Methodology

How EAU researches vendor AI features

EAU is an information product. It aggregates publicly available research on AI vendor feature behaviour and EU regulatory requirements, structured so enterprise deployers can understand their exposure at a glance.

EAU is not a compliance advisor and does not provide legal services. Nothing on this site constitutes legal advice or a compliance determination for your organisation.

What we assess

EAU focuses on AI features deployed by enterprise software vendors in organisational contexts — specifically features that may constitute high-risk AI systems under Annex III of the EU AI Act. Current coverage prioritises workforce and HR AI categories, which are most immediately relevant to enterprise deployers. Full Annex III coverage is in progress.

For each feature we record:

  • Default state — whether the feature is on, off, or opt-in when a customer first enables the product
  • Risk classification — our independent assessment against the applicable Annex III category
  • Obligation gap — the specific deployer obligations triggered if the feature is active
  • Admin path — where in the vendor admin console the feature can be reviewed or disabled (where verified from public documentation)

What “not publicly documented” means

EAU only surfaces what is verifiable from public sources. When we cannot find public documentation for a feature behaviour, we record a documentation gap — not an assertion that the documentation does not exist. Vendors routinely maintain internal documentation, support articles, and contractual commitments that we cannot access.

A documentation gap finding means: this information is not accessible from publicly available sources at the time of our last assessment. It is not a statement about what the vendor does or does not do internally.

Vendors who believe a gap finding is addressable by public documentation are encouraged to submit a correction. See the correction process below.

Source tiers

Every finding is grounded in at least one source, tiered by reliability. The tier is visible on every source record so you can calibrate how much weight to place on each finding.

Tier 1: Vendor documentation

Official vendor documentation accessed directly. This includes trust centers, responsible AI pages, published product docs, release notes, and conformity assessments. Most reliable — the vendor controls and maintains this content.

  • Vendor trust centers and responsible AI pages
  • Vendor published product documentation (help.*, docs.*)
  • Official release notes and changelogs
  • EU AI Act conformity assessments or GPAI model cards published by the vendor

Tier 2: Secondary sources

Third-party sources that reference vendor behaviour. Reliable with context — the vendor did not author this material directly.

  • Third-party bias audit reports (e.g. NYC Local Law 144 audits)
  • Academic studies with verifiable methodology
  • Analyst reports and press releases citing specific feature behaviour
  • Regulatory guidance documents referencing specific vendor features

Tier 3: Analyst inference

Inferred from public product marketing, comparable vendor behaviour, or structural product characteristics. Explicitly marked as inference. These findings should be independently verified before acting on them.

  • Feature behaviour inferred from API documentation or SDK behaviour
  • Extrapolated from related features with Tier 1 or Tier 2 evidence
  • Inferred from comparable vendor behaviour in the same product category

Confidence levels

Each finding carries a confidence level that reflects the strength and recency of our evidence.

Verified

Tier 1 source with explicit confirmation of the feature behaviour, reviewed within the last 90 days. The default state and risk classification have been directly confirmed from vendor-controlled documentation.

Likely

Tier 2 sources, or Tier 1 without an explicit confirmation of the specific behaviour (e.g. the doc confirms the feature exists but not its default state). The classification is probable but not directly confirmed.

Not yet sourced

Tier 3 only, or no public sources found yet. The finding represents our current research state — the behaviour may exist but we have not located public documentation confirming it. Should not be relied on without independent verification.

What we don’t assess

EAU is deliberately scoped to what public research can reliably support. We do not:

  • Determine whether your organisation is compliant with the EU AI Act or any other regulation. That determination requires legal expertise and context about your specific deployment that EAU does not have.
  • Score vendors as compliant or non-compliant. EAU surfaces feature behaviour and obligation exposure — not a verdict. Two organisations deploying the same vendor feature may have different compliance positions.
  • Provide legal advice. Nothing on this site is legal advice. Consult qualified legal counsel for compliance decisions.
  • Access vendor admin consoles, internal documentation, or non-public agreements. Our research is bounded by what is publicly accessible.
  • Cover standalone consumer AI tools, AI infrastructure providers, or model APIs. EAU focuses on enterprise software vendors deploying AI features in customer environments.

How we source findings

For each finding, we work through this hierarchy and stop at the first method that returns meaningful content. The method used is recorded on every source record.

1. Vendor trust center

Checked first. Trust centers (trust.vendor.com, /trust, /responsible-ai, /security) are the most compliance-relevant source — they often contain explicit AI feature defaults, opt-in/opt-out controls, data training policies, and bias audit commitments.

2. API or structured feed

RSS, Atom, or JSON changelogs. Machine-readable, low maintenance. Used for high-frequency monitoring of vendor release notes.

3. Static web fetch

Used when no trust center or feed exists. Content is meaningful when it returns substantive text. Known vendor help doc domains are whitelisted for Tier 1 treatment.

4. Playwright headless render

Required when the target URL is a JavaScript SPA that returns an empty shell to a static fetch. Used for Conveyor, SafeBase, and similar trust centre platforms.

5. Gated — flagged as documentation gap

When a page reveals a login wall, registration gate, or NDA requirement. The finding is flagged as a documentation gap. This does not mean the documentation doesn't exist — only that it is not publicly accessible.

Update process

AI vendor features change frequently. EAU monitors publicly accessible vendor documentation for changes. Every finding is stamped with an “EAU last assessed” date reflecting when a researcher last reviewed the relevant sources.

Findings are automatically flagged as stale when the last verified date exceeds 90 days. Stale findings remain published but are visually marked — treat them with additional caution until re-verified.

Re-verification cadence: All findings are scheduled for full re-verification on a 90-day cycle. High-risk findings are re-verified every 30 days. When a vendor publishes a relevant release note or documentation change, affected findings are queued for immediate review.

EAU research may lag vendor product changes. When a vendor updates a feature, there is typically a gap between the change and our re-assessment. We disclose our last assessed date precisely so you can account for this.

Vendor corrections

If you are a vendor and believe a finding is inaccurate or incomplete, EAU welcomes corrections. The process is the same regardless of whether you are a vendor, analyst, or any other party.

  1. Submit a correction with the finding name, the specific claim you believe is incorrect, and a link to your public documentation that addresses it.
  2. We will acknowledge within 2 business days.
  3. We will review and publish a correction or reasoned rebuttal within 5 business days of receiving sufficient evidence.
  4. All corrections are logged in the finding’s audit record with the original classification preserved.

Vendor submissions do not receive expedited review. EAU does not accept payment from vendors for classification, editorial review, or preferential placement. No vendor has access to classifications before publication.

Independence

EAU is funded entirely by subscription revenue from deploying organisations — the people whose interests are served by accurate, independent intelligence. No vendor relationship influences classification.

v2.1 (May 2026)
  • Trust-center-first sourcing pipeline — 47 vendor trust centers discovered and mapped
  • Source integrity overhaul — all sources require a live URL fetch with verbatim excerpt in the same session
  • Documentation gap tracking — findings without a public source are flagged and queued for vendor questionnaire outreach
  • Source pipeline and methodology now publicly documented

v2.0 (May 2026)
  • Multi-framework support — EU AI Act and NIS2 in one platform
  • Deployment context layer — organisations can record their own deployment status
  • Methodology versioning — every finding now carries the methodology version under which it was classified

v1.0 (April 2026)
  • Initial release — EU AI Act heatmap covering 89 vendors and 176 AI features
  • Three-tier evidence rubric
  • Deployer obligation gap per finding