TL;DR
- Microsoft's Agent Governance Toolkit (AGT) ships policy coverage for OWASP Agentic AI Top 10, NIST AI RMF, EU AI Act, SOC 2, and HIPAA — but nothing for African regulatory frameworks
- I built agt-policies-nigeria, an open source community policy pack covering NDPA 2023 (Nigeria), CBN transaction limits, POS geo-fencing, BVN/NIN protection, NFIU AML/STR, and POPIA (South Africa)
- Drop-in YAML policy files — no new infrastructure, no SDK changes, compatible with AGT's agent-os-kernel via GovernancePolicy + PolicyInterceptor
- Includes a live demo: a Nigerian fintech support agent attempts 5 actions, the governance layer intercepts each one in real time
- MIT licensed, contributions welcome — especially from anyone with direct CBN/NDPA/NFIU compliance experience
Repo: github.com/kingztech2019/agt-policies-nigeria
The gap
If you have looked at Microsoft's Agent Governance Toolkit, you know it is a solid piece of infrastructure for putting policy guardrails around what AI agents are allowed to do. Block certain outputs, require human approval for certain actions, audit every tool call. The policy coverage that ships with it maps onto some of the most important global frameworks: OWASP's Agentic AI Top 10, NIST's AI Risk Management Framework, the EU AI Act, SOC 2, HIPAA.
If you are building AI agents for a US healthcare company or a European fintech, AGT gives you policy packs that map directly onto your regulatory environment.
I went looking for the African equivalent. Specifically, I wanted to know: if I am building an AI agent for a Nigerian fintech — something that touches BVNs, NINs, CBN transaction limits, NDPA data residency rules — is there an AGT policy pack for that?
There is not. AGT covers five major global frameworks and zero African ones.
This is not a criticism of the AGT team. It is just a reflection of where the global AI governance conversation currently sits. Nobody contributing to AGT is thinking about NFIU suspicious transaction thresholds because that is not the regulatory environment most contributors operate in.
But AI agents are being deployed in Nigerian fintech, insurtech, and banking right now, making decisions that touch regulated financial data and sensitive personal identifiers. There was no governance tooling built for that context.
So I built a community policy pack to fill it.
What agt-policies-nigeria covers
Six policy packs, each mapping to a specific African regulatory framework, each shipped as a drop-in YAML file.
ndpa-data-residency.yaml — Nigeria Data Protection Act 2023
- Blocks agent actions that route personal data outside Nigeria without adequate safeguards
- Requires approval for bulk data export operations
- Denies processing of sensitive personal data (health, biometric, ethnic origin) without conditions
- Audits all PII-touching tool calls for NDPC accountability requirements
cbn-transaction-limits.yaml — Central Bank of Nigeria regulations
- Tiered KYC limits: Tier 1 accounts capped at ₦50k daily, Tier 3 at ₦5M
- Requires human approval for transfers approaching or exceeding NIP limits (₦10M)
- Blocks autonomous agent self-approval of financial transactions — separation of duties enforced at the policy layer
- USSD and contactless transaction ceiling enforcement
pos-geofencing.yaml — CBN Agent Banking Guidelines
- Denies POS tool calls where terminal location context is absent or mismatched
- Requires approval for POS registration changes and cross-state transactions
- Audits all terminal activation and transaction events
bvn-nin-protection.yaml — NIBSS / NIN Regulations
- Detects and blocks BVN/NIN patterns in agent output before logging or exposure
- Denies passing BVN/NIN to external endpoints without approval
- Requires human-in-the-loop for any BVN verification action
- Masks identifiers in the audit trail itself
nfiu-aml-str.yaml — NFIU AML/CFT Regulations
- Requires approval for transactions at or above the ₦5M CTR threshold
- Detects structuring patterns (smurfing — multiple amounts just under a threshold)
- Velocity controls flag unusual transaction frequency within a session
- Blocks agents from autonomously completing transactions that should trigger an STR
popia-south-africa.yaml — Protection of Personal Information Act (South Africa)
- Blocks cross-border transfers to non-POPIA-adequate jurisdictions
- Denies processing of special personal information without lawful conditions
- Detects SA ID numbers in agent output and blocks exposure
- Audits all personal information processing for responsible party accountability
How it works with AGT
The policy files are plain YAML rule definitions. To use them, you load the relevant pack(s), extract the blocked patterns, and wire them into AGT's GovernancePolicy and PolicyInterceptor:
```python
import yaml
from pathlib import Path
from agent_os.integrations import GovernancePolicy
from agent_os.integrations.base import PolicyInterceptor, ToolCallRequest


# Collect the regex patterns from any policy file(s): every rule whose condition
# is a "matches" check on the agent's output and whose action is deny/block/escalate.
def load_patterns(policy_files):
    patterns = []
    for path in policy_files:
        doc = yaml.safe_load(Path(path).read_text()) or {}
        for rule in doc.get("rules", []):
            cond = rule.get("condition", {})
            if cond.get("operator") == "matches" and cond.get("field") == "output":
                if rule.get("action") in ("deny", "block", "escalate"):
                    patterns.append(cond["value"])
    return patterns


patterns = load_patterns([
    "policies/cbn-transaction-limits.yaml",
    "policies/bvn-nin-protection.yaml",
])

# Hand the patterns to AGT: the policy blocks matching output and logs every call.
policy = GovernancePolicy(
    name="nigerian-fintech",
    blocked_patterns=patterns,
    log_all_calls=True,
)
interceptor = PolicyInterceptor(policy)
```
That's it. No new infrastructure. The policy files are validated using AGT's own compliance linter, so you can confirm every pack is well-formed before deploying:
```python
from agent_compliance.lint_policy import lint_file
from pathlib import Path

for p in sorted(Path('policies').glob('*.yaml')):
    r = lint_file(str(p))
    errors = [m for m in r.messages if m.severity == 'error']
    print(('✅' if not errors else '❌'), p.name)
```
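To make the interception step concrete without installing AGT, here is an added stand-alone example (my own illustration, not code from the repo or from AGT): a minimal evaluator over rules laid out the way the policy files are (rules → condition/action). The rule ids, regexes and citations are constructed placeholders; it applies "matches" rules to the agent's output, a numeric threshold rule to the amount, lets deny outrank escalate, and masks matched identifiers before they reach the audit record.

```python
import re

# Constructed rules mirroring the pack's YAML layout (rules -> condition/action);
# the regexes and citations here are placeholders, not the pack's real values.
RULES = [
    {"id": "bvn-in-output", "action": "deny", "citation": "bvn-nin-protection (placeholder)",
     "condition": {"field": "output", "operator": "matches", "value": r"\bBVN\D{0,3}\d{11}\b"}},
    {"id": "nin-in-output", "action": "deny", "citation": "bvn-nin-protection (placeholder)",
     "condition": {"field": "output", "operator": "matches", "value": r"\bNIN\D{0,3}\d{11}\b"}},
    {"id": "ctr-threshold", "action": "escalate", "citation": "nfiu-aml-str (placeholder)",
     "condition": {"field": "amount", "operator": ">=", "value": 5_000_000}},
]

DECISION = {"deny": "BLOCKED", "block": "BLOCKED", "escalate": "ESCALATED"}
RANK = {"BLOCKED": 2, "ESCALATED": 1, "ALLOWED": 0}  # deny outranks escalate


def condition_hits(cond, request):
    """Evaluate one rule condition against a field of the agent's request/output."""
    value = request.get(cond["field"])
    if value is None:
        return False
    if cond["operator"] == "matches":
        return re.search(cond["value"], str(value)) is not None
    if cond["operator"] == ">=":
        return float(value) >= float(cond["value"])
    return False


def mask(text, pattern):
    """Replace every digit inside a matched identifier so the audit trail never stores it."""
    return re.sub(pattern, lambda m: re.sub(r"\d", "*", m.group(0)), text)


def evaluate(request, rules=RULES):
    """Return the strictest decision, the rule that produced it, and a masked audit copy."""
    decision, hit, audit_output = "ALLOWED", None, request.get("output", "")
    for rule in rules:
        cond = rule["condition"]
        if not condition_hits(cond, request):
            continue
        if cond["field"] == "output" and cond["operator"] == "matches":
            audit_output = mask(audit_output, cond["value"])  # mask even if outranked
        verdict = DECISION.get(rule["action"], "ALLOWED")
        if RANK[verdict] > RANK[decision]:
            decision, hit = verdict, rule["id"]
    return {"decision": decision, "rule": hit, "audit_output": audit_output}
```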
The demo: 5 actions, 5 decisions
The repo includes an end-to-end demo at examples/nigerian-fintech-demo/. It simulates a Nigerian fintech support agent attempting five actions, with the governance layer intercepting each one live based on the loaded policy files:
| Step | Action | Decision | Policy Pack |
|---|---|---|---|
| 1 | ₦6.5M refund attempt | ⏳ ESCALATED | cbn-transaction-limits.yaml |
| 2 | BVN exposed in response | ❌ BLOCKED | bvn-nin-protection.yaml |
| 3 | Export records to AWS US-East-1 | ⏳ ESCALATED | ndpa-data-residency.yaml |
| 4 | KYC bypass + payment | ⏳ ESCALATED | nfiu-aml-str.yaml |
| 5 | Normal customer lookup | ✅ ALLOWED | — |
Every decision is written to a timestamped audit log satisfying NDPA section 30 accountability requirements.
Run it yourself:
```shell
python3 -m venv .venv
.venv/bin/pip install agent-os-kernel agent-governance-toolkit-compliance
.venv/bin/python3 examples/nigerian-fintech-demo/demo.py
```
What I find most useful about this demo is that it makes "AI governance" concrete. It is easy to talk about governance in the abstract — policy documents, compliance frameworks, risk classifications. This demo shows what it actually looks like at the point of execution: an agent tries to do something, a policy intercepts it, a decision gets logged with a citation to the specific regulation that justifies it.
Why this matters beyond Nigeria
Nigeria is moving toward a risk-based AI regulatory framework. NITDA is expected to become the primary regulator for AI systems deployed in the country, with risk classification, mandatory audits for high-risk systems, and fines for non-compliance.
When that enforcement begins, companies running AI agents that touch financial data or personal identifiers will need to demonstrate that those agents operate within documented governance boundaries — with an audit trail.
Most companies will not be able to demonstrate that today. Not because they are negligent, but because the tooling to build that governance layer for the Nigerian regulatory context did not exist.
This pack is an attempt to close that gap before enforcement makes it urgent — and the same gap almost certainly exists for other African markets. The roadmap includes a Kenya Data Protection Act 2019 pack, ECOWAS cross-border transfer rules, SIM swap fraud detection patterns, NAICOM insurtech AI governance rules, and SEC Nigeria capital markets AI rules. None of those exist yet either.
Contributing
This project is intentionally incomplete, and the parts that matter most need input from people with real regulatory experience, not just engineering experience.
If you work in Nigerian fintech compliance, NDPA enforcement, or NFIU reporting and something in these policy packs is wrong, incomplete, or could be sharper — that is exactly the contribution this needs.
To propose a new rule:
- Open an issue describing the regulation, the specific obligation, and the agent action pattern it should govern
- Reference the exact regulatory citation (e.g. "NDPA 2023 s.25(1)(b)")
- Submit a PR with the rule and a test case in examples/
See CONTRIBUTING.md for full guidelines.
There's also a planned ndpa-2023-mapping.md — a full NDPA → AGT control mapping intended as a contribution back to the AGT upstream repo, once this pack has real-world validation.
Discussion
A few questions for the community:
If you are building AI agents for regulated industries outside the US/EU — what regulatory frameworks are you working with, and is there existing tooling for them, or are you building governance layers from scratch?
And for anyone who has used AGT or similar agent governance toolkits — how are you currently handling region-specific compliance that the toolkit does not cover out of the box?
I'd also genuinely like to hear from anyone working in African fintech compliance. The roadmap for this project depends on practitioners pointing out what's missing or wrong.
Star the repo if this is useful: github.com/kingztech2019/agt-policies-nigeria