity workflows. Runtime evidence tools sit in the AI data path and generate the operational proof — enforced policies, guardrail events, gateway logs — that the program's paperwork points to. Kosmoy is in the second family, and this guide is honest about that: it will not draft your fundamental-rights impact assessment, and the workflow suites will not block a non-compliant prompt.

The deadline picture changed on May 7, 2026, when the Digital Omnibus agreement rescheduled the high-risk obligations to December 2027 and August 2028. What did not move: Article 50 transparency obligations — including telling users they are interacting with an AI system — kept their August 2, 2026 date. The clock that matters this year is the near one.


What counts as EU AI Act compliance software in 2026

EU AI Act compliance software earns the label by helping with four obligations: classify — determine each AI system's risk tier and your role (provider, deployer, importer); document — technical documentation, risk management records, impact assessments for high-risk systems; operate — enforce the controls the documentation promises, from human oversight to logging; and evidence — produce audit-ready proof, on demand, that all of the above actually happened. Program tools are strongest on the first two; runtime tools on the last two.

The timeline now runs on the Digital Omnibus schedule agreed May 7, 2026: obligations for high-risk AI systems phase in from December 2027, with the remainder following in August 2028, while Article 50 transparency obligations stayed on August 2, 2026. The postponement is a reprieve for documentation deadlines, not for inventory: you cannot classify what you have not found, and building a defensible AI inventory is the slowest step in every program we have seen.

Two adjacent tools deserve a mention without full profiles. LatticeFlow AI's COMPL-AI takes a technical-benchmarking angle — evaluating models themselves against Act-derived requirements — and appears alongside several vendors here in Gartner's 2026 Magic Quadrant for AI Governance Platforms. Drata, like Vanta, approaches the Act from general compliance automation; if you already run one of the two for SOC 2, extending it is the path of least resistance.

A word on how Kosmoy appears in its own guide: it is not a legal-workflow suite. It has no questionnaire engine, no FRIA templates, no regulator-facing report designer. What it has is a built-in EU AI Act risk registry with automated risk classification, policy bundles for the EU AI Act, ISO/IEC 42001 (aligned, not certified) and NIST AI RMF, and evidence exports generated from the same registries and gateway logs that enforce the policy — the layer the program tools assume exists.

How we scored the field

Every product is scored 0–10 on the same ten capability axes. A 10 is reserved for categorical architectural facts; specialists are expected to outscore platforms on their own spoke, and the scores show it.

Compliance & Audit

Depth of EU AI Act tooling: risk classification, control mapping, technical documentation, conformity support and audit-ready evidence — the heaviest-weighted axis on this page.

AI Inventory & Discovery

Whether the tool can build and maintain the register of AI systems the Act's obligations attach to — ideally by discovery, not just intake forms.

Gateway & Policy Control

A runtime enforcement point on AI traffic. Workflow tools without a data path score 0-2 here by design; that is a category fact, not a criticism.

Guardrails & Runtime Safety

In-line blocking of PII leakage, prompt injection and policy violations — controls the Act's risk-management obligations expect to see operating.

Observability & FinOps

Logging and monitoring depth: can the tool show what AI systems did in production, including record-keeping suitable for post-market monitoring?

Agent Containment

Isolation and kill-switch capability for autonomous agents — relevant to human-oversight obligations for agentic systems.

Security & Shadow AI

Shadow-AI discovery and posture — unregistered AI is unclassified AI.

Testing, Evals & Red-teaming

Testing, validation and red-teaming that feed accuracy and robustness documentation.

Agent Building

Largely out of scope for this category; noted where a vendor offers it.

Deployment Sovereignty

Where the platform runs. For EU-regulated buyers, a SaaS-only governance tool can itself become a data-transfer question; self-hosted and air-gap options score high.


The field, scored

EU AI Act compliance software — capability scores, 0–10
Capability (0–10)KosmoyCredo AIHolistic AIOneTrust AI GovernanceIBM watsonx.governanceSaidottrail (trail GmbH)ModulosVanta
AI Inventory & Discovery988896552
Security & Shadow AI837661112
Observability & FinOps733281210
Gateway & Policy Control814320000
Guardrails & Runtime Safety817530000
Agent Containment916120000
Compliance & Audit999998787
Testing, Evals & Red-teaming448282120
Agent Building600110000
Deployment Sovereignty1024271161

Bold marks the highest score on each row. 10 is reserved for categorical architectural facts; specialists are expected to outscore platforms on their own spoke.

Capability shape, vendor by vendor

Each panel shows one vendor across the same ten axes. Read it as area: a specialist climbs on its own spoke and falls away on the rest; a platform holds the frontier. The dashed outline is Kosmoy for reference.

Kosmoy
INVSECOBSGWGRDCTNCMPEVLBLDSOV
Credo AI
INVSECOBSGWGRDCTNCMPEVLBLDSOV
Holistic AI
INVSECOBSGWGRDCTNCMPEVLBLDSOV
OneTrust AI Governance
INVSECOBSGWGRDCTNCMPEVLBLDSOV
IBM watsonx.governance
INVSECOBSGWGRDCTNCMPEVLBLDSOV
Saidot
INVSECOBSGWGRDCTNCMPEVLBLDSOV
trail (trail GmbH)
INVSECOBSGWGRDCTNCMPEVLBLDSOV
Modulos
INVSECOBSGWGRDCTNCMPEVLBLDSOV
Vanta
INVSECOBSGWGRDCTNCMPEVLBLDSOV
dashed = KosmoyINV AI Inventory & Discovery · SEC Security & Shadow AI · OBS Observability & FinOps · GW Gateway & Policy Control · GRD Guardrails & Runtime Safety · CTN Agent Containment · CMP Compliance & Audit · EVL Testing, Evals & Red-teaming · BLD Agent Building · SOV Deployment Sovereignty

The vendors, by buyer type

No single 1-to-N ranking survives contact with a real shortlist — the right pick depends on who is buying. Each vendor below is labeled with the buyer it fits best.

Kosmoy

AI management platform

Runtime evidence: prove your controls operate

A self-hosted control plane for enterprise AI: one inventory, one policy gateway, one audit trail and a containment sandbox for every model, agent and MCP server a company runs.

Kosmoy is the runtime-evidence entry on this list. Every AI system sits in a registry with an owner and an automated EU AI Act risk classification; every call crosses a gateway that enforces guardrails, RBAC and budgets; and the compliance module exports evidence bundles — EU AI Act, ISO/IEC 42001 (aligned), NIST AI RMF — from that single event stream. Because it is single-tenant software in your own Kubernetes (air-gapped if required), the governance layer itself raises no data-residency questions. Italy's central bank and banking regulator runs it in production.

It is not a legal-workflow suite: no FRIA templates, no questionnaire engine, no regulator-report designer, and no eval suite for accuracy documentation. Pair it with a program tool from this page for those.

Strengths

  • Four registries — AI systems, models, MCP servers and a master agent registry that pulls agents from Azure AI Foundry, Bedrock, Vertex, Salesforce and ServiceNow into one list.
  • One OpenAI-compatible gateway enforcing guardrails, RBAC, budgets and logging on every LLM, MCP and A2A call.
  • Action Capsule: kernel-enforced sandboxing for agents, MCP servers and private models, with per-task credentials and a kill switch.

Limits

  • No dedicated evaluation or red-teaming suite — teams pair Kosmoy with a specialist evals tool.
  • The agent builder covers governed internal use cases; dedicated agent-development platforms go deeper.
  • No free or self-service tier — procurement runs through an enterprise sales process.
Deployment: Self-hosted — single-tenant, your own Kubernetes (air-gap capable)Open source: ProprietaryPricing: Enterprise subscription; no self-service tier.

Credo AI

AI governance, risk & compliance platform

The EU AI Act program of record

Credo AI is a SaaS AI-governance platform that inventories AI systems, agents and vendors, applies regulation-derived Policy Packs (EU AI Act, NIST AI RMF, ISO 42001) and produces risk assessments and audit-ready compliance evidence.

Credo AI remains the reference program suite: Policy Packs translate the EU AI Act, NIST AI RMF and ISO 42001 into controls; the intake workflow classifies systems and determines entity roles; and fundamental-rights impact assessments and CE-marking support are built in. A Forrester Wave Leader (Q3 2025) and a Visionary in Gartner's 2026 Magic Quadrant for AI Governance Platforms, it also brings vendor-risk tooling most rivals lack.

It is SaaS-only with no vendor-documented self-hosting, and its own May 2026 GAIA announcement places runtime enforcement on the roadmap rather than in the product — evidence of operation must come from integrations.

Strengths

  • Named a Leader in The Forrester Wave: AI Governance Solutions, Q3 2025, with the highest possible scores in 12 criteria including AI Policy Management and AI Regulatory Compliance Audit (announcement).
  • A Visionary in the inaugural Gartner Magic Quadrant for AI Governance Platforms (June 16, 2026), and No. 6 in Applied AI on Fast Company's Most Innovative Companies of 2026 (recognition page).
  • Deep regulation-to-control translation: Policy Packs for the EU AI Act, NIST AI RMF, ISO 42001, SOC 2 and NYC Local Law 144, with intake-based risk classification, fundamental-rights impact assessments and CE-marking support (EU AI Act tooling).

Limits

  • No shipped runtime enforcement — no gateway, in-line guardrails or agent containment as of July 15, 2026; Credo AI's own GAIA GA announcement (May 2026) describes runtime governance ('policy enforcement and intervention at the point of use') as next on its roadmap.
  • SaaS-first: no vendor-documented self-hosted or air-gapped deployment option as of July 15, 2026; third-party sources conflict on private-cloud availability.
  • No public pricing — enterprise quotes only, with no free tier or self-serve evaluation path.
Deployment: SaaS (AWS & Microsoft marketplaces); self-hosting not documentedOpen source: Proprietary (Lens assessment framework archived 2024)Pricing: Enterprise quote only; no free tier or self-serve.

Holistic AI

AI governance platform with audit & red-teaming heritage

Compliance program with audit and red-team heritage

Holistic AI is a London-founded AI governance platform that grew out of algorithm-audit work (NYC Local Law 144 bias audits) into org-wide AI inventory, risk assessment, red-teaming and EU AI Act / ISO 42001 compliance — adding runtime enforcement in 2026 through its Guardian Agents.

Holistic AI pairs EU AI Act, ISO 42001 and NIST AI RMF frameworks (control mapping, gap analysis, evidence collection) with something rarer: a genuine audit practice — NYC Local Law 144 bias audits, DSA audits, conformity assessments — and published jailbreak audits of frontier models. Gartner placed it as a Challenger in the 2026 Magic Quadrant, and its 2026 Guardian Agents feature adds real-time response actions including a kill switch.

The runtime layer is new relative to its GRC core, there is no LLM gateway or FinOps data path, and on-prem options are referenced but thinly documented.

Strengths

  • Deep regulatory coverage: built-in EU AI Act, NIST AI RMF, ISO 42001 and NYC Local Law 144 frameworks with automated control mapping, gap analysis and audit-ready evidence collection (EU AI Act readiness).
  • Genuine audit heritage: a purpose-built NYC Local Law 144 bias-audit practice recognized in the UK government's AI assurance techniques portfolio, plus EU Digital Services Act audits and conformity assessments (GOV.UK listing).
  • Credible red-teaming: publicly published jailbreak audits of frontier models such as Claude 3.7 Sonnet and Grok-3, jailbreak-resistance testing for platform users, and the LLM Decision Hub for evidence-based model selection (published audit).

Limits

  • No documented LLM gateway — no routing, model failover, budgets or traffic-level RBAC as of July 15, 2026; the runtime data path is limited to AI Safeguard input/output filtering and Guardian Agent interventions.
  • No FinOps or cost observability: token-spend tracking, cost attribution and traces are not documented.
  • No agent-building capability — it governs AI built elsewhere, and Guardian Agents are Holistic AI's own governance agents, not customer sandboxing.
Deployment: SaaS; on-premises options referenced for regulated industries (specifics undocumented)Open source: Proprietary (Apache-2.0 companion assessment library)Pricing: Enterprise sales only; no public pricing as of July 15, 2026.

OneTrust AI Governance

AI governance module of a privacy/GRC suite

EU AI Act inside an existing privacy/GRC estate

The AI governance module of the OneTrust privacy/GRC suite: org-wide AI and agent inventory, assessment workflows and EU AI Act compliance automation, plus an SDK-based runtime layer (AI Guard) that OneTrust scopes to development and testing workloads.

For the ~14,000 organizations already running OneTrust for privacy, its AI Governance module is the shortest path to Act readiness: assessment templates with automated control mapping to the EU AI Act, ISO 42001 and NIST AI RMF, automatic risk re-classification when models or data change, and agent discovery across Bedrock, Azure AI Foundry and Vertex AI (GA Spring 2026).

Its runtime story is emerging: AI Guard, the SDK-based blocking layer, is scoped by OneTrust's own docs to development and testing workloads, and broader guardrail enforcement is public preview as of July 15, 2026. SaaS-only, gateway-less — a program tool with runtime ambitions.

Strengths

  • A very large installed base to attach AI governance to: roughly 14,000 customers and a reported ~$500M ARR on the OneTrust privacy/GRC platform (company profile).
  • Deep compliance automation: EU AI Act, ISO 42001 and NIST AI RMF templates with automated control mapping, regulatory updates and automatic risk re-classification when models, data or agents change (EU AI Act solution).
  • Agent Detection across AWS Bedrock, Azure AI Foundry and Google Vertex AI feeding a searchable org-wide agent inventory — generally available in the Spring '26 release (Winter '26 release blog).

Limits

  • AI Guard, the runtime blocking layer, is scoped by OneTrust's own docs to development and testing workloads — 'not recommended for large classification volumes generally seen in externally facing AI applications or agents' — so production-scale runtime enforcement is not documented as of July 15, 2026.
  • No LLM gateway capabilities: model routing, token/cost tracking, rate limiting and model-level RBAC on LLM traffic are not documented as of July 15, 2026.
  • SaaS-only: no self-hosted, customer-VPC or air-gapped deployment of the platform documented.
Deployment: Multi-tenant SaaS; self-hosting not documentedOpen source: Proprietary (AI Guard SDK is Apache-2.0)Pricing: Enterprise quote; AI Governance pricing not published.

IBM watsonx.governance

AI governance & model risk management platform

Bank-grade model risk and EU AI Act at suite scale

IBM's AI governance platform inventories, documents (AI Factsheets), evaluates and monitors ML, generative and agentic AI across any vendor stack, wired into OpenPages-heritage model-risk workflows and compliance accelerators for the EU AI Act, ISO 42001 and NIST AI RMF.

IBM is the Leader pick for heavyweight programs: OpenPages-heritage model-risk workflows banks already trust, AI Factsheets that document models across vendor stacks, EU AI Act / ISO 42001 / NIST AI RMF compliance accelerators, and a Leader position in Gartner's June 2026 Magic Quadrant. Its sovereignty story is unmatched among program tools — SaaS or self-managed on-prem via Cloud Pak for Data, including air-gapped installs.

It does not sit in the request path (no gateway, no in-line blocking), shadow-AI discovery requires the separate Guardium AI Security product, and packaging complexity is a recurring buyer complaint.

Strengths

  • Named a Leader in the first-ever Gartner Magic Quadrant for AI Governance Platforms (June 16, 2026, 13 vendors assessed) (IBM announcement).
  • Automated AI Factsheets and multi-vendor inventory: model and prompt metadata, metrics, health scores and lineage captured across the lifecycle for models on watsonx.ai, SageMaker, Bedrock, Vertex and Azure (model governance page).
  • Unmatched model-risk heritage: OpenPages Model Risk Governance brings SR 11-7-grade workflows — inventory centralization, RCSA, approvals, risk scorecards — that banks already run, extended to generative AI and agents (OpenPages MRG docs).

Limits

  • No in-line AI gateway or runtime traffic enforcement: watsonx.governance does not sit in the request path to broker or block AI traffic; enforcement runs through lifecycle workflows, evaluations and threshold alerts, with runtime blocking delegated to watsonx.ai guardrails or watsonx Orchestrate — separate products.
  • Shadow-AI discovery and AI security metrics require the separate IBM Guardium AI Security product, surfaced in the watsonx.governance console via integration — extra licensing and deployment complexity.
  • No documented FinOps or AI-spend management (token/cost tracking, budget policy), and no agent sandboxing or containment primitives — agentic coverage is monitoring and evaluation.
Deployment: SaaS (IBM Cloud, AWS incl. FedRAMP Moderate GovCloud) or self-managed on-prem via Cloud Pak for Data / Software Hub on OpenShift (air-gap capable)Open source: ProprietaryPricing: Free trial; usage-metered Essentials plan ($0.60 per Resource Unit); Standard and on-prem tiers by quote.

Saidot

Graph-based AI governance SaaS (EU AI Act focus)

Curated EU regulatory knowledge graph

A Finnish AI governance SaaS platform built around a curated knowledge graph of AI risks, controls and policies, used by enterprises and public organisations to manage AI risk and demonstrate EU AI Act, ISO 42001 and NIST AI RMF compliance.

Helsinki-based Saidot encodes the regulatory landscape as a graph — 260+ risks, 620+ controls, 110+ policies, 170+ third-party models — and auto-recommends the ones that apply to each system, agent or dataset you register. Transparency reports publish directly from governance documentation, and native Azure AI Foundry and Bedrock integrations pull in metadata. Gartner placed it as a Niche Player in the 2026 Magic Quadrant.

It is a small company (seed-funded), SaaS-only, and offers no runtime data path — classification and documentation, not enforcement.

Strengths

  • A curated regulatory knowledge graph — 260+ AI risks, 620+ controls, 110+ policies and 170+ third-party AI models — that auto-recommends applicable risks and controls per AI system (Saidot).
  • Strong EU AI Act depth (handbooks, guided classification, transparency reporting) from a Helsinki-based team close to EU regulation (AI Act handbook).
  • Agent-first positioning: governs agents alongside models, systems and datasets in one connected graph, with native metadata integrations for Azure AI Foundry and Amazon Bedrock plus a REST API and webhooks.

Limits

  • No runtime data path: gateway, runtime guardrails and agent containment are not offered as of July 15, 2026.
  • SaaS-only; does not document a self-hosted or air-gapped deployment as of July 15, 2026.
  • Small vendor by disclosed funding (~€1.75M seed) relative to US competitors.
Deployment: SaaS (also via Microsoft commercial marketplace)Open source: ProprietaryPricing: Tiered subscription by features and usage; enterprise pricing via sales.

trail (trail GmbH)

EU AI Act-focused AI governance copilot / GRC automation

Auto-generated technical documentation (DACH)

trail is a Munich-based AI governance platform — a 'copilot for AI governance' — providing an AI use-case registry, guided EU AI Act risk classification and automated technical documentation generated from connected development environments.

Munich-based trail attacks the most tedious high-risk obligation: technical documentation. It connects to development environments, extracts ML metadata and generates — then maintains — the technical files, alongside guided classification and conformity support. For German and wider-DACH teams that want documentation produced from engineering reality rather than written about it, it is the most distinctive tool here.

It is pre-seed-stage (€1.45M), SaaS-only, and has no runtime, discovery or enforcement capability — a focused documentation copilot, not a platform.

Strengths

  • A developer-adjacent differentiator: connects development environments and knowledge sources, extracts ML metadata and auto-generates — and keeps current — EU AI Act technical documentation (documentation product).
  • Deep EU AI Act workflow: guided classification of use cases, high-risk identification, requirement and control mapping, and conformity assessment support; trail claims up to 80% compliance-time savings (EU AI Act page).
  • Governance agents that automate compliance busywork such as vendor screening and audit documentation preparation (product).

Limits

  • Very early stage: a €1.45M pre-seed (July 2024) and small team; enterprise scalability is publicly unproven.
  • No runtime data path: no gateway, runtime guardrails or agent containment documented as of July 15, 2026.
  • No automated shadow-AI discovery — the registry is populated by workflow, not detection.
Deployment: SaaS; self-hosted options not documentedOpen source: ProprietaryPricing: Tiered subscription; amounts not public — sales contact required.

Modulos

AI governance & EU AI Act compliance platform

ISO 42001-certified product, deployable on-prem

Modulos is a Zurich-based AI governance platform that automates risk and compliance workflows for the EU AI Act, ISO/IEC 42001 and NIST AI RMF, with cloud, on-premises and hybrid deployment and an ISO 42001 product-conformity certification.

Zurich-based Modulos holds two cards no other program tool on this page shows: it was the first AI governance platform to achieve ISO 42001 product-conformity certification — the product itself assessed against the standard it helps you meet — and it documents cloud, on-premises and hybrid deployment, so the governance workflow can run inside a regulated perimeter. Framework automation covers the EU AI Act, ISO/IEC 42001 and NIST AI RMF, and a free Starter plan lowers the entry bar.

It remains an early-scale vendor (CHF 8.7M pre-Series A) with no runtime data path and no shadow-AI discovery.

Strengths

  • The first AI governance platform to achieve ISO 42001 product-conformity certification — the product itself, not just the company, has been assessed against the standard (press release).
  • Documented on-premises and hybrid deployment options — rare in the AI-governance GRC category, where SaaS-only is the norm (platform page).
  • Swiss provenance and an EU AI Act focus positioned for European regulated buyers, with framework coverage spanning the EU AI Act, ISO/IEC 42001 and NIST AI RMF.

Limits

  • No runtime data path: no gateway, runtime guardrails or agent containment documented as of July 15, 2026.
  • No org-wide shadow-AI discovery or AI security posture capability documented.
  • Early-scale company (pre-Series A, CHF 8.7M) versus suite vendors such as IBM or OneTrust.
Deployment: Cloud, on-premises or hybrid (air gap not documented)Open source: ProprietaryPricing: Freemium: free Starter plan; paid enterprise tiers quote-based.

Vanta

Compliance-automation platform with AI-framework modules (ISO 42001 / EU AI Act / NIST AI RMF)

Fastest route to ISO 42001 certification

Vanta is a general compliance-automation ('trust management') platform whose AI-relevant scope is dedicated framework products for ISO/IEC 42001, the EU AI Act and NIST AI RMF, with automated evidence collection and cross-framework control reuse — not a dedicated AI governance or runtime AI-control platform.

Vanta approaches the Act from certification: it shipped the first major ISO 42001 framework product (March 2024), holds the certificate itself, and its EU AI Act module reuses evidence collected automatically across 375+ integrations. If the board's instruction is 'get us certified and Act-ready with the tooling we already have', Vanta is the pragmatic answer — third-party reviewers rate its EU AI Act support among the most complete in compliance automation.

It is a certification tool, not an AI-governance operating system: no risk-classification workflow depth, no AI inventory to speak of, no runtime controls, and multi-tenant SaaS only.

Strengths

  • First major compliance-automation vendor to ship an ISO 42001 framework (March 2024), and itself ISO 42001-certified since April 2025 (third-party review).
  • Automated AI-governance evidence collection across 375+ integrations, continuously mapped to ISO 42001 clauses and Annex A controls (ISO 42001 product).
  • Cross-framework reuse: ISO 42001 evidence applies to the EU AI Act, NIST AI RMF, CPS 234 and more, reducing duplicate audit work (ISO 42001 and EU AI Act).

Limits

  • A certification and audit-readiness tool, not an AI-governance operating system: no AI use-case intake, deep EU AI Act risk-classification workflow, model documentation generation or regulator-facing transparency reporting comparable to dedicated platforms.
  • No runtime AI controls of any kind — gateway, guardrails, observability or containment — as of July 15, 2026.
  • Third-party reviews note some EU AI Act / ISO 42001 evidence still requires manual collection despite automation claims.
Deployment: Multi-tenant SaaS; no self-hosted option documentedOpen source: ProprietaryPricing: Quote-based subscription; scales by frameworks and company size.

Questions buyers ask

What changed with the EU AI Act Digital Omnibus?

Under the agreement reached on May 7, 2026, the obligations for high-risk AI systems were rescheduled to phase in from December 2027, with the remainder following in August 2028. The Article 50 transparency obligations — including disclosing to users that they are interacting with an AI system — were not moved and applied from August 2, 2026. Anything published before May 2026 citing an August 2026 high-risk deadline is out of date.

Do I still need EU AI Act software if the deadlines moved to 2027-2028?

The documentation deadlines moved; the discovery problem did not. You cannot classify systems you have not inventoried, and enterprises consistently find inventory-building the slowest phase — connectors, owner assignment, and shadow-AI reconciliation take quarters, not weeks. Transparency obligations are also already live. Starting in 2027 for a December 2027 obligation is how programs end up buying consulting hours instead of software.

Is Kosmoy an EU AI Act compliance tool?

It is one of two kinds. Kosmoy classifies AI systems by risk in a live registry, enforces policy at a gateway, and exports EU AI Act evidence bundles from its logs — the runtime-evidence side of compliance. It does not provide legal workflows: no fundamental-rights impact assessment templates, questionnaire engines or regulator-report designers. Teams that need both typically pair Kosmoy with a program suite such as Credo AI or Saidot.

Which tool is best for ISO 42001 certification?

Vanta, in most cases — it shipped the first major ISO 42001 framework product, automates evidence collection across 375+ integrations, and reuses that evidence for EU AI Act readiness. Modulos is the strongest alternative when the platform itself must be certified (its ISO 42001 product-conformity certification) or must run on-premises. Kosmoy is ISO 42001 aligned — its features map to the standard's controls — but it is not a certification-workflow tool.

Can I run Credo AI or Saidot together with Kosmoy?

Yes, and it is the pairing this page recommends: the program tool holds classifications, assessments and regulator-facing documentation; Kosmoy supplies the operational layer those documents describe — enforced guardrails, gateway logs, inventory state — and exports the evidence the program tool references. There is no data-path conflict because the program tools do not have one.

What does EU AI Act compliance software cost?

Pricing spans a wide range and is mostly quote-based. Free entry points exist — Modulos' Starter plan and trail's online compliance checker — while IBM publishes consumption pricing for its Essentials tier and the suite vendors (Credo AI, OneTrust, Holistic AI) quote per engagement. Kosmoy is an enterprise subscription with no self-service tier. Check each vendor's pricing page; this guide deliberately avoids repeating third-party estimates.


Methodology

Every vendor claim traces to documentation, product pages or analyst material accessed on July 15, 2026 and listed in Sources; capability gaps are phrased as 'not documented as of' that date. Gartner positions cite the June 2026 Magic Quadrant for AI Governance Platforms.

Radar scores are shared across all Kosmoy comparison pages, so a vendor scores identically here and on the AI governance platforms guide. Workflow tools without a runtime data path score 0-2 on gateway, guardrails and containment by rule — that reflects product architecture, not quality. Kosmoy's own radar concedes evals to IBM and Holistic AI and observability to IBM, and its compliance score ties rather than beats the strongest program suites.

All EU AI Act dates on this page reflect the Digital Omnibus agreement of May 7, 2026. Pages published before that date may still show the earlier timeline; ours is verified against the schedule current as of July 15, 2026.

Sources

Every factual claim about another vendor on this page traces to that vendor's own published material or a named third-party source below.

  1. European Commission — Digital Omnibus (AI Act timeline amendments) — accessed July 15, 2026
  2. Kosmoy AI Compliance — EU AI Act, ISO/IEC 42001, NIST AI RMF policy bundles — accessed July 15, 2026
  3. Credo AI EU AI Act tooling — accessed July 15, 2026
  4. IBM named a Leader in the 2026 Gartner Magic Quadrant for AI Governance Platforms — accessed July 15, 2026
  5. Holistic AI — Gartner Magic Quadrant 2026 recognition — accessed July 15, 2026
  6. OneTrust Spring '26 release notes (AI Guardrail Enforcement public preview) — accessed July 15, 2026
  7. Modulos ISO 42001 product-conformity certification — accessed July 15, 2026
  8. Vanta EU AI Act product page — accessed July 15, 2026
  9. trail EU AI Act workflow — accessed July 15, 2026
  10. Kosmoy Platform — accessed July 15, 2026
  11. Kosmoy AI Gateway — accessed July 15, 2026
  12. Kosmoy Action Capsule — accessed July 15, 2026
  13. Credo AI homepage — accessed July 15, 2026
  14. GAIA general availability announcement (May 13, 2026 — runtime-governance roadmap statement) — accessed July 15, 2026
  15. Credo AI Agent Registry — accessed July 15, 2026
  16. Forrester Wave: AI Governance Solutions, Q3 2025 — Credo AI named a Leader (Businesswire) — accessed July 15, 2026
  17. Gartner Magic Quadrant for AI Governance Platforms 2026 — Credo AI recognition page — accessed July 15, 2026
  18. Credo AI Python SDK launch (January 2026) — accessed July 15, 2026
  19. WorkOS — Credo AI runtime-gap analysis (third party) — accessed July 15, 2026
  20. AWS Marketplace listing (SaaS) — accessed July 15, 2026
  21. Holistic AI homepage — accessed July 15, 2026
  22. Holistic AI Governance Platform — accessed July 15, 2026
  23. Guardian Agents product page — accessed July 15, 2026
  24. Gartner Market Guide for Guardian Agents — Representative Vendor (March 2026) — accessed July 15, 2026
  25. EU AI Act Readiness Assessment — accessed July 15, 2026
  26. Claude 3.7 Sonnet jailbreaking audit — accessed July 15, 2026
  27. GOV.UK AI assurance techniques — Holistic AI NYC bias audits — accessed July 15, 2026
  28. holisticai open-source library (GitHub, Apache-2.0) — accessed July 15, 2026
  29. OneTrust AI Guard docs (developer portal) — accessed July 15, 2026
  30. OneTrust AI Guard FAQ — accessed July 15, 2026
  31. AI Guard SDK (GitHub, Apache-2.0) — accessed July 15, 2026
  32. OneTrust expands AI Governance for real-time AI (press release, March 9, 2026) — accessed July 15, 2026
  33. OneTrust Winter '26 release blog (agent detection, AI inventory analysis) — accessed July 15, 2026
  34. OneTrust EU AI Act compliance solution — accessed July 15, 2026
  35. Gartner Magic Quadrant for AI Governance Platforms (June 2026) — third-party summary — accessed July 15, 2026
  36. OneTrust company profile (customers, ARR) — accessed July 15, 2026
  37. IBM watsonx.governance product page — accessed July 15, 2026
  38. IBM watsonx.governance pricing — accessed July 15, 2026
  39. IBM Docs — model governance with OpenPages Model Risk Governance — accessed July 15, 2026
  40. IBM announcement — agentic AI governance, evaluation and lifecycle — accessed July 15, 2026
  41. IBM announcement — security metrics, agent monitoring and insights in watsonx.governance — accessed July 15, 2026
  42. IBM Think 2026 — from AI governance to AI assurance — accessed July 15, 2026
  43. IBM Newsroom — FedRAMP authorization of 11 solutions incl. watsonx (April 1, 2026) — accessed July 15, 2026
  44. IBM Docs — installing watsonx.governance on Cloud Pak for Data / Software Hub 5.1.x — accessed July 15, 2026
  45. IBM announcement — Agentic Control Plane in watsonx Orchestrate (June 2026) — accessed July 15, 2026
  46. Saidot homepage — accessed July 15, 2026
  47. Saidot product page — accessed July 15, 2026
  48. Saidot pricing page — accessed July 15, 2026
  49. Microsoft marketplace listing (AI Governance by Saidot) — accessed July 15, 2026
  50. Vivicta–Saidot partnership press release (Feb 2026) — accessed July 15, 2026
  51. trail product page — accessed July 15, 2026
  52. trail automated documentation page — accessed July 15, 2026
  53. Pre-seed round coverage (EU-Startups, July 2024) — accessed July 15, 2026
  54. FPT Software collaboration announcement — accessed July 15, 2026
  55. Modulos AI Governance Platform — accessed July 15, 2026
  56. CHF 8.7M pre-Series A (startupticker.ch, July 2025) — accessed July 15, 2026
  57. Free Starter plan launch (EIN Presswire, Jan 2025) — accessed July 15, 2026
  58. Vanta ISO 42001 product page — accessed July 15, 2026
  59. Vanta NIST AI RMF product page — accessed July 15, 2026
  60. Third-party review of Vanta's ISO 42001 / EU AI Act support (aiactindex.eu) — accessed July 15, 2026
  61. Vanta $150M Series D (Business Wire, July 2025) — accessed July 15, 2026

Shortlisting for a regulated environment?

Kosmoy puts an inventory, a policy gateway and a containment sandbox around every AI your teams run — in your own Kubernetes.

Or email sales@kosmoy.com.