The IETF Internet-Draft for AI agent Compliance Receipts grew up. What started as a binding to EU AI Act Article 12 is now a bindings table across nine regulatory regimes: EU AI Act, DORA, NYDFS Part 500, Colorado AI Act, Texas TRAIGA, NIST AI RMF, CIRCIA, HIPAA Security Rule, and SEC 17 CFR 240.17a-4.
The same wire envelope satisfies all of them. The same conformance vectors prove it. The same Audit Pack export carries the regime mapping a regulator needs without the Deployer writing a per-regime adapter.
Three things that follow
One vocabulary, nine retention floors. A receipt that touches a HIPAA-covered Action retains for the floor HIPAA mandates. A DORA-bound Action retains for the DORA floor. The Audit Pack carries the regime tag inline so the cleanup engine does not need to guess.
Cross-jurisdiction queries. A Deployer subject to EU AI Act Article 26 AND NYDFS Part 500 can answer one query - "show me every Article 26-relevant Action that crossed a NYDFS boundary" - against one receipt store, not two.
Forward-compatible. Adding the next regime is a binding-table edit, not an envelope rewrite. The wire format is stable; the regime mapping is data.
What it looks like
A Compliance Receipt is the same JSON envelope across jurisdictions. The regime tag travels in the Audit Pack metadata; the receipt body stays canonical:
{
  "type": "protectmcp:decision",
  "issuer_id": "lei:529900T8BM49AURSDO55",
  "action_ref": "sha256:9f2e...",
  "previous_receipt_hash": "sha256:6c41...",
  "policy_digest": "sha256:b71a...",
  "decision": "permit",
  "risk_class": "high",
  "incident_class": "minor",
  "signed_at": "2026-05-10T09:14:22Z"
}
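An added sketch, not code from the draft or from asqav, of how the three points above fit together: the bindings table is plain data, the cleanup engine reads regime tags from Audit Pack metadata, and one store answers a cross-regime query. The metadata layout, regime keys, function names and day counts are assumptions constructed for illustration; the day counts are placeholders, not the floors any regulation or the draft sets.

```python
from datetime import datetime, timedelta, timezone

# Bindings table as data. Regime keys and day counts are constructed
# placeholders, NOT the floors the regulations or the draft specify.
BINDINGS = {
    "eu-ai-act": {"retention_days": 200},
    "nydfs-500": {"retention_days": 1800},
    "hipaa":     {"retention_days": 2200},
}

# Constructed Audit Pack entries: regime tags sit in metadata beside the
# canonical receipt body (hypothetical layout; only fields needed here).
AUDIT_PACK = [
    {"regimes": ["eu-ai-act", "nydfs-500"],
     "receipt": {"action_ref": "sha256:aaaa", "signed_at": "2026-05-10T09:14:22Z"}},
    {"regimes": ["hipaa"],
     "receipt": {"action_ref": "sha256:bbbb", "signed_at": "2026-05-10T09:15:00Z"}},
    {"regimes": ["eu-ai-act", "sec-17a-4"],   # tag with no binding row yet
     "receipt": {"action_ref": "sha256:cccc", "signed_at": "2026-05-10T09:16:00Z"}},
]

def retain_until(entry, bindings=BINDINGS):
    """Earliest moment the entry may be purged; None means hold indefinitely."""
    regimes = entry["regimes"]
    # Fail closed: an untagged entry or an unmapped regime is never purged.
    if not regimes or any(r not in bindings for r in regimes):
        return None
    days = max(bindings[r]["retention_days"] for r in regimes)  # strictest floor wins
    signed = datetime.strptime(entry["receipt"]["signed_at"], "%Y-%m-%dT%H:%M:%SZ")
    return signed.replace(tzinfo=timezone.utc) + timedelta(days=days)

def purgeable(pack, now, bindings=BINDINGS):
    """action_refs the cleanup engine may delete at `now`."""
    out = []
    for e in pack:
        until = retain_until(e, bindings)
        if until is not None and now >= until:
            out.append(e["receipt"]["action_ref"])
    return out

def crossing(pack, *regimes):
    """One query, one store: action_refs tagged with every regime given."""
    return [e["receipt"]["action_ref"] for e in pack if set(regimes) <= set(e["regimes"])]
```

The third entry carries a tag with no binding row, so it is held until a row is added to the table; passing an extended table to retain_until gives it a floor without touching the receipt.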
The reference implementation runs at api.asqav.com. The conformance harness walks the normative clauses against the live cloud and reports per-clause coverage. Verifying any receipt is a single unauthenticated GET.
Try it
pip install asqav
asqav demo # produces a Compliance Receipt against the live cloud
curl https://api.asqav.com/api/v1/verify/<signature_id>
If you build agent governance, the path from "logs everywhere" to "one verifiable receipt" goes through this draft.
Draft: https://datatracker.ietf.org/doc/draft-marques-asqav-compliance-receipts/