For AI governance leads
Runtime evidence in the shape your DPO can hand over.
You're carrying Article 9 evidence through the GPAI Code of Practice deadline (2 August 2026). Your platform team has the runtime; you have the regulation. Regulus is the layer that binds them.
The three things every EU AI governance lead is quietly arguing about
- Assured Workloads gives you the substrate. The agent's still flying without a flight recorder. Cloud Audit Logs show you the IAM, the data access, the policy denial — they don't show you the agent's reasoning, the tool calls it made, or the policy that blocked one.
- VPC-SC enforces data residency. It doesn't enforce purpose limitation. GDPR Article 5(1)(b) is a runtime property of the workflow, not a property of the network perimeter.
- The decision plane doesn't have a default story. Org Policy + VPC-SC + Assured Workloads handles the data plane. The agent's decision plane — the policy engine, the model-risk tier, the PII redaction, the kill switch, the residency check that fails closed — is the part that has to land before 2 August 2026, when the GPAI Code of Practice is enforceable and the AI Office expects evidence on demand.
What Regulus emits that your DPO can use
- Article 9 risk-management evidence. Every model invocation tagged with the resolved model-risk tier, the validation evidence pointer, and the framework citation (NIST AI RMF MANAGE-2.1).
- Article 10 data-governance evidence. PII redaction events with the matched pattern, the resolved jurisdiction, and the retention window.
- Article 50 transparency evidence. Auto-generated "this is an AI" disclosures attached to outbound agent messages in user-facing contexts.
- GPAI Code of Practice mapping. Profile eu-ai-act includes the GPAI sub-profile; commitments map to specific control IDs in the audit chain.
- EU AI Act Annex III scoping evidence. Which use-category your agent falls into, captured at scaffold time and tagged on every event.
What an EU supervisory authority will ask for
The questions you'll see in a real walkthrough, and where to point them in the Regulus audit envelope:
- "Show me your Article 9 risk-management evidence." Filter the audit chain by framework_citations contains 'eu-ai-act:Article-9'. Export as a signed evidence envelope.
- "How do you enforce purpose limitation?" The policy plugin denies tool calls whose purpose claim doesn't match the agent's registered purpose. Show the DENY events in the chain.
- "What happens when residency fails?" The residency plugin fails closed. Show the FAIL_CLOSED events; explain that no PII left the region.
- "How do you evidence model risk?" Every model invocation carries model_tier. Tier-3 invocations require dual-control authorisation, surfaced through ADK's ToolConfirmation primitive.
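The walkthrough above, as an added illustration that is not Regulus code: the three decision-plane checks (purpose limitation, residency fail-closed, tier-3 dual control) each append one event to an in-memory audit chain, and the supervisory-authority filter selects events by framework citation. Event field names, citation strings, the tier threshold and the sample purposes are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AuditEvent:
    event_id: str
    control: str                     # which decision-plane check emitted the event
    decision: str                    # ALLOW, DENY or FAIL_CLOSED
    model_tier: int                  # resolved model-risk tier of the invocation
    framework_citations: list[str] = field(default_factory=list)
    detail: str = ""


def evaluate_tool_call(chain, registered_purpose, purpose_claim, region_ok,
                       model_tier, dual_control_approved=False):
    """Run the purpose, residency and model-risk checks in order and append exactly
    one event to the chain. Returns the decision. Shapes are assumed, not Regulus'."""
    def emit(control, decision, citations, detail=""):
        chain.append(AuditEvent(f"evt-{len(chain) + 1:04d}", control, decision,
                                model_tier, citations, detail))
        return decision

    # Purpose limitation is a runtime property of the call, so it is checked first:
    # a purpose claim that does not match the registered purpose is denied outright.
    if purpose_claim != registered_purpose:
        return emit("purpose-limitation", "DENY", ["gdpr:Article-5(1)(b)"],
                    f"claim {purpose_claim!r} != registered {registered_purpose!r}")
    # Residency fails closed: the call is never made, so no PII can leave the region.
    if not region_ok:
        return emit("residency", "FAIL_CLOSED", ["eu-ai-act:Article-10"],
                    "region check failed; tool call not made")
    # Tier-3 invocations need dual-control authorisation before they may proceed.
    if model_tier >= 3 and not dual_control_approved:
        return emit("model-risk", "DENY", ["eu-ai-act:Article-9"],
                    "tier-3 invocation lacks dual-control authorisation")
    return emit("model-risk", "ALLOW",
                ["eu-ai-act:Article-9", "nist-ai-rmf:MANAGE-2.1"])


def events_citing(chain, citation):
    """The 'framework_citations contains X' filter an authority would ask for."""
    return [ev for ev in chain if citation in ev.framework_citations]


def events_with_decision(chain, decision):
    """Select DENY or FAIL_CLOSED events to show during a walkthrough."""
    return [ev for ev in chain if ev.decision == decision]
```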
Where to start
- EU AI Act profile page — 12-section breakdown of the regulation and what Regulus delivers.
- GDPR profile page — same shape, for Article 5(1)(b) purpose limitation and Article 22 automated decisioning.
- Coverage matrix — pick your active regulations, see which Regulus controls deliver which requirements.
- Article 9 in code — the cornerstone article →