Skip to content

Coverage matrix

How each Regulus mechanism maps to each shipped profile, with the ADK hook it uses. Regenerate with ./gradlew regulusComplianceMatrix.

How to read this

  • Mechanism — the Regulus control name (matches ControlBinding.mechanism).
  • Profile clauses — which articles / paragraphs each profile cites the mechanism against.
  • ADK hook — the official ADK extension point Regulus implements it through.
  • Test fixture — where the unit test for this mechanism lives.

Matrix

Mechanism EU AI Act GDPR / UK GDPR DORA NIS2 FCA SYSC PRA SS1/23 PRA SS2/21 NHS DSPT EHDS ADK hook Test fixture
purpose-binding Art. 5(1)(b) BeforeModelCallback (PolicyPlugin) DefaultPolicyEngineTest#purposeBinding
automated-decisions-safeguards Art. 22 BeforeModelCallback (PolicyPlugin) + ToolConfirmation DefaultPolicyEngineTest#art22Safeguard
privacy-by-design Art. 25 BeforeModelCallback (PrivacyPlugin) RegulusPrivacyPluginTest#redact
pii-redaction Art. 5(1)© DSPT 1.x BeforeModelCallback + AfterModelCallback (PrivacyPlugin) BuiltInPatternsTest
storage-limitation Art. 19 Art. 5(1)(e) Art. 12 SYSC 9 NHS records EHDS retention EventCompactor (RetentionEventCompactor) RegulusRetentionEventCompactorTest
audit-trail Art. 12 Art. 30 Art. 12 Art. 23 SYSC 9 SS1/23 §2-5 SS2/21 §7 DSPT 6.x Art. 56 After*Callback (AuditPlugin) RegulusAuditPluginTest
cross-border-residency Arts. 44-49 Art. 28 SYSC 13 SS2/21 §6 DSPT 8.x Chapter III Startup + BeforeAgentCallback (DataResidencyPlugin) RegulusDataResidencyPluginTest
dual-control-kill-switch Art. 14 (FG22/5) SS1/23 §6 BeforeAgentCallback (KillSwitchPlugin) + ToolConfirmation InMemoryKillSwitchStoreTest
model-risk-tier Art. 9, Annex III SYSC 4 SS1/23 §3 BeforeModelCallback, BeforeToolCallback (ModelRiskPlugin) RegulusModelRiskPluginTest
transparency-disclosure Art. 13 AfterModelCallback (AuditPlugin) RegulusAuditPluginTest#transparency
post-market-monitoring Art. 16 SS1/23 §5 AfterAgentCallback (AuditPlugin) + observability (integration)
deployer-obligations Art. 26 BeforeAgentCallback (KillSwitchPlugin + PolicyPlugin) (integration)
incident-classification Art. 33 Arts. 17-23 Art. 23 DSPT 6.x AfterAgentCallback (AuditPlugin) RegulusAuditPluginTest#incidentSeverity
third-party-risk Arts. 28-30 Art. 21(2)(d) SYSC 13 SS2/21 §3 Model registry + audit linkage (integration)
consumer-duty-good-outcomes FG22/5 BeforeModelCallback (PolicyPlugin) DefaultPolicyEngineTest#consumerDuty
vulnerable-customer-handling FG22/5 §4 BeforeModelCallback (PolicyPlugin) + ToolConfirmation DefaultPolicyEngineTest#vulnerableCustomer
senior-management-arrangements SYSC 4 Audit attribution (smf_holder) RegulusAuditPluginTest#smfAttribution
model-inventory SS1/23 §2 Model registry ModelRegistryTest
kill-switch-readiness Art. 14 SS1/23 §6 BeforeAgentCallback (KillSwitchPlugin) RegulusKillSwitchPluginTest
personal-data-protection DSPT 1.x BeforeModelCallback (PrivacyPlugin) BuiltInPatternsTest#nhsNumber
clinician-identity DSPT 4.x Audit attribution (clinician_smartcard_id) RegulusAuditPluginTest#clinicianIdentity
secondary-use-permit Chapter IV Audit attribution (permit_ref) (integration)
data-quality-labels Art. 56 AfterModelCallback (AuditPlugin) (integration)

Framework bindings

The same Regulus mechanisms above also bind to governance framework control ids. Activate via regulus.governance.frameworks: [...].

Mechanism NIST AI RMF NIST 600-1 GenAI NIST Agent Interop (planned) ISO/IEC 42001 ISO/IEC 23894 ISO/IEC 23053
purpose-binding MAP-1.1 A.9.2
automated-decisions-safeguards GAI-7
privacy-by-design GAI-4 A.7
pii-redaction GAI-4 A.7.3
storage-limitation GOVERN-1.5 A.6.2.7
audit-trail GOVERN-1.5, MEASURE-1.1 GAI-8 AGENT-MONITORING-1 A.6.2.7 CL-6.7 CL-6.5
cross-border-residency MEASURE-2.7 GAI-9 A.6.2.4
dual-control-kill-switch GOVERN-4.1 GAI-2 AGENT-SECURITY-2 A.6.2.8 CL-6.6
model-risk-tier MAP-4.1 GAI-7 AGENT-SECURITY-1 A.5.2 CL-6.3, CL-6.4 CL-7
transparency-disclosure MEASURE-2.8 GAI-7 A.8.5
post-market-monitoring MANAGE-4.1 A.6.2.5
incident-classification MANAGE-2.2 A.8.4
third-party-risk GOVERN-6.1 GAI-12 A.10.3
senior-management-arrangements GOVERN-2.1 A.3.2
model-inventory A.4.4 CL-6.2
policy-engine GOVERN-1.1 GAI-3 AGENT-IDENTITY-2 A.2.2
a2a-envelope AGENT-IDENTITY-1, AGENT-MONITORING-2

Bindings are generated from each GovernanceFramework.bindings(). The NIST AI RMF Agent Interop Profile column uses provisional IDs from the April 2026 concept note; final IDs land when NIST publishes (target Q4 2026).

Notes

  • Empty cells mean the mechanism is not bound to a specific clause of that profile. A cell with means the regulation doesn't require this control — Regulus may still emit it for defence in depth.
  • Profiles bind mechanisms to specific clauses via ControlBinding. The same mechanism can be cited against different clauses in different profiles.
  • The composite profile (built from regulus.compliance.profiles: [...]) unions all bindings.
  • The composite framework (built from regulus.governance.frameworks: [...]) does the equivalent for frameworks; both join into the same audit event via regulation_clause and framework_control_id fields.