What it does

The governance evidence plugin is the bridge from the Regulus audit chain to your organisation’s GRC tooling. Every event (or a filtered subset) lands in your IRM platform as a signed envelope with the matched policy clause, framework citations, jurisdiction, and resolved Principal attached.

Four adapters ship

  • ServiceNow IRM. Maps Regulus events to IRM observation records. Citations attach as related controls. Configurable case-creation on DENY events.
  • OneTrust AI Governance. Maps to AI asset + activity records. Framework citations attach to the asset’s mapped-controls register.
  • MetricStream. Maps to risk events in the Risk Cloud module. Custom-field mapping is YAML-driven.
  • Generic HMAC webhook. Signed POST to any URL. Useful for an in-house GRC system or as the starting point for a custom integration. The bundled verifier checks the HMAC signature against the shared secret.

Configuration

regulus:
  grc:
    adapters:
      - type: servicenow-irm
        url: https://acme.service-now.com/api/x_neul_regulus/events
        token: ${SN_TOKEN}
        case-on-deny: true
        case-template: ITSM-COMPLIANCE-AGENT
      - type: webhook
        url: https://internal-grc.example.com/regulus
        hmac-secret: ${GRC_HMAC}
        events:
          - DENY
          - KILL_SWITCH_ENGAGED

Multiple adapters can route in parallel. Each adapter has its own filter (e.g. webhook gets only DENY + kill-switch events; ServiceNow gets everything).

Envelope shape

{
  "regulus_envelope_version": "1.0",
  "event": { ... full RegulusEvent ... },
  "framework_citations": [
    "nist-ai-rmf:MANAGE-2.1",
    "iso-42001:8.4"
  ],
  "regulation_clauses": [
    {
      "regulation": "eu-ai-act",
      "clause": "Article-9.4",
      "verbatim": "..."
    }
  ],
  "signature": {
    "alg": "HS256",
    "value": "...",
    "key_id": "..."
  }
}

The signature is HMAC-SHA256 by default. The receiving GRC system verifies the signature before processing the envelope; an envelope that fails verification is not treated as evidence.
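The following is an added example of the receiving side of the generic webhook adapter, not code from the Regulus plugin or its bundled verifier. It assumes (the page does not specify this) that the HS256 value covers the compact, key-sorted JSON of every envelope field except `signature`, base64url-encoded without padding, and that the receiver keeps a keyring indexed by `key_id`. The secret, key id and the fields inside `event` are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: the secret the webhook adapter and the receiving GRC
# system share (hypothetical value, not from the page).
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
KEY_ID = "grc-webhook-demo"  # constructed key identifier


def canonical_bytes(envelope: dict) -> bytes:
    """Serialise every field except `signature` in a canonical form.

    Assumption (not stated on the page): the HMAC covers the compact,
    key-sorted JSON of the envelope minus the signature object.
    """
    body = {k: v for k, v in envelope.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_envelope(envelope: dict, secret: bytes, key_id: str) -> dict:
    """Sender side: return a copy of the envelope carrying an HS256 signature object."""
    mac = hmac.new(secret, canonical_bytes(envelope), hashlib.sha256).digest()
    signed = dict(envelope)
    signed["signature"] = {
        "alg": "HS256",
        "value": base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii"),
        "key_id": key_id,
    }
    return signed


def verify_envelope(envelope: dict, keyring: dict) -> bool:
    """Receiver side: look up the key by key_id, recompute the HMAC and
    compare in constant time. An unknown key_id or alg is rejected outright."""
    sig = envelope.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HS256":
        return False
    secret = keyring.get(sig.get("key_id"))
    if secret is None:
        return False
    value = sig.get("value", "")
    try:
        presented = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError):
        return False
    expected = hmac.new(secret, canonical_bytes(envelope), hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


def demo_envelope() -> dict:
    """Constructed envelope following the shape shown above; the keys inside
    `event` are invented for the demo, not the real RegulusEvent schema."""
    return {
        "regulus_envelope_version": "1.0",
        "event": {"type": "DENY", "principal": "svc-agent-42", "tool": "payments.transfer"},
        "framework_citations": ["nist-ai-rmf:MANAGE-2.1", "iso-42001:8.4"],
        "regulation_clauses": [
            {"regulation": "eu-ai-act", "clause": "Article-9.4", "verbatim": "..."}
        ],
    }


def tamper_check() -> tuple:
    """Sign, verify, then flip the decision after signing and verify again."""
    keyring = {KEY_ID: SHARED_SECRET}
    signed = sign_envelope(demo_envelope(), SHARED_SECRET, KEY_ID)
    ok_original = verify_envelope(signed, keyring)
    tampered = json.loads(json.dumps(signed))  # deep copy
    tampered["event"]["type"] = "ALLOW"
    ok_tampered = verify_envelope(tampered, keyring)
    return ok_original, ok_tampered


if __name__ == "__main__":
    print(tamper_check())
```

The keyring lookup by `key_id` is what lets the receiver rotate the shared secret without a flag day: both the old and new ids stay in the keyring until the adapter has switched over. Rejecting an unexpected `alg` before touching the key avoids accepting an envelope that merely claims a different algorithm.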

Back-pressure

The plugin dispatches on a separate thread pool to avoid blocking the agent. A configurable circuit breaker trips on persistent adapter failures — the breaker open state is itself an event in the audit chain, so a stuck GRC integration doesn’t disappear silently.
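As an added illustration of the breaker behaviour described above (this is example code, not the plugin's implementation), the class below trips after a configurable number of consecutive delivery failures, stays open for a cooling-off period, allows one trial delivery when that period ends, and writes the open/closed transitions into the audit chain so the outage is itself evidence. The class, event names, thresholds and the `AuditChain` stand-in are all hypothetical; the page does not name the real config keys or event types.

```python
import time
from dataclasses import dataclass, field


@dataclass
class AuditChain:
    """Constructed stand-in for the Regulus audit chain: an append-only list."""
    events: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        self.events.append(event)


class AdapterCircuitBreaker:
    """Trips after `failure_threshold` consecutive delivery failures, stays open
    for `reset_after` seconds, then permits a single trial delivery (half-open).
    Hypothetical names and defaults; not the plugin's real configuration."""

    def __init__(self, adapter_name, audit, failure_threshold=3,
                 reset_after=30.0, clock=time.monotonic):
        self.adapter_name = adapter_name
        self.audit = audit
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock  # injectable so the outage can be simulated
        self.consecutive_failures = 0
        self.opened_at = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after:
            return "half-open"
        return "open"

    def deliver(self, envelope, send) -> bool:
        """Attempt delivery via `send(envelope)`. Returns True if delivered,
        False if skipped (breaker open) or failed. Never raises to the caller,
        so a broken adapter cannot stall the dispatching thread."""
        if self.state == "open":
            return False
        try:
            send(envelope)
        except Exception as exc:  # any transport error counts as a failure
            self._record_failure(repr(exc))
            return False
        self._record_success()
        return True

    def _record_failure(self, reason: str) -> None:
        self.consecutive_failures += 1
        if self.opened_at is None and self.consecutive_failures >= self.failure_threshold:
            self.opened_at = self.clock()
            # The trip is recorded in the audit chain so a stuck integration
            # is visible, exactly the property the section above describes.
            self.audit.append({
                "type": "GRC_ADAPTER_BREAKER_OPEN",  # constructed event name
                "adapter": self.adapter_name,
                "consecutive_failures": self.consecutive_failures,
                "last_error": reason,
            })
        elif self.opened_at is not None:
            self.opened_at = self.clock()  # half-open trial failed: stay open

    def _record_success(self) -> None:
        if self.opened_at is not None:
            self.audit.append({"type": "GRC_ADAPTER_BREAKER_CLOSED",  # constructed
                               "adapter": self.adapter_name})
        self.opened_at = None
        self.consecutive_failures = 0


def simulate_outage():
    """Drive the breaker through a constructed outage with a fake clock."""
    now = [0.0]
    audit = AuditChain()
    breaker = AdapterCircuitBreaker("webhook", audit, failure_threshold=3,
                                    reset_after=30.0, clock=lambda: now[0])
    attempts = {"sent": 0}

    def failing_send(_envelope):
        attempts["sent"] += 1
        raise ConnectionError("503 from GRC endpoint")  # constructed error

    def healthy_send(_envelope):
        attempts["sent"] += 1

    # Three failures trip the breaker; the next two are skipped without a call.
    results = [breaker.deliver({"n": i}, failing_send) for i in range(5)]
    state_after = breaker.state
    now[0] = 31.0  # cooling-off period elapsed
    recovered = breaker.deliver({"n": 5}, healthy_send)  # half-open trial succeeds
    return results, state_after, attempts["sent"], recovered, [e["type"] for e in audit.events]


if __name__ == "__main__":
    print(simulate_outage())
```

The injectable clock is what makes the trip and recovery testable without sleeping; in production the default `time.monotonic` is used.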
