Skip to main content

Compliance Overview

AxonFlow helps teams build AI systems that are easier to govern, audit, and operate in regulated environments. The important distinction is this:

  • the community runtime gives you the technical foundations needed to build compliant systems
  • Evaluation and Enterprise add the regulator-specific workflow modules, APIs, retention controls, and operational features most organizations need before production rollout in regulated environments

That distinction matters because a public docs page should help engineers build with the community product today without overstating what the licensed compliance modules do.

Evaluating AxonFlow for a regulated production path?

Start with the free 90-day Evaluation License if you want a self-hosted compliance review with higher limits. If you already need full enterprise features, longer-term rollout help, or AxonFlow-managed SaaS, apply for the Design Partner Program.

What Community Already Gives You

The community build includes core building blocks that are useful across nearly every compliance framework:

  • audit logging
  • system policy enforcement
  • tenant-policy support
  • PII detection and redaction foundations
  • request tracing and governed runtime boundaries for LLM and MCP access

These capabilities matter even before you adopt a regulator-specific workflow. They are the base layer senior engineers use to make AI systems reviewable and operationally sane.

What Evaluation and Enterprise Add

Evaluation and Enterprise builds add the deeper workflow modules that compliance, risk, and procurement teams usually expect for production:

  • regulator-specific APIs and data models
  • system registries and assessment workflows
  • export and reporting endpoints
  • higher-retention governance use cases
  • approval and operational controls tailored to regulated environments

For a public map of the licensed API families behind those workflows, see the Enterprise Compliance API Surface.

Framework Coverage

Each row below anchors the framework to durable, primary-source facts — publication dates, entry-into-force dates, specific circular or regulation references. For any forthcoming milestones (pending consultations, draft guidelines, finalisation), follow the regulator-specific page linked from the first column; each includes a current-status pointer to the primary source so the status never goes stale here.

FrameworkRegulatory instruments and key datesCommunity CoverageEvaluation / Enterprise Coverage
EU AI Act — Regulation (EU) 2024/1689Published in the OJ on 12 July 2024; entered into force 1 August 2024. Article 113 stages application in four windows: 2 February 2025 (Article 5 prohibitions + Article 4 AI literacy), 2 August 2025 (GPAI, governance, penalties under Articles 99–100), 2 August 2026 (high-risk Annex III obligations), 2 August 2027 (Article 6(1) Annex I safety-component systems; Article 111(3) grace period ends)Audit, policy enforcement, PII and governed runtime foundations; X-AI-* transparency headersExport, conformity-assessment, and accuracy-review workflow APIs
RBI FREE-AIFramework for Responsible and Ethical Enablement of AI — committee report released 13 August 2025 with 7 Sutras, 6 Pillars, and 26 Recommendations. The report is guidance, not a binding circular; RBI may operationalise selected recommendations through Master Directions or circulars — check the RBI Master Directions register for the current statusAudit, policy enforcement, and baseline India-relevant PII protection (PAN + Aadhaar system policies, 12-type India detector)AI system registry, validations, incidents, kill switches, board reports, audit exports
SEBI AI/ML2019 reporting circulars (2019/10, 2019/24, 2019/63) still operative. Regulation 16C — sole-liability rule — inserted by the SEBI (Intermediaries) (Amendment) Regulations, 2025 and in force since 10 February 2025. 20 June 2025 Consultation Paper on responsible AI/ML (comments closed 11 July 2025) — check SEBI's circulars page for the current status of downstream rulesAudit, policy enforcement, and baseline India-relevant PII protectionSEBI audit export + retention + readiness + dashboard workflows
MAS FEATFEAT Principles (MAS Information Paper, 12 November 2018) + Veritas Toolkit 2.0 (26 June 2023) are principles-based guidance. AI Risk Management Guidelines consultation issued 13 November 2025; comment window closed 31 January 2026. Check MAS publications for finalisation statusAudit, policy enforcement, and 5 Singapore PII system policies (NRIC, FIN, UEN, phone, postal)Registry, FEAT assessments, and kill-switch workflows
DPDP Act 2023Assented 11 August 2023. DPDP Rules 2025 notified 13 November 2025 (Gazette G.S.R. 843(E)). Phase 1 procedural provisions commenced 14 November 2025; Phase 2 (Consent Manager registration) 13 November 2026; Phase 3 substantive compliance 13 May 2027Audit, policy enforcement, and baseline India PII detection aligned with DPDP purpose-limitationStructured audit exports that scale to Data Principal rights handling once Phase 3 activates
OJK AI GovernancePOJK 11/POJK.03/2022 (binding, in force) + April 2025 AI Governance guidance (supervisory "pedoman"). Three pillars: reliability, accountability, human oversight. Also covers POJK 10/2022 (P2P lending) and POJK 22/2023 (consumer protection)Audit, policy enforcement, and 8 Indonesia PII system policies (NIK, NPWP legacy + new, phone, BCA, Mandiri, BRI, BNI)OJK audit export + retention + readiness + dashboard + kill-switch workflows
BI Payment SystemPBI 23/6/PBI/2021 (PJP governance) + PBI 23/7/PBI/2021 (PIP governance). IS-audit cadence: annual minimum. QRIS governed by PADG 3/2025 (effective 19 Feb 2025). IDR 7.5M penalty per missed incident reportAudit, policy enforcement, and Indonesia PII protection (bank-account patterns for BCA, Mandiri, BRI, BNI)Audit export with BI_PJP framework, IS-audit evidence workflows
UU PDP — Law 27/2022Law No. 27 of 2022 — 76 articles, 16 chapters. Two-year transition ended 17 October 2024. Art. 46 breach notification: 3 x 24 hours. Art. 56 cross-border transfer: tiered (adequacy / safeguards / consent). DPA not yet constituted; MOCDA holds notification role. Penalties: admin fine ≤2% annual revenue, criminal ≤6 years + IDR 60BAudit, policy enforcement, and Indonesia PII detection (NIK, NPWP, phone, bank accounts — 8 patterns)Breach notification template (Art. 46), cross-border transfer logging (data_residency + transfer_basis), audit export with UU_PDP framework

Region-Specific Detection Available in the Public Runtime

The community runtime already includes regional detection patterns that are useful for regulated applications:

  • India: PAN and Aadhaar system policies, plus broader global PII detection
  • Singapore: NRIC, FIN, UEN, phone, and postal-code system policies
  • Indonesia: NIK, NPWP (legacy 15-digit and new 16-digit), Indonesian mobile (+62), and bank-account patterns for BCA, Mandiri, BRI, and BNI — 8 detection patterns on the pii-indonesia category
  • Europe and global use cases: email, phone, bank-account, IBAN, passport, SSN, card, and related patterns where applicable

This is often enough for teams to validate their product design, prove governance value internally, and demonstrate why a licensed deployment is the right next step before production scale.

What AxonFlow Does Not Certify For You

AxonFlow provides runtime controls, audit records, approval workflows, and evidence surfaces. It does not by itself certify your organization for HIPAA, PCI-DSS, SOC 2, ISO 27001, EU AI Act compliance, or any regulator-specific program.

For regulated rollouts, treat AxonFlow as infrastructure that can support your control environment. Your legal, security, compliance, and assessor teams still decide whether the complete system, people, processes, and deployment satisfy the relevant obligations.

Capability Matrix

CapabilityCommunityEvaluation / Enterprise
Audit loggingYesYes
System policy enforcementYesYes
Tenant-policy workflowsYesYes
Regional PII detection foundationsYesYes
Regulator-specific workflow APIsNoYes
Registry and assessment workflowsNoYes
Regulator-facing exports and dashboardsNoYes — see the Enterprise Compliance API Surface
Advanced regulated operations playbooksNoYes

When Community Is Enough

Community is usually enough when you need to:

  • build and assess a governed AI application
  • test policy behavior against real prompts, responses, and connector traffic
  • prove auditability and PII protection value to platform and security teams
  • validate how AxonFlow fits into your existing multi-agent stack

When Teams Usually Need Evaluation or Enterprise

Most teams start pushing for Evaluation or Enterprise when one or more of these become real:

  • formal compliance review before production go-live
  • regulator- or board-facing reporting expectations
  • human approval or governance workflows beyond basic policy blocking
  • stronger retention, export, and enterprise operations needs
  • wider rollout across multiple internal AI products or business units

That is the point where AxonFlow usually moves from “useful governance layer” to “required AI control plane.”

Industry Examples

IndustryCommon Compliance PressureExample Docs
BankingAuditability, PII handling, incident controlsBanking Example
HealthcareData protection, human review, traceabilityHealthcare Example
TravelCustomer-data protection, governed tool accessTrip Planner Example
E-commerceCustomer-data governance and workflow auditE-commerce Example

Enterprise Operating Model

The licensed workflow surface below is included here so engineers can evaluate both the community baseline and the production operating model from one page.

AxonFlow Enterprise includes a enterprise compliance estate for teams that need more than policy enforcement at request time. In practice, that means compliance teams, platform teams, and audit functions can operate shared workflows for:

  • framework-specific evidence collection
  • approval and oversight queues
  • audit export generation
  • model validation and incident tracking
  • emergency stop and recovery procedures

These workflows sit on top of the core Agent and Orchestrator controls you already use for policy enforcement, redaction, connector governance, and execution logging.

Requires Enterprise license.

What AxonFlow Actually Ships

The current enterprise codebase exposes four dedicated compliance modules plus shared enforcement services:

Framework or controlPrimary runtime surfaceWhat teams use it for
EU AI Act/api/v1/euaiact/*Conformity assessments, exportable evidence, accuracy and bias tracking
RBI FREE-AI/api/v1/rbi/*AI system inventory, validations, incidents, kill switches, board reports, audit exports
SEBI AI/ML/api/v1/sebi/*Audit exports, retention status, readiness checks, dashboard summaries
MAS FEAT/api/v1/masfeat/*AI system registry, FEAT assessments, MAS-oriented kill switch workflows
OJK / BI / UU PDP/api/v1/ojk/*OJK AI governance audit exports, readiness scoring, UU PDP breach notifications, cross-border transfer logging, BI payment IS-audit evidence
Human oversight/api/v1/hitl/*Approval queues for regulated or high-impact decisions
Emergency stop/api/v1/circuit-breaker/*Immediate platform-wide or scoped shutdown for unsafe AI behavior

Shared Operating Model

The framework modules are different, but the working pattern is similar across all of them:

  1. Register or identify the AI system, tenant, or scope you are governing.
  2. Route production traffic through Agent and Orchestrator so policy decisions and execution traces are captured.
  3. Use the framework module to collect evidence, record reviews, and export audit-ready artifacts.
  4. Use HITL and circuit breaker controls when a policy or reviewer needs to slow down or halt the system.

For an enterprise platform team, this is the difference between "we redact PII" and "we can show an auditor how the system was governed, reviewed, and changed over time."

Header And Identity Patterns

The enterprise compliance APIs do not all use the same header contract, so it is worth being explicit:

SurfaceRequired identity headers
EU AI ActX-Org-ID or tenant derived from Basic auth
SEBItenant derived from Basic auth preferred, X-Org-ID accepted as fallback
RBI FREE-AIX-Org-ID
MAS FEATX-Org-ID or tenant derived from Basic auth
OJK / BI / UU PDPtenant derived from Basic auth preferred, X-Org-ID accepted as fallback
HITL createX-Org-ID and tenant derived from Basic auth
Circuit breaker trip/resetX-Org-ID and X-User-ID

Add X-User-ID whenever you want reviewer or user identity captured in the audit trail for actions like approvals, submissions, trips, and resets.

Framework Guide Map

GuideBest fit
EU AI Act Compliance GuideEuropean deployments that need conformity, evidence exports, and model-quality tracking for high-risk systems
RBI FREE-AI Compliance GuideBanks and regulated financial institutions that need system inventory, validations, incidents, and board reporting
SEBI AI/ML Compliance GuideSecurities, advisory, or trading teams that need retention and export evidence
MAS FEAT Compliance GuideSingapore financial services teams that need FEAT assessments, materiality tracking, and scoped kill switches
OJK AI Governance GuideIndonesian banks and financial institutions that need OJK audit evidence, readiness scoring, and AI governance lifecycle controls
BI Payment System GuidePayment service providers and QRIS acquirers that need IS-audit evidence and incident reporting for BI supervision
UU PDP GuideTeams processing Indonesian personal data that need Art. 46 breach notification workflows and Art. 56 cross-border transfer logging

Platform Team View Of The Stack

Request traffic
-> Agent policy enforcement, redaction, and HITL pre-checks
-> Orchestrator execution, routing, and framework-specific evidence services
-> PostgreSQL-backed compliance records and export metadata
-> Optional cloud storage for larger audit exports
-> Protected portal and API workflows for platform teams, reviewers, and auditors

That separation matters:

  • the Agent handles real-time intervention and request blocking
  • the Orchestrator hosts most batch, reporting, and framework-management flows
  • the enterprise portal gives enterprise platform teams a safer operational surface for day-to-day governance tasks

Which Compliance Surfaces Are Strongest Today

The most mature, code-verified framework surfaces in the current build are:

  • RBI FREE-AI: broadest operational footprint, including registry, validations, incidents, kill switches, reports, and exports
  • EU AI Act: strongest for conformity plus model-quality evidence
  • SEBI: strongest for audit export and retention/readiness workflows
  • MAS FEAT: strong for registry, assessment lifecycle, and per-system kill-switch controls
  • OJK / BI / UU PDP: audit export and readiness workflows across three Indonesian frameworks, breach notification with Art. 46 deadline tracking, and cross-border transfer logging

That makes AxonFlow especially useful for enterprises building regulated multi-agent systems where engineering, risk, and audit teams all need access to the same operating evidence.

1. Start with governance on a real tenant

Put one production-like tenant through the full path:

  • protected authentication
  • policy enforcement
  • HITL escalation
  • framework-specific exports or assessments

2. Pick a primary regulatory workflow

Examples:

  • EU AI Act for a lending or hiring assistant in the EU
  • RBI FREE-AI for a banking workflow with board-level review and validation
  • SEBI for advisory, trading, or securities operations that need retention and export evidence
  • MAS FEAT for Singapore financial services AI inventory and assessment governance
  • OJK / BI / UU PDP for Indonesian banking, payment, and data-protection governance with breach notification and cross-border transfer logging

3. Exercise emergency controls before go-live

Before a regulator or internal control function asks, make sure the team can:

  • create and work a HITL queue
  • trip a scoped or global circuit breaker
  • inspect retention or export status
  • trace who approved, rejected, or reset a regulated workflow