Compliance Reports
Audit-ready evidence package for AI governance reviews
RegulateAI Compliance Report
AI Governance & Compliance Assessment
Prepared for Acme Corp · Reporting period: Feb 1–Feb 17, 2026
Executive Summary
RegulateAI monitored 7 production and staging agents over the reporting period. Overall compliance score is 78/100. Two high-risk agents were detected, with 3 open violations requiring remediation. Continuous policy enforcement covered access control, cost governance, and human approval safeguards.
Agent Inventory
| Agent | Framework | Owner | Risk score |
|---|---|---|---|
| Customer Support Agent | LangChain | alice@company.com | 82 |
| Code Review Bot | Custom | bob@company.com | 45 |
| Data Pipeline Orchestrator | CrewAI | carol@company.com | 67 |
| Marketing Content Generator | LlamaIndex | diana@company.com | 28 |
| HR Screening Agent | AutoGPT | eve@company.com | 91 |
| Financial Reporting Agent | LangChain | frank@company.com | 76 |
| Legacy Email Parser | Custom | alice@company.com | 15 |
Risk Assessment
- High-risk agents (85+): 1
- Primary risk drivers: uncontrolled PII access, broad write permissions, and spend anomalies.
- Mean time to acknowledge violations: 38 minutes.
- Control maturity: Access (Strong), Monitoring (Strong), Human oversight (Needs improvement).
Violations Log
| ID | Severity | Status | Summary |
|---|---|---|---|
| vio-001 | critical | open | Agent attempted to export PII data to external webhook without authorization |
| vio-002 | high | open | Automated candidate rejection without human review (GDPR Art. 22 violation) |
| vio-003 | medium | acknowledged | Agent exceeded daily cost limit ($100) — spent $147.23 in 24h |
| vio-004 | low | resolved | Agent accessed new API endpoint (jira_api) not in approved resource list |
| vio-005 | high | open | Agent queried 50,000 rows from financials database (10x normal volume) |
Policy Coverage
Current control set enforces PII protection, rate thresholds, cost governance, and human approval for sensitive writes. Coverage is 92% across all critical execution paths with remaining gaps in after-hours outbound traffic controls and role-based access narrowing.