Blog
Long-form on regulated AI agents.
Field notes from building Regulus and shipping compliance planes into EU + UK financial services, healthcare, and public sector. Subscribe via RSS.
-
Annex III high-risk: five questions that decide whether your agent is in scope
Most agentic AI workflows in production end up high-risk under Annex III. Here are the five concrete questions to ask of your agent — answer yes to any, and the EU AI Act's Article 9 obligations bind.
-
FCA Consumer Duty (GC23/2) outcomes monitoring for AI-driven decisioning
Consumer Duty PRIN 12 demands outcomes monitoring on a cross-cutting basis. For AI agents making retail-customer decisions, this means runtime evidence tagged to the four Duty outcomes.
-
GDPR Article 5(1)(b) purpose limitation in agentic AI: from PDF to runtime
GDPR purpose limitation is a runtime check, not a contract clause. Here's how to enforce it at the agent's tool dispatch with a Principal claim and a BeforeToolCallback decision.
-
EU AI Act Article 9 in code: how to evidence risk management for ADK agents
Article 9 risk management isn't a PDF — it's a continuous runtime obligation. Here's how to evidence it for a Google ADK agent, mapped to specific BasePlugin callbacks and audit envelope fields.
-
GPAI Code of Practice (2 August 2026): what enforcement actually looks like
The GPAI Code of Practice deadline is 2 August 2026. From that date the AI Office can request evidence from any GPAI-derived agent in the EU. What that means in practice for deployers building on ADK.
-
Google ADK plugin SPI deep-dive: BeforeAgentCallback to AfterToolCallback
Walking through Google ADK's plugin SPI from BeforeAgentCallback through AfterToolCallback with worked examples. Where to attach policy, where to attach privacy, where to attach the audit envelope.
-
Hash-chained audit trails for ADK agents: SHA-256 + RFC 9421 in ~200 lines of Java
How to build a tamper-evident audit chain for an ADK agent. SHA-256 over the previous event's hash, offline verification, retention policies. Plus where RFC 9421 fits for cross-org agent calls.
-
Is your LLM agent a 'model' under PRA SS1/23? The five tests that decide it
PRA SS1/23's Principle 1 defines a model in broad terms. Five concrete tests applied to a typical LLM-powered agent — the answer is yes in every case. What that means operationally.
-
NHS DSPT + agentic AI: mapping the 10 data security standards to runtime controls
The NHS DSPT's 10 standards are the gating compliance asset for AI in NHS settings. Here's the runtime-controls map — which Regulus plugin delivers evidence for each NDG standard.
-
Vertex AI Agent Engine compliance gaps and how to close them without forking the runtime
Vertex AI is the runtime; Org Policy + VPC-SC + Assured Workloads is the data plane. The agent's decision plane has no default story. Where the gaps are and how to close them via the ADK plugin SPI.