
João André Gomes Marques

Posted on • Originally published at asqav.com

One Receipt, Nine Regulators

The IETF Internet-Draft for AI agent Compliance Receipts grew up. What started as a binding to EU AI Act Article 12 is now a bindings table across nine regulatory regimes: EU AI Act, DORA, NYDFS Part 500, Colorado AI Act, Texas TRAIGA, NIST AI RMF, CIRCIA, HIPAA Security Rule, and SEC 17 CFR 240.17a-4.

The same wire envelope satisfies all of them. The same conformance vectors prove it. The same Audit Pack export carries the regime mapping a regulator needs without the Deployer writing a per-regime adapter.

Three things that follow

One vocabulary, nine retention floors. A receipt that touches a HIPAA-covered Action retains for the floor HIPAA mandates. A DORA-bound Action retains for the DORA floor. The Audit Pack carries the regime tag inline so the cleanup engine does not need to guess.

Cross-jurisdiction queries. A Deployer subject to EU AI Act Article 26 AND NYDFS Part 500 can answer one query - "show me every Article 26-relevant Action that crossed a NYDFS boundary" - against one receipt store, not two.

Forward-compatible. Adding the next regime is a binding-table edit, not an envelope rewrite. The wire format is stable; the regime mapping is data.

What it looks like

A Compliance Receipt is the same JSON envelope across jurisdictions. The regime tag travels in the Audit Pack metadata; the receipt body stays canonical:

{
  "type": "protectmcp:decision",
  "issuer_id": "lei:529900T8BM49AURSDO55",
  "action_ref": "sha256:9f2e...",
  "previous_receipt_hash": "sha256:6c41...",
  "policy_digest": "sha256:b71a...",
  "decision": "permit",
  "risk_class": "high",
  "incident_class": "minor",
  "signed_at": "2026-05-10T09:14:22Z"
}

The reference implementation runs at api.asqav.com. The conformance harness walks the normative clauses against the live cloud and reports per-clause coverage. Verifying any receipt is a single unauthenticated GET.
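To make the envelope, the hash chain and the binding-table idea concrete, here is an added Python sketch. It is not the draft's normative algorithm and not asqav's code: it chains receipts by hashing the previous envelope, verifies the chain, tags each receipt with its regimes in an Audit Pack, derives the retention floor as the strictest applicable regime (so a HIPAA-bound Action keeps the HIPAA floor), and runs one cross-regime query over one store. The canonicalization (compact, sorted-key JSON under SHA-256), the genesis sentinel, the retention-day figures and the sample Action refs are all assumptions constructed for the example.

```python
"""Hash-chained Compliance Receipts with a regime binding table.

Added illustration only: the canonicalization, genesis sentinel, retention-day
figures and sample Action refs are constructed assumptions, not the draft's
normative rules or asqav's implementation.
"""
import hashlib
import json
from datetime import datetime, timedelta

# Assumption: a receipt's canonical form is compact JSON with sorted keys, and
# previous_receipt_hash is SHA-256 over that form, prefixed "sha256:".
def canonical_hash(receipt: dict) -> str:
    data = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()

# Constructed sentinel for the first receipt in a store.
GENESIS = "sha256:" + "0" * 64

# Constructed binding table: regime tag -> retention floor in days. The numbers
# are placeholders for the example, not the floors the regimes mandate.
BINDING_TABLE = {
    "eu_ai_act": {"retention_days": 180},
    "dora": {"retention_days": 1825},
    "nydfs_500": {"retention_days": 1095},
    "hipaa": {"retention_days": 2190},
}

def make_receipt(previous, action_ref, decision, risk_class, signed_at):
    """Build one envelope in the post's shape, linked to its predecessor."""
    return {
        "type": "protectmcp:decision",
        "issuer_id": "lei:529900T8BM49AURSDO55",   # value from the post's sample
        "action_ref": action_ref,
        "previous_receipt_hash": canonical_hash(previous) if previous else GENESIS,
        "policy_digest": "sha256:" + "b71a" * 16,  # constructed digest
        "decision": decision,
        "risk_class": risk_class,
        "incident_class": "minor",
        "signed_at": signed_at,
    }

def verify_chain(receipts) -> bool:
    """True if every receipt points at the canonical hash of its predecessor."""
    expected = GENESIS
    for r in receipts:
        if r["previous_receipt_hash"] != expected:
            return False
        expected = canonical_hash(r)
    return True

def retention_floor_days(regimes) -> int:
    """Strictest floor wins when an Action is bound to several regimes."""
    unknown = set(regimes) - BINDING_TABLE.keys()
    if unknown:
        raise KeyError(f"no binding for regimes: {sorted(unknown)}")
    return max(BINDING_TABLE[r]["retention_days"] for r in regimes)

def build_audit_pack(receipts, regimes_by_action):
    """Regime tags and retain-until dates travel beside the canonical body."""
    pack = []
    for r in receipts:
        regimes = regimes_by_action[r["action_ref"]]
        signed = datetime.fromisoformat(r["signed_at"].replace("Z", "+00:00"))
        retain_until = signed + timedelta(days=retention_floor_days(regimes))
        pack.append({"receipt": r, "regimes": sorted(regimes),
                     "retain_until": retain_until.isoformat()})
    return pack

def query_pack(pack, *required_regimes):
    """One query over one store: Actions bound to all of the given regimes."""
    need = set(required_regimes)
    return [e["receipt"]["action_ref"] for e in pack if need <= set(e["regimes"])]

# Constructed sample: three Actions and the regimes each one touches.
REGIMES_BY_ACTION = {
    "sha256:" + "aa" * 32: {"eu_ai_act"},
    "sha256:" + "bb" * 32: {"eu_ai_act", "nydfs_500"},
    "sha256:" + "cc" * 32: {"hipaa"},
}

def build_chain():
    """Issue one receipt per sample Action, each linked to the one before."""
    chain, previous = [], None
    for i, action_ref in enumerate(REGIMES_BY_ACTION):
        r = make_receipt(previous, action_ref, "permit", "high",
                         f"2026-05-10T09:{14 + i:02d}:22Z")
        chain.append(r)
        previous = r
    return chain

if __name__ == "__main__":
    chain = build_chain()
    pack = build_audit_pack(chain, REGIMES_BY_ACTION)
    print("chain valid:", verify_chain(chain))
    print("EU AI Act + NYDFS:", query_pack(pack, "eu_ai_act", "nydfs_500"))
    print("retain until:", [e["retain_until"] for e in pack])
```

Two points the sketch makes visible. A hash chain only binds each receipt to the ones after it, so altering any receipt but the newest is caught by `verify_chain`, while the newest link is protected only by its signature, which is what the unauthenticated verify endpoint above checks and what this sketch omits. And because regimes are data in a table rather than code in the envelope, adding a regime is one more row, and an Action touching several regimes keeps the strictest floor without a per-regime adapter.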

Try it

pip install asqav
asqav demo          # produces a Compliance Receipt against the live cloud
curl https://api.asqav.com/api/v1/verify/<signature_id>

If you build agent governance, the path from "logs everywhere" to "one verifiable receipt" goes through this draft.

Draft: https://datatracker.ietf.org/doc/draft-marques-asqav-compliance-receipts/
