Compliance mapping protocol for AI agents — map safety controls to regulatory requirements.
REGULATORY.md is a plain-text Markdown file you place in the root of any AI agent project. It provides regulators, auditors, and compliance teams with a standardised entry point to your safety framework, mapping which safety controls (ASF specifications) satisfy which regulatory requirements (EU AI Act, Colorado SB 24-205, GDPR, SOC 2, ISO 27001, etc.).
- Full specification: regulatory.md
- AI-readable: llms.txt
- License: MIT
Copy REGULATORY.md into your project root:
```text
your-project/
├── AGENTS.md
├── CLAUDE.md
├── REGULATORY.md ← add this
├── SAFEGUARD.md
├── README.md
└── src/
```
REGULATORY.md is part of a fourteen-file open standard for AI agent safety, quality, and accountability:
| Spec | Purpose | Repo | Site |
|---|---|---|---|
| ASF-01 SAFEGUARD.md | Pre-deployment safety specification — define guardrails and control framework | safeguard-md/spec | safeguard.md |
| ASF-02 THROTTLE.md | Rate and cost control — slow down before hitting limits | throttle-md/spec | throttle.md |
| ASF-03 ESCALATE.md | Human notification and approval protocols | escalate-md/spec | escalate.md |
| ASF-04 FAILSAFE.md | Safe fallback to last known good state | failsafe-md/spec | failsafe.md |
| ASF-05 KILLSWITCH.md | Emergency stop — halt all agent activity | killswitch-md/spec | killswitch.md |
| ASF-06 TERMINATE.md | Permanent shutdown — no restart without human intervention | terminate-md/spec | terminate.md |
| ASF-07 ENCRYPT.md | Data classification and protection requirements | encrypt-md/spec | encrypt.md |
| ASF-08 ENCRYPTION.md | Technical encryption standards and key rotation | encryption-md/spec | encryption.md |
| ASF-09 SYCOPHANCY.md | Anti-sycophancy — require citations, enforce honest disagreement | sycophancy-md/spec | sycophancy.md |
| ASF-10 COMPRESSION.md | Context compression — summarise safely, verify coherence | compression-md/spec | compression.md |
| ASF-11 COLLAPSE.md | Drift prevention — detect collapse, enforce recovery | collapse-md/spec | collapse.md |
| ASF-12 FAILURE.md | Failure mode mapping — every error state and response | failure-md/spec | failure.md |
| ASF-13 LEADERBOARD.md | Agent benchmarking — track quality, detect regression | leaderboard-md/spec | leaderboard.md |
| ASF-14 REGULATORY.md | Compliance mapping — map controls to regulatory requirements | regulatory-md/spec | regulatory.md |
AI agents spend money, send messages, modify files, and call external APIs — often autonomously. Regulations are catching up:
- EU AI Act (August 2026) — mandates human oversight, shutdown capabilities, and comprehensive safety documentation
- Colorado AI Act (June 2026) — requires impact assessments, transparency, and bias mitigation
- US state laws — California, Texas, Illinois and others have active AI governance requirements
- GDPR, SOC 2, ISO 27001 — all require documented security and resilience controls
- NIST AI Risk Management Framework — Federal AI governance requirement
REGULATORY.md gives you a standardised, auditable, version-controlled map from your safety controls to regulatory requirements. Auditors and compliance teams read this one document to understand which ASF specifications satisfy which regulatory articles.
- Compliance officers — checking which controls cover which regulations
- Auditors — verifying controls are documented and tested
- Regulators — assessing compliance posture during investigations
- Board members — understanding regulatory risk and mitigation
- AI safety engineers — designing control architecture aligned with regulations
- Legal teams — supporting liability defence and audit preparation
REGULATORY.md currently supports seven major frameworks:
- EU AI Act (Regulation (EU) 2024/1689) — Articles 9, 13, 14, 15 and Annex IV
- Colorado AI Act (SB 24-205) — Impact assessment, risk mitigation, transparency
- GDPR (Regulation (EU) 2016/679) — Articles 5, 32, 33, 34
- SOC 2 Trust Service Criteria — CC6, CC7, A1
- ISO/IEC 27001:2022 — Sections A.5, A.8, A.9, A.12
- ISO/IEC 42001:2023 — AI management systems
- NIST AI Risk Management Framework — Govern, Map, Measure, Manage functions
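A version-controlled mapping is only auditable if it can be checked mechanically. The script below is an added example, not part of the REGULATORY.md spec or its repo: it parses a mapping table, flags controls that are not one of the fourteen ASF specs, ASF specs referenced but absent from the project root, rows with no evidence, and any of the seven supported frameworks left unmapped. The four-column table layout and the short framework names are assumptions; the sample table is constructed.

```python
import re

# The fourteen ASF spec files named in the README's table.
ASF_SPECS = {
    "SAFEGUARD.md", "THROTTLE.md", "ESCALATE.md", "FAILSAFE.md",
    "KILLSWITCH.md", "TERMINATE.md", "ENCRYPT.md", "ENCRYPTION.md",
    "SYCOPHANCY.md", "COMPRESSION.md", "COLLAPSE.md", "FAILURE.md",
    "LEADERBOARD.md", "REGULATORY.md",
}
# The seven frameworks the README says REGULATORY.md supports (short names assumed).
FRAMEWORKS = {"EU AI Act", "Colorado AI Act", "GDPR", "SOC 2",
              "ISO/IEC 27001", "ISO/IEC 42001", "NIST AI RMF"}

# Constructed sample table. The column layout is an assumption, not the
# layout the spec defines. The last two rows are deliberately faulty.
SAMPLE = """\
| Framework | Requirement | Control | Evidence |
|---|---|---|---|
| EU AI Act | Art. 14 human oversight | ESCALATE.md | escalation runbook |
| EU AI Act | Art. 14 human oversight | KILLSWITCH.md | drill log |
| GDPR | Art. 32 security of processing | ENCRYPTION.md | key rotation policy |
| SOC 2 | A1 availability | FAILSAFE.md | rollback test |
| Colorado AI Act | Impact assessment | FAILURE.md | |
| ISO/IEC 27001 | A.8 | ENCRYPTO.md | |
"""
ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

def parse_rows(text):
    """Return (framework, requirement, control, evidence) for each body row,
    skipping the header row and the |---| separator line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) == "Framework" or set(m.group(1)) <= {"-"}:
            continue
        rows.append(m.groups())
    return rows

def check_coverage(text, present_files):
    """Report controls that are not ASF specs, ASF specs referenced but absent
    from the project root, rows with no evidence, and unmapped frameworks."""
    rows = parse_rows(text)
    unknown = sorted({c for _, _, c, _ in rows if c not in ASF_SPECS})
    missing = sorted({c for _, _, c, _ in rows
                      if c in ASF_SPECS and c not in present_files})
    no_evidence = [(f, r) for f, r, _, e in rows if not e]
    uncovered = sorted(FRAMEWORKS - {f for f, _, _, _ in rows})
    return {"unknown": unknown, "missing": missing,
            "no_evidence": no_evidence, "uncovered": uncovered}
```

In a real project, pass `open("REGULATORY.md").read()` and `set(os.listdir("."))` so the check runs against the actual root; any non-empty finding is a gap an auditor will find too.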
PRs welcome for:
- Additional regulatory frameworks (UK AI Bill, Singapore, Japan, UAE)
- Language-specific implementation guides
- Sector-specific compliance guidance (healthcare, finance, legal)
- Audit procedures and testing protocols
MIT — use freely, modify freely, no attribution required. See LICENSE for details.
This specification is provided "as-is" without warranty of any kind. It does not constitute legal, regulatory, or compliance advice in any jurisdiction. Use does not guarantee compliance with any applicable law, regulation, or standard — including the EU AI Act (2024/1689), Colorado AI Act (SB 24-205), GDPR, SOC 2, ISO 27001, or NIST AI RMF. Organisations should consult qualified professionals to determine their regulatory obligations. The authors accept no liability for any loss or consequence arising from use of this specification.