Classifier
EU AI Act Annex III + GPAI scoping. Classifies an AI system into minimal / limited / high-risk / prohibited / GPAI.
Every ReguNav agent takes inputs + dictionary + rules and returns outputs + evidence trail. Same input, same output, every time. Auditor-defensible.
Cross-walk navigator. Given a control, identifies every framework it satisfies.
Matches uploaded artefacts to controls + emits an evidence-pack.
EU AI Act Art. 27 fundamental-rights impact assessment authoring.
Regulator-shaped notification drafter for breach + AI incident + DORA major incident.
Personalised AI-literacy + role-specific compliance training plan.
Conformity-assessment dossier authoring for high-risk AI deployments.
Foundation-model provider Art. 53 disclosure pack.
Recommends + composes pre-baked workflows from the 20-workflow catalog.
Drafts + version-controls + routes policies through approver chains.
Picks the right report template per stakeholder + composes from McKinsey toolbox.
Surfaces drift, anomalies, and KPI trends from the analytics rail.
Runs the bias-tester engine + writes a natural-language summary citing source clauses.
Drives the red-team-evals engine across the 9-category corpus + reports robustness score.
Renders SHAP/LIME/IG attributions into auditor-readable prose with clause citations.
End-to-end vendor-questionnaire pre-fill: ingests SIG/CAIQ → maps to evidence → emits prefilled response with gap list.
Maintains the tenant risk register: ingests AI systems + vendors + findings + drift, computes ISO 31000 5×5 residual risk, surfaces top-N treatable risks, drafts treatment plans per ISO 27005.
Applies the canonical data-classification dictionary (public / internal / confidential / restricted / regulated) to every asset; flags GDPR Art. 9 special-category data; emits retention floor + lawful-basis recommendation.
Builds the data-concentration + flow map. Given the full asset inventory, surfaces where PII / PHI / regulated data is most concentrated, computes risk-weighted hotspots, draws store-to-store flow edges. The 'where is the data?' answer GDPR Art. 30 expects.
Triages incoming data-subject-access requests by jurisdiction (GDPR / UK GDPR / CCPA / LGPD / DPDP), uses the data-concentration map to enumerate every store the subject's data sits in, drafts the response packet, routes for human DPO sign-off. Tracks SLA per regulator.
Cross-rail compliance search. Translates natural-language queries ("find every open SOC 2 CC1.2 finding across my AI systems") to deterministic BM25 + facet filters against the regunav-* indexes. Lexical layer is audit-pathable; semantic neighbour expansion is advisory.
Engineer + auditor search across runs / findings / installations / fix-PRs / exemptions on the codeconstitution.com surface. Same lexical-search-core under the hood as ReguNav Search; brand voice + result rendering differ.
Same shared engine, third brand facade. Indexes registered later under the kye-* namespace; engine ships ready-to-consume.
Stakeholder-shaped report generator. Pulls compliance posture + framework coverage + audit-trail evidence from the tenant's slice, applies the requested stakeholder accent (regulator / board / Shariah board / audit committee / partner / investor / customer / internal), renders via @regunav/report-templates. Never auto-publishes — always returns a draft + recommended reviewers per the canonical reviewer matrix.
Engineer + executive reports on the codeconstitution.com surface: per-repo posture, org-rollup coverage, framework heat-maps, top-10 failing rules, auto-fix landing rate, monthly compliance digest, exec one-pager. Same canonical engine as ReguNav Reporting; brand voice + section ordering differ.
Same shared engine, third brand facade. KYE-specific templates land alongside the kye-* resource model.
Partner-program reports for MSSPs, consultancies, and resellers. Generates co-branded client rollups, partner-program MRR, joint-customer compliance status, white-label evidence packs. Per-partner attribution + revenue-share calculation pulled from billing ledger. Never auto-publishes; partner-success manager signs off.
Per-engagement reports for individual consultants delivering compliance work on ReguNav. Posture snapshot for the GC/CCO, engagement timeline, library-of-patterns reuse (Murabaha-readiness, SOC 2 readiness, GDPR Art. 32 gap-fill, etc.), CPE-trackable evidence. Sent FROM reports@regunav.com with consultant cc'd.
Cohort + curriculum reports for compliance trainers using ReguNav training surfaces. CPE/CPD credit attestations, learner-cohort performance, curriculum-coverage maps, per-organisation training rollups for L&D leaders. Certificate generation routes through evidence-pack-engine for verifiable claims.
Lighter partner facade for CC: rollups for consultancies that resell or co-deliver CC checks. Per-client repo coverage, auto-fix landing rate by partner, partner-org MRR. Reusing the canonical engine; brand voice + section ordering follow codeconstitution.com.
Bootcamp + dev-rel cohort reporting on CC: per-learner repo coverage, framework-rule pass-rate over the curriculum, before/after fix-PR metrics. Useful for coding-bootcamps embedding CC in capstones + for dev-rel orgs measuring compliance literacy uplift.
Structured JSON describing your AI system, tenant context, and active frameworks. No free-text prompts.
Versioned rule set + the latest framework dictionary. Both are content-addressable and replayable.
Structured output + every rule that fired, with input + dictionary versions baked into the audit trail.
```ts
import { Classifier } from "@regunav/agents";

const result = await Classifier.classify({
  systemName: "Loan Underwriting v2",
  purpose: "Automated credit-decision for retail loans",
  affectedPersons: ["natural-persons"],
  jurisdictions: ["EU/DE"],
  modality: "tabular",
});
// {
//   riskLevel: "High",
//   rationale: "Annex III(5)(a): credit scoring of natural persons",
//   applicableClauses: ["Art. 9", "Art. 10", "Art. 13", "Art. 14",
//                       "Art. 27", "Art. 72", "Art. 73"],
//   evidenceRequired: ["risk-management-system",
//                      "data-governance",
//                      "human-oversight",
//                      "post-market-monitoring"],
//   ruleVersion: "annex-iii.v2026.04",
//   dictionaryVersion: "eu-ai-act.v2024.07.12"
// }
```

| Dimension | Deterministic (ReguNav) | LLM-only |
|---|---|---|
| Reproducibility | Same input → same output, byte-identical | Stochastic, output varies even with temperature=0 |
| Auditability | Decision trail = input + dictionary version + ruleset hash | Embeddings & weights are opaque |
| Replay | Re-run any decision against any past dictionary version | Replay impossible without identical model checkpoint |
| Cost | Per-decision compute cost approaches zero | Per-token API cost, scales with usage |
| Latency | <5ms p99, runs at edge | 200ms–5s, network-bound |
| Defensibility | Regulator-defensible: 'this is the rule we applied' | Hard to defend: 'the model said so' |
Compliance is a regulator-defensible domain. "The model said so" is not a defense. Every ReguNav agent decision can be re-played byte-for-byte with the input, dictionary version, and rule set used. We log all three.
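The replay property described above, as an added Node.js example that is not ReguNav's code or the `@regunav/agents` API: a decision record binds the input hash, rule-set hash and dictionary version, and a replay reports which of them no longer matches. The names `canonical`, `decide` and `replay`, the rule set and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not the @regunav/agents API.
const { createHash } = require("node:crypto");

// Canonical JSON: keys sorted recursively, so equal values serialise to equal bytes.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}
const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Constructed rule set (not the Act's real criteria), kept as plain data so it can be hashed.
const RULESET = {
  version: "example-rules.v1",
  rules: [
    { id: "R1", field: "purpose", contains: "credit", riskLevel: "High" },
    { id: "R2", field: "modality", contains: "chatbot", riskLevel: "Limited" },
  ],
};
// Constructed sample input.
const SAMPLE_INPUT = { purpose: "Automated credit-decision for retail loans", modality: "tabular" };

// First matching rule wins. No clock, randomness or network: output depends only on arguments.
function decide(input, ruleset, dictionaryVersion) {
  const hit = ruleset.rules.find((r) =>
    String(input[r.field] ?? "").toLowerCase().includes(r.contains));
  const record = {
    inputHash: sha256(canonical(input)),
    rulesetHash: sha256(canonical(ruleset)),
    dictionaryVersion,
    output: { riskLevel: hit ? hit.riskLevel : "Minimal", firedRule: hit ? hit.id : null },
  };
  return { ...record, recordHash: sha256(canonical(record)) };
}

// Replay: recompute from the archived input and rule set, then compare with the logged record.
function replay(logged, input, ruleset) {
  const fresh = decide(input, ruleset, logged.dictionaryVersion);
  if (fresh.rulesetHash !== logged.rulesetHash) return "ruleset-changed";
  if (fresh.inputHash !== logged.inputHash) return "input-changed";
  return canonical(fresh) === canonical(logged) ? "match" : "record-diverged";
}
```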
Apache 2.0 licensed. Available to enterprise customers under BYOC.
Talk to an agent expert. We'll walk you through deterministic vs. LLM, replay, and how to wire agents into your existing controls in 30 minutes.