Regulus — Where Google ADK ends, regulated builds begin

Regulus — Where Google ADK ends, regulated builds beginRegulus is the open-source EU + UK compliance plane for Google ADK. 8 BasePlugin controls, 6 service extensions, 10 regulation profiles, 6 governance frameworks, 4 GRC adapters — drop into Vertex AI Agent Engine in 60 seconds. Java 21, ADK 1.2, MIT.https://regulus.neullabs.com/en-usAstroAnnex III high-risk: five questions that decide whether your agent is in scopehttps://regulus.neullabs.com/blog/annex-iii-high-risk-classification-five-questions/https://regulus.neullabs.com/blog/annex-iii-high-risk-classification-five-questions/Most agentic AI workflows in production end up high-risk under Annex III. Here are the five concrete questions to ask of your agent — answer yes to any, and the EU AI Act's Article 9 obligations bind.Mon, 01 Jun 2026 00:00:00 GMTeu-ai-actannex-iiihigh-riskclassificationscopeFCA Consumer Duty (GC23/2) outcomes monitoring for AI-driven decisioninghttps://regulus.neullabs.com/blog/fca-consumer-duty-outcomes-monitoring-for-ai-decisioning/https://regulus.neullabs.com/blog/fca-consumer-duty-outcomes-monitoring-for-ai-decisioning/Consumer Duty PRIN 12 demands outcomes monitoring on a cross-cutting basis. For AI agents making retail-customer decisions, this means runtime evidence tagged to the four Duty outcomes.Mon, 01 Jun 2026 00:00:00 GMTfcaconsumer-dutyprin-12outcomes-monitoringgc23-2GDPR Article 5(1)(b) purpose limitation in agentic AI: from PDF to runtimehttps://regulus.neullabs.com/blog/gdpr-article-5-purpose-limitation-from-pdf-to-runtime/https://regulus.neullabs.com/blog/gdpr-article-5-purpose-limitation-from-pdf-to-runtime/GDPR purpose limitation is a runtime check, not a contract clause. Here's how to enforce it at the agent's tool dispatch with a Principal claim and a BeforeToolCallback decision.Mon, 01 Jun 2026 00:00:00 GMTgdprarticle-5purpose-limitationruntimeprincipalEU AI Act Article 9 in code: how to evidence risk management for ADK agentshttps://regulus.neullabs.com/blog/eu-ai-act-article-9-evidence-for-adk-agents/https://regulus.neullabs.com/blog/eu-ai-act-article-9-evidence-for-adk-agents/Article 9 risk management isn't a PDF — it's a continuous runtime obligation. Here's how to evidence it for a Google ADK agent, mapped to specific BasePlugin callbacks and audit envelope fields.Mon, 01 Jun 2026 00:00:00 GMTeu-ai-actarticle-9adkrisk-managementauditgpaiGPAI Code of Practice (2 August 2026): what enforcement actually looks likehttps://regulus.neullabs.com/blog/gpai-code-of-practice-2-august-2026/https://regulus.neullabs.com/blog/gpai-code-of-practice-2-august-2026/The GPAI Code of Practice deadline is 2 August 2026. From that date the AI Office can request evidence from any GPAI-derived agent in the EU. What that means in practice for deployers building on ADK.Mon, 01 Jun 2026 00:00:00 GMTeu-ai-actgpaiai-officecode-of-practiceenforcementGoogle ADK plugin SPI deep-dive: BeforeAgentCallback to AfterToolCallbackhttps://regulus.neullabs.com/blog/google-adk-plugin-spi-deep-dive/https://regulus.neullabs.com/blog/google-adk-plugin-spi-deep-dive/Walking through Google ADK's plugin SPI from BeforeAgentCallback through AfterToolCallback with worked examples. Where to attach policy, where to attach privacy, where to attach the audit envelope.Mon, 01 Jun 2026 00:00:00 GMTgoogle-adkplugin-spibaseplugincallbacksjavaHash-chained audit trails for ADK agents: SHA-256 + RFC 9421 in ~200 lines of Javahttps://regulus.neullabs.com/blog/hash-chained-audit-trails-for-adk-agents/https://regulus.neullabs.com/blog/hash-chained-audit-trails-for-adk-agents/How to build a tamper-evident audit chain for an ADK agent. SHA-256 over the previous event's hash, offline verification, retention policies. Plus where RFC 9421 fits for cross-org agent calls.Mon, 01 Jun 2026 00:00:00 GMTaudithash-chainsha-256rfc-9421integrityjavaIs your LLM agent a 'model' under PRA SS1/23? The five tests that decide ithttps://regulus.neullabs.com/blog/is-your-llm-agent-a-model-under-pra-ss1-23/https://regulus.neullabs.com/blog/is-your-llm-agent-a-model-under-pra-ss1-23/PRA SS1/23's Principle 1 defines a model in broad terms. Five concrete tests applied to a typical LLM-powered agent — the answer is yes in every case. What that means operationally.Mon, 01 Jun 2026 00:00:00 GMTpra-ss1-23model-riskmrmuk-bankingss1-23NHS DSPT + agentic AI: mapping the 10 data security standards to runtime controlshttps://regulus.neullabs.com/blog/nhs-dspt-and-agentic-ai-10-standards-to-runtime-controls/https://regulus.neullabs.com/blog/nhs-dspt-and-agentic-ai-10-standards-to-runtime-controls/The NHS DSPT's 10 standards are the gating compliance asset for AI in NHS settings. Here's the runtime-controls map — which Regulus plugin delivers evidence for each NDG standard.Mon, 01 Jun 2026 00:00:00 GMTnhs-dspthealthcarendgai-in-healthcareehrVertex AI Agent Engine compliance gaps and how to close them without forking the runtimehttps://regulus.neullabs.com/blog/vertex-ai-agent-engine-compliance-gaps/https://regulus.neullabs.com/blog/vertex-ai-agent-engine-compliance-gaps/Vertex AI is the runtime; Org Policy + VPC-SC + Assured Workloads is the data plane. The agent's decision plane has no default story. Where the gaps are and how to close them via the ADK plugin SPI.Mon, 01 Jun 2026 00:00:00 GMTvertex-aiagent-enginegcpcontrol-planedecision-plane