Where Google ADK ends,
regulated builds begin.
Google ADK ships AI agents. Regulus ships AI agents your regulator accepts. The open-source EU + UK compliance plane for Google's Agent Development Kit.
- 8 ADK plugins
- 10 regulation profiles
- 6 governance frameworks
- 4 GRC adapters
The compliance plane
A runtime shouldn't be the compliance layer. Google ADK rightly isn't trying to be.
Org Policy, VPC-SC, Assured Workloads, and Sovereign Controls handle the data plane. The agent's decision plane — purpose limitation, residency that fails closed, dual-control kill switches, audit envelopes mapped to EU AI Act Article 9 evidence — is the part that has to land before 2 August 2026, when the GPAI Code of Practice is enforceable.
That's what Regulus is. The control plane that fits the shape of ADK's own plugin SPI — BeforeAgentCallback, BeforeModelCallback, BeforeToolCallback, AfterToolCallback — so it composes cleanly with the runtime instead of forking it.
ADK BasePlugin controls
Policy, privacy, audit, kill switch, model risk, residency, governance evidence, identity expiry guard. Drop in, no runtime fork.
Regulation profiles
EU AI Act, GDPR, DORA, NIS2, FCA SYSC, PRA SS1/23 + SS2/21, NHS DSPT, EHDS, UK GDPR. Composed at runtime.
Governance frameworks
NIST AI RMF + 600-1 GenAI Profile, ISO/IEC 42001 (with SoA generator), ISO 23894, ISO 23053.
GRC adapters
ServiceNow IRM, OneTrust AI Governance, MetricStream, generic HMAC-signed webhook. Signed evidence envelopes with framework citations.
The artefact
When your auditor asks for a 24-month hash-chained event stream of every tool call your agent made — what produces it today?
Most teams shipping Vertex AI agents into regulated EU and UK environments are solving the compliance layer with PDFs. A Notion page mirroring GDPR Article 5. A Confluence runbook describing the kill switch. None of it executable. None of it landing in Cloud Audit Logs in a shape your auditor can reconcile.
Regulus ships the opposite. Every state-changing tool call routes through one transactional gate. Every event lands in an append-only hash-chained envelope with the verbatim policy clause, the resolved jurisdiction, and the framework citation attached. Verifiable offline with regulus audit verify chain.jsonl. Your external auditor quotes it; you keep moving.
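How offline verification of a hash-chained event stream works, as an added example that is not Regulus's code or its envelope format. The field names (seq, prev_hash, hash, body), the all-zero genesis value and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def digest(prev_hash, body):
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()

def append_event(chain, body):
    """Append one event, binding it to the hash of the previous record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev, "body": body,
              "hash": digest(prev, body)}
    chain.append(record)
    return record

def verify_chain(lines):
    """Return (ok, index of first bad record or None) for JSONL lines."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            ok = (rec["seq"] == i and rec["prev_hash"] == prev
                  and rec["hash"] == digest(prev, rec["body"]))
        except (ValueError, KeyError, TypeError):
            ok = False  # unparseable or incomplete record: fail closed
        if not ok:
            return False, i
        prev = rec["hash"]
    return True, None

def build_sample():
    # Constructed sample events; tool names and clause text are illustrative.
    chain = []
    for tool in ("lookup_customer", "issue_refund", "close_ticket"):
        append_event(chain, {"tool": tool, "jurisdiction": "EU",
                             "policy_clause": "GDPR Art. 5(1)(b)"})
    return [json.dumps(r) for r in chain]
```

An edited, removed or reordered record breaks the chain at that index, but a file truncated at the tail still verifies, so the latest hash has to be recorded somewhere outside the file.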
Three audiences, one framework
Pick the entry path that matches your seat.
Platform engineers
You run Vertex AI Agent Engine in production. You want the plugin SPI deep-dive and the integration story without forking the runtime.
AI governance leads
You're carrying Article 9 evidence through the GPAI Code of Practice deadline. You want the binding from runtime to regulation.
MRM / SS1/23 validators
You're carrying LLM agents through PRA SS1/23 tiering and Consumer Duty outcomes monitoring. You want the model-risk plugin and audit trail.
FAQ
The questions every team asks first.
What is Regulus?
Regulus is the open-source EU + UK compliance plane for Google ADK (Agent Development Kit). It ships 8 ADK BasePlugin implementations, 6 service extensions, 10 regulation profiles (EU AI Act, GDPR, DORA, FCA SYSC, PRA SS1/23, NHS DSPT, and more), 6 governance frameworks (NIST AI RMF + ISO 42001 family), and 4 GRC adapters (ServiceNow IRM, OneTrust, MetricStream, generic webhook). It's a drop-in for the official ADK plugin SPI — not a fork.
How is Regulus different from a guardrails library like NeMo Guardrails or Guardrails AI?
Guardrails libraries sit on the prompt/response boundary — string in, string out. Regulus plugs into ADK's plugin SPI, so it sees the full agent trajectory: BeforeAgentCallback, BeforeModelCallback, BeforeToolCallback, AfterToolCallback. That's where purpose limitation, fail-closed residency on memory/artifact services, and dual-control on high-risk tools actually live. Regulus also emits a hash-chained audit envelope mapped to specific regulation clauses (EU AI Act Art. 9, GDPR Art. 5(1)(b), PRA SS1/23 Principle 1) and routes signed evidence to GRC tools — a guardrails layer doesn't carry that.
Does Regulus require Google ADK?
Regulus targets Google ADK 1.2.0 as its primary runtime. A legacy LangChain4j module (regulus-ai-llm) is retained as an alternative runtime path, but new development and the full plugin surface land on ADK first. If you're on Vertex AI Agent Engine today, integration is two Maven dependencies and a Spring Boot starter.
Which regulations does Regulus cover out of the box?
Ten regulation profiles ship in v0.2.1: EU AI Act, GDPR, UK GDPR, DORA, NIS2, FCA SYSC, PRA SS1/23, PRA SS2/21, NHS DSPT, and EHDS. Each profile composes into a single resolved policy at runtime — strictest retention wins, intersected residency, union of audit fields. Add or remove profiles via regulus init or application.yaml.
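The composition rule in the answer above, as an added example that is not Regulus's code or its profile schema. The Profile fields, the profile names and every sample value are constructed; reading "strictest retention" as the longest minimum audit retention, and rejecting an empty residency intersection, are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    retention_months: int    # minimum audit retention (assumed meaning)
    residency: frozenset     # regions where data may be stored
    audit_fields: frozenset  # fields every audit record must carry

class ResidencyConflict(Exception):
    """No single region satisfies every selected profile."""

def compose(profiles):
    """Resolve several profiles into one policy."""
    if not profiles:
        raise ValueError("at least one profile is required")
    # Strictest retention wins: keep records for the longest required period.
    retention = max(p.retention_months for p in profiles)
    # Residency is intersected: only regions every profile allows survive.
    residency = frozenset.intersection(*(p.residency for p in profiles))
    if not residency:
        # Fail closed rather than fall back to any single profile's regions.
        raise ResidencyConflict(", ".join(p.name for p in profiles))
    # Audit fields are unioned: a field required by any profile is recorded.
    fields = frozenset().union(*(p.audit_fields for p in profiles))
    name = "+".join(sorted(p.name for p in profiles))
    return Profile(name, retention, residency, fields)

def region_allowed(resolved, region):
    # Anything not explicitly in the resolved set is denied.
    return region in resolved.residency

def sample_profiles():
    # Constructed values, not the requirements of any real regulation.
    a = Profile("profile-a", 12,
                frozenset({"europe-west1", "europe-west4"}),
                frozenset({"actor", "tool"}))
    b = Profile("profile-b", 24,
                frozenset({"europe-west1", "europe-west2"}),
                frozenset({"tool", "policy_clause"}))
    c = Profile("profile-c", 6,
                frozenset({"europe-west2"}),
                frozenset({"actor"}))
    return a, b, c
```

Raising on an empty intersection surfaces a profile conflict when the policy is resolved, before any session or artifact is written.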
Is Regulus free?
Yes. Regulus is MIT-licensed and free to use forever. The framework, CLI, Gradle plugin, all plugins, all regulation profiles, all GRC adapters — open source on GitHub. Future paid offerings will be limited to managed evidence-pipeline operations for organisations that don't want to self-host the GRC integration loop; nothing in the core framework moves behind a paywall.
Can I run Regulus on Vertex AI Agent Engine?
Yes. The included RegulusVertexAiSessionService extends Google's VertexAiSessionService; RegulusGcsArtifactService extends GcsArtifactService. The adk deploy workflow with Regulus plugins wired in is documented end-to-end and shipped as an example under examples/adk-vertex-agent-engine-deploy in the GitHub repo.
v0.2.1, shipped 2026-05-26
Where Google ADK ends, regulated builds begin.
Install the CLI, scaffold a compliant agent, see the audit envelope before lunch. MIT-licensed. No seat costs. No phone-home telemetry. Your regulator's clauses, your runtime, your evidence.