Regulatory Disclosure

This page documents Bukti's current posture on relevant regulatory frameworks. It is not legal advice. Bukti's regulatory posture will be reviewed with qualified counsel before any deployment in regulated hiring contexts.


EU AI Act — Article 14 (high-risk AI systems)

The EU AI Act (Regulation 2024/1689, effective August 2026 for most provisions) defines certain AI systems as "high-risk" under Annex III. Systems used for "employment, workers management and access to self-employment" are included in Annex III, Category 4.

Is Bukti a high-risk AI system under the EU AI Act?

Bukti is a capability evidence aggregation and scoring platform. Its outputs (tier labels, evidence scores, provenance chains) may be used as inputs to employment decisions. Whether Bukti itself constitutes a "high-risk AI system" under the Act, or whether the obligation falls on employers who use Bukti's outputs, depends on the deployment context and is a question for legal counsel.

What Bukti does to prepare for Article 14 compliance (human oversight requirement):

Article 14 requires that high-risk AI systems be designed with human oversight measures that allow authorized persons to monitor, understand, and intervene in the AI system's operation.

Bukti's current implementation addresses this requirement through:

  1. Structured tier rationale. Every entity-capability pair includes a structured human-readable explanation of why the tier was assigned (which row of the joint matrix, which specific thresholds were or were not met). This is the adverse-action disclosure mechanism. It gives the human decision-maker the information needed to evaluate and override the system's output.

  2. Provenance chain accessibility. A per-capability provenance endpoint exposes the full VOI chain underlying any score, enabling human review of individual evidence items.

  3. calibrated: false flag. All responses disclose current calibration status, providing human reviewers with the system's own assessment of its epistemic limitations.

  4. Reliability diagrams (planned). Once calibration data from the first pilot cohort is available, Bukti will publish reliability diagrams per evidence type per cluster. These are the standard regulatory artifact for demonstrating calibration under Article 14.


EEOC four-fifths rule — disparate impact analysis

Under US Title VII and the EEOC's Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607), selection procedures must be validated for predictive validity and must not produce disparate impact on protected groups without demonstrated job-relatedness.

Before any regulated-hiring deployment, Bukti will conduct a disparate-impact analysis using pilot data. The analysis will compute tier assignment rates broken down by demographic group (where pilot data permits) and will test whether the four-fifths rule is satisfied: the selection rate for any group must not be less than 80% of the selection rate for the highest-rate group.

No disparate-impact analysis has been conducted yet. The weights and thresholds are derived from the predictive-validity literature (Sackett 2022, Arthur 1998), which itself has limitations in demographic representativeness. Until that analysis is complete, Bukti should not be used as a sole or primary determinant in hiring decisions in US employment contexts where disparate-impact analysis would be required.

Structural mitigants already in place:

  • The identity-grade requirement for the "Verified" tier is a content-neutral procedural gate (it requires OIDC account binding, not demographic characteristics). This reduces the risk that the Verified tier is systematically withheld from specific demographic groups due to differential OIDC account adoption.
  • Evidence weights are grounded in general-population predictive-validity coefficients (Sackett 2022), not weights derived from a proprietary model trained on a particular company's hiring outcomes.

FCRA-style adverse action — tier rationale

The Fair Credit Reporting Act (15 USC §1681 et seq.) requires that when a consumer report is used in a decision that adversely affects a person, the affected person must receive notification including the specific factor(s) that adversely affected the decision.

Bukti is not a consumer reporting agency and Bukti's outputs are not "consumer reports" under FCRA. However, the adverse-action principle is sound policy: a person who is not "Verified" should be able to understand why, in plain language, without being told only "your score was insufficient."

The structured tier-rationale field implements this principle: every API response and MCP tool response includes a plain-language string explaining the tier assignment. End-user-facing products built on Bukti should surface this string when a user asks "why am I not Verified?" The string is generated deterministically from the joint matrix and is not an LLM-generated explanation — it is grounded directly in the formula.