Sphere Quarterly · Issue 03 · Compliance
The audit binder is dead. The ledger is the binder.
Compliance teams write DPIAs in Word. Auditors review snapshots in Excel. Data flows continuously, and the gap between binder and reality is where every enforcement action lives.
If you only read one box on this page.
Every company you deal with — your bank, your insurer, your favorite website — is using AI to make decisions about you. Right now, when you (or a regulator) ask "what does your AI know about me, and what did it decide?", almost none of them can answer truthfully or quickly.
The records exist, but they're scattered across a dozen systems, often editable, and frequently incomplete. This is why GDPR fines keep getting bigger, why useful AI features sit blocked in legal review for months, and why a simple data request from a customer takes thirty days and a team of lawyers to answer.
Sphere takes a different approach. Every time a company's system reads, writes, or decides anything about a person, it leaves a signed entry in a ledger — think of it as a tamper-proof flight recorder for AI. The ledger cannot be edited after the fact; any attempt to alter it breaks a visible cryptographic chain.
The result: data requests that took 30 days take 90 seconds. AI features that stalled in legal review for eight months ship in two weeks. Annual audits that consumed six weeks of engineering time become a thirty-minute saved query.
Chapter 01
Compliance is a property of the runtime, not a document about it.
A tamper-proof diary of everything the AI ever did about every person. Anyone you allow can read it. Nobody — not even the company — can edit it after the fact.
The most important thing about a hash-chained audit log isn't the cryptography. It's the cultural inversion. An entry, once written, can never be quietly amended. A privacy team trying to massage a year-old DPIA cannot. An engineer trying to delete an embarrassing prompt cannot. Every operation against personal data leaves a signed fossil.
This is the property snapshot-based compliance lacks. A DPIA written in Word last year tells you what the privacy team believed the system did. The ledger tells you what actually happened, signed, with a timestamp accurate to the millisecond — and with a parent hash that proves no one rewrote history.
The second move — making the same ledger queryable by the data subject, the company's DPO, the external auditor, and (in zero-knowledge form) the public — is what turns it from internal hygiene into a public proof.
Chapter 02
Every outbound payload, classified and redacted at the wire.
A guard at the door who checks every piece of personal data before it leaves the building. If it shouldn't go to OpenAI, it doesn't. And the check itself is recorded.
Every regulated AI deployment in 2026 has the same hidden weakness: PII reaches the model. A support agent types "my account is john@example.com" into a chat, the application forwards it to OpenAI, and now a US-based AI provider holds a piece of EU personal data — with no transfer impact assessment, no Schrems II analysis, no record of what was sent.
The standard answer is "we'll add a PII scrubber." Probabilistic scrubbers — even GPT-grade ones — miss things. A scrubber that catches 99.5% of names leaks 5,000 names per million prompts. There is no version of compliance where 5,000 leaks per million is acceptable.
Sphere's answer is structural, not statistical. The egress proxy does not guess whether a field is PII — it knows, because every field came in through a consent ledger that labeled it. The redaction is deterministic, complete, and signed at the wire.
Chapter 03
Thirty days statutory. Ninety seconds in practice.
When someone asks "what do you know about me?", you answer in seconds — with cryptographic proof your answer is complete and unaltered. The law gives you 30 days. You don't need them anymore.
The 30-day clock on a data subject access request was designed for a world where requests were rare and the data was on paper. In 2026 EU enterprises receive far more requests than ever, and a hedged 30-day letter quietly tells the supervisory authority where to focus next.
A response in ninety seconds isn't just faster — it changes the nature of the answer. A 30-day letter is a summary. A live-ledger response is a manifest: what the system actually did, signed.
Chapter 04
One ledger. Four readers. Four scopes of disclosure.
Different people see different slices of the same record. The customer sees their decisions in plain language. The compliance officer sees patterns without names. The auditor sees the cryptographic chain without the data. Nobody sees what they shouldn't.
The four-lens projection solves a tension that's been broken since the first data-protection laws. The data subject wants to see everything about them. The internal DPO wants Article 30 records without resolving identities. The external auditor wants to verify the chain, not the contents. The public wants integrity proof with zero leakage.
Sphere collapses the four into one ledger with four read-time projections. The grant that lets each reader see what they see is itself a ledger entry — signed, time-bound, revocable.
Chapter 05
The Article 22 complaint nobody hopes to answer.
When a regulator forwards a complaint — "your AI made a decision about me and I want to know why" — you can show, not tell, exactly what happened. One click. Signed.
Article 22 disclosures are the part of GDPR most companies hope they're never asked to perform. Records exist, scattered across feature flags, model registries, application logs, prompt traces, vendor portals. Assembling the answer costs days of senior engineering time, twice.
A live ledger pre-stages the answer. The decision wasn't logged after the fact — it was constituted in the ledger at the moment it happened. Producing the disclosure isn't gathering evidence. It's reading it.
Chapter 06
Why this, why now: three regulators, one question.
Three big new laws (EU AI Act, NIS2, DORA) all start really enforcing in 2026. They ask the same thing: "show us the records." Companies with a live ledger answer in minutes. Companies with binders get fined.
Three regulatory deadlines collide in 2026. EU AI Act high-risk system obligations begin enforcement on 2 August 2026. NIS2 transposition is past due in every Member State; supervisory authorities are starting to fine. DORA financial-sector resilience requirements went live on 17 January 2025 and are now in their first full audit cycle.
The companies that answer with binders will be fine — eventually — the way mainframe shops were fine, eventually. The companies that answer with a live ledger will be a different category of vendor: the one regulators recommend, the one customers' DPOs greenlight in thirty minutes, the one whose AI features ship instead of stalling in eight-month DPIA review.
The opportunity is the same shape as on-prem to cloud, or waterfall to continuous deployment: replace a snapshot with a runtime.
Chapter 07
This piece is honest about the line.
Several capabilities are running in Sphere's production codebase today. Others are concept-stage extensions of architecture that already exists. The line is drawn explicitly below so you can audit our claims the same way we'd audit yours.