Compliance Enforcer


The Compliance Enforcer is the governance layer of the NANDA network — a policy decision engine that evaluates every agent interaction against configurable rules for PII protection, regional routing, capability restrictions, and regulatory compliance.

Core Capabilities

Policy Decision Point

Versioned policy documents define allow/deny rules. Each incoming agent interaction is evaluated against the active policy set, producing an allow or deny decision with reasons.

PII Redaction

Automatic detection and redaction of personally identifiable information in agent payloads — enforcing data minimization principles before cross-agent communication.

Regional Routing

Jurisdiction-aware routing rules ensure data residency compliance. Agents in specific jurisdictions are routed to appropriate regional endpoints.

Violation Tracking

Every policy violation is recorded with the offending agent, envelope hash, reason, and timestamp — providing a complete compliance audit trail.

Decision Flow

When an agent interaction is submitted for compliance evaluation:

  1. Envelope received — the interaction payload (from agent, to agent, capability, data) is captured
  2. Policy evaluation — active policies are applied in ascending version order against the envelope, so a matching rule in a higher version overrides one in a lower version
  3. Decision recorded — an allow or deny decision is stored with the full reasoning chain
  4. Violation flagged — if denied, a violation record is created for audit and potential enforcement action

Policy Structure

Policies are stored as versioned JSON rule sets. Each policy contains:

policy_id

Unique identifier for the policy

rules_json

JSON-encoded rule set defining conditions, actions, and enforcement levels

version

Integer version — higher versions take precedence during evaluation

A2A Protocol Actions

The Compliance Enforcer is accessible via the A2A JSON-RPC protocol at /a2a:

policy.eval

Evaluate an interaction envelope against the active policy — returns decision, reasons, and optional PII-redacted envelope

policy.rules.get

Retrieve the current policy rules, optionally filtered by policy ID

policy.violation

Report a policy violation for an agent with reason and severity
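As an added worked example that is not NANDA's own code, the following Python sketch ties together the Decision Flow, the Policy Structure and the three A2A actions above: it evaluates an envelope against versioned JSON rule sets in ascending version order, redacts PII on allowed envelopes, records each decision and any violation with the envelope hash, and dispatches policy.eval, policy.rules.get and policy.violation through an in-process JSON-RPC 2.0 handler. The rule schema (`when`/`action`/`reason`), the `from_region`/`to_region` envelope fields, the two PII patterns, the policy contents and the sample envelopes are all assumptions constructed for the illustration; the real service's rule language and transport are not shown on this page.

```python
"""Added example, not NANDA's own code: a minimal Compliance Enforcer shaped like the
page's description. Rule schema, region fields, PII patterns and the in-process
JSON-RPC dispatch are assumptions made for this illustration."""
import hashlib, json, re, time

# Assumed rule schema: {"when": {field: value|[any of]}, "action": "allow"|"deny"|"redact", "reason": str}
PII_PATTERNS = {  # assumption: two PII shapes, enough to show redaction
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def redact_pii(value):
    """Return (copy with PII replaced, set of PII kinds found); recurses into dicts."""
    if isinstance(value, dict):
        parts = {k: redact_pii(v) for k, v in value.items()}
        return {k: p[0] for k, p in parts.items()}, set().union(*(p[1] for p in parts.values()))
    found = set()
    if isinstance(value, str):
        for kind, pat in PII_PATTERNS.items():
            if pat.search(value):
                found.add(kind)
                value = pat.sub(f"[REDACTED-{kind.upper()}]", value)
    return value, found

def envelope_hash(envelope):
    """Stable hash that ties a decision and any violation to the exact envelope."""
    return hashlib.sha256(json.dumps(envelope, sort_keys=True).encode()).hexdigest()

def rule_matches(when, envelope):  # every condition must hold; a list means "any of"
    return all(envelope.get(f) in w if isinstance(w, list) else envelope.get(f) == w
               for f, w in when.items())

class ComplianceEnforcer:
    def __init__(self, policies):
        self.policies = policies    # [{"policy_id", "rules_json", "version"}]
        self.decisions, self.violations = [], []   # audit trail; violation records

    def evaluate(self, envelope):
        """Decision flow steps 1-4; ascending version order, so a higher version's rule wins."""
        decision, reasons, redact = "allow", [], False
        for pol in sorted(self.policies, key=lambda p: p["version"]):
            for rule in json.loads(pol["rules_json"]):
                if not rule_matches(rule["when"], envelope):
                    continue
                reasons.append(f'{pol["policy_id"]}@v{pol["version"]}: {rule["reason"]}')
                if rule["action"] in ("allow", "deny"):
                    decision = rule["action"]
                elif rule["action"] == "redact":
                    redact = True
        result = {"decision": decision, "reasons": reasons, "envelope_hash": envelope_hash(envelope)}
        if decision == "allow" and redact:  # minimise before the envelope crosses to the peer
            result["envelope"], kinds = redact_pii(envelope)
            result["pii_redacted"] = sorted(kinds)
        self.decisions.append({**result, "timestamp": time.time()})
        if decision == "deny":
            self.record_violation(envelope["from"], "; ".join(reasons), "high", result["envelope_hash"])
        return result

    def record_violation(self, agent, reason, severity, env_hash=None):
        self.violations.append({"agent": agent, "envelope_hash": env_hash, "reason": reason,
                                "severity": severity, "timestamp": time.time()})
        return {"recorded": True, "violation_count": len(self.violations)}

    def rpc(self, request):
        """In-process JSON-RPC 2.0 dispatch for the three A2A actions (no transport)."""
        method, params = request.get("method"), request.get("params", {})
        if method == "policy.eval":
            result = self.evaluate(params["envelope"])
        elif method == "policy.rules.get":
            pid = params.get("policy_id")
            result = [p for p in self.policies if pid is None or p["policy_id"] == pid]
        elif method == "policy.violation":
            result = self.record_violation(params["agent"], params["reason"], params["severity"])
        else:
            return {"jsonrpc": "2.0", "id": request.get("id"),
                    "error": {"code": -32601, "message": "Method not found"}}
        return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}

# Constructed policies: v1 denies 'export' to US/APAC agents and redacts PII on 'share';
# v2 carries a higher version, so its narrower allow for APAC wins over v1's deny.
POLICIES = [
    {"policy_id": "residency", "version": 1, "rules_json": json.dumps([
        {"when": {"capability": "export", "to_region": ["us", "apac"]}, "action": "deny",
         "reason": "EU data residency"},
        {"when": {"capability": "share"}, "action": "redact", "reason": "data minimization"}])},
    {"policy_id": "residency", "version": 2, "rules_json": json.dumps([
        {"when": {"capability": "export", "to_region": "apac"}, "action": "allow",
         "reason": "APAC adequacy decision"}])},
]

def envelope(to, to_region, capability, data):  # constructed; *_region fields are assumed
    return {"from": "agent-a", "from_region": "eu", "to": to, "to_region": to_region,
            "capability": capability, "data": data}

def demo():
    enf = ComplianceEnforcer(POLICIES)
    call = lambda i, env: enf.rpc({"jsonrpc": "2.0", "id": i, "method": "policy.eval",
                                   "params": {"envelope": env}})["result"]
    shared = call(1, envelope("agent-b", "eu", "share", {"note": "alice@example.com, SSN 123-45-6789"}))
    denied = call(2, envelope("agent-c", "us", "export", {}))
    apac = call(3, envelope("agent-d", "apac", "export", {}))
    return shared, denied, apac, enf.violations
```

Running demo() yields the three outcomes the page's flow describes: a share envelope allowed with its e-mail address and SSN redacted, an export to a US agent denied and written to the violation list with the envelope hash, and an export to APAC that version 1 denies but version 2 allows, with both reasons kept in the chain. One point worth checking in a real deployment: here redaction runs only on allowed envelopes, and a deny decision's audit record carries the hash of the unredacted envelope rather than its contents, so raw PII never lands in the trail.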

Zero Trust Agentic Access (ZTAA)

The Compliance Enforcer implements the ZTAA framework — applying Zero Trust principles to AI agent interactions:

  • Verify Explicitly — every interaction requires cryptographic verification, never implicit trust
  • Least Privilege — agents are granted only the minimum capabilities needed per interaction
  • Assume Breach — continuous monitoring and revocation are in place so that a compromised agent can be detected and isolated rather than trusted on the strength of an earlier verification

Integration with Other Services

See also:
  • Trust & Security for ZTAA details
  • A2A Protocol for compliance actions
  • Infrastructure Overview

Related reading:
  • Governance at Scale: multi-stakeholder governance frameworks for agent ecosystems
  • Cross-Platform Trust: portable compliance across registries
