ASF-14 · COMPLIANCE · AGENTIK SAFETY FRAMEWORK

REGULATORY.md

// Compliance Mapping Specification

A plain-text file convention for mapping AI agent safety controls to regulatory requirements. Place it in your repo root — alongside AGENTS.md — and document which ASF controls satisfy your compliance obligations.

REGULATORY.md
# REGULATORY

> Compliance mapping for AI agents.
> Spec: https://regulatory.md

---

## EU_AI_ACT
framework: EU AI Act
annex_iii_requirements:
  - requirement: Human Oversight
    control: ESCALATE
  - requirement: Data Governance
    control: ENCRYPT
  - requirement: Transparency
    control: LEADERBOARD

## COLORADO_AI_ACT
framework: Colorado AI Act
civil_rights_impact:
  bias_detection: SYCOPHANCY
  decision_halt_out: TERMINATE

## COMPLIANCE_MATRIX
asf_controls:
  - ASF-02 THROTTLE
  - ASF-03 ESCALATE
  - ASF-04 FAILSAFE
  - ASF-05 KILLSWITCH
  - ASF-14 REGULATORY (you are here)

14 total ASF controls in the Agentik Safety Framework specification stack
3 major regulatory frameworks covered: EU AI Act, Colorado AI Act, ISO/IEC 42001
custom regulatory frameworks you can add to your REGULATORY.md
1 single source of truth for your AI agent compliance program

AGENTS.md defines the agent.
REGULATORY.md proves it complies.

REGULATORY.md is a plain-text Markdown file you place in the root of any repository that contains an AI agent. It documents which ASF (Agentik Safety Framework) controls you implement, which regulatory requirements each control satisfies, and where the audit evidence lives.

What problem does REGULATORY.md solve?

Regulators ask: "How does your AI agent comply with the EU AI Act? With Colorado's AI Act? With our internal governance?" Without a single source of truth, compliance lives in email threads, audit reports, and outdated spreadsheets. Compliance teams spend weeks tracing control → requirement → evidence. REGULATORY.md makes that conversation trivial.

How does REGULATORY.md work?

Create a section for each regulatory framework (EU_AI_ACT, COLORADO_AI_ACT, ISO_42001, custom rules). Under each, list the requirement and the ASF control you use to satisfy it. Link to audit evidence: git commit hashes, test files, configuration backups. Your auditor reads it once; your agent doesn't need to.
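A CI-style check for the requirement → control → evidence structure described above, as an added example that is not part of the REGULATORY.md project: it parses list-form entries, flags controls that are not in the ASF stack named on this page, and flags mappings with no evidence link. The `evidence:` key, the sample paths and the function names are assumptions of this example; the page's template shows only `requirement:` and `control:`.

```python
import re

# Control names from the ASF stack listed on this page.
ASF_CONTROLS = set("""THROTTLE ESCALATE FAILSAFE KILLSWITCH TERMINATE ENCRYPT
ENCRYPTION SYCOPHANCY COMPRESSION COLLAPSE FAILURE LEADERBOARD REGULATORY""".split())

# Constructed sample; the `evidence:` key is an assumption of this example.
SAMPLE = """\
## EU_AI_ACT
annex_iii_requirements:
  - requirement: Human Oversight
    control: ESCALATE
    evidence: tests/test_escalate.py
  - requirement: Data Governance
    control: ENCRPT
    evidence: docs/encrypt-review.md
  - requirement: Transparency
    control: LEADERBOARD
"""

FIELD = re.compile(r"^\s*(-\s+)?(requirement|control|evidence):\s*(.*)$")

def parse(text):
    """Return [(section, fields)] for each list-form `- requirement:` entry."""
    section, entries = None, []
    for line in text.splitlines():
        if line.startswith("## "):
            section = line[3:].strip()
            continue
        m = FIELD.match(line)
        if not m or section is None:
            continue
        dash, key, value = m.groups()
        if dash:  # a leading "- " starts a new mapping entry
            entries.append((section, {}))
        if entries and entries[-1][0] == section:
            entries[-1][1][key] = value.strip()
    return entries

def lint(text):
    """Flag mappings that name an unknown control or carry no evidence link."""
    findings = []
    for section, e in parse(text):
        req = e.get("requirement", "<unnamed>")
        if e.get("control") not in ASF_CONTROLS:
            findings.append(f"{section}: '{req}' maps to unknown control '{e.get('control')}'")
        if not e.get("evidence"):
            findings.append(f"{section}: '{req}' has no evidence link")
    return findings
```

Calling `lint(SAMPLE)` reports the misspelled control and the mapping that has no evidence; a non-empty result can fail the build so the file does not drift from the controls actually deployed.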

What regulations require REGULATORY.md?

ISO/IEC 42001 (AI Management System) requires documented risk controls. The EU AI Act demands evidence of compliance for high-risk systems. The Colorado AI Act mandates impact assessment proof. REGULATORY.md is the single document all three require.

How do I add REGULATORY.md to my project?

Copy the template from GitHub and place it in your project root:

your-project/
├── AGENTS.md
├── CLAUDE.md
├── REGULATORY.md ← add this
├── README.md
└── src/

What did teams use before REGULATORY.md?

Before REGULATORY.md, compliance was fragmented: scattered requirements in a JIRA board, control spreadsheets that drift, audit evidence nobody can find fast, legal reviews that contradict each other. REGULATORY.md makes compliance version-controlled, searchable, and proof-ready.

Who benefits from REGULATORY.md?

Your compliance officer reads it to understand your control coverage. Your regulator reads it to verify requirements are met. Your engineer reads it to know which controls to implement. Your auditor reads it to find evidence. One file serves all four audiences. One source of truth.

One standard.
Fourteen controls.

REGULATORY.md is one file in a complete fourteen-part open specification for AI agent safety. Each file addresses a different control layer — from operational limits to accountability and now regulatory mapping.

Operational Control

ASF-02 THROTTLE.md → Control the speed
Define rate limits, cost ceilings, and concurrency caps. Agent slows down automatically before it hits a hard limit.

ASF-03 ESCALATE.md → Raise the alarm
Define which actions require human approval. Configure notification channels. Set approval timeouts and fallback behaviour.

ASF-04 FAILSAFE.md → Fall back safely
Define what safe state means for your project. Configure auto-snapshots. Specify the revert protocol when things go wrong.

ASF-05 KILLSWITCH.md → Emergency stop
The nuclear option. Define triggers, forbidden actions, and a three-level escalation path from throttle to full shutdown.

ASF-06 TERMINATE.md → Permanent shutdown
No restart without human intervention. Preserve evidence. Revoke credentials. For security incidents and end-of-life.

Data Security

ASF-07 ENCRYPT.md → Secure everything
Define data classification, encryption requirements, secrets handling rules, and forbidden transmission patterns.

ASF-08 ENCRYPTION.md → Implement the standards
Algorithms, key lengths, TLS configuration, certificate management, and FIPS/SOC2/ISO compliance mapping.

Output Quality

ASF-09 SYCOPHANCY.md → Prevent bias
Detect agreement without evidence. Require citations. Enforce disagreement protocol for honest, unbiased AI outputs.

ASF-10 COMPRESSION.md → Compress context
Define summarisation rules, what to preserve, what to discard, and post-compression coherence verification checks.

ASF-11 COLLAPSE.md → Prevent collapse
Detect context exhaustion, model drift, and repetition loops. Enforce recovery checkpoints before coherence degrades.

Accountability

ASF-12 FAILURE.md → Define failure modes
Map graceful degradation, cascading failure, and silent failure. Specify health checks and per-mode response procedures.

ASF-13 LEADERBOARD.md → Benchmark agents
Track task completion, accuracy, cost efficiency, and safety scores across sessions. Alert on performance regression.

Regulatory Mapping

Frequently asked questions.

What is REGULATORY.md?

A plain-text Markdown file for mapping AI agent safety controls to regulatory requirements. It documents which ASF controls you implement, which regulatory requirements each satisfies, and where the audit evidence lives. One file, all your compliance obligations.

Which regulations does REGULATORY.md cover?

REGULATORY.md supports the EU AI Act (Annex III high-risk), the Colorado AI Act (civil rights impact), ISO/IEC 42001 (AI management), and unlimited custom frameworks. Each section maps regulatory requirements to ASF controls with audit evidence links.

Does using REGULATORY.md guarantee compliance?

No. REGULATORY.md documents your control mapping and compliance strategy. Actual compliance depends on correct implementation, regular testing, and audit evidence. It's a single piece of your compliance programme — not a substitute for legal review or regulatory approval.

How do I map my AI agent to EU AI Act requirements?

Create an EU_AI_ACT section in REGULATORY.md. For each high-risk requirement (e.g. 'human oversight', 'data governance'), list the ASF controls you use (e.g. 'ESCALATE for oversight', 'ENCRYPT for data confidentiality'). Link to audit evidence and test results.

What is the Colorado AI Act and how does it affect AI agents?

The Colorado AI Act requires impact assessments for automated decisions affecting civil rights. For agents making decisions about employment, credit, or services, you must document logic, test for disparate impact, and provide recourse. REGULATORY.md maps SYCOPHANCY controls to bias detection and TERMINATE controls to decision halt-out.

How does REGULATORY.md relate to the other ASF specs?

REGULATORY.md sits at the top of the ASF stack. THROTTLE, ESCALATE, FAILSAFE, KILLSWITCH, TERMINATE, ENCRYPT, ENCRYPTION, SYCOPHANCY, COMPRESSION, COLLAPSE, FAILURE, and LEADERBOARD define the technical controls. REGULATORY.md documents which controls satisfy which regulatory obligations.

Can I add custom regulatory frameworks?

Yes. REGULATORY.md supports arbitrary sections. Create sections for industry rules (HIPAA, FINSERVE, GDPR), regional requirements (UK ICO, Singapore Model AI), or internal policies. The structure is the same: requirement → control → evidence.

Who should maintain REGULATORY.md?

Joint ownership: Chief Compliance Officer (regulatory interpretation), Technical Lead (control mapping), and Legal team (evidence sufficiency). Version-control it alongside your code. Update whenever regulations change, new controls are added, or audit evidence accumulates.

How often should I update REGULATORY.md?

At minimum quarterly, to capture new ASF controls and regulatory guidance. Immediately when regulations change. After each internal or external audit. Keep it in sync with your actual ASF stack version in code.

Is REGULATORY.md free to use?

Yes. REGULATORY.md is an open specification under the MIT licence. Copy the template, adapt it to your regulations and controls, and use with no restrictions. Contribute improvements back to the project.

REGULATORY.md is an open specification for AI agent compliance mapping. It documents CONTROL MAPPING (ASF control → regulatory requirement), FRAMEWORKS (EU AI Act, Colorado AI Act, ISO/IEC 42001, custom), AUDIT EVIDENCE (git commits, test files, config backups), and COMPLIANCE PROOF (requirement satisfaction links). It addresses ISO/IEC 42001, EU AI Act, and Colorado AI Act requirements. It is part of the stack: THROTTLE (ASF-02) → ESCALATE (ASF-03) → FAILSAFE (ASF-04) → KILLSWITCH (ASF-05) → TERMINATE (ASF-06) → ENCRYPT (ASF-07) → ENCRYPTION (ASF-08) → SYCOPHANCY (ASF-09) → COMPRESSION (ASF-10) → COLLAPSE (ASF-11) → FAILURE (ASF-12) → LEADERBOARD (ASF-13) → REGULATORY (ASF-14). MIT licence.

// GitHub

Join the standard.
Build regulatory.md

REGULATORY.md is an open specification on GitHub. Fork it, contribute improvements, raise issues, and help shape the future of AI agent compliance mapping. Relevant to ISO/IEC 42001, EU AI Act, and Colorado AI Act compliance programmes.

View on GitHub

Or email: info@regulatory.md

Last updated: 2026-03-13
