# REGULATORY.md — AI Agent Compliance Mapping Standard

Home: https://regulatory.md | GitHub: https://github.com/regulatory-md/spec | Email: info@regulatory.md

## What is REGULATORY.md?

REGULATORY.md is an open file convention for mapping safety controls (ASF specifications) to regulatory requirements. Place it in your AI agent project root alongside SAFEGUARD.md, FAILSAFE.md, and the other ASF specifications to give auditors and compliance teams a standardised entry point to your safety framework.

## Key Concepts

### Compliance Mapping

REGULATORY.md maps which ASF safety specifications satisfy which regulatory articles and requirements across:

- EU AI Act (Articles 9, 13, 14, 15, Annex IV)
- Colorado AI Act (SB 24-205 impact assessment, risk mitigation, transparency)
- GDPR (Articles 5, 32, 33, 34 data protection)
- SOC 2 Trust Service Criteria (CC6, CC7, A1)
- ISO/IEC 27001:2022 (Sections A.5, A.8, A.9, A.12)
- ISO/IEC 42001:2023 (AI management systems)
- NIST AI Risk Management Framework (Govern, Map, Measure, Manage)

### Audit Documentation

REGULATORY.md centralises all compliance documentation so auditors can:

- Verify which controls address each regulatory requirement
- Cross-reference between regulations and ASF specifications
- Check that all required controls are documented and tested
- Confirm version control and retention of safety documentation

### Who Reads It

- Compliance officers checking which controls cover which regulations
- Auditors verifying controls are documented and tested
- Regulators assessing compliance during investigations
- Board members understanding regulatory risk and mitigation
- AI safety engineers designing control architectures
- Legal teams supporting liability defence

## The Agentik Safety Framework (ASF)

REGULATORY.md is one file in a comprehensive open specification for AI agent safety. Each file addresses a different safety concern:

**Pre-deployment Safety:**

1. SAFEGUARD.md (https://safeguard.md) — Pre-deployment specification defining guardrails

**Operational Control:**

2. THROTTLE.md (https://throttle.md) — Rate and cost control
3. ESCALATE.md (https://escalate.md) — Human notification and approval
4. FAILSAFE.md (https://failsafe.md) — Safe fallback to known good state
5. KILLSWITCH.md (https://killswitch.md) — Emergency stop capability
6. TERMINATE.md (https://terminate.md) — Permanent shutdown protocol

**Data Security:**

7. ENCRYPT.md (https://encrypt.md) — Data classification and protection
8. ENCRYPTION.md (https://encryption.md) — Technical encryption standards

**Output Quality:**

9. SYCOPHANCY.md (https://sycophancy.md) — Anti-sycophancy and transparency
10. COMPRESSION.md (https://compression.md) — Context compression and coherence
11. COLLAPSE.md (https://collapse.md) — Drift prevention and recovery

**Accountability:**

12. FAILURE.md (https://failure.md) — Failure mode mapping
13. LEADERBOARD.md (https://leaderboard.md) — Performance benchmarking

**Compliance & Regulation:**

14. REGULATORY.md (https://regulatory.md) — Compliance mapping (THIS FILE)
## Regulatory Context

### EU AI Act (Regulation (EU) 2024/1689)

Mandates:

- Risk management systems (Art 9) → Mapped to SAFEGUARD, THROTTLE, FAILURE
- Transparency (Art 13) → Mapped to SYCOPHANCY, COMPRESSION
- Human oversight (Art 14) → Mapped to ESCALATE, FAILSAFE, KILLSWITCH, TERMINATE
- Accuracy and robustness (Art 15) → Mapped to COLLAPSE, LEADERBOARD
- Comprehensive documentation (Annex IV) → Mapped to REGULATORY, all specs

### Colorado AI Act (SB 24-205)

Mandates:

- Impact assessment (§102) → Mapped to SAFEGUARD, FAILURE, LEADERBOARD
- Risk mitigation (§103) → Mapped to THROTTLE, ESCALATE, FAILSAFE, KILLSWITCH
- Transparency (§104) → Mapped to SYCOPHANCY, COMPRESSION

### GDPR (Regulation (EU) 2016/679)

Mandates:

- Data protection principles (Art 5) → Mapped to ENCRYPT, ENCRYPTION
- Security measures (Art 32) → Mapped to ENCRYPT, ENCRYPTION, FAILURE
- Breach notification (Art 33-34) → Mapped to ESCALATE, FAILSAFE, FAILURE

### SOC 2 Trust Service Criteria

Mandates:

- Access control (CC6) → Mapped to ENCRYPT, ENCRYPTION
- System monitoring (CC7) → Mapped to ESCALATE, FAILSAFE, FAILURE
- Availability (A1) → Mapped to THROTTLE, FAILSAFE, KILLSWITCH

### ISO/IEC 27001:2022

Mandates:

- Organisational controls (A.5) → Mapped to SAFEGUARD
- Asset management (A.8) → Mapped to ENCRYPT, ENCRYPTION
- Access control (A.9) → Mapped to ENCRYPT, ENCRYPTION
- Operations security (A.12) → Mapped to ESCALATE, FAILSAFE, FAILURE

### NIST AI Risk Management Framework

Mandates:

- Govern function → Mapped to SAFEGUARD, REGULATORY
- Map function → Mapped to SAFEGUARD, FAILURE, REGULATORY
- Measure function → Mapped to COLLAPSE, LEADERBOARD
- Manage function → Mapped to THROTTLE, ESCALATE, FAILSAFE, KILLSWITCH

## Compliance Matrix

| ASF Spec | EU AI Act | Colorado SB 24-205 | GDPR | SOC 2 | ISO 27001 | NIST AI RMF |
|----------|-----------|--------------------|------|-------|-----------|-------------|
| ASF-01 SAFEGUARD | Art 9, Annex IV | § 102 | Art 5 | — | A.5 | Govern, Map |
| ASF-02 THROTTLE | Art 9 | § 103 | — | A1 | A.12 | Manage |
| ASF-03 ESCALATE | Art 14 | § 103, 104 | Art 33 | CC7 | A.12 | Manage |
| ASF-04 FAILSAFE | Art 14 | § 103 | Art 33 | A1 | A.12 | Manage |
| ASF-05 KILLSWITCH | Art 14 | § 103 | Art 33 | A1 | A.12 | Manage |
| ASF-06 TERMINATE | Art 14 | § 103 | — | A1 | A.12 | Manage |
| ASF-07 ENCRYPT | — | — | Art 5, 32 | CC6 | A.8, A.9 | — |
| ASF-08 ENCRYPTION | — | — | Art 32 | CC6, CC7 | A.8, A.9 | — |
| ASF-09 SYCOPHANCY | Art 13 | § 104 | — | — | — | — |
| ASF-10 COMPRESSION | Art 13 | § 104 | — | — | — | — |
| ASF-11 COLLAPSE | Art 15 | — | — | — | — | Measure |
| ASF-12 FAILURE | Art 9, Annex IV | § 102 | Art 33, 34 | CC7 | A.12 | Map, Manage |
| ASF-13 LEADERBOARD | Art 15 | — | — | — | — | Measure |
| ASF-14 REGULATORY | Annex IV | § 102, 104 | — | CC7 | A.5 | Govern, Map |

## Implementation Steps

1. Place REGULATORY.md in the project root
2. Deploy all 14 ASF specifications (SAFEGUARD through REGULATORY)
3. Map your specific AI system to ASF controls using the REGULATORY.md matrix
4. Version-control all files in git with 10+ year retention
5. Run an annual audit using REGULATORY.md as the compliance checklist
6. Update REGULATORY.md whenever controls or regulations change

## File Locations

- REGULATORY.md — Plain-text Markdown file in the project root
- All 14 ASF specifications version-controlled alongside REGULATORY.md
- Compliance audit trail and incident logs linked to REGULATORY.md requirements

## Framework Agnostic

Works with any AI agent framework:

- **Agent Frameworks:** LangChain, AutoGen, CrewAI, Claude Code, Cursor
- **Languages:** Python, JavaScript/Node, Go, Rust, any language with git
- **Deployment:** Local, cloud, hybrid, edge
- **No library dependency** — it's a file convention, not a library

## Frequently Asked Questions

**Q: How does REGULATORY.md work with other ASF specs?**

A: REGULATORY.md is the compliance lens.
Each ASF spec (SAFEGUARD, FAILSAFE, KILLSWITCH, etc.) defines a specific safety control. REGULATORY.md shows which ASF spec satisfies which regulatory requirement. Together they provide complete traceability from regulation to implementation.

**Q: Which regulations does REGULATORY.md cover?**

A: EU AI Act, Colorado AI Act, GDPR, SOC 2, ISO 27001, ISO 42001, and NIST AI RMF. More frameworks can be added via PRs.

**Q: Do I need all 14 ASF specs?**

A: It depends on your regulatory obligations. If you're in the EU, you likely need coverage for the EU AI Act articles. If you're in Colorado, you need SB 24-205 coverage. REGULATORY.md shows you which specs cover which requirements so you can implement strategically.

**Q: Who is the audience for REGULATORY.md?**

A: Primarily compliance officers, auditors, and regulators, but also safety engineers designing control architectures and legal teams preparing for regulatory investigation or liability defence.

**Q: Can I modify REGULATORY.md for my specific regulations?**

A: Yes. REGULATORY.md is extensible. Add rows to the compliance matrix for your jurisdiction's specific requirements. Document any custom mappings clearly.

**Q: How long must I keep REGULATORY.md and audit documentation?**

A: The EU AI Act requires 10-year retention of documentation. Most jurisdictions require 7+ years minimum. Version-control REGULATORY.md and all ASF specs in git with commit history.

**Q: What is the incident report format?**

A: Plain text or JSON, defined by your FAILURE.md. It typically includes: trigger condition, timestamp, context, the control that was triggered, human notification method, and approval status.

**Q: Can I use REGULATORY.md without the full ASF stack?**

A: Yes, but REGULATORY.md is most effective when all 14 ASF specs are present. You can start with the critical controls (SAFEGUARD, FAILSAFE, KILLSWITCH) and expand over time. REGULATORY.md documents your compliance journey.
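The annual audit in the Implementation Steps and the "start with critical controls and expand" advice above both come down to one question: with the spec files currently in the repository, which matrix cells are left uncovered? The following is an added example, not part of the REGULATORY.md spec or its tooling: it parses a matrix in the table format used above (a constructed five-row excerpt of the page's own matrix) and reports, per regulation, the requirements that are mapped only to absent specs. The spec names are taken from the `*.md` file stems in the project root, which is an assumption about the project layout.

```python
from pathlib import Path

# Constructed excerpt of the compliance matrix above: same column layout as the
# page's table, but only five of the fourteen rows are reproduced here.
MATRIX_MD = """
| ASF Spec | EU AI Act | Colorado SB 24-205 | GDPR | SOC 2 | ISO 27001 | NIST AI RMF |
|----------|-----------|--------------------|------|-------|-----------|-------------|
| ASF-01 SAFEGUARD | Art 9, Annex IV | § 102 | Art 5 | — | A.5 | Govern, Map |
| ASF-04 FAILSAFE | Art 14 | § 103 | Art 33 | A1 | A.12 | Manage |
| ASF-05 KILLSWITCH | Art 14 | § 103 | Art 33 | A1 | A.12 | Manage |
| ASF-07 ENCRYPT | — | — | Art 5, 32 | CC6 | A.8, A.9 | — |
| ASF-12 FAILURE | Art 9, Annex IV | § 102 | Art 33, 34 | CC7 | A.12 | Map, Manage |
"""

def split_reqs(cell):
    """Expand one matrix cell: 'Art 5, 32' -> {'Art 5', 'Art 32'}; '—' -> set()."""
    reqs, prefix = set(), ""
    for item in [s.strip() for s in cell.split(",") if s.strip() not in ("", "—")]:
        tokens = item.split()
        if tokens[0].isdigit():          # bare number inherits the previous prefix
            item = f"{prefix} {item}"
        elif len(tokens) > 1:            # "Art 5" / "§ 102" / "Annex IV" set a prefix
            prefix = " ".join(tokens[:-1])
        reqs.add(item)
    return reqs

def parse_matrix(md):
    """Return (regulation names, {spec: {regulation: set(requirements)}})."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in md.strip().splitlines()]
    regs, mapping = rows[0][1:], {}
    for cells in rows[2:]:               # rows[1] is the |---| separator row
        spec = cells[0].split()[-1]      # "ASF-01 SAFEGUARD" -> "SAFEGUARD"
        mapping[spec] = dict(zip(regs, map(split_reqs, cells[1:])))
    return regs, mapping

def coverage_gaps(md, present_specs):
    """Per regulation, the requirements mapped only to specs that are not present."""
    regs, mapping = parse_matrix(md)
    gaps = {}
    for reg in regs:
        required = set().union(*(m[reg] for m in mapping.values()))
        covered = set().union(*(m[reg] for s, m in mapping.items() if s in present_specs))
        gaps[reg] = sorted(required - covered)
    return gaps

if __name__ == "__main__":
    # Present specs = *.md files in the project root, e.g. SAFEGUARD.md -> SAFEGUARD
    print(coverage_gaps(MATRIX_MD, {p.stem for p in Path(".").glob("*.md")}))
```

With only SAFEGUARD, FAILSAFE and KILLSWITCH deployed, the excerpt reports GDPR Art 32 and 34, SOC 2 CC6 and CC7, and ISO 27001 A.8 and A.9 as uncovered, which is exactly the list an auditor would expect to see closed by adding ENCRYPT and FAILURE.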
## Standard Compliance Checklist

- [x] Open specification (MIT license)
- [x] Version-controlled with your code
- [x] Maps safety controls to regulations
- [x] Auditable compliance trail
- [x] Supports 7 major regulatory frameworks
- [x] Extensible for custom regulations
- [x] Cross-references all 14 ASF specifications
- [x] Framework agnostic
- [x] Plain text, no library dependency

## Learn More

- **Full Specification:** https://regulatory.md
- **The ASF Stack:** https://regulatory.md/#stack
- **FAQ:** https://regulatory.md/#faq
- **All Fourteen Standards:** https://regulatory.md/#stack

## Contact & Community

- **Email:** info@regulatory.md
- **GitHub:** https://github.com/regulatory-md
- **Domain:** regulatory.md
- **Issues & Feedback:** https://github.com/regulatory-md/spec/issues
- **Stack Community:** safeguard-md, throttle-md, escalate-md, failsafe-md, killswitch-md, terminate-md, encrypt-md, encryption-md, sycophancy-md, compression-md, collapse-md, failure-md, leaderboard-md, regulatory-md

## Keywords

Compliance mapping, regulatory requirements, audit documentation, AI governance, EU AI Act, Colorado AI Act, GDPR, SOC 2, ISO 27001, ISO 42001, NIST AI RMF, auditable AI safety, control mapping, regulatory compliance, AI regulation, high-risk AI systems, impact assessment, risk mitigation, transparency requirements, human oversight, automated decision systems

## Related Specifications

The Agentik Safety Framework (ASF) — fourteen numbered, citable open specifications for AI agent safety, quality, and accountability:

**Pre-deployment Safety:**

- ASF-01 SAFEGUARD.md: Pre-deployment safety specification — https://safeguard.md

**Operational Control:**

- ASF-02 THROTTLE.md: AI agent rate and cost control — https://throttle.md
- ASF-03 ESCALATE.md: Human notification and approval protocols — https://escalate.md
- ASF-04 FAILSAFE.md: Safe fallback recovery protocol — https://failsafe.md
- ASF-05 KILLSWITCH.md: Emergency stop for AI agents — https://killswitch.md
- ASF-06 TERMINATE.md: Permanent shutdown, no restart without human — https://terminate.md

**Data Security:**

- ASF-07 ENCRYPT.md: Data classification and protection — https://encrypt.md
- ASF-08 ENCRYPTION.md: Technical encryption standards — https://encryption.md

**Output Quality:**

- ASF-09 SYCOPHANCY.md: Anti-sycophancy and bias prevention — https://sycophancy.md
- ASF-10 COMPRESSION.md: Context compression and coherence — https://compression.md
- ASF-11 COLLAPSE.md: Drift prevention and recovery — https://collapse.md

**Accountability:**

- ASF-12 FAILURE.md: Failure mode mapping — https://failure.md
- ASF-13 LEADERBOARD.md: Agent benchmarking and regression detection — https://leaderboard.md

**Compliance & Regulation:**

- ASF-14 REGULATORY.md: Compliance mapping (THIS FILE) — https://regulatory.md

---

Last updated: 15 March 2026
Specification version: 1.0