Compliance Overview
AxonFlow helps teams build AI systems that are easier to govern, audit, and operate in regulated environments. The important distinction is this:
- the community runtime gives you the technical foundations needed to build compliant systems
- Evaluation and Enterprise add the regulator-specific workflow modules, APIs, retention controls, and operational features most organizations need before production rollout in regulated environments
That distinction matters because a public docs page should help engineers build with the community product today without overstating what the licensed compliance modules do.
Start with the free 90-day Evaluation License if you want a self-hosted compliance review with higher limits. If you already need full enterprise features, longer-term rollout help, or AxonFlow-managed SaaS, apply for the Design Partner Program.
What Community Already Gives You
The community build includes core building blocks that are useful across nearly every compliance framework:
- audit logging
- system policy enforcement
- tenant-policy support
- PII detection and redaction foundations
- request tracing and governed runtime boundaries for LLM and MCP access
These capabilities matter even before you adopt a regulator-specific workflow. They are the base layer senior engineers use to make AI systems reviewable and operationally sane.
What Evaluation and Enterprise Add
Evaluation and Enterprise builds add the deeper workflow modules that compliance, risk, and procurement teams usually expect for production:
- regulator-specific APIs and data models
- system registries and assessment workflows
- export and reporting endpoints
- higher-retention governance use cases
- approval and operational controls tailored to regulated environments
For a public map of the licensed API families behind those workflows, see the Enterprise Compliance API Surface.
Framework Coverage
Each row below anchors the framework to durable, primary-source facts — publication dates, entry-into-force dates, specific circular or regulation references. For any forthcoming milestones (pending consultations, draft guidelines, finalisation), follow the regulator-specific page linked from the first column; each includes a current-status pointer to the primary source so the status never goes stale here.
| Framework | Regulatory instruments and key dates | Community Coverage | Evaluation / Enterprise Coverage |
|---|---|---|---|
| EU AI Act — Regulation (EU) 2024/1689 | Published in the OJ on 12 July 2024; entered into force 1 August 2024. Article 113 stages application in four windows: 2 February 2025 (Article 5 prohibitions + Article 4 AI literacy), 2 August 2025 (GPAI, governance, penalties under Articles 99–100), 2 August 2026 (high-risk Annex III obligations), 2 August 2027 (Article 6(1) Annex I safety-component systems; Article 111(3) grace period ends) | Audit, policy enforcement, PII and governed runtime foundations; X-AI-* transparency headers | Export, conformity-assessment, and accuracy-review workflow APIs |
| RBI FREE-AI | Framework for Responsible and Ethical Enablement of AI — committee report released 13 August 2025 with 7 Sutras, 6 Pillars, and 26 Recommendations. The report is guidance, not a binding circular; RBI may operationalise selected recommendations through Master Directions or circulars — check the RBI Master Directions register for the current status | Audit, policy enforcement, and baseline India-relevant PII protection (PAN + Aadhaar system policies, 12-type India detector) | AI system registry, validations, incidents, kill switches, board reports, audit exports |
| SEBI AI/ML | 2019 reporting circulars (2019/10, 2019/24, 2019/63) still operative. Regulation 16C — sole-liability rule — inserted by the SEBI (Intermediaries) (Amendment) Regulations, 2025 and in force since 10 February 2025. 20 June 2025 Consultation Paper on responsible AI/ML (comments closed 11 July 2025) — check SEBI's circulars page for the current status of downstream rules | Audit, policy enforcement, and baseline India-relevant PII protection | SEBI audit export + retention + readiness + dashboard workflows |
| MAS FEAT | FEAT Principles (MAS Information Paper, 12 November 2018) + Veritas Toolkit 2.0 (26 June 2023) are principles-based guidance. AI Risk Management Guidelines consultation issued 13 November 2025; comment window closed 31 January 2026. Check MAS publications for finalisation status | Audit, policy enforcement, and 5 Singapore PII system policies (NRIC, FIN, UEN, phone, postal) | Registry, FEAT assessments, and kill-switch workflows |
| DPDP Act 2023 | Assented 11 August 2023. DPDP Rules 2025 notified 13 November 2025 (Gazette G.S.R. 843(E)). Phase 1 procedural provisions commenced 14 November 2025; Phase 2 (Consent Manager registration) 13 November 2026; Phase 3 substantive compliance 13 May 2027 | Audit, policy enforcement, and baseline India PII detection aligned with DPDP purpose-limitation | Structured audit exports that scale to Data Principal rights handling once Phase 3 activates |
| OJK AI Governance | POJK 11/POJK.03/2022 (binding, in force) + April 2025 AI Governance guidance (supervisory "pedoman"). Three pillars: reliability, accountability, human oversight. Also covers POJK 10/2022 (P2P lending) and POJK 22/2023 (consumer protection) | Audit, policy enforcement, and 8 Indonesia PII system policies (NIK, NPWP legacy + new, phone, BCA, Mandiri, BRI, BNI) | OJK audit export + retention + readiness + dashboard + kill-switch workflows |
| BI Payment System | PBI 23/6/PBI/2021 (PJP governance) + PBI 23/7/PBI/2021 (PIP governance). IS-audit cadence: annual minimum. QRIS governed by PADG 3/2025 (effective 19 Feb 2025). IDR 7.5M penalty per missed incident report | Audit, policy enforcement, and Indonesia PII protection (bank-account patterns for BCA, Mandiri, BRI, BNI) | Audit export with BI_PJP framework, IS-audit evidence workflows |
| UU PDP — Law 27/2022 | Law No. 27 of 2022 — 76 articles, 16 chapters. Two-year transition ended 17 October 2024. Art. 46 breach notification: 3 x 24 hours. Art. 56 cross-border transfer: tiered (adequacy / safeguards / consent). DPA not yet constituted; MOCDA holds notification role. Penalties: admin fine ≤2% annual revenue, criminal ≤6 years + IDR 60B | Audit, policy enforcement, and Indonesia PII detection (NIK, NPWP, phone, bank accounts — 8 patterns) | Breach notification template (Art. 46), cross-border transfer logging (data_residency + transfer_basis), audit export with UU_PDP framework |
Region-Specific Detection Available in the Public Runtime
The community runtime already includes regional detection patterns that are useful for regulated applications:
- India: PAN and Aadhaar system policies, plus broader global PII detection
- Singapore: NRIC, FIN, UEN, phone, and postal-code system policies
- Indonesia: NIK, NPWP (legacy 15-digit and new 16-digit), Indonesian mobile (+62), and bank-account patterns for BCA, Mandiri, BRI, and BNI — 8 detection patterns on the
pii-indonesiacategory - Europe and global use cases: email, phone, bank-account, IBAN, passport, SSN, card, and related patterns where applicable
This is often enough for teams to validate their product design, prove governance value internally, and demonstrate why a licensed deployment is the right next step before production scale.
What AxonFlow Does Not Certify For You
AxonFlow provides runtime controls, audit records, approval workflows, and evidence surfaces. It does not by itself certify your organization for HIPAA, PCI-DSS, SOC 2, ISO 27001, EU AI Act compliance, or any regulator-specific program.
For regulated rollouts, treat AxonFlow as infrastructure that can support your control environment. Your legal, security, compliance, and assessor teams still decide whether the complete system, people, processes, and deployment satisfy the relevant obligations.
Capability Matrix
| Capability | Community | Evaluation / Enterprise |
|---|---|---|
| Audit logging | Yes | Yes |
| System policy enforcement | Yes | Yes |
| Tenant-policy workflows | Yes | Yes |
| Regional PII detection foundations | Yes | Yes |
| Regulator-specific workflow APIs | No | Yes |
| Registry and assessment workflows | No | Yes |
| Regulator-facing exports and dashboards | No | Yes — see the Enterprise Compliance API Surface |
| Advanced regulated operations playbooks | No | Yes |
When Community Is Enough
Community is usually enough when you need to:
- build and assess a governed AI application
- test policy behavior against real prompts, responses, and connector traffic
- prove auditability and PII protection value to platform and security teams
- validate how AxonFlow fits into your existing multi-agent stack
When Teams Usually Need Evaluation or Enterprise
Most teams start pushing for Evaluation or Enterprise when one or more of these become real:
- formal compliance review before production go-live
- regulator- or board-facing reporting expectations
- human approval or governance workflows beyond basic policy blocking
- stronger retention, export, and enterprise operations needs
- wider rollout across multiple internal AI products or business units
That is the point where AxonFlow usually moves from “useful governance layer” to “required AI control plane.”
Industry Examples
| Industry | Common Compliance Pressure | Example Docs |
|---|---|---|
| Banking | Auditability, PII handling, incident controls | Banking Example |
| Healthcare | Data protection, human review, traceability | Healthcare Example |
| Travel | Customer-data protection, governed tool access | Trip Planner Example |
| E-commerce | Customer-data governance and workflow audit | E-commerce Example |
Enterprise Operating Model
The licensed workflow surface below is included here so engineers can evaluate both the community baseline and the production operating model from one page.
AxonFlow Enterprise includes a enterprise compliance estate for teams that need more than policy enforcement at request time. In practice, that means compliance teams, platform teams, and audit functions can operate shared workflows for:
- framework-specific evidence collection
- approval and oversight queues
- audit export generation
- model validation and incident tracking
- emergency stop and recovery procedures
These workflows sit on top of the core Agent and Orchestrator controls you already use for policy enforcement, redaction, connector governance, and execution logging.
Requires Enterprise license.
What AxonFlow Actually Ships
The current enterprise codebase exposes four dedicated compliance modules plus shared enforcement services:
| Framework or control | Primary runtime surface | What teams use it for |
|---|---|---|
| EU AI Act | /api/v1/euaiact/* | Conformity assessments, exportable evidence, accuracy and bias tracking |
| RBI FREE-AI | /api/v1/rbi/* | AI system inventory, validations, incidents, kill switches, board reports, audit exports |
| SEBI AI/ML | /api/v1/sebi/* | Audit exports, retention status, readiness checks, dashboard summaries |
| MAS FEAT | /api/v1/masfeat/* | AI system registry, FEAT assessments, MAS-oriented kill switch workflows |
| OJK / BI / UU PDP | /api/v1/ojk/* | OJK AI governance audit exports, readiness scoring, UU PDP breach notifications, cross-border transfer logging, BI payment IS-audit evidence |
| Human oversight | /api/v1/hitl/* | Approval queues for regulated or high-impact decisions |
| Emergency stop | /api/v1/circuit-breaker/* | Immediate platform-wide or scoped shutdown for unsafe AI behavior |
Shared Operating Model
The framework modules are different, but the working pattern is similar across all of them:
- Register or identify the AI system, tenant, or scope you are governing.
- Route production traffic through Agent and Orchestrator so policy decisions and execution traces are captured.
- Use the framework module to collect evidence, record reviews, and export audit-ready artifacts.
- Use HITL and circuit breaker controls when a policy or reviewer needs to slow down or halt the system.
For an enterprise platform team, this is the difference between "we redact PII" and "we can show an auditor how the system was governed, reviewed, and changed over time."
Header And Identity Patterns
The enterprise compliance APIs do not all use the same header contract, so it is worth being explicit:
| Surface | Required identity headers |
|---|---|
| EU AI Act | X-Org-ID or tenant derived from Basic auth |
| SEBI | tenant derived from Basic auth preferred, X-Org-ID accepted as fallback |
| RBI FREE-AI | X-Org-ID |
| MAS FEAT | X-Org-ID or tenant derived from Basic auth |
| OJK / BI / UU PDP | tenant derived from Basic auth preferred, X-Org-ID accepted as fallback |
| HITL create | X-Org-ID and tenant derived from Basic auth |
| Circuit breaker trip/reset | X-Org-ID and X-User-ID |
Add X-User-ID whenever you want reviewer or user identity captured in the audit trail for actions like approvals, submissions, trips, and resets.
Framework Guide Map
| Guide | Best fit |
|---|---|
| EU AI Act Compliance Guide | European deployments that need conformity, evidence exports, and model-quality tracking for high-risk systems |
| RBI FREE-AI Compliance Guide | Banks and regulated financial institutions that need system inventory, validations, incidents, and board reporting |
| SEBI AI/ML Compliance Guide | Securities, advisory, or trading teams that need retention and export evidence |
| MAS FEAT Compliance Guide | Singapore financial services teams that need FEAT assessments, materiality tracking, and scoped kill switches |
| OJK AI Governance Guide | Indonesian banks and financial institutions that need OJK audit evidence, readiness scoring, and AI governance lifecycle controls |
| BI Payment System Guide | Payment service providers and QRIS acquirers that need IS-audit evidence and incident reporting for BI supervision |
| UU PDP Guide | Teams processing Indonesian personal data that need Art. 46 breach notification workflows and Art. 56 cross-border transfer logging |
Platform Team View Of The Stack
Request traffic
-> Agent policy enforcement, redaction, and HITL pre-checks
-> Orchestrator execution, routing, and framework-specific evidence services
-> PostgreSQL-backed compliance records and export metadata
-> Optional cloud storage for larger audit exports
-> Protected portal and API workflows for platform teams, reviewers, and auditors
That separation matters:
- the Agent handles real-time intervention and request blocking
- the Orchestrator hosts most batch, reporting, and framework-management flows
- the enterprise portal gives enterprise platform teams a safer operational surface for day-to-day governance tasks
Which Compliance Surfaces Are Strongest Today
The most mature, code-verified framework surfaces in the current build are:
- RBI FREE-AI: broadest operational footprint, including registry, validations, incidents, kill switches, reports, and exports
- EU AI Act: strongest for conformity plus model-quality evidence
- SEBI: strongest for audit export and retention/readiness workflows
- MAS FEAT: strong for registry, assessment lifecycle, and per-system kill-switch controls
- OJK / BI / UU PDP: audit export and readiness workflows across three Indonesian frameworks, breach notification with Art. 46 deadline tracking, and cross-border transfer logging
That makes AxonFlow especially useful for enterprises building regulated multi-agent systems where engineering, risk, and audit teams all need access to the same operating evidence.
Recommended Rollout Sequence
1. Start with governance on a real tenant
Put one production-like tenant through the full path:
- protected authentication
- policy enforcement
- HITL escalation
- framework-specific exports or assessments
2. Pick a primary regulatory workflow
Examples:
- EU AI Act for a lending or hiring assistant in the EU
- RBI FREE-AI for a banking workflow with board-level review and validation
- SEBI for advisory, trading, or securities operations that need retention and export evidence
- MAS FEAT for Singapore financial services AI inventory and assessment governance
- OJK / BI / UU PDP for Indonesian banking, payment, and data-protection governance with breach notification and cross-border transfer logging
3. Exercise emergency controls before go-live
Before a regulator or internal control function asks, make sure the team can:
- create and work a HITL queue
- trip a scoped or global circuit breaker
- inspect retention or export status
- trace who approved, rejected, or reset a regulated workflow
