# Compliance Engine

Regulatory compliance profiles for the Sgraal preflight API.

## How to use

Add the `compliance_profile` field to your `POST /v1/preflight` request:

```json
{
  "memory_state": [...],
  "action_type": "irreversible",
  "domain": "fintech",
  "compliance_profile": "EU_AI_ACT"
}
```

The response includes a `compliance_result` object with `compliant`, `violations`, `audit_required`, and `profile_applied`. Critical violations automatically override `recommended_action` to `BLOCK`.
## Profiles

Available values: `GENERAL` (default), `EU_AI_ACT`, `FDA_510K`, `HIPAA`.
## EU AI Act

### Article 12 — Logging & Irreversible Actions

When `omega_mem_final > 60` AND `action_type == "irreversible"`: non-compliant. Audit trail required. Recommended action overridden to `BLOCK`.

### Article 9 — Risk Management (Medical)

When `domain == "medical"` AND `omega_mem_final > 40`: human oversight required. Audit required.

### Article 13 — Transparency

Always enforced. Every response includes an `explainability_note` with the highest-risk component and the recommended action. No additional action needed.
## FDA 510(k)

### Predicate Device Comparison

When `domain == "medical"` AND `omega_mem_final > 30`: non-compliant. Requires predicate device comparison. Audit required.

### Risk Classification

When `action_type` is `irreversible` or `destructive` AND `omega_mem_final > 50`: Class III review required. Audit required.
## HIPAA

### PHI Integrity — §164.312

When `domain == "medical"` AND `assurance_score < 70`: non-compliant. Protected Health Information integrity cannot be guaranteed. Audit required.
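The profile rules above are simple threshold checks, so a local reference evaluator makes their interaction (which rules trip, which force `BLOCK`, which only demand an audit) easy to test before wiring a client to the API. The following is an added example, not Sgraal's own code. The field names (`omega_mem_final`, `assurance_score`, `action_type`, `domain`, `compliance_profile`, `recommended_action`) and the `compliance_result` shape follow this page; the rule ids, the severity labels, the fail-closed handling of a missing `assurance_score`, and the choice that only Article 12 (the one rule the page says overrides the recommended action) counts as critical are assumptions made here.

```python
# Added example, not Sgraal's own code: a local reference evaluator for the
# profile rules documented on this page. Rule ids, severity labels and the
# "only Article 12 is critical" choice are assumptions of this example.
from __future__ import annotations

from dataclasses import asdict, dataclass

PROFILES = ("GENERAL", "EU_AI_ACT", "FDA_510K", "HIPAA")


# Severity model (assumption): critical -> non-compliant and recommended_action
# forced to BLOCK; noncompliant -> compliant=false plus audit; advisory -> an
# extra requirement (e.g. human oversight) plus audit, compliant flag untouched.
@dataclass(frozen=True)
class Violation:
    rule: str
    severity: str
    message: str


def _rules_for(profile: str, action: str | None, domain: str | None,
               omega: float, assurance: float | None) -> list[Violation]:
    """Return every documented rule the inputs trip for the given profile."""
    found: list[Violation] = []
    if profile == "EU_AI_ACT":
        # Article 12: irreversible action under high memory risk
        if omega > 60 and action == "irreversible":
            found.append(Violation("EU_AI_ACT/Art12", "critical",
                                   "irreversible action with omega_mem_final > 60; audit trail required"))
        # Article 9: risk management in the medical domain
        if domain == "medical" and omega > 40:
            found.append(Violation("EU_AI_ACT/Art9", "advisory", "human oversight required"))
        # Article 13 (transparency) is satisfied by the explainability_note that
        # every response carries, so it never produces a violation here.
    elif profile == "FDA_510K":
        if domain == "medical" and omega > 30:
            found.append(Violation("FDA_510K/predicate", "noncompliant",
                                   "predicate device comparison required"))
        if action in ("irreversible", "destructive") and omega > 50:
            found.append(Violation("FDA_510K/class_iii", "noncompliant",
                                   "Class III review required"))
    elif profile == "HIPAA":
        # Fail closed (assumption): a missing assurance_score cannot guarantee
        # PHI integrity any more than a low one can.
        if domain == "medical" and (assurance is None or assurance < 70):
            found.append(Violation("HIPAA/164.312", "noncompliant",
                                   "PHI integrity cannot be guaranteed (assurance_score < 70)"))
    return found


def evaluate_compliance(request: dict, preflight: dict) -> dict:
    """Apply the selected profile to a preflight request and its computed scores.

    request:   the POST /v1/preflight body (action_type, domain, compliance_profile)
    preflight: scores the engine produced for it (omega_mem_final,
               assurance_score, recommended_action)
    Returns the compliance_result object plus the possibly overridden
    recommended_action.
    """
    profile = request.get("compliance_profile", "GENERAL")
    if profile not in PROFILES:
        # Reject rather than silently fall back to GENERAL: an unknown profile
        # would otherwise disable every regulatory check.
        raise ValueError(f"unknown compliance_profile: {profile!r}")

    violations = _rules_for(profile, request.get("action_type"), request.get("domain"),
                            preflight["omega_mem_final"], preflight.get("assurance_score"))
    recommended = preflight.get("recommended_action")
    if any(v.severity == "critical" for v in violations):
        recommended = "BLOCK"
    return {
        "compliance_result": {
            "compliant": not any(v.severity in ("critical", "noncompliant") for v in violations),
            "violations": [asdict(v) for v in violations],
            "audit_required": bool(violations),  # every documented rule hit requires an audit
            "profile_applied": profile,
        },
        "recommended_action": recommended,
    }


if __name__ == "__main__":
    # Constructed sample: an irreversible fintech action with a high memory score.
    sample_request = {"action_type": "irreversible", "domain": "fintech",
                      "compliance_profile": "EU_AI_ACT"}
    sample_scores = {"omega_mem_final": 72, "assurance_score": 85,
                     "recommended_action": "PROCEED"}  # PROCEED is a placeholder value
    print(evaluate_compliance(sample_request, sample_scores))
```

Two design points worth keeping when porting this: an unrecognised profile raises instead of quietly degrading to `GENERAL`, because a typo in `compliance_profile` would otherwise switch off every regulatory check; and a missing `assurance_score` under `HIPAA` is treated as a failure, since an absent score cannot guarantee PHI integrity.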
## Healing Policy Matrix

The compliance profile also affects the healing tier and approval requirements for repair actions:

| Memory Type | Domain | Profile | Tier | Approval |
|---|---|---|---|---|
| tool_state | medical | FDA_510K | 3 | Required |
| tool_state | fintech | EU_AI_ACT | 2 | Required |
| semantic | fintech | EU_AI_ACT | 2 | No |
| tool_state | general | GENERAL | 1 | No |

Tier 1 = auto-heal, Tier 2 = suggest, Tier 3 = log-only.
## Contact

For compliance questions, contact us at hello@sgraal.com.