++++
ART.9–15 · DEC 2027

Compliance evidence is not a
spreadsheet you fill before an audit.

Incomplete AI inventory. Basic evidence trail. Ten engineering teams running AI in production. Mima scans your codebase, maps every AI call site to four frameworks, and gives you a readiness score to show your CISO in minutes.

For your GRC team: no terminal required.
For your engineers: a CI test they already understand.

Connect GitHub — Get your scoreRead-only. No code stored.
30 min. Leave with a readiness score.
~3m
to first readiness score
4
frameworks mapped per call
100+
controls continuously tracked
WORKS WITH
OpenAI
Anthropic
LiteLLM
+ Gemini, Mistral, Bedrock via LiteLLM
EU AI ActISO 42001SOC 2NIST AI RMF
GOVERNANCE READINESS
++++
BEFORE MIMA

You walked in on day one to gaps.

Incomplete AI inventory. Basic evidence trail. You opened a spreadsheet and started asking engineering managers to fill in columns. Two weeks later you still don't know how many AI systems are in production or what any of them do with user data.

THE EVIDENCE GAP

There is no screenshot that proves oversight happened.

For human oversight decisions, pre-approval gates, prompt version changes — there is no screenshot you could take of those. Code-native evidence is the only kind possible. An email thread doesn't satisfy Article 13. A meeting note doesn't satisfy ISO 42001 A.6.2.

WITH MIMA

The right answer: a number, a gate, and a chain of custody.

With Mima, you say: EU AI Act 67%, gates passing, last evidence record 2 hours ago. Here is the signed audit pack. The chain is cryptographically verifiable. The auditor can dispute the findings; they cannot dispute the maths.

THE DEADLINE

High-risk AI system obligations: December 2027.

Article 5 prohibited practices — enforceable since February 2025. Articles 9–15 for high-risk AI systems — December 2027 (extended 16 months from the original August 2026 date). Annex III full scope also December 2027. The right time to build the evidence chain is before the auditor arrives.

++++

Three steps. No configuration.

Connect GitHub. We scan. You get a readiness score to show your CISO in 30 minutes.

01

Connect

GitHub OAuth. Two clicks. Read-only access — nothing written to your repo.

02

Scan

Every AI library call mapped to compliance controls across EU AI Act, ISO 42001, SOC 2, and NIST AI RMF. Time scales with repo size.

03

Score

Readiness percentage. Real data from your codebase. Share the link with your CISO.

++++

For human oversight decisions —
there is no screenshot you could take.

Code-native evidence is the only kind possible for those controls. An email thread doesn't satisfy Article 13. A meeting note doesn't satisfy ISO 42001 A.6.2.

SCREENSHOT-BASED "EVIDENCE"
From: alice@company.com · Jun 15

"Hi team, we reviewed the model on June 15 and it looked fine. No issues found."

Unverifiable
No controls mapped
Auditor can dispute
Not linked to production code
MIMA EVIDENCE RECORD
{
  record_type: "human_oversight",
  system_name: "inference-service",
  payload: {
    reviewer: "alice@company.com",
    decision: "approved",
    reviewed_at: "2026-06-21T14:32:07Z"
  },
  mapped_controls: [
    "EUAIA_ART13", "EUAIA_ART14",
    "ISO42001_A6_2"
  ],
  merkle_hash: "0x7fa3b...d2c1",
  signed: true
}
Cryptographically signed
3 controls mapped
Chain-of-custody intact
Verifiable by auditor

One is evidence. One is a screenshot.

++++

Works with the tools you already use.
Fills the gaps they can't.

Your existing tools handle:
HR training records
IT security policies
Penetration test reports
Physical access control
Network vulnerability scans
Mima handles:
Human oversight of AI decisions
Model drift events
Training data governance
Pre-approval gates on high-risk AI actions
Third-party AI vendor due diligence
Signed audit packs
The gap this fills:
The controls that didn't exist when your current tools were designed.
Because the AI systems those controls apply to didn't exist yet either.
YOUR EXISTING TOOLS
Prove your governance
process exists.
MIMA
Prove your AI systems
actually followed it.
++++

Three kinds of coverage.
Clearly labelled.

The dashboard never conflates what an auditor will accept with what's indicative. That distinction is the product's integrity.

Code-attested

Evidence from code

Produced by your instrumentation. Earns controls. Highest compliance weight. This is what an auditor signs off on.

@mima.attest("loan-scorer")
mima push human_oversight
require_approval(action="approve")
Inferred

Estate scan signal

Derived from AST discovery. Gives you day-1 visibility. Labelled "indicative only" — upgrade with SDK calls to earn the control.

estate_auto discovery
AST scan: openai.chat detected
Upgrade → @mima.attest()
Evidenced elsewhere

Out of scope

Access reviews, HR training, physical security controls. These belong in your existing GRC tool. Mima works alongside it — doesn't replace it.

→ Vanta: SOC 2 access reviews
→ Drata: security awareness training
→ Your GRC tool: physical controls

Why this matters: Most compliance tools silently treat all three categories as equivalent. A GRC manager who submits an inferred score as if it were attested evidence is exposed the moment an auditor asks for the underlying records. Mima's three-way split makes that distinction visible and unavoidable.

++++

One evidence record.
Multiple frameworks satisfied.

Every record maps across whichever frameworks it's relevant to, automatically. No manual framework-by-framework work.

Control mapping — what each record type evidences
Article and control citations from the actual mapping code
RECORD TYPEEU AI ACTISO 42001SOC 2NIST AI RMF
ai_risk_assessmentART9ART11A.6.1A.9.1CC3.1CC3.2GOV.1MAP.1
human_oversightART13ART14A.6.2A.6.6GOV.1
model_evaluationART9ART15A.6.3A.9.2CC3.2MEA.1
training_data_governanceART10A.5.4A.6.5MAP.1
incident_reportART73A.3.2CC7.3CC7.4MNG.1
model_drift_eventART9ART72A.6.4CC4.1CC4.2MEA.2
++++

Governance becomes a green/red test.

Your trust lead sent you here. Here's what they need from you — and why it's not overhead.

Pythonapp.py
from mima_governance import MimaGovernance
from mima_governance.integrations import LangfuseAdapter

mima = MimaGovernance(api_key="mima_ext_...")

# One decorator = one evidence record
@mima.attest("human_oversight", system_name="inference-service")
def run_inference(prompt: str):
    return client.chat.completions.create(...)

# Langfuse/DeepEval traces → compliance evidence
adapter = LangfuseAdapter(mima_client=mima)
# Every eval run maps to controls automatically
mima gates check
$ mima gates check
 
CERTIFICATION READINESS · threshold: 60% · workspace: a8f3d2b1…
EU AI Act67%████████████░░░░░░✓ pass
ISO 4200158%██████████░░░░░░░░✗ fail
SOC 2 Type II72%█████████████░░░░░✓ pass
NIST AI RMF45%████████░░░░░░░░░░✗ fail
 
Overall: 60% · weakest link: NIST AI RMF
 
QUICKEST WINS
+4 controls mima push ai_risk_assessment
+3 controls mima push human_oversight
+2 controls mima push model_evaluation

Same mechanic as a failing test.

FRAMEWORKSLangChainLlamaIndexAutoGenCrewAI
EVAL + OBSERVABILITYdeepevalLangfuseOpenTelemetry
++++

7 days free to try

Starter covers evidence writes and CI gates for small teams. Pro adds questionnaire automation (DDQ, SIG, CAIQ, ISO 42001), gap reports, pre-approvals, and signed audit packs — everything a compliance team needs to close the loop.

STARTER
€79/moor €790/yr

Evidence writes and CI gates for small teams. Up to 3 AI systems, 10 repos.

Posture dashboard
Readiness score
All 4 frameworks
Evidence ledger (3 AI systems)
Required CI gates
10 repos
Start 7-day trialCancel anytime
PRO
€299/moor €2,990/yr2 months free

Evidence ledger, required CI gates, pre-approvals, and audit automation. Everything to close the loop.

Everything in Starter
Evidence ledger (unlimited writes)
Required CI gates
Pre-approval gates
Signed audit packs
Questionnaire automation (DDQ, SIG, CAIQ)
Gap analysis
Copilot (write mode)
Unlimited repos
Start 7-day trialCancel anytime
ENTERPRISECustom

Dedicated tenant. SAML. Custom frameworks. SLA.

Dedicated tenant
SAML SSO
Custom frameworks
Auditor access portal
SLA + support

A compliance consultant charges €350/hour. Mima Pro is €299/month. Cancel anytime.

++++

Compliance evidence as a log line.
Not a spreadsheet you fill before an audit.

Articles 9–15 high-risk obligations: December 2027. Build the evidence chain now, before the auditor arrives.

Get my readiness score →
Art. 5
Prohibited AI systems
Enforceable now
Art. 9–15
High-risk AI obligations
December 2027
Annex III
General-purpose AI models
December 2027