Financial Services — Lending, Banking & Capital Markets

CoreGuard for Financial Services AI

ECOA, SR 11-7, UDAAP, and FCRA enforcement at the AI decision layer. Every consumer lending decision, every automated underwriting output, every AI-generated communication ships with a signed, verifiable audit certificate — before it reaches your customer.

The Regulatory Landscape for Financial AI

Financial institutions deploying AI in credit decisions, customer communications, and fraud detection face a layered compliance obligation that most AI vendors do not address.

ECOA / Reg B

Equal Credit Opportunity Act

Prohibits discrimination in credit on the basis of race, sex, national origin, religion, age, or other protected characteristics. Reg B requires that adverse action notices cite specific, accurate reasons — a requirement AI models routinely fail when outputs are opaque. CoreGuard's policy pack detects protected-class proxy usage and generates structured adverse action reasons from model outputs.

SR 11-7

Model Risk Management Guidance

The Federal Reserve and OCC's SR 11-7 guidance requires independent model validation, ongoing monitoring, and documentation of model use. AI-powered models deployed without decision-level audit trails fail the ongoing monitoring requirement. CoreGuard produces hash-chained decision certificates that satisfy independent validation documentation needs.

UDAAP

Unfair, Deceptive, or Abusive Acts

The CFPB applies UDAAP to AI-generated customer communications, chatbot interactions, and automated disclosure generation. A hallucinated fee disclosure or a misleading chatbot explanation of loan terms creates direct UDAAP exposure. CoreGuard enforces accuracy and disclosure completeness at the generation layer.

FCRA

Fair Credit Reporting Act

When AI systems use consumer report data in credit decisions, FCRA requires permissible purpose documentation, adverse action compliance, and accuracy obligations. CoreGuard tracks data lineage through the decision pipeline and ensures FCRA-required disclosures are present in any adverse decision.

CFPB Guidance 2023

AI/ML Credit Underwriting

The CFPB's 2023 circular clarified that the use of "complex algorithms" is not an acceptable reason to withhold specific reasons for adverse action. Lenders must be able to identify which model features drove a denial. CoreGuard enforces feature attribution tracing and adverse reason specificity as a hard policy constraint.

EU AI Act — Financial

High-Risk AI Classification

The EU AI Act classifies AI used in creditworthiness assessment and credit scoring as high-risk. This requires conformity assessments, human oversight mechanisms, transparency obligations, and accuracy/robustness documentation. CoreGuard's audit trail and enforcement layer directly supports these obligations for institutions with EU operations.

The Enforcement Gap Most Banks Haven't Closed

Nearly every major financial institution has an AI ethics policy, an AI governance committee, and a vendor risk questionnaire that asks LLM providers about bias. What almost none of them have is enforcement at the decision layer.

The gap looks like this: a model is validated before deployment. The validation report documents bias testing, accuracy metrics, and compliance review. The model is approved. Then the model runs in production for eighteen months, the underlying training data shifts, a prompt template gets modified by an engineer, the LLM provider silently updates their model weights — and the validation report is now describing a system that no longer exists.

SR 11-7 requires ongoing monitoring. ECOA enforcement runs against actual decisions, not against the validation report. UDAAP exposure is created by actual customer communications, not by policy documents. The enforcement gap is the absence of a system that checks every decision, in real time, against the rules that actually apply.

Without CoreGuard
  • ✗  Decisions not checked at runtime
  • ✗  No adverse action reason documentation
  • ✗  Model drift undetected between audits
  • ✗  No hash-chain linking decision to model version
  • ✗  UDAAP exposure from AI-generated text
  • ✗  Examiner requests require manual log reconstruction

With CoreGuard
  • ✓  Every decision evaluated pre-execution
  • ✓  Structured adverse reasons auto-generated
  • ✓  Policy violations blocked before output
  • ✓  HMAC-signed certificate per decision
  • ✓  UDAAP-relevant text flagged and modified
  • ✓  Examiner-ready audit trail from day one

How CoreGuard Addresses Each Regulation

CoreGuard's financial services policy pack (lending_v1) implements specific enforcement logic for each regulatory obligation — not generic AI safety checks.

ECOA / Reg B

Protected Class Proxy Detection + Adverse Reason Generation

CoreGuard's lending_v1 pack maintains a prohibited feature registry. Any model input or feature that correlates with protected-class status at above-threshold rates is flagged. Decisions using such features are blocked or modified. When a decision constitutes an adverse action, CoreGuard extracts the top contributing features and formats them as Reg B-compliant adverse action reasons that can be consumed by your disclosure workflow.

SR 11-7

Decision-Level Audit Trail with Model Version Pinning

Every CoreGuard decision certificate includes the model identifier, model version hash, policy pack version, evaluation timestamp, and the complete rule evaluation trace. These certificates are hash-chained so any tampering is detectable. Model risk management teams can pull the certificate for any decision and verify exactly which model version and policy configuration were active at the time of that decision.

UDAAP

AI-Generated Communication Enforcement

CoreGuard evaluates AI-generated customer communications — chatbot messages, automated disclosures, email copy — against a UDAAP rule set before delivery. Rules check for materially false fee statements, missing required disclosures, misleading comparison language, and deceptive urgency framing. Flagged content is blocked or modified with a compliant alternative; the intervention is logged in the decision certificate.

FCRA

Data Source Tracking and Permissible Purpose Enforcement

CoreGuard tracks which data sources contributed to each decision and enforces permissible-purpose rules at evaluation time. When consumer report data is used in a decision context without documented permissible purpose, the request is blocked. Adverse decisions using consumer report data automatically trigger FCRA adverse action notice requirements in the decision certificate.

CRA / HMDA

Geographic Disparate Impact Monitoring

CoreGuard's fair lending extension monitors approval rate disparity by geography across AI lending decisions in near real-time. When disparate impact thresholds are exceeded for any census tract cohort, compliance officers receive an alert before the pattern accumulates to a CRA or HMDA examination problem. Decision-level records support both HMDA data accuracy requirements and fair lending examination preparation.

What a Lending Decision Certificate Looks Like

Every AI lending decision evaluated through CoreGuard produces a signed JSON certificate. This certificate is the single artifact your model risk management, compliance, and legal teams need for examination preparation, adverse action documentation, and audit response.

CoreGuard Decision Certificate — Lending (lending_v1)
{
  "certificate_id": "cert_7f3a9b2c-1e4d-48f0-a3c2-9d8e7f1a0b5c",
  "issued_at": "2026-05-05T14:32:07.841Z",
  "policy_set": "lending_v1",
  "policy_pack_hash": "sha256:e3b0c44298fc1c149afb...8ded",
  "model_id": "credit-underwriting-v4.2.1",
  "model_version_hash": "sha256:a665a45920422f9d417e...",

  "decision": {
    "status": "ALLOWED",
    "risk_level": "LOW",
    "risk_score": 0.18,
    "action_type": "loan_approval",
    "adverse_action": false
  },

  "policy_evaluation": {
    "rules_evaluated": 14,
    "rules_triggered": 0,
    "violations": [],
    "protected_class_proxy_check": "PASS",
    "feature_attribution_present": true,
    "adverse_reason_candidates": []
  },

  "context": {
    "user_role": "loan_officer",
    "application_id": "app_4821",
    "loan_amount": 45000,
    "loan_purpose": "auto"
  },

  "chain": {
    "previous_cert_hash": "sha256:1d996f0cc2d3e...",
    "chain_position": 48291
  },

  "signature": "HMAC-SHA256:7a4b9c1d2e3f..."
}

Certificates are returned synchronously with the decision. Adverse action certificates include a structured adverse_reason_candidates array formatted for Reg B disclosure.
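
A minimal verifier for the hash-chained, HMAC-signed certificates described above, added here as an illustration and not CoreGuard's own code. The page does not specify the canonical JSON form, what the signature and previous_cert_hash cover, or how keys are handled, so those choices, the demo key, and all helper names below are assumptions; the sample certificates are constructed.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: shared HMAC key, constructed for this example

def canonical(obj):
    # Assumed canonical form: UTF-8 JSON, sorted keys, no insignificant whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def cert_hash(cert):
    # Assumed link value: SHA-256 over the whole previous certificate, signature included.
    return "sha256:" + hashlib.sha256(canonical(cert)).hexdigest()

def sign(cert, key):
    # Assumed coverage: every field except "signature" itself.
    body = {k: v for k, v in cert.items() if k != "signature"}
    return "HMAC-SHA256:" + hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def issue(prev, status, key=DEMO_KEY):
    # Builds a constructed sample certificate using the page's field names.
    link = cert_hash(prev) if prev else None
    pos = prev["chain"]["chain_position"] + 1 if prev else 0
    cert = {"policy_set": "lending_v1", "decision": {"status": status},
            "chain": {"previous_cert_hash": link, "chain_position": pos}}
    cert["signature"] = sign(cert, key)
    return cert

def verify_chain(certs, key=DEMO_KEY):
    """Return a list of (index, problem) findings; empty means the chain verifies."""
    findings = []
    for i, cert in enumerate(certs):
        if not hmac.compare_digest(cert.get("signature", ""), sign(cert, key)):
            findings.append((i, "bad_signature"))
        if i == 0:
            continue
        prev = certs[i - 1]
        if cert["chain"]["previous_cert_hash"] != cert_hash(prev):
            findings.append((i, "broken_link"))
        if cert["chain"]["chain_position"] != prev["chain"]["chain_position"] + 1:
            findings.append((i, "position_gap"))
    return findings

def sample_chain():
    chain = [issue(None, "ALLOWED")]
    for status in ("BLOCKED", "ALLOWED"):
        chain.append(issue(chain[-1], status))
    return chain
```

An edited certificate that is re-signed with the key still breaks the next certificate's link, which is what the chain adds over a per-certificate signature. HMAC is symmetric, so any party able to verify a certificate with the key can also produce one.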

Integration with Model Risk Management Frameworks

CoreGuard is designed to sit inside your existing MRM workflow, not replace it. It provides the runtime enforcement layer that pre-deployment validation cannot.

Model Serving Layer Integration

CoreGuard exposes a single REST endpoint (POST /v1/decisions/evaluate) that fits between your model server and your application layer. Works with any model serving infrastructure — MLflow, Seldon, BentoML, SageMaker, Azure ML, or custom.

Validation Documentation Export

CoreGuard generates MRM documentation packages on demand: aggregate decision statistics, policy rule hit rates, violation distribution reports, and chain integrity verification. These packages are formatted for common MRM platforms and examination response packages.

SIEM and Audit Log Integration

Decision certificates stream to your SIEM in real time via webhook or Kafka. Built-in connectors for Splunk, Datadog, IBM QRadar, and Microsoft Sentinel. Certificates are also written to an immutable append-only store with chain verification available via API.

Policy Version Control

Policy packs are versioned and immutable once deployed. Certificates reference the exact policy pack hash active at decision time. Rolling policy updates follow a staged deployment workflow with review and sign-off before the new version enters production. Policy change history is preserved for examination.

What Changes After CoreGuard Deployment

Examiner requests go from weeks to hours

When an examiner requests the audit trail for a specific lending decision, your compliance team pulls the certificate by decision ID. The certificate contains the complete evaluation record, model version, policy version, and chain hash. No manual log reconstruction. No gap in the record.

Fair lending analysis runs on complete, structured data

Because every decision certificate includes the model features, the policy evaluation result, and the adverse reason candidates, your fair lending team has structured data for disparity analysis from the first decision — not reconstructed proxies from unstructured logs.

AI deployment velocity increases

When your compliance and legal teams know that every AI decision is governed by an auditable, enforceable policy layer, the review cycle for new AI deployments shortens. The question changes from "how do we know it will comply?" to "is the policy pack correct?" — a much faster review.

Model drift stops being a compliance risk

Because CoreGuard evaluates at decision time rather than at validation time, model drift that would create compliance problems is caught as it happens. Violation rate trends in the certificate stream are an early warning system for drift. You know about the problem before the examiner does.

Frequently Asked Questions

Does CoreGuard satisfy SR 11-7 model risk management requirements for AI?

CoreGuard addresses the validation, ongoing monitoring, and audit trail requirements of SR 11-7. Every AI decision produces a signed certificate documenting which policy rules were evaluated, the risk score, the disposition (ALLOWED/BLOCKED/MODIFIED), and a hash-chained record linking back to the model version and policy pack version active at decision time. This gives model risk management teams the independent validation documentation SR 11-7 requires. CoreGuard does not replace a pre-deployment model validation — it extends it with runtime enforcement.

How does CoreGuard enforce ECOA and Reg B adverse action notice requirements?

CoreGuard's lending_v1 policy pack detects when an AI decision constitutes an adverse action under Reg B and automatically generates a structured adverse action record including the specific reasons required for the adverse action notice. This record is embedded in the decision certificate and can be consumed directly by your adverse action notice workflow. For complex model outputs where feature attribution is not natively available, CoreGuard supports integration with SHAP or LIME-based explanation layers to generate the required specific reasons.

Can CoreGuard integrate with our existing model risk management platform?

Yes. CoreGuard exposes a REST API that can be called from any model serving layer, workflow orchestrator, or MRM platform. Decision certificates are returned as structured JSON and can be forwarded to your existing audit log, SIEM, or MRM system. We provide pre-built connectors for major model deployment platforms and documentation for building custom connectors. The API is designed so that CoreGuard sits in the call path without requiring architectural changes to your existing AI infrastructure.

What CFPB guidance does CoreGuard address?

CoreGuard's financial services policy pack addresses the CFPB's guidance on AI/ML credit underwriting, including the requirement to provide specific and accurate reasons for adverse actions when using complex model outputs, the prohibition on using protected class proxies in credit decisions, and UDAAP obligations around deceptive or unfair practices in AI-generated customer communications. The policy pack is updated as CFPB guidance evolves; enterprise customers receive policy pack updates as part of their subscription with a 30-day implementation window.

Is CoreGuard latency-compatible with real-time decisioning systems?

Yes. CoreGuard's pre-execution evaluation adds under 3 milliseconds of latency in production deployments. The deterministic evaluation engine has no LLM inference in the critical path — it evaluates rule sets against structured request fields, computes a risk score, and returns a disposition. This is compatible with real-time credit scoring systems that have sub-100ms SLA requirements. Enterprise deployments can run CoreGuard as a co-located sidecar to minimize network latency to under 1ms.

Close the enforcement gap in your financial AI

Talk to our financial services team about a CoreGuard deployment scoped to your specific regulatory obligations — ECOA, SR 11-7, UDAAP, FCRA, or EU AI Act. We start with a 30-minute architecture review at no cost.
