Regulus
Install See the diff

Compare

Regulus vs Vertex AI alone (no compliance plane)

Vertex AI is the runtime. Org Policy + VPC-SC + Assured Workloads handle the data plane. The agent's decision plane — purpose limitation, audit, kill switch — is the layer Regulus fills.

Pick Regulus when

  • You're shipping a Vertex AI Agent Engine agent into EU or UK production with regulator-facing obligations.
  • Cloud Audit Logs tell you who invoked the agent but not what the agent decided. You need both.
  • Article 9 GPAI Code of Practice deadline (2 Aug 2026) is in your roadmap.

Pick Vertex AI alone when

  • Your agent is purely internal, non-regulated, and your audit obligations are operational rather than regulatory.
  • You've already built a compliance plane in-house and Vertex AI is the data substrate beneath it (in which case you don't really pick 'Vertex AI alone' — you've added the missing layer yourself).

The honest comparison #

This isn’t really a “vs.” — Regulus runs on top of Vertex AI Agent Engine. The comparison is between (a) Vertex AI alone with no agent-layer compliance plane and (b) Vertex AI + Regulus.

What Vertex AI gives you #

Vertex AI Agent Engine + Google Cloud’s broader substrate gives you a strong data plane:

  • Org Policy — organisation-wide policy enforcement on GCP resources.
  • VPC-SC — network-perimeter enforcement around AI services.
  • Assured Workloads — sovereignty controls for EU regions.
  • Sovereign Controls for EU — EU AI Act-adjacent guarantees on data handling.
  • Cloud Audit Logs — Admin Activity, Data Access, Policy Denied.
  • CMEK / EKM — customer-managed and external key management.
  • Vertex AI Model Registry — model inventory + lifecycle.

That’s excellent infrastructure. None of it is the agent’s decision plane.

What Vertex AI alone doesn’t give you #

  • Purpose limitation enforcement at the agent’s tool dispatch.
  • An audit envelope that records the policy clause text the agent’s decision matched against.
  • A hash-chained audit ledger that an external auditor can verify offline.
  • Dual-control kill switches on the agent’s tool surface.
  • Model-risk tier gating tied to validation evidence (more than Model Registry’s metadata).
  • Cross-region residency fail-closed on memory writes.
  • GRC adapter dispatch with framework citations attached.

These are the things the GPAI Code of Practice (2 Aug 2026), Article 9 of the EU AI Act, and SS1/23’s Principle 5 expect on demand.

The control-plane / data-plane split #

Google ships a control plane for the data layer (everything above). What Regulus ships is the same shape applied one layer up — a control plane for the agent’s decision layer, plugged into the runtime’s official extension contract. It’s not a fork. It composes.

Cost #

Vertex AI usage stays the same. Regulus adds zero infrastructure cost. Plugins run in-JVM; audit chain writes to local storage or to the same Cloud Logging you already pay for; GRC adapter dispatch happens on the agent’s egress.

If you’re not regulated #

If your agent is internal tooling or research, Vertex AI alone is probably right. Regulus is the layer that pays back when the regulator is in the room.

Install Regulus More comparisons