HookBus Enterprise is the same Apache 2.0 bus, plus the Enterprise dashboard, the compliance subscriber bundle regulated enterprises actually need, commercial-use licence, SLA, dedicated support, and regulatory updates as the EU AI Act, DORA, and NIS2 evolve.
EU AI Act high-risk obligations enforce 2 August 2026. Fine ceiling €15 million or 3% of global annual turnover under Article 99. Each obligation in our coverage table maps to a named subscriber, deployed on-premise, in your VPC, or air-gapped.
Eight checkpoints in one pipeline: CRE-AgentProtect Enterprise, Auditor, DLP Filter, KB Injector, Session Memory, Workflow, Agent Delegated Approval, and Compliance Notifier. One contract, one SLA, one escalation path. Each obligation in the coverage table below maps to a named subscriber in the bundle. Pick the ones you need, turn the others off.
Returns approve or deny on every tool call. Escalates to ask only when a rule requires human approval. Two-layer policy engine: L1 deterministic sub-10ms + L2 Granite LLM intent reasoning. The flagship enforcement subscriber.
SHA-256 hash-chained SQLite log of every agent lifecycle event. Tamper-evident via chain verification. CSV export per date range. Produces the event-level record your SOC 2 Type II, ISO/IEC 42001, or EU AI Act Article 12 evidence pack is built on.
Redacts API keys (OpenAI, Anthropic, AWS, GitHub PAT, bearer tokens, private keys), PII (UK NI, email, UK phone), financial data (credit card, IBAN), and infrastructure strings (connection strings, private IPs). 15 curated regex patterns. Bidirectional on tool_input and tool_result. Allowlist and ignore-pattern configurable.
Injects organisation-specific policy, compliance, and context packages into every prompt before it reaches the LLM. Rule-authoring UI. Deterministic matching. Sub-millisecond overhead.
Cross-session context recall with per-agent isolation and per-team retention. Dual sync and async subscriber. Postgres-backed. Audit-trail linked so memory recall itself is an auditable event.
Batch approval queue for high-risk actions emitted by AI systems. Holds state durably while a human reviews. Hash-chained approval audit. Two-person verification with distinct-actor enforcement for biometric and financial controls.
Optional subscriber for cases where a human process owner delegates an approval review to a trusted AI agent. Records the handoff, recommendation, authority boundary, and final workflow decision as runtime evidence.
Async observer that watches the bus for incident-shaped events, dispatches operational alerts (Slack, email, PagerDuty), and generates regulator-format incident reports with deadline countdown clocks.
High-risk AI obligations enforce on 2 August 2026. The Enterprise bundle maps to specific articles by design. Where coverage is on the roadmap rather than shipping, we say so.
| Regulation | Obligation | Covered by |
|---|---|---|
| EU AI Act Art 12 | Automatic record-keeping over system lifetime | ShippingAuditor |
| Art 14(1)-(3) | Human oversight design | ShippingCRE-AgentProtect Enterprise · Aug 2026Workflow |
| Art 14(4)(d) | Decide not to use, disregard, override AI output | ShippingCRE-AgentProtect Enterprise (override via ask, edit before approve) |
| Art 14(4)(e) | Intervene or interrupt | ShippingCRE-AgentProtect Enterprise · Aug 2026Workflow |
| Art 14(5) | Biometric ID two-person verification (publicly accessible spaces) | Aug 2026Workflow |
| Art 19 | Provider keeps logs ≥ 6 months | Aug 2026Auditor (retention pack) |
| Art 20(2) | Duty to inform authorities of corrective action | Aug 2026Compliance Notifier |
| Art 26(5) | Deployer monitors operation, suspends if risk | Aug 2026Compliance Notifier |
| Art 26(6) | Deployer keeps logs ≥ 6 months | Aug 2026Auditor (deployer mode) |
| Art 50 | Transparency obligations (AI labelling, deepfake watermarks) | Aug 2026Transparency subscriber |
| Art 72 | Provider operates post-market monitoring system | Aug 2026Post-market Monitor |
| Art 73 | Serious incident reporting (15 days, 2 days fatal) | Aug 2026Compliance Notifier |
| Art 79 | Procedure for AI presenting a risk | Aug 2026Compliance Notifier |
| DORA Art 19 | ICT incident reporting (financial services, 4-hour initial) | Aug 2026Compliance Notifier |
| NIS2 Art 23 | Significant incident notification (24-hour) | Aug 2026Compliance Notifier |
HookBus Enterprise is the same Apache 2.0 bus that HookBus Light runs. The differentiation lives in the compliance subscriber bundle, the Enterprise dashboard, the commercial-use licence, the support contract, and the regulatory updates that come with it.
Every target environment a regulated buyer will ask for, supported at day one. No architecture detour required. The product was built for this.
Runs entirely inside your data centre. No outbound connections required for decisions.
Deploys into your AWS, Azure, or GCP VPC. Private subnets only. No public endpoint required.
Both L1 and L2 decisions run locally. Granite 4 runs on CPU or your own GPU. Works fully offline.
Events, memory, audit chain, policy packs all stay where you put them. No telemetry calls home.
Agentic Thinking Limited does not currently hold third-party compliance certifications. The products are built to the evidence standards that SOC 2 Type II, ISO/IEC 42001, and EU AI Act Article 12 require, so customers can adopt them inside their own compliance programmes today. Full security posture documentation is available under NDA. See the Trust Center.
One demo, 30 minutes. With your CISO, DPO, and Head of AI Governance on the call. You see which workflows trigger Article 14 human-oversight obligations, which carry Article 73 serious-incident reporting exposure, and which subscriber in the bundle covers each. Call for details.