DEV Community

Cover image for I Spent Months Building the AI Governance Layer Africa Was Missing. Today It Launches.
Oluwajuwon Omotayo
Oluwajuwon Omotayo

Posted on

I Spent Months Building the AI Governance Layer Africa Was Missing. Today It Launches.

#agents #ai #opensource #showdev

TL;DR

  • comply54 is now live: an open-source AI agent compliance framework built specifically for African regulated industries
  • It enforces African law at runtime, before your agent acts — not after an audit finds the violation
  • 21 policy packs across 12 jurisdictions: NDPA 2023, CBN controls, NIMC Act 2026, NFIU-AML, POPIA, Kenya DPA, and more
  • Works with LangChain, LangGraph, CrewAI, and AutoGen via one import
  • Violations return the exact law, section, and penalty — not a vague error message
  • 100% offline. Full audit trail. Apache 2.0.
  • Website: comply54.io | Repo: github.com/comply54/comply54 | Product Hunt: producthunt.com/products/comply54

The problem I kept running into

I build AI products in Lagos. Over the past year, I kept running into the same gap.

AI agent frameworks like LangChain, LangGraph, CrewAI, and AutoGen are exceptional at giving agents capability. Memory, reasoning, tool use, multi-agent orchestration. They are well-designed, actively maintained, and widely adopted.

None of them knows what the Central Bank of Nigeria says about transaction thresholds. None of them knows that Nigeria's NIMC Act 2026 prohibits retaining NIN data after a verification completes. None of them knows that the NFIU requires a Currency Transaction Report within 24 hours for transactions above a defined threshold.

This is not a criticism of those frameworks. They were built for general capability, not jurisdiction-specific compliance. But it creates a real problem for anyone building AI agents that operate in African regulated industries.

The agent can transfer money, access customer records, store identity data, and make financial decisions, all correctly from the framework's perspective, and still violate the law in ways that carry fines in the tens of millions of naira and criminal liability for responsible individuals.

Every team building in this space is solving this problem on their own, from scratch, in ways that drift and accumulate technical debt. That is the infrastructure gap comply54 exists to close.

What comply54 does

comply54 is a runtime policy enforcement layer for AI agents. It sits between your agent's decision to act and the tool execution that carries it out.

Before any action runs, comply54 evaluates it against the applicable policy packs and returns one of four decisions:

  • allow — proceed
  • audit — proceed but log with full regulatory context
  • escalate — pause and request human approval
  • block — prevent execution and return the exact violation with citation

When a violation fires, the response is not a generic error. It is a structured object containing the regulation name, the specific section, the penalty clause, a unique audit ID, and the remediation guidance. Your compliance team can produce it to a regulator. Your engineering team can write tests against it.

from comply54 import ComplyEngine

engine = ComplyEngine(jurisdictions=["NG", "ZA", "KE"])

result = engine.evaluate(
    action="transfer_funds",
    context={
        "amount": 6_500_000,
        "currency": "NGN",
        "customer_tier": 2
    }
)

print(result.decision)      # "block"
print(result.regulation)    # "CBN NIP Framework 2023"
print(result.section)       # "Schedule 2, Tier 2 Transaction Limits"
print(result.penalty)       # "Regulatory sanction, licence review"
print(result.audit_id)      # "cmp_01J3X..."
Enter fullscreen mode Exit fullscreen mode

For JavaScript and TypeScript developers, the same API is available via the npm package:

import { ComplyEngine } from "comply54";

const engine = new ComplyEngine({ jurisdictions: ["NG", "KE"] });

const result = await engine.evaluate({
  action: "export_customer_data",
  context: {
    destination: "us-east-1",
    dataCategories: ["personal", "biometric"],
    customerCount: 15000
  }
});

// result.decision === "block"
// result.regulation === "NDPA 2023"
// result.section === "Section 25 — Cross-border Data Transfer"
Enter fullscreen mode Exit fullscreen mode

Framework integrations

comply54 ships integration adapters for the four major agent frameworks. The goal is that adding compliance to an existing agent should take minutes, not days.

LangGraph:

from comply54.integrations.langgraph import comply54_node

graph = StateGraph(AgentState)
graph.add_node("comply54", comply54_node(engine))
graph.add_edge("agent", "comply54")
graph.add_conditional_edges(
    "comply54",
    lambda state: state["comply_decision"],
    {"allow": "tools", "block": END, "escalate": "human_review"}
)
Enter fullscreen mode Exit fullscreen mode

CrewAI:

from comply54.integrations.crewai import Comply54Tool

compliance_tool = Comply54Tool(engine=engine, jurisdiction="NG")
agent = Agent(tools=[compliance_tool, ...other_tools])
Enter fullscreen mode Exit fullscreen mode

AutoGen and LangChain follow the same pattern with their respective adapters.

What is covered: 21 policy packs, 12 jurisdictions

Every policy pack ships with the full regulatory citations embedded. Here is what is live today:

Nigeria (7 packs)

  • NDPA 2023 — data residency, consent, cross-border transfer controls
  • CBN Transaction Controls — tiered KYC limits, NIP thresholds, agent banking rules
  • NIMC Act 2026 — NIN data prohibition post-verification, retention controls
  • NFIU AML/STR — CTR thresholds, structuring detection, velocity controls
  • BVN/NIN Protection — exposure blocking, log sanitization, verification gating
  • POS Geo-Fencing — terminal location controls, cross-state transaction rules
  • CBN Open Banking — consent validation, data minimisation

South Africa (2 packs)

  • POPIA — special information, cross-border adequacy, responsible party audit
  • FSCA AI Conduct — suitability controls for financial AI recommendations

Kenya (2 packs)

  • KDPA 2019 — transfer restrictions, sensitive data, data minimisation
  • CBK Digital Credit — credit scoring controls, disclosure requirements

Regional and additional (10 packs)

  • ECOWAS cross-border transfer rules
  • Rwanda, Ghana, Ethiopia, Tanzania, Uganda, Botswana, Mauritius, Egypt data protection

Why 100% offline matters

comply54 evaluates entirely in-process. No network call is made during enforcement. No third-party API is consulted.

This matters for three reasons.

First, latency. A compliance check that adds 200ms to every tool call is a compliance check that engineers will route around. In-process evaluation adds single-digit milliseconds.

Second, reliability. A governance layer that requires a network call to function will fail when the network fails. That is the worst possible time for your compliance layer to go offline.

Third, data sovereignty. In jurisdictions with strict data residency requirements, sending decision context to an external service to evaluate compliance may itself be a compliance violation. Offline evaluation avoids this entirely.

The audit trail

Every evaluation — allow, audit, escalate, or block — generates a structured audit entry:

{
  "audit_id": "cmp_01J3XKRM...",
  "timestamp": "2026-06-29T08:42:11.203Z",
  "action": "transfer_funds",
  "decision": "block",
  "regulation": "CBN NIP Framework 2023",
  "section": "Schedule 2, Tier 2 Transaction Limits",
  "penalty": "Regulatory sanction, licence review",
  "jurisdiction": "NG",
  "agent_id": "payment-agent-v2",
  "session_id": "sess_8f2k...",
  "context_hash": "sha256:4a9c...",
  "evaluation_ms": 3
}
Enter fullscreen mode Exit fullscreen mode

The context_hash is a SHA-256 of the sanitised evaluation context — PII is never stored in the audit log, only its hash. This satisfies the NDPA's accountability requirements without creating a new data protection liability.

What comes from the earlier work

comply54 did not appear from nowhere. The policy corpus builds directly on work I have been doing in public over the past few months.

The African regulatory policy pack I contributed to Microsoft's Agent Governance Toolkit — which was merged into microsoft/agent-governance-toolkit as PR #3077 — is the upstream source of the policy logic in comply54. The agt-policies-nigeria repo, which covers nine African countries and ECOWAS in OPA/Rego format, is the foundation that comply54's Python and TypeScript implementations are built on.

If you contributed to, starred, or used any of those earlier projects, comply54 is the production-ready version of that work.

What is next

The roadmap includes sector-specific profiles for fintech, healthtech, insurtech, and government AI deployments. The @comply54/adapter-eve package for Vercel's Eve framework is in active development. Support for additional East and West African jurisdictions is planned based on community interest.

The project is fully open source under Apache 2.0. Issues, PRs, and regulatory corrections from practitioners with real compliance domain expertise are the most valuable contributions.

Discussion

Two questions I genuinely want input on from this community:

First, if you are building AI agents for regulated industries outside Africa — in US healthcare, EU financial services, or similar — what does your compliance layer currently look like? Are you building it from scratch, using an existing tool, or deferring it?

Second, if you work in Nigerian or African fintech and have spotted a regulatory gap in the policy packs, I want to hear about it. The most valuable thing a compliance practitioner can contribute is a citation: which regulation, which section, which agent action pattern it should govern.

If comply54 is useful, an upvote on Product Hunt today would mean a lot. And a star on GitHub helps other developers find it.

Thank you for reading.

Top comments (0)