Methodology
How EAU researches vendor AI features
EAU is an information product. It aggregates publicly available research on AI vendor feature behaviour and EU regulatory requirements, structured so enterprise deployers can understand their exposure at a glance.
EAU is not a compliance advisor and does not provide legal services. Nothing on this site constitutes legal advice or a compliance determination for your organisation.
What we assess
EAU focuses on AI features deployed by enterprise software vendors in organisational contexts — specifically features that may constitute high-risk AI systems under Annex III of the EU AI Act. Current coverage prioritises workforce and HR AI categories, which are most immediately relevant to enterprise deployers. Full Annex III coverage is in progress.
For each feature we record:
- Default state — whether the feature is on, off, or opt-in when a customer first enables the product
- Risk classification — our independent assessment against the applicable Annex III category
- Obligation gap — the specific deployer obligations triggered if the feature is active
- Admin path — where in the vendor admin console the feature can be reviewed or disabled (where verified from public documentation)
What “not publicly documented” means
EAU only surfaces what is verifiable from public sources. When we cannot find public documentation for a feature behaviour, we record a documentation gap — not an assertion that the documentation does not exist. Vendors routinely maintain internal documentation, support articles, and contractual commitments that we cannot access.
A documentation gap finding means: this information is not accessible from publicly available sources at the time of our last assessment. It is not a statement about what the vendor does or does not do internally.
Vendors who believe a gap finding is addressable by public documentation are encouraged to submit a correction. See the correction process below.
Source tiers
Every finding is grounded in at least one source, tiered by reliability. The tier is visible on every source record so you can calibrate how much weight to place on each finding.
Tier 1
Official vendor documentation accessed directly. This includes trust centers, responsible AI pages, published product docs, release notes, and conformity assessments. Most reliable — the vendor controls and maintains this content.
- Vendor trust centers and responsible AI pages
- Vendor published product documentation (help.*, docs.*)
- Official release notes and changelogs
- EU AI Act conformity assessments or GPAI model cards published by the vendor
Tier 2
Third-party sources that reference vendor behaviour. Reliable with context — the vendor did not author this material directly.
- Third-party bias audit reports (e.g. NYC Local Law 144 audits)
- Academic studies with verifiable methodology
- Analyst reports and press releases citing specific feature behaviour
- Regulatory guidance documents referencing specific vendor features
Tier 3
Inferred from public product marketing, comparable vendor behaviour, or structural product characteristics. Explicitly marked as inference. These findings should be independently verified before acting on them.
- Feature behaviour inferred from API documentation or SDK behaviour
- Extrapolated from related features with Tier 1 or Tier 2 evidence
- Inferred from comparable vendor behaviour in the same product category
Confidence levels
Each finding carries a confidence level that reflects the strength and recency of our evidence.
Tier 1 source with explicit confirmation of the feature behaviour, reviewed within the last 90 days. The default state and risk classification have been directly confirmed from vendor-controlled documentation.
Tier 2 sources, or Tier 1 without an explicit confirmation of the specific behaviour (e.g. the doc confirms the feature exists but not its default state). The classification is probable but not directly confirmed.
Tier 3 only, or no public sources found yet. The finding represents our current research state — the behaviour may exist but we have not located public documentation confirming it. Should not be relied on without independent verification.
What we don’t assess
EAU is deliberately scoped to what public research can reliably support. We do not:
- Determine whether your organisation is compliant with the EU AI Act or any other regulation. That determination requires legal expertise and context about your specific deployment that EAU does not have.
- Score vendors as compliant or non-compliant. EAU surfaces feature behaviour and obligation exposure — not a verdict. Two organisations deploying the same vendor feature may have different compliance positions.
- Provide legal advice. Nothing on this site is legal advice. Consult qualified legal counsel for compliance decisions.
- Access vendor admin consoles, internal documentation, or non-public agreements. Our research is bounded by what is publicly accessible.
- Cover standalone consumer AI tools, AI infrastructure providers, or model APIs. EAU focuses on enterprise software vendors deploying AI features in customer environments.
How we source findings
For each finding, we work through this hierarchy and stop at the first method that returns meaningful content. The method used is recorded on every source record.
Vendor trust center
Checked first. Trust centers (trust.vendor.com, /trust, /responsible-ai, /security) are the most compliance-relevant source — they often contain explicit AI feature defaults, opt-in/opt-out controls, data training policies, and bias audit commitments.
API or structured feed
RSS, Atom, or JSON changelogs. Machine-readable, low maintenance. Used for high-frequency monitoring of vendor release notes.
Static web fetch
Used when no trust center or feed exists. Content is meaningful when it returns substantive text. Known vendor help doc domains are whitelisted for Tier 1 treatment.
Playwright headless render
Required when the target URL is a JavaScript SPA that returns an empty shell to a static fetch. Used for Conveyor, SafeBase, and similar trust centre platforms.
Gated — flagged as documentation gap
When a page reveals a login wall, registration gate, or NDA requirement. The finding is flagged as a documentation gap. This does not mean the documentation doesn't exist — only that it is not publicly accessible.
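The walk through this hierarchy can be sketched as follows. This is an added example, not EAU's own pipeline code: it works on response bodies that have already been fetched, and the method labels, the 40-word threshold for "substantive text" and the password-field test for a login wall are all assumptions made for illustration.

```python
from html.parser import HTMLParser

# Order follows the hierarchy above; the method labels are hypothetical.
HIERARCHY = ["trust_center", "feed", "static_fetch", "headless_render"]
MIN_WORDS = 40  # assumed threshold for "substantive text"; the page gives none

# Constructed sample bodies: a JavaScript shell, a rendered page, a login wall.
SPA_SHELL = ('<html><head><script src="/app.js"></script></head><body>'
             '<div id="root"></div><noscript>Enable JavaScript.</noscript></body></html>')
RENDERED = ("<html><body><h1>AI features</h1><p>" + "The assistant feature is disabled "
            "by default and an administrator must opt in. " * 4 + "</p></body></html>")
LOGIN = '<html><body><form><input type="password" name="pw">Sign in</form></body></html>'

class _Visible(HTMLParser):
    """Counts visible words and notes password fields (a login-wall signal)."""
    def __init__(self):
        super().__init__()
        self.words, self.skip, self.password = 0, 0, False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style", "noscript"):
            self.skip += 1
        if tag == "input" and dict(attrs).get("type") == "password":
            self.password = True

    def handle_endtag(self, tag):
        if tag in ("script", "style", "noscript") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.words += len(data.split())

def classify(body):
    """Return 'meaningful', 'gated' or 'empty' for one fetched body."""
    parser = _Visible()
    parser.feed(body or "")
    if parser.password:
        return "gated"
    return "meaningful" if parser.words >= MIN_WORDS else "empty"

def resolve(fetched):
    """Walk the hierarchy and stop at the first method with meaningful content."""
    gated = False
    for method in HIERARCHY:
        verdict = classify(fetched.get(method, ""))
        if verdict == "meaningful":
            return {"method": method, "documentation_gap": False}
        gated = gated or verdict == "gated"
    return {"method": "gated" if gated else None, "documentation_gap": True}
```

A static fetch that returns only the empty shell falls through to the headless render, and a body that exposes nothing but a login form ends as a documentation gap rather than a finding about the vendor.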
Update process
AI vendor features change frequently. EAU monitors publicly accessible vendor documentation for changes. Every finding is stamped with an “EAU last assessed” date reflecting when a researcher last reviewed the relevant sources.
Findings are automatically flagged as stale when the last verified date exceeds 90 days. Stale findings remain published but are visually marked — treat them with additional caution until re-verified.
Re-verification cadence: All findings are scheduled for full re-verification on a 90-day cycle. High-risk findings are re-verified every 30 days. When a vendor publishes a relevant release note or documentation change, affected findings are queued for immediate review.
EAU research may lag vendor product changes. When a vendor updates a feature, there is typically a gap between the change and our re-assessment. We disclose our last assessed date precisely so you can account for this.
Vendor corrections
If you are a vendor and believe a finding is inaccurate or incomplete, EAU welcomes corrections. The process is the same regardless of whether you are a vendor, analyst, or any other party.
- Submit a correction with the finding name, the specific claim you believe is incorrect, and a link to your public documentation that addresses it.
- We will acknowledge within 2 business days.
- We will review and publish a correction or reasoned rebuttal within 5 business days of receiving sufficient evidence.
- All corrections are logged in the finding’s audit record with the original classification preserved.
Vendor submissions do not receive expedited review. EAU does not accept payment from vendors for classification, editorial review, or preferential placement. No vendor has access to classifications before publication.
Independence
EAU is funded entirely by subscription revenue from deploying organisations — the people whose interests are served by accurate, independent intelligence. No vendor relationship influences classification.
- Trust-center-first sourcing pipeline — 47 vendor trust centers discovered and mapped
- Source integrity overhaul — all sources require a live URL fetch with verbatim excerpt in the same session
- Documentation gap tracking — findings without a public source are flagged and queued for vendor questionnaire outreach
- Source pipeline and methodology now publicly documented
- Multi-framework support — EU AI Act and NIS2 in one platform
- Deployment context layer — organisations can record their own deployment status
- Methodology versioning — every finding now carries the methodology version under which it was classified
- Initial release — EU AI Act heatmap covering 89 vendors and 176 AI features
- Three-tier evidence rubric
- Deployer obligation gap per finding