AI Compliance Hub — NEW
EU AI Act compliance.
From your infrastructure up.
The only compliance toolkit that starts at the server level. Detect unauthorized AI deployments, track every external AI API call, generate audit-ready Bill of Materials documents, and monitor your internal MCP fleet — all from one platform.
- Standard: EU AI Act
- Export: CycloneDX 1.5
- Pillars: 4
- Agents: 1
Why this exists
2026 is the compliance year for AI.
The EU AI Act has been in full force since February 2025. GPAI transparency obligations are biting. SOC 2 auditors now ask about AI asset inventories. CISOs are fielding questions about shadow LLMs on production servers. And every compliance tool on the market treats AI as an afterthought bolted onto endpoint monitoring — or sells you a Langfuse-style wrapper that only sees what your apps tell it.
HostAtlas sees everything your servers see. Every model file, every API call, every running runtime, every internal MCP server. That's compliance from the infrastructure up — the only angle that actually holds up at an audit.
Four pillars
Everything auditors ask for.
One agent, one platform, four compliance-grade capabilities. Each solves a problem your current tooling either ignores or handles poorly.
01
Shadow-AI Detection
Every 5 minutes, the HostAtlas agent scans each server for LLM runtimes (Ollama, vLLM, llama.cpp, ComfyUI, LM Studio), large model files in HuggingFace/Ollama caches, AI Python packages, and CUDA stacks. Unauthorized finds fire alerts. Approved components auto-whitelist via pattern rules.
- Process signatures, model files >100MB, pip packages, CUDA
- Auto-extracts provenance from HuggingFace cache paths
- Tenant-wide whitelist patterns (exact, glob, regex)
02
AI Spend Tracker
Every outbound AI API call tracked at the network level. Classify connections to OpenAI, Anthropic, Azure OpenAI, Bedrock, Gemini, Groq, Mistral, Cohere, and more. Cost estimation via seeded pricing tables. Per-service, per-server, per-provider breakdowns with monthly budgets and alerts.
- 12 providers detected out of the box
- Budgets with threshold alerts (global, per-provider, per-server)
- Answers "who called what AI, when, with what data flow"
03
AI Bill of Materials
Compliance-ready inventory aggregated from Shadow-AI detections. Risk classification per EU AI Act (minimal / limited / high / unacceptable). Human-entered purpose, data inputs, and license. One-click CycloneDX 1.5 JSON export (Dependency-Track compatible) or corporate-branded PDF report.
- EU AI Act risk classification workflow
- CycloneDX 1.5 AI/ML BOM spec (the emerging standard)
- Reviewer audit trail: who classified what, when
04
MCP Fleet Monitoring
Every Model Context Protocol server in your organization, discovered and monitored. Agent auto-detects local MCP servers via process signatures and port probes. Manual registration for external endpoints. Tool inventory per server, with security alerts when new tools appear (tool-injection detection).
- 60-second health checks, 100-point uptime sparklines
- Dev-facing registry with Claude Desktop config snippets
- Encrypted bearer/api-key credentials at rest
Audit hooks
Ready for the questions you'll actually be asked.
EU AI Act Art. 16
"Which AI systems are in production, at what risk level, and with what data inputs?"
Answer with the AI Bill of Materials PDF export. Risk classifications, purposes, data flows, all human-reviewed with audit trail.
SOC 2 CC1.4 (Asset Inventory)
"Provide a complete inventory of AI frameworks deployed across your infrastructure."
Shadow-AI Detection + AI-BOM combined, filtered by server tag, exported as CycloneDX JSON. Auditor imports directly into Dependency-Track.
ISO 27001 A.8.1 (AI Governance)
"How do you prevent unauthorized AI from being deployed on production systems?"
Shadow-AI scans every 5 minutes. Whitelist approved components once. Unauthorized finds fire alerts immediately via your existing notification channels.
DPIA / Schrems-II
"Which services transmit what types of data to which AI providers?"
AI Spend Tracker logs every outbound connection with provider classification. Per-service breakdown answers data-flow questions at audit time.
How we differ
Not a wrapper. Not a gateway. An agent.
Other AI compliance tools need your apps to opt in by instrumenting code, deploying a proxy, or connecting through a vendor gateway. That misses everything your apps don't tell it about — the very things auditors care about.
| Capability | HostAtlas | Langfuse / Helicone | Datadog LLM Obs | Portkey / LiteLLM |
|---|---|---|---|---|
| Sees unauthorized local LLMs (Ollama, vLLM) | Yes | No | No | No |
| Works without app instrumentation | Yes | No | Partial | No (proxy required) |
| EU AI Act BOM export (CycloneDX) | Yes | No | No | No |
| Server-side asset inventory (SOC 2) | Yes | No | Partial | No |
| MCP fleet monitoring | Yes | No | No | No |
| Integrated with server monitoring | Yes | No | Yes | No |
Get started
Get AI-ready compliance in an afternoon.
Install the HostAtlas agent on your servers. Within minutes, every LLM runtime, model file, AI framework, outbound API call, and MCP server on your infrastructure is visible. Classify, export, and audit with one click. Works with your existing monitoring, alerting, and notification channels.