Governance · Frameworks

Five frameworks. One enforcement engine.

Each rule pack is a production artifact, not a checklist. Article-by-article coverage. Live pack metadata at /registry/jurisdiction/packs.

EU AI Act
European AI Act 2024/1689

The headline regulation. Article 26 is enforced from 2026-08-02: high-risk operators must register, maintain logs, identify the operator, and surface AI identity to affected persons.

Articles in the AiEGIS pack:

  • Art. 9 — Risk management system. Covered via L4 (Agent Police) + L12 (Behavioural Intelligence).
  • Art. 10 — Data and data governance. L10 Data Protection (PII / credentials / egress).
  • Art. 11 + 12 — Technical documentation + record keeping. Mapped to /governance/audit-trail signed log.
  • Art. 13 — Transparency to deployers. Surfaced via the agent passport (see /identity/spec).
  • Art. 14 — Human oversight. L3 Compliance Engine + L14 Confidence Scoring (low-confidence routes to human review).
  • Art. 15 — Accuracy, robustness, cybersecurity. L1, L5, L6, L7, L8, L11.
  • Art. 26 — Deployer obligations (HIGH-RISK). Article 26 is the closer for regulated EU enterprises — registration, log retention, operator identification, transparency.
  • Art. 50 — Transparency for general-purpose AI. Enforced from 2026-08-02 alongside Art. 26.
  • Art. 72 — Post-market monitoring. L4 + L12 baselines, anomaly detection, multi-agent correlation.

Penalties up to 7% of global revenue for non-compliance with prohibitions (Art. 5), 3% for other infractions, 1.5% for incorrect information.

GDPR
EU 2016/679 General Data Protection Regulation

Lawful basis for processing, data minimisation, automated-decisioning rights, transparency obligations.

  • Art. 5 — Principles relating to processing. Embedded in L10 Data Protection redaction.
  • Art. 6 — Lawfulness of processing. Pack rule requires lawful_basis attestation per agent.
  • Art. 22 — Automated individual decision-making + profiling. L14 Confidence Scoring routes high-impact automated decisions to human review.
  • Art. 30 — Records of processing activities. Signed audit log.
  • Art. 44–49 — Cross-border transfer. Customer-cloud invariant: rule packs evaluate IN your jurisdiction; only signed receipts return to AiEGIS.

NIST AI RMF
NIST AI Risk Management Framework

Govern → Map → Measure → Manage. The four functions translate to live pack behaviour:

  • Govern — policy bundle attached to every passport, rule pack version pinned per deployment.
  • Map — risk classification 4-tier enum (minimal / limited / high / critical) drives which rules apply.
  • Measure — L12 Behavioural Intelligence baselines, anomaly detection, drift signals.
  • Manage — L4 Agent Police quarantine + revocation propagation.

SG MGAIF
Singapore Model AI Governance Framework

IMDA framework for autonomous-AI deployment. Schema lives under jurisdictional_extensions — per the May-2026 audit, 5 required fields are namespace-extended (vs flat).

Cross-border data flow controls + jurisdictional extensions for ASEAN deployments.

ZA POPIA
South African Protection of Personal Information Act

Lawful processing of personal information, special-category data handling, cross-border transfer restrictions. Pack covers s9 (lawful processing) + s26 (special personal information) + s72 (transborder flow).

Pack versions evolve continuously. Cite the live source: /registry/jurisdiction/packs returns the canonical pack metadata for your deployment. Don't hard-code a version on a public surface — it drifts.