Smart City Best Practices
Operational guidance distilled from sovereign and consortium deployments — aligned with EU AI Act, CSRD, GDPR, and DORA.
Conformal calibration per district
Each of the 35 models ships with split-conformal ICP. In practice, calibrate α=0.10 per-district (postal code or ISO 37120 reporting unit) rather than city-wide — heterogeneous residual distributions between dense centre and peri-urban zones will otherwise produce mis-calibrated coverage. Use the /models/calibration/refit endpoint nightly after a 7-day rolling window.
DP-ε tuning for federation (BP-106)
The default Gaussian mechanism runs at ε=0.8, δ=1e-5 per FedAvg round. For consortiums with >8 cities, budget the total ε over the mandated reporting period (RDP composition): ε_total = sqrt(R · ε²) where R is the number of rounds. Exceeding ε_total = 3 over a CSRD reporting year will trigger a mandatory CNIL/DPC disclosure under GDPR Art.89 best practice.
HITL gate ergonomics (EU AI Act Art.14)
For high-risk Annex III models (Flood, Emergency, Crime, City Brain), the HITL override UI must surface: (1) the per-feature SHAP attribution, (2) the conformal band, (3) the Merkle leaf hash of the decision, and (4) the "reject without justification" button. Aim for median override-decision time under 90 s — longer indicates operator fatigue or UI regression.
CSRD evidence chain
Never fabricate ESRS datapoints from model outputs alone. Every E1/E2/E3/E5/S1 figure must trace back to an ingested primary source (smart meter, SCADA tag, WCCD KPI) via the ESGIntelligence model. The auto-exporter refuses to write XBRL rows whose evidence chain is incomplete — do not override this check. The EFRAG submission proves 100% traceability on the first pass.
Air-gapped deployment hygiene
For sovereign sites (BP-105a claim 4): (a) verify the Ed25519 manifest signature on every cold boot, (b) rotate the Dilithium-3 signing key every 180 days, (c) ship calibration updates on write-once media only, (d) never enable the federation join endpoint unless the consortium charter is legally executed. BLP MAC violations should produce zero events in steady state — any non-zero reading is a forensic incident.
MoE expert binding (152-expert router)
Smart City events route to specific experts in the MoE router (Platform.SMART_CITY scope). Do NOT publish generic smart_city.* events without a stable routing_key — the router will fall back to the default expert, incurring a 3–7× latency penalty. Publish typed events: smart_city.traffic.signal.adapt, smart_city.energy.dr.dispatch, smart_city.emergency.flood.predict, etc.
Cross-platform bridges (BP-105a)
Carbon signals (E1) emit to Finance as CSRD accrual entries — do not duplicate emission reporting in both Smart City and Finance dashboards. Flood predictions emit to Risk (impact score) AND Finance (provision accrual) atomically — if one bridge fails, the other rolls back. Monitor the /bridges/*/status endpoints; a single 5xx on either side should page the on-call.
Privacy risk review cadence
Run PrivacyRiskScorer against every new endpoint before first deployment. Per-endpoint DP-ε exposure must be < 0.5 for non-aggregated public endpoints and < 2.0 for aggregated municipal dashboards. GDPR DPIA refresh is required when any datapoint-level ε crosses 1.0 for the first time.
IP Moat enforcement (9-Lock)
Every Smart City deployment automatically binds to locks L1 (Event Bus), L2 (EU AI Act + HITL), L3 (MoE Routing), L4 (Conformal), L5 (DP Federation), L7 (Sovereign Manifest), L8 (DT Federation BP-106), and L9 (Cross-Platform Bridges BP-105a). This is not optional — disabling any lock invalidates the production Art.9 gate and the city loses its AI Act conformity badge.