AnthonyD.CATA
@catarisklab.com
AI Governance Architect. Auditing US Vendors for Swiss Banking Compliance.
🔗 https://catarisklab.com
🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
🔗 https://catarisklab.com
🔗 linkedin.com/in/anthonycata
🔗 huggingface.co/Cata-Risk-Lab
🔗 github.com/dcata004
we don't sell consulting. we sell regulatory immunity. if you need a slide deck, hire the big 4. if you need to prove to a regulator that your model isn't racist, call the lab. link in reply.
January 24, 2026 at 10:39 PM
we don't sell consulting. we sell regulatory immunity. if you need a slide deck, hire the big 4. if you need to prove to a regulator that your model isn't racist, call the lab. link in reply.
swiss board directors: under nfadp, you are personally liable for data egress. not the company. you. if your team is pasting ibans into chatgpt, you are financing the fine.
January 24, 2026 at 3:39 PM
swiss board directors: under nfadp, you are personally liable for data egress. not the company. you. if your team is pasting ibans into chatgpt, you are financing the fine.
stop calling it "ai hallucination." call it "liability generation." when your rag bot invents a refund policy, that's a binding contract in some jurisdictions. veritas catches the lie before the user does.
January 24, 2026 at 2:39 PM
stop calling it "ai hallucination." call it "liability generation." when your rag bot invents a refund policy, that's a binding contract in some jurisdictions. veritas catches the lie before the user does.
new florida law (hb 527) means "the ai did it" is no longer a valid legal defense for insurance denials. if you can't explain the black box, you lose the license. we build the explanation layer. link in reply.
January 24, 2026 at 2:10 AM
new florida law (hb 527) means "the ai did it" is no longer a valid legal defense for insurance denials. if you can't explain the black box, you lose the license. we build the explanation layer. link in reply.
ran wattle-guard against a sydney fintech's stack yesterday. found their "sovereign" data taking a detour through virginia. sovereignty isn't a vibe, it's a traceroute. tool in reply.
January 24, 2026 at 1:10 AM
ran wattle-guard against a sydney fintech's stack yesterday. found their "sovereign" data taking a detour through virginia. sovereignty isn't a vibe, it's a traceroute. tool in reply.
your "corporate ai policy" is a pdf. your employees are using a python script to pipe client data into a free llm. we audit code, not promises. the server logs don't lie.
January 23, 2026 at 10:10 PM
your "corporate ai policy" is a pdf. your employees are using a python script to pipe client data into a free llm. we audit code, not promises. the server logs don't lie.
RAG systems lie. Confidently. In regulatory filings.
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
January 22, 2026 at 10:01 PM
RAG systems lie. Confidently. In regulatory filings.
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
We built Veritas—a Judge LLM that catches hallucinations before your compliance team doesn't.
Open source. Because "trust me" isn't an audit trail.
#InfoSec #OpenSource #AI
found 47 unauthorized ai integrations in a client's infrastructure last month. finance was running invoices through a random pdf scraper. hr was using a free-tier llm hosted who-knows-where.
the ciso had no idea.
built a tool to map this.
the ciso had no idea.
built a tool to map this.
January 20, 2026 at 2:45 PM
found 47 unauthorized ai integrations in a client's infrastructure last month. finance was running invoices through a random pdf scraper. hr was using a free-tier llm hosted who-knows-where.
the ciso had no idea.
built a tool to map this.
the ciso had no idea.
built a tool to map this.
I hate scope creep. Genuinely. It's why consulting has a bad name.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
January 17, 2026 at 1:10 AM
I hate scope creep. Genuinely. It's why consulting has a bad name.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
So we fixed it: £4.5k for due diligence. £12.5k for the full governance suite. Fixed price. No "Phase 2" upsells. No hourly billing surprises.
Just the data you need. Clean, fast, done.
"We don't have an EU office" is my favorite famous last words.
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
January 15, 2026 at 12:14 AM
"We don't have an EU office" is my favorite famous last words.
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
Does your AI touch data from someone in Munich? Cool. You're now subject to the EU AI Act. €35M fines don't care where your HQ is.
Geography is dead. Jurisdiction is everything.
#EUAIAct
boards don't read 40-page risk assessments. they check out by page 3.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
January 14, 2026 at 10:02 PM
boards don't read 40-page risk assessments. they check out by page 3.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
what works: one page. red/amber/green. that's it.
red = stop immediately
amber = fix within 30 days
green = proceed
released a sanitized template. link in reply.
compliance audit: £4.5k
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
January 14, 2026 at 10:30 AM
compliance audit: £4.5k
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
exposure it addressed: £400k+
m&a deal that didn't stall in due diligence: £2.8m
governance isn't a cost center. it's the cheapest insurance you can buy.
swiss nfadp wants explainability.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
January 14, 2026 at 8:45 AM
swiss nfadp wants explainability.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
eu ai act wants risk classification.
australian soci act wants forensic proof of data residency.
one policy document cannot satisfy three incompatible frameworks. you need a jurisdictional heatmap, not a generic compliance binder.
hot take: compliance should be an asset you own, not a service you rent.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
January 14, 2026 at 2:32 AM
hot take: compliance should be an asset you own, not a service you rent.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
released our audit tools as open source:
- wattle-guard (australian soci/app 8)
- swiss risk calculator (nfadp/eu ai act)
- veritas (rag hallucination auditor)
repos in reply. use them. fork them. improve them.
Swiss folks, a warning: nFADP Article 21 is nastier than it looks.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
January 14, 2026 at 1:32 AM
Swiss folks, a warning: nFADP Article 21 is nastier than it looks.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
You can't just run an AI credit scorer. You have to explain its logic to the customer. In writing. On demand.
One firm just ate CHF 250k because their vendor was a black box.
If you can't explain the sausage, don't serve it.
while everyone watches brussels, canberra quietly built one of the strictest data sovereignty regimes. soci act/app 8 now require forensic proof of residency. "stored in apac" isn't good anymore. they want to know which server, which jurisdiction, who has access.
built wattle-guard repo in reply.
built wattle-guard repo in reply.
January 13, 2026 at 11:30 PM
while everyone watches brussels, canberra quietly built one of the strictest data sovereignty regimes. soci act/app 8 now require forensic proof of residency. "stored in apac" isn't good anymore. they want to know which server, which jurisdiction, who has access.
built wattle-guard repo in reply.
built wattle-guard repo in reply.
"we believe the model is safe" is not a legal defense.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
January 13, 2026 at 12:15 PM
"we believe the model is safe" is not a legal defense.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
built veritas to fix this. it runs a judge protocol against your rag system, flags every claim that can't trace back to a source doc.
turns "we think it works" into "here's the quantified error rate."
repo in reply.
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
January 13, 2026 at 9:01 AM
swiss nfadp article 21: if you can't explain how the algorithm decided, you can't legally use the decision.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
a geneva firm's credit scoring ai was accurate and profitable. but when a rejected applicant asked "why?" they couldn't answer.
penalty. ai offline. still.
read your ai vendor's indemnity clause carefully.
almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.
a zurich client learned this for €850k. the vendor was safe in california.
check your jurisdiction clause before renewal.
almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.
a zurich client learned this for €850k. the vendor was safe in california.
check your jurisdiction clause before renewal.
January 12, 2026 at 11:14 PM
read your ai vendor's indemnity clause carefully.
almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.
a zurich client learned this for €850k. the vendor was safe in california.
check your jurisdiction clause before renewal.
almost all of them shift regulatory liability entirely to you. they provide the tool. you absorb the fine.
a zurich client learned this for €850k. the vendor was safe in california.
check your jurisdiction clause before renewal.
People ask why we use particle physics protocols for compliance audits. Fair question.
Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.
If you can't prove it to a regulator, you can't deploy it. Full stop.
Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.
If you can't prove it to a regulator, you can't deploy it. Full stop.
January 12, 2026 at 10:14 PM
People ask why we use particle physics protocols for compliance audits. Fair question.
Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.
If you can't prove it to a regulator, you can't deploy it. Full stop.
Here's the thing: "We're pretty sure it's fine" doesn't hold up in court. You need reproducible evidence chains.
If you can't prove it to a regulator, you can't deploy it. Full stop.
Boards don't read your 40-page technical PDF. They just don't.
You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.
Showed one to a CEO last week. He killed three projects before lunch.
Clarity wins.
You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.
Showed one to a CEO last week. He killed three projects before lunch.
Clarity wins.
January 11, 2026 at 2:30 PM
Boards don't read your 40-page technical PDF. They just don't.
You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.
Showed one to a CEO last week. He killed three projects before lunch.
Clarity wins.
You know what they do read? A one-page heatmap. Red means liable. Yellow means fix it. Green means move on.
Showed one to a CEO last week. He killed three projects before lunch.
Clarity wins.
open sourced the core stack:
- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)
compliance should require evidence, not a retainer.
repos in thread.
- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)
compliance should require evidence, not a retainer.
repos in thread.
January 10, 2026 at 10:01 PM
open sourced the core stack:
- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)
compliance should require evidence, not a retainer.
repos in thread.
- wattle-guard (AU compliance forensics)
- swiss risk calculator (nFADP/EU AI Act)
- veritas (hallucination auditor)
compliance should require evidence, not a retainer.
repos in thread.
standard US vendor clause: "customer assumes sole responsibility for compliance with applicable regulations"
translation: they provide software, you absorb enforcement risk.
zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.
swiss risk calculator on HF.
translation: they provide software, you absorb enforcement risk.
zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.
swiss risk calculator on HF.
January 10, 2026 at 3:39 PM
standard US vendor clause: "customer assumes sole responsibility for compliance with applicable regulations"
translation: they provide software, you absorb enforcement risk.
zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.
swiss risk calculator on HF.
translation: they provide software, you absorb enforcement risk.
zurich client learned this at €850k. data routed through virginia. nFADP applied anyway.
swiss risk calculator on HF.
Switzerland tightening nFADP. UK rewriting its AI framework. Australia's OAIC suddenly growing teeth.
Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.
I've started calling it the Regulatory Pincer. It's not a compliment.
Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.
I've started calling it the Regulatory Pincer. It's not a compliment.
January 10, 2026 at 2:39 PM
Switzerland tightening nFADP. UK rewriting its AI framework. Australia's OAIC suddenly growing teeth.
Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.
I've started calling it the Regulatory Pincer. It's not a compliment.
Three regulators. Three different screwdrivers. One multinational trying to use a single compliance playbook.
I've started calling it the Regulatory Pincer. It's not a compliment.
new wattle-guard release
python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.
OAIC now requires evidence of data residency, not vendor attestation.
open source. repo in reply.
python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.
OAIC now requires evidence of data residency, not vendor attestation.
open source. repo in reply.
January 10, 2026 at 2:10 AM
new wattle-guard release
python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.
OAIC now requires evidence of data residency, not vendor attestation.
open source. repo in reply.
python forensic tool for australian SOCI Act and APP 8. maps actual server jurisdiction against regulatory requirements.
OAIC now requires evidence of data residency, not vendor attestation.
open source. repo in reply.