v0.1Draft for Public CommentCC BY 4.0

AI Agent Compliance Data Model

A minimal, interoperable data model for AI agent compliance events — designed to satisfy GDPR Art. 30, EU AI Act Art. 14, and GDPR Chapter V from a single shared schema.

Open an Issue Read on GitHub

Published by: Veridion Nexus
Version: 0.1 — Draft
License: CC BY 4.0
Published: 2026-03-20

Why This Exists

AI agents make autonomous decisions, call external tools, and transfer data across jurisdictions — often faster than any human oversight loop. The compliance infrastructure around them is fragmented: security tools track what tools were called, IT governance tools track which agents exist, and legal/privacy tools track data flows. None of them share a common data model.

This means a DPO auditing an HR screening agent, a regulator assessing an EU AI Act Annex III system, and a CISO investigating a potential prompt injection incident are all looking at different records — or no records at all.

This specification defines a minimal, interoperable data model for AI agent compliance events. It is designed to be:

Implementable by any tool — security, governance, or compliance
Composable — the same event stream should satisfy GDPR Art. 30 (records of processing), EU AI Act Art. 14 (human oversight), and internal audit requirements
Extensible — v0.1 defines the floor, not the ceiling

The goal is not a new standard to replace existing ones. It is a shared vocabulary so that tools operating at different layers of the agent stack can produce records that fit together.

Scope

This version covers five core object types:

Object	What it captures	Primary regulatory relevance
`AgentRecord`	Identity and policy profile of an agent	GDPR Art. 30, EU AI Act Art. 16
`ToolCallEvent`	A single tool invocation by an agent	GDPR Art. 5(1)(c) data minimization, EU AI Act Art. 14
`DataTransferRecord`	A cross-border personal data transfer	GDPR Chapter V (Arts. 44–49)
`ContextTrustAnnotation`	Trust level of data present in agent context at decision time	EU AI Act Art. 14, GDPR Art. 22
`HumanOversightRecord`	A human review or override of an agent decision	EU AI Act Art. 14

1. AgentRecord

Represents a registered AI agent. Should be created when an agent is deployed and updated when its capabilities or policies change.

{
  "schema": "acm/agent-record/v0.1",
  "agent_id": "agt_7f3a9c",
  "display_name": "HR Screening Agent",
  "version": "2.1.0",
  "owner": {
    "organization": "Acme Corp",
    "team": "People Operations",
    "contact": "dpo@acme.com"
  },
  "deployment": {
    "environment": "production",
    "region": "eu-west-1",
    "data_residency": "DE",
    "first_deployed_at": "2026-01-15T09:00:00Z"
  },
  "classification": {
    "eu_ai_act_risk_level": "high",
    "eu_ai_act_annex": "III",
    "processes_personal_data": true,
    "special_categories": ["employment_decisions"],
    "automated_decision_making": true
  },
  "tools_permitted": ["cv_parser", "calendar_api", "email_sender"],
  "transfer_policies": ["policy_eu_only", "policy_scc_us"],
  "a2a_card_url": "https://acme.com/.well-known/agent-cards/hr-screening.json",
  "registered_at": "2026-01-15T09:00:00Z",
  "last_updated_at": "2026-03-01T14:22:00Z"
}

Field reference

Field	Type	Required	Notes
`agent_id`	string	✓	Stable unique identifier for the agent across its lifecycle
`display_name`	string	✓	Human-readable name
`version`	string	✓	Semantic version of the agent
`owner.organization`	string	✓	Legal entity responsible (controller in GDPR terms)
`owner.contact`	string	✓	DPO or responsible team contact
`deployment.data_residency`	ISO 3166-1 alpha-2	✓	Country where agent data is primarily processed
`classification.eu_ai_act_risk_level`	enum: minimal, limited, high, unacceptable	✓ if EU deployment	Self-classification under EU AI Act
`classification.automated_decision_making`	boolean	✓	Triggers GDPR Art. 22 obligations if true
`tools_permitted`	string[]	✓	Allowlist of tool identifiers the agent may call
`transfer_policies`	string[]	○	References to applicable GDPR Chapter V transfer mechanisms
`a2a_card_url`	URL	○	Link to A2A-compatible agent card for interoperability

2. ToolCallEvent

Represents a single tool invocation. Every time an agent calls an external tool, a ToolCallEvent should be emitted. This is the primary record for data minimization audits and AI Act oversight.

{
  "schema": "acm/tool-call-event/v0.1",
  "event_id": "evt_a3f81b",
  "agent_id": "agt_7f3a9c",
  "session_id": "sess_9d2e4f",
  "tool_id": "cv_parser",
  "tool_version": "1.4.2",
  "called_at": "2026-03-20T11:34:52Z",
  "inputs": {
    "fields_requested": ["name", "email", "work_history"],
    "data_subjects": 1,
    "contains_special_categories": false
  },
  "outputs": {
    "fields_returned": ["name", "email", "work_history", "inferred_age"],
    "data_subjects": 1
  },
  "context_trust": {
    "level": "degraded",
    "degraded_by": "external_document",
    "degraded_at": "2026-03-20T11:34:10Z",
    "annotation_ref": "cta_7c1a3e"
  },
  "outcome": {
    "decision_made": true,
    "decision_type": "candidate_shortlisted",
    "human_review_required": true,
    "oversight_record_ref": "hor_2b9f5a"
  },
  "legal_basis": "legitimate_interests",
  "purpose": "employment_screening"
}

Field reference

Field	Type	Required	Notes
`event_id`	string	✓	Unique, immutable identifier for this event
`agent_id`	string	✓	References AgentRecord
`session_id`	string	✓	Groups related events in a single agent session
`tool_id`	string	✓	Must match an entry in `AgentRecord.tools_permitted`
`called_at`	ISO 8601	✓	UTC timestamp
`inputs.fields_requested`	string[]	✓	What the agent asked for — key for minimization audit
`outputs.fields_returned`	string[]	✓	What was actually returned — excess = potential violation
`context_trust.level`	enum: trusted, degraded, untrusted	✓	Trust level of agent context at call time
`outcome.decision_made`	boolean	✓	Whether this call contributed to an automated decision
`outcome.human_review_required`	boolean	✓	Required for EU AI Act Annex III systems
`legal_basis`	string	✓	GDPR Art. 6 legal basis for processing

Implementation note: If context_trust.level is degraded or untrusted and outcome.decision_made is true for a high-risk AI system, this event should be automatically flagged for human review and referenced in the HumanOversightRecord.

3. DataTransferRecord

Represents a personal data transfer to a third country or international organization under GDPR Chapter V. Should be emitted whenever an agent call results in personal data leaving the EEA.

{
  "schema": "acm/data-transfer-record/v0.1",
  "transfer_id": "xfr_5c2d7a",
  "agent_id": "agt_7f3a9c",
  "event_ref": "evt_a3f81b",
  "transferred_at": "2026-03-20T11:34:53Z",
  "origin": {
    "jurisdiction": "EU",
    "data_residency": "DE"
  },
  "destination": {
    "jurisdiction": "US",
    "recipient": "OpenAI Inc.",
    "recipient_country": "US",
    "service_endpoint": "api.openai.com"
  },
  "transfer_mechanism": {
    "type": "scc",
    "scc_version": "2021/914/EU",
    "module": "2",
    "executed_at": "2025-11-01T00:00:00Z",
    "document_ref": "vault://scc/openai-2025-11-01.pdf"
  },
  "data": {
    "categories": ["professional_history", "contact_information"],
    "special_categories": [],
    "data_subjects_count": 1,
    "pseudonymised": false
  },
  "adequacy_decision_applicable": false,
  "dpf_relied_upon": false,
  "blocked": false,
  "block_reason": null
}

Transfer mechanism types

type value	Description	Relevant GDPR Article
`adequacy`	Transfer to adequate country	Art. 45
`scc`	Standard Contractual Clauses	Art. 46(2)(c)
`bcr`	Binding Corporate Rules	Art. 47
`dpf`	EU-US Data Privacy Framework	Art. 45 (adequacy decision 2023)
`derogation`	Specific situation derogation	Art. 49
`blocked`	Transfer blocked — no valid mechanism	—

Implementation note: If dpf_relied_upon is true, implementations should expose a flag to mass-update all affected records in the event of a DPF invalidation (Schrems III scenario). Records relying on DPF should be queryable as a group.

4. ContextTrustAnnotation

Captures the trust state of an agent's context window at a point in time. Inspired by AgentLock v1.1's context trust model. Intended to be referenced by ToolCallEvents and HumanOversightRecords.

{
  "schema": "acm/context-trust-annotation/v0.1",
  "annotation_id": "cta_7c1a3e",
  "agent_id": "agt_7f3a9c",
  "session_id": "sess_9d2e4f",
  "evaluated_at": "2026-03-20T11:34:10Z",
  "trust_level": "degraded",
  "sources_in_context": [
    {
      "source_type": "external_document",
      "source_identifier": "cv_upload_20260320_candidate_88.pdf",
      "introduced_at": "2026-03-20T11:34:08Z",
      "trust_classification": "untrusted"
    },
    {
      "source_type": "internal_system",
      "source_identifier": "hr_database",
      "introduced_at": "2026-03-20T11:33:50Z",
      "trust_classification": "trusted"
    }
  ],
  "degradation_trigger": {
    "source_type": "external_document",
    "introduced_at": "2026-03-20T11:34:08Z",
    "reason": "unverified_external_content_entered_context"
  },
  "session_trust_persistent": true
}

Trust levels

Level	Meaning
`trusted`	All data in context originates from verified internal sources
`degraded`	At least one untrusted external source has entered context this session
`untrusted`	Context is primarily or entirely from external / unverified sources

session_trust_persistent: true means that once degraded, trust does not recover within the session — consistent with AgentLock v1.1 semantics.

5. HumanOversightRecord

Records a human review, intervention, or override of an agent decision. Required for EU AI Act Annex III systems under Art. 14. Should reference the ToolCallEvent that triggered the review.

{
  "schema": "acm/human-oversight-record/v0.1",
  "record_id": "hor_2b9f5a",
  "agent_id": "agt_7f3a9c",
  "event_ref": "evt_a3f81b",
  "reviewer": {
    "reviewer_id": "usr_hr_manager_42",
    "role": "HR Manager",
    "organization": "Acme Corp"
  },
  "review_triggered_by": "degraded_context_trust",
  "review_initiated_at": "2026-03-20T11:40:00Z",
  "review_completed_at": "2026-03-20T11:47:23Z",
  "agent_decision": {
    "decision_type": "candidate_shortlisted",
    "confidence_score": 0.87,
    "reasoning_summary": "Candidate meets 7 of 9 required criteria"
  },
  "reviewer_outcome": {
    "action": "overridden",
    "override_reason": "Candidate's gap year misclassified as unemployment",
    "final_decision": "candidate_shortlisted",
    "notes": "Agent reasoning was valid but factual error in CV parsing triggered manual correction."
  },
  "eu_ai_act_compliance": {
    "art_14_satisfied": true,
    "human_had_meaningful_control": true,
    "override_capability_tested": false
  }
}

review_triggered_by values

Value	Description
`degraded_context_trust`	ContextTrustAnnotation showed degraded/untrusted trust
`high_impact_decision`	Decision type mandates review per agent policy
`anomaly_detected`	Monitoring layer flagged unusual behaviour
`manual_request`	Human proactively requested review
`periodic_audit`	Scheduled sampling review

Event Relationships

AgentRecord
    └── ToolCallEvent (many per agent session)
            ├── ContextTrustAnnotation (one per evaluation)
            ├── DataTransferRecord (zero or many per call)
            └── HumanOversightRecord (zero or one per call)

A single HR screening session might produce:

1 AgentRecord (the agent, registered at deployment)
12 ToolCallEvents (each tool invocation in the session)
1 ContextTrustAnnotation (trust degraded when CV uploaded)
3 DataTransferRecords (calls to US-based LLM API, 3 times)
1 HumanOversightRecord (triggered by degraded trust on the final decision)

Together, these five records constitute a complete Art. 30 processing entry, an Art. 14 oversight log, and a Chapter V transfer audit trail — from a single agent session.

Implementation Guidance

Minimum viable implementation

A tool implementing this spec should, at minimum:

Emit ToolCallEvents with context_trust.level and outcome.decision_made populated
Emit DataTransferRecords for any call that routes personal data outside the EEA
Store records in an append-only, tamper-evident log

Interoperability

Tools may implement any subset of this model. Cross-tool interoperability is achieved by:

Using agent_id as the shared key across all records
Referencing related records by their IDs (event_ref, annotation_ref, oversight_record_ref)
Exposing records via a REST endpoint at /.well-known/acm/ on the implementing service

Suggested endpoint structure

GET /.well-known/acm/agents/{agent_id}           → AgentRecord
GET /.well-known/acm/events?agent_id=&from=&to=  → ToolCallEvent[]
GET /.well-known/acm/transfers?agent_id=          → DataTransferRecord[]
GET /.well-known/acm/oversight?agent_id=          → HumanOversightRecord[]

What This Spec Does Not Cover (v0.2 candidates)

Consent records and withdrawal events
Data subject access request (DSAR) workflow events
Agent-to-agent (A2A) delegation chains and inherited trust
Cryptographic signing of records (tamper evidence)
Retention and deletion schedules per record type
Mapping to specific national DPA reporting formats

Contributions and proposals for v0.2 are welcome via GitHub Issues.

Relationship to Existing Standards

This spec is designed to be complementary, not competing:

Standard / Framework	Relationship
GDPR Art. 30 (Records of Processing)	`AgentRecord` + `DataTransferRecord` together satisfy Art. 30(1) record requirements for AI agents
EU AI Act Art. 14 (Human Oversight)	`HumanOversightRecord` is a direct implementation artifact
A2A Protocol (Google)	`AgentRecord.a2a_card_url` links to A2A agent card; signed card data can extend this record
MCP (Anthropic)	`ToolCallEvent` maps to MCP tool call semantics; MCP server implementations can emit events natively
AgentLock v1.1	`ContextTrustAnnotation` formalises AgentLock's trust level concept as a loggable compliance record
OpenTelemetry	Record IDs and timestamps are compatible with OTel trace/span conventions for correlation

Version History

Version	Date	Summary
0.1	2026-03-20	Initial draft. Five core objects: AgentRecord, ToolCallEvent, DataTransferRecord, ContextTrustAnnotation, HumanOversightRecord.