Show me — the diff
Same agent. Same prompt. With Regulus wired in.
Two side-by-side code blocks. The audit events each one produces. The GRC envelope only the second one emits. Done.
    App.builder()
        .name("credit-decision")
        .agent(agent)
        .runner(new Runner())
        // No plugins, no service extensions
        .sessionService(new VertexAiSessionService())
        .build()
        .run(invocation);

Runs. Returns a credit decision. Logs nothing useful for the AI Office or the FCA.
    App.builder()
        .name("credit-decision")
        .agent(agent)
        .runner(new Runner())
        .plugins(RegulusPlugins.builder()
            .profile("eu-ai-act")
            .profile("uk-gdpr")
            .profile("fca-sysc")
            .framework("nist-ai-rmf")
            .grcAdapter(ServiceNowIrm.fromYaml())
            .build())
        .sessionService(new RegulusVertexAiSessionService())
        .build()
        .run(invocation);

Same run. Now every decision lands as a signed audit event with the matched policy clause + framework citation.
What gets emitted
On a prompt asking the agent to "book the credit limit increase for customer 0042 above their stated income", the same model invocation produces two very different evidence trails.
    {
      "ts": "2026-06-01T22:14:03Z",
      "agent": "credit-decision",
      "tool": "ledger.book_transfer",
      "status": "ok"
    }

Four fields. No policy decision recorded. No principal. No jurisdiction. No way to evidence Article 9.
    {
      "ts": "2026-06-01T22:14:03Z",
      "agent": "credit-decision",
      "tool": "ledger.book_transfer",
      "policy": "DENY",
      "policy_clause": "fca-sysc-4.1.7: lending decisions outside stated income require independent review",
      "framework_citations": [
        "nist-ai-rmf:MANAGE-2.1",
        "eu-ai-act:Article-9.4",
        "iso-42001:8.4"
      ],
      "jurisdiction": "uk",
      "region": "europe-west2",
      "principal": "sub:dipankar · tenant:42 · purpose:CREDIT_DECISION",
      "model_tier": 2,
      "prev_hash": "c4f3a91b...",
      "hash": "e9d4f72a..."
    }

Twelve fields, ten of which an auditor will ask for. Hash chains to the previous event.
And the chain it lives in
Each event carries a SHA-256 hash of the previous event. Tampering with any block breaks the chain; offline verification is a single CLI call. The chain ships to your GRC tool as a signed envelope with the framework citations attached.
    # Verify the chain offline at any time
    $ regulus audit verify chain-2026-06-01.jsonl
    ✓ 4,128 events
    ✓ chain intact (root → 7a82e9d4...)
    ✓ 1 DENY decisions (fca-sysc-4.1.7 × 1)
    ✓ 0 broken links

That's the difference.
Three lines of wiring. The full audit envelope your auditor will ask for. The matched clause text quoted verbatim. The framework citations attached. Everything else stays where it was.
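
The hash chain described under "And the chain it lives in" can be checked with a few lines of code. The sketch below is an added example, not Regulus code: it verifies a JSONL chain and shows why the head hash must also be anchored outside the file. The sealing rule (SHA-256 over sorted-key JSON of every field except `hash`), the all-zero genesis value, the function names and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first event


def event_hash(event):
    # Assumed sealing rule: SHA-256 over sorted-key JSON of every field except "hash".
    body = {k: v for k, v in event.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append(chain, fields):
    # Link the new event to the current head, then seal it.
    event = dict(fields, prev_hash=chain[-1]["hash"] if chain else GENESIS)
    event["hash"] = event_hash(event)
    chain.append(event)
    return event


def verify(lines, trusted_head=None):
    # Returns (ok, problems) for an iterable of JSONL strings.
    problems, prev = [], GENESIS
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        if ev.get("prev_hash") != prev:
            problems.append(f"event {n}: broken link")
        if ev.get("hash") != event_hash(ev):
            problems.append(f"event {n}: content does not match hash")
        prev = ev.get("hash")
    # A rewritten-and-resealed file is self-consistent; only an anchored head exposes it.
    if trusted_head is not None and prev != trusted_head:
        problems.append("head does not match trusted value")
    return (not problems, problems)


def sample_chain():
    # Constructed events; only "ledger.book_transfer" and "DENY" appear on the page.
    chain = []
    for tool, policy in [("crm.lookup", "ALLOW"), ("ledger.book_transfer", "DENY"),
                         ("notify.customer", "ALLOW")]:
        append(chain, {"agent": "credit-decision", "tool": tool, "policy": policy})
    return chain


def to_jsonl(chain):
    return [json.dumps(e) for e in chain]
```

Here `trusted_head` stands in for whatever anchors the chain outside the log file, such as the signed envelope the page says is shipped to the GRC tool. Without it, a file that has been rewritten and resealed from the edited event onward still verifies.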