AI & Machine Learning

The EU AI Act requires you to prove what your system was trained on and could do, and when, at every version.

A model trained on licensed data and one trained without authorisation are technically identical. The difference is what you can prove.

The problem

Compliant AI systems and non-compliant ones are technically identical.

The EU AI Act requires high-risk AI system providers to maintain technical documentation covering training data provenance, performance metrics, testing records, and significant changes, all with precise timestamps showing when each item existed and what it said at that time. Under GDPR Article 22 and the Act's transparency requirements, you must be able to show exactly what your model was trained on, when automated decisions were made by which model version, and that training data was obtained with appropriate authorisation. A model trained on licensed data and one trained without it produce outputs that are technically indistinguishable. What differs is the record that proves which.

€35M
or 7% of global annual turnover: the maximum EU AI Act penalty for breaches of prohibited AI practice requirements, applicable from February 2025
Source: EU AI Act, Article 99; European Commission, 2024.
Real consequences

AI and technology companies have already paid the price.

German courts
GEMA v. OpenAI
Damages + injunction orderedNovember 2025
US District Court (D. Del.)
Thomson Reuters v. ROSS Intelligence
Copyright infringement rulingFebruary 2025
US District Court (S.D.N.Y.)
Tribune Publishing et al. v. Microsoft/OpenAI
Case proceeding to trialMarch 2025
Use cases

Where immut earns its keep in AI.

Every one of these activities already happens in your ML engineering, legal, and compliance teams. immut adds a layer of independently verifiable proof to each one.

Use casePotential impact
Current process

Acquiring, curating, and documenting the datasets used to train foundation models, fine-tuned models, and AI-assisted products.

How immut helps

Timestamp each data licence and dataset snapshot at the moment of acquisition. If a copyright holder, regulator, or court demands to know whether a specific dataset was licenced at the time it was used for training, the blockchain record proves the licence existed before the training run, not that it was obtained retrospectively after a claim.

Bottom line

GEMA successfully sued OpenAI in November 2025 after showing that song lyrics used to train ChatGPT were returned almost identically by the model when requested. The court ordered OpenAI to cease saving the lyrics and pay damages. Thomson Reuters won summary judgment in February 2025 after ROSS Intelligence used Westlaw content without authorisation to train its AI legal research tool.

Source: German courts, GEMA v. OpenAI, November 2025; Thomson Reuters v. ROSS Intelligence, D. Del., February 2025.
How it works

Three steps. Seconds per file.

01

Hash the file.

immut generates a SHA-256 hash of your file on our servers. For sensitive workloads, dedicated servers are available so files stay inside infrastructure you control.

e.g. a training data licence, model card, or conformity assessment document
02

Record on the public ledger.

The hash is committed to the XRP Ledger, a public blockchain, with a precise timestamp.

e.g. XRP Ledger, precise timestamp
03

Timestamped certificate.

immut returns a certificate of the record and its timestamp. Blockchain-anchored evidence of this kind has been accepted in courts across 88 countries and 171 jurisdictions.

e.g. anchored to the XRP Ledger, a public blockchain
Works with your whole stack

immut sits under the records your ML engineering, legal, and compliance teams already produce, in any tool. Files stay where they live; immut writes the proof that anyone can verify.

Source systems
TeamsSlackSharePointDriveGmailNotionGitHubFigmaSalesforceDropboxVanta
The proof layer
immutHash · Anchor · Verify
Verifiers
CustomerCourt / JudgeRegulatorAuditorInvestorInsurer
The four properties

Proof that satisfies the four properties regulators and courts require.

01
Contemporaneous

Timestamped at the moment of creation.

02
Tamper-evident

Any change after creation is detectable by mathematics.

03
Independently verifiable

A regulator, auditor, or court can verify without trusting you or your vendor.

04
Court-ready

Blockchain-anchored timestamps of this kind have been accepted as legal evidence in 88 countries across 171 jurisdictions.

Secondary benefit · IP

Prove it without publishing it.

Because only the hash is ever made public, model weights, training pipelines, and proprietary datasets can be proven to exist on a given date without disclosing the underlying files. Public proof. Private work.

How immut protects AI and model IP
FAQ

Common questions about immut in AI.

Your file is hashed with SHA-256 on immut's servers. Only the hash is committed to the XRP Ledger, a fixed-length string that cannot be reversed to recover the original file. No training data, model weights, or proprietary documentation is ever stored externally. For sensitive workloads, immut offers dedicated servers so files stay inside infrastructure you control.

The EU AI Act requires technical documentation to be maintained in a way that allows regulators to assess compliance. Blockchain-anchored timestamps satisfy the Act's contemporaneous record-keeping requirements: they are tamper-evident, independently verifiable, and court-ready in a way that internal documentation systems controlled by the organisation do not. The US Copyright Office's May 2025 report on AI training concluded that some uses of copyrighted material for training cannot be defended as fair use, making provenance records an essential part of any AI compliance programme.

immut is an independent layer alongside your MLops platform, data governance tools, and legal documentation systems, not a replacement for them. Your internal records are controlled by your own infrastructure. A determined regulator or opposing expert can question whether they were altered. immut's timestamp lives on a public blockchain that neither you, your vendor, nor immut itself can change. It adds the independent verification that internal records structurally cannot provide.

Because the proof lives on the XRP Ledger, a public blockchain no single party controls, every certificate already issued remains independently verifiable by any court, regulator, or auditor. This continues indefinitely, without immut's continued existence.

Start

Start proving your records today.

Only the hash is ever made public.