Metadata-Version: 2.4
Name: regulated-ai-governance
Version: 0.23.0
Summary: Comprehensive governance framework for AI agents operating in FERPA, HIPAA, GDPR, GLBA, ISO 42001, and 10+ regulated environments
Author-email: Ashutosh Rana <17191144+ashutoshrana@users.noreply.github.com>
License-Expression: MIT
Project-URL: Homepage, https://github.com/ashutoshrana/regulated-ai-governance
Project-URL: Documentation, https://github.com/ashutoshrana/regulated-ai-governance#readme
Project-URL: Issues, https://github.com/ashutoshrana/regulated-ai-governance/issues
Project-URL: Changelog, https://github.com/ashutoshrana/regulated-ai-governance/blob/main/CHANGELOG.md
Keywords: regulated-ai,ai-governance,ferpa,hipaa,glba,gdpr,ccpa,soc2,enterprise-ai,compliance,llm,multi-agent,policy-enforcement,audit-logging,pii-detection,data-lineage,consent-management,crewai,langchain,autogen,semantic-kernel,haystack,llama-index,iso42001,eu-ai-act,dora,nist-ai-rmf,owasp-llm,multi-framework,governance-orchestrator
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Education
Classifier: Intended Audience :: Healthcare Industry
Classifier: Intended Audience :: Financial and Insurance Industry
Classifier: Intended Audience :: Legal Industry
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Office/Business
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: crewai
Requires-Dist: crewai>=1.14.0; extra == "crewai"
Provides-Extra: langchain
Requires-Dist: langchain-core>=0.3.0; extra == "langchain"
Provides-Extra: autogen
Requires-Dist: pyautogen>=0.4.0; extra == "autogen"
Provides-Extra: llama-index
Requires-Dist: llama-index-core>=0.12.0; extra == "llama-index"
Provides-Extra: semantic-kernel
Requires-Dist: semantic-kernel>=1.41.0; extra == "semantic-kernel"
Provides-Extra: haystack
Requires-Dist: haystack-ai>=2.20.0; extra == "haystack"
Provides-Extra: maf
Requires-Dist: microsoft-agent-framework>=1.0.0; extra == "maf"
Provides-Extra: all
Requires-Dist: regulated-ai-governance[crewai,haystack,langchain,llama-index,maf,semantic-kernel]; extra == "all"
Provides-Extra: dev
Requires-Dist: pytest>=8.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0; extra == "dev"
Requires-Dist: ruff>=0.4; extra == "dev"
Requires-Dist: mypy>=1.9; extra == "dev"
Dynamic: license-file

# regulated-ai-governance

[![CI](https://github.com/ashutoshrana/regulated-ai-governance/actions/workflows/ci.yml/badge.svg)](https://github.com/ashutoshrana/regulated-ai-governance/actions/workflows/ci.yml)
[![PyPI](https://img.shields.io/pypi/v/regulated-ai-governance.svg)](https://pypi.org/project/regulated-ai-governance/)
[![Python](https://img.shields.io/pypi/pyversions/regulated-ai-governance.svg)](https://pypi.org/project/regulated-ai-governance/)
[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
[![Downloads](https://img.shields.io/pypi/dm/regulated-ai-governance.svg)](https://pypi.org/project/regulated-ai-governance/)

---

## The problem this solves

AI agents in regulated environments (FERPA, HIPAA, GLBA) can access and process data they are not authorized to see. Standard agent frameworks — CrewAI, AutoGen, LangChain, Semantic Kernel — have no concept of regulated industry access control. When you deploy an agent in a higher-education, healthcare, or financial-services environment, the framework will not tell you whether the agent is allowed to access a record type, who must approve an export, or how to produce the audit record the regulation requires. This library provides those answers as composable Python primitives, with pre-built policy adapters for each major framework that enforce authorization before any action executes.

---

## Architecture

```
CrewAI / AutoGen / Semantic Kernel / LangChain Agent
     │
     ▼
EnterpriseActionGuard / PolicyEnforcingAgent / GovernanceCallback
(wraps your tool or callback — drop-in replacement)
     │
     ├─ ActionPolicy.can_run(action_name)? ─────────────────────┐
     │        ├─ Permitted ────────────────────► Execute         │
     │        ├─ Escalation required ──────────► Block + notify │
     │        └─ Denied ──────────────────────► PolicyViolation │
     │                                                           │
     └─ GovernanceAuditRecord ───────────────────────────────────┘
          regulation citation + action_name + actor_id
          permitted / denied / escalated + timestamp
          → audit_sink (durable compliance log)
```

---

## Installation

```bash
pip install regulated-ai-governance
```

With framework integrations:

```bash
pip install "regulated-ai-governance[crewai]"
pip install "regulated-ai-governance[langchain]"
pip install "regulated-ai-governance[autogen]"
pip install "regulated-ai-governance[llama-index]"
pip install "regulated-ai-governance[semantic-kernel]"
pip install "regulated-ai-governance[haystack]"
```

---

## 30-second example: CrewAI + FERPA

```python
from regulated_ai_governance.integrations.crewai import EnterpriseActionGuard
from regulated_ai_governance.regulations.ferpa import make_ferpa_student_policy

guard = EnterpriseActionGuard(
    wrapped_tool=MyTranscriptTool(),           # your existing CrewAI tool
    policy=make_ferpa_student_policy(
        allowed_record_categories={"academic_record"}
    ),
    regulation="FERPA",
    actor_id="stu-alice",                      # from verified session token
    audit_sink=lambda rec: write_to_db(rec),   # wire to durable compliance store
    block_on_escalation=True,
)

agent = Agent(tools=[guard], ...)  # drop-in replacement — no other changes needed
```

Every call to `guard` emits a `GovernanceAuditRecord` whether permitted or denied, suitable for direct insert into a 34 CFR § 99.32 disclosure log.

---

## Framework support

| Framework | Adapter Class | Install Extra |
|-----------|--------------|---------------|
| CrewAI | `EnterpriseActionGuard` | `[crewai]` |
| AutoGen | `PolicyEnforcingAgent` | `[autogen]` |
| Semantic Kernel | `PolicyKernelPlugin` | `[semantic-kernel]` |
| LangChain | `GovernanceCallbackHandler` | `[langchain]` |
| Haystack | via enterprise-rag-patterns | — |

---

## Regulations supported

| Regulation | Status | Audit Citation |
|------------|--------|---------------|
| FERPA (34 CFR § 99) | Implemented | 34 CFR § 99.32 disclosure log |
| HIPAA (45 CFR § 164) | Implemented | 45 CFR § 164.312(b) access controls |
| GLBA (16 CFR § 314) | Implemented | 16 CFR § 314.4(e) safeguards |
| GDPR | Implemented | Art. 17, Art. 22 automated decision |
| CCPA | Planned | Cal. Civ. Code § 1798.100 |
| SOC 2 | Planned | CC6.1 logical access controls |

---

## Quick start: HIPAA and GLBA

```python
from regulated_ai_governance.regulations.hipaa import make_hipaa_treating_provider_policy
from regulated_ai_governance import GovernedActionGuard

# HIPAA — clinical decision support agent
policy = make_hipaa_treating_provider_policy(
    escalate_external_share_to="hipaa_privacy_officer"
)
guard = GovernedActionGuard(policy=policy, regulation="HIPAA", actor_id="nurse-001")
result = guard.guard("read_lab_results", lambda: {"hba1c": 6.2})
# → {"hba1c": 6.2}
```

```python
from regulated_ai_governance.regulations.glba import make_glba_customer_service_policy

# GLBA — customer-service chatbot
policy = make_glba_customer_service_policy()
guard = GovernedActionGuard(policy=policy, regulation="GLBA", actor_id="cust-7890")
guard.guard("read_account_balance", lambda: {"balance": "$1,240.00"})
# → {"balance": "$1,240.00"}
```

---

## Audit records

Every guard evaluation emits a `GovernanceAuditRecord`:

```python
print(audit_log[0].to_log_entry())
# {
#   "record_id": "a3f8...",
#   "regulation": "FERPA",
#   "actor_id": "stu-alice",
#   "action_name": "read_academic_record",
#   "permitted": true,
#   "denial_reason": null,
#   "escalation_target": null,
#   "policy_version": "1.0",
#   "timestamp": "2026-04-11T14:30:00+00:00"
# }
```

JSON-serializable, suitable for direct insert into a compliance database per 34 CFR § 99.32 (FERPA), 45 CFR § 164.312(b) (HIPAA), or 16 CFR § 314.4(e) (GLBA).

---

## Ecosystem

See [ECOSYSTEM.md](./ECOSYSTEM.md) for the full regulation and framework coverage matrix.

---

## Contributing

Contributions are welcome. Please read [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines. Run `pytest tests/ -v` to verify your changes before opening a pull request.

---

## Citation

If you use these patterns in research or production, please cite:

```bibtex
@software{rana2026rag,
  author    = {Rana, Ashutosh},
  title     = {regulated-ai-governance: Policy enforcement for AI agents in regulated environments},
  year      = {2026},
  url       = {https://github.com/ashutoshrana/regulated-ai-governance},
  license   = {MIT}
}
```

Or use GitHub's "Cite this repository" button above (reads `CITATION.cff`).

---

## Part of the enterprise AI patterns trilogy

| Library | Focus | Regulation |
|---------|-------|-----------|
| [enterprise-rag-patterns](https://github.com/ashutoshrana/enterprise-rag-patterns) | What to retrieve | FERPA identity-scoped RAG |
| **regulated-ai-governance** | What agents may do | FERPA, HIPAA, GLBA, GDPR, CCPA, SOC2 |
| [integration-automation-patterns](https://github.com/ashutoshrana/integration-automation-patterns) | How data flows | Event-driven enterprise integration |

---

## License

MIT — see [LICENSE](LICENSE).
