REFERENCE · v1.0 · LAST REVIEWED 2026-04-27

The Agent Compliance Framework

The Agent Compliance Framework (ACF) is a practical reference for VASPs and financial institutions deploying or evaluating autonomous AI agents in regulated workflows. It maps existing regulatory obligations — under EU AI Act, NIST AI RMF, ISO 42001, FCA AI rules, VARA, and FATF guidance — to twelve agent-specific compliance dimensions. Each section is shippable as a checklist; collectively they form the missing layer most compliance programs lack.

Pair this framework with the Agent Compliance Scorecard to assess your firm’s readiness across all twelve dimensions in 15 minutes.

1. §1

   Identity & Authorisation

   Who or what is permitted to take action; how authorisation flows to agents and is revoked.

2. §2

   Action Perimeter

   What an agent must NOT do — technical and policy guardrails on action space.

3. §3

   Audit Trail

   Every agent action logged with sufficient detail to reconstruct intent and outcome.

4. §4

   Reversibility

   Capability to unwind agent-mediated actions within a defined window.

5. §5

   Vendor Due Diligence

   Foundation model providers, MCP servers, tool authors — third-party risk for the agent stack.

6. §6

   Performance Monitoring

   Drift, hallucinations, and other performance regressions that produce regulatory breaches.

7. §7

   Operational Resilience

   What happens when the agent goes down mid-transaction.

8. §8

   Third-Party Risk

   Outbound API calls made by the agent on behalf of the firm.

9. §9

   Customer Disclosure

   When and how to disclose to end-users that an agent is taking actions on their behalf.

10. §10

    Data Governance

    Training data, prompt caching, retention, and the regulator-facing posture for each.

11. §11

    Sanctions & Screening

    Real-time vs. batch screening for agent-mediated transactions.

12. §12

    Incident Response

    When the agent does the wrong thing — runbook, regulator notification, customer remediation.