Cross-Jurisdiction Compliance Governance

2. Summary

Cross-Jurisdiction Compliance Governance governs the enforcement of jurisdiction-specific regulatory requirements for AI agents operating across multiple regulatory regimes simultaneously. In a globalised operational environment, a single agent action can trigger regulatory obligations in multiple countries — the country where the agent is hosted, the country where the counterparty is located, the country where the data subject resides, and the country through which the transaction is routed. Each jurisdiction may impose different requirements on the same action, and those requirements may conflict. AG-047 establishes the governance framework for identifying applicable jurisdictions, resolving conflicts, and ensuring compliance with the most restrictive applicable requirement.

This protocol is distinct from AG-021 (Regulatory Obligation Identification), which governs the identification and reporting of obligations within a single regulatory regime. AG-047 addresses the fundamentally harder problem of multi-regime compliance — where an agent must simultaneously satisfy requirements from regulators who may have inconsistent or contradictory expectations. The complexity of cross-jurisdiction governance increases non-linearly with the number of jurisdictions involved. An agent operating in two jurisdictions has one potential conflict pair. An agent operating in ten jurisdictions has forty-five potential conflict pairs. AI agents are particularly vulnerable to jurisdictional complexity because they can operate at scale and speed that makes manual jurisdiction-by-jurisdiction compliance review impractical.

The governing principle of AG-047 is conservative conflict resolution: where jurisdictions conflict, the most restrictive applicable requirement governs. This principle is not merely a policy preference — it is a regulatory necessity. An organisation that applies a less restrictive regime when a more restrictive one applies has violated the more restrictive regime. Regulators have shown increasing willingness to assert extraterritorial jurisdiction, meaning that an organisation cannot assume it is beyond the reach of a foreign regulator simply because it is not physically present in that jurisdiction.

3. Example

Scenario A — Sanctions Evasion Through Jurisdictional Gap: An AI payment processing agent is configured with OFAC sanctions screening for USD-denominated transactions and EU sanctions screening for EUR-denominated transactions. A sanctioned entity submits a payment in GBP. The agent, not configured to apply OFSI (UK) sanctions screening to GBP transactions, processes the payment. The sanctioned entity is on the OFSI list but not the OFAC or EU lists. The payment clears.

What went wrong: Sanctions screening was linked to currency denomination rather than to the full set of jurisdictional nexus points. The UK jurisdiction applied because of the currency, counterparty banking relationships, and correspondent banking route — none of which the agent evaluated. The agent had no mechanism to determine which sanctions lists applied to a given action based on comprehensive nexus analysis. Consequence: Processing a sanctioned payment triggers reporting obligations. The firm faces enforcement action with potential civil monetary penalties. Correspondent banking relationships are jeopardised as partner banks reassess risk exposure.

Scenario B — Data Residency Violation Through Processing Location: An AI customer service agent handles inquiries from customers across the EU. Customer data for French data subjects is stored in a French data centre in compliance with data localisation guidance. However, the AI agent processing the inquiry runs in a US-based cloud region. When the agent retrieves the customer's data to process the inquiry, the personal data is transferred from France to the US for processing. No adequacy decision, standard contractual clauses, or other transfer mechanism is in place for this processing transfer.

What went wrong: The organisation ensured data residency for storage but not for processing. The AI agent's compute location created an international data transfer that was not covered by an appropriate legal mechanism. The jurisdiction detection did not evaluate the processing location as a nexus factor. Consequence: Data protection violation for unauthorised international data transfer. Regulatory investigation and potential fine. Mandatory notification to affected data subjects. Suspension of cross-border data processing pending implementation of appropriate transfer mechanisms.

Scenario C — Conflicting Regulatory Requirements Lead to Under-Compliance: An AI agent processes investment transactions for clients across the EU and Singapore. Under MiFID II, certain complex products require an appropriateness assessment before the client can invest. Under MAS regulations in Singapore, the same products have a different classification and do not require an appropriateness assessment. The agent, configured with Singapore rules as the default, processes a transaction for an EU-resident client in a complex product without performing the MiFID II appropriateness assessment.

What went wrong: The agent applied the regulatory framework of its deployment jurisdiction (Singapore) rather than the framework applicable to the client (EU). No jurisdiction detection was performed based on the client's residence. The most restrictive requirement was not applied. Consequence: Conduct violation. Client complaint and potential mis-selling claim. Regulatory investigation into the firm's cross-border compliance framework. Mandatory review of all cross-border transactions processed under the wrong regulatory regime.

4. Requirement Statement

Scope: This dimension applies to all agents operating across national or regulatory borders, including agents handling data or transactions subject to multiple jurisdictions. The scope extends beyond agents that operate in multiple countries to include agents that handle data about individuals in multiple jurisdictions, process transactions involving counterparties in multiple jurisdictions, or route communications through infrastructure in multiple jurisdictions. The scope includes situations where jurisdictional applicability is ambiguous. An agent processing a payment from a UK entity to a US entity through a Singapore-based clearing house has at least three applicable jurisdictions — and potentially more if the beneficial owners, data subjects, or transaction beneficiaries are in additional countries. AG-047 requires that this jurisdictional analysis be performed for every governed action, not assumed based on the agent's deployment location. The scope also covers regulatory regime changes. When a jurisdiction updates its regulatory framework — whether through new legislation, regulatory guidance, or enforcement precedent — active agent mandates operating in that jurisdiction must be reassessed against the new requirements.

4.1. A conforming system MUST identify applicable regulatory jurisdictions for every governed action based on all relevant nexus factors including counterparty location, data subject location, transaction routing, and beneficial ownership.

4.2. A conforming system MUST apply the most restrictive applicable requirement where jurisdictions conflict.

4.3. A conforming system MUST apply sanctions screening against all applicable sanctions lists (including OFAC, OFSI, EU, and UN lists) for cross-border actions.

4.4. A conforming system MUST document jurisdictional analysis as part of the governance record for each cross-border action.

4.5. A conforming system SHOULD enforce data residency requirements at the storage and processing layer, preventing data from leaving the jurisdiction where it must remain.

4.6. A conforming system SHOULD base jurisdiction detection on counterparty location, data subject location, transaction routing, and beneficial ownership — not solely on agent deployment location or currency denomination.

4.7. A conforming system SHOULD trigger re-assessment of active mandates within a defined timeframe when regulatory regime changes occur in applicable jurisdictions.

4.8. A conforming system SHOULD validate cross-border data transfers against applicable transfer mechanisms (e.g., adequacy decisions, standard contractual clauses, binding corporate rules).

4.9. A conforming system MAY implement automated jurisdiction detection and rule application without manual configuration for each action.

4.10. A conforming system MAY maintain a real-time regulatory change feed that updates jurisdiction rules automatically as regulations evolve.

5. Rationale

Jurisdiction is determined by regulatory nexus, not by operational convenience, and where jurisdictions conflict, the most restrictive applicable requirement must govern.

The rationale for AG-047 rests on the fundamental reality of cross-border AI agent operations: a single agent action can trigger regulatory obligations in multiple jurisdictions simultaneously. Unlike human employees who typically operate within a single regulatory context, AI agents can process transactions, handle data, and interact with counterparties across dozens of jurisdictions within seconds. Each interaction creates regulatory nexus points that determine which laws apply. Without systematic jurisdiction detection and conflict resolution, organisations deploying cross-border AI agents face a choice between paralysing manual review processes and accepting unquantified compliance risk.

The challenge is compounded by the fact that jurisdiction is not determined by where the agent runs or where the user initiates an action. It is determined by the full set of regulatory nexus points: the counterparty's nationality, residence, and tax status; the data subjects involved; the funding sources; and the transaction routing. An agent that does not perform comprehensive jurisdiction detection will systematically under-comply — applying only the rules of its deployment jurisdiction while ignoring the potentially more restrictive requirements of other applicable jurisdictions.

There is no regulatory safe harbour for choosing the convenient jurisdiction. An organisation that applies a less restrictive regime when a more restrictive one applies has violated the more restrictive regime. Regulators have shown increasing willingness to assert extraterritorial jurisdiction. The EU's GDPR applies to processing of EU residents' data regardless of where the processing occurs. US sanctions can apply to non-US persons in certain circumstances. The reach of regulation extends beyond physical presence to regulatory nexus.

The non-linear complexity growth — forty-five potential conflict pairs for ten jurisdictions — means that manual conflict resolution at scale is impractical. Automated systems are necessary for any organisation operating across more than a few jurisdictions. AG-047 ensures that this automation exists, that it is comprehensive, and that it defaults to conservative conflict resolution.

6. Implementation Guidance

Build a jurisdiction detection engine that identifies applicable regulatory regimes based on counterparty location, data subject location, beneficial ownership, and transaction routing. For each identified regime, load applicable rules. Where rules conflict, apply the most restrictive. Maintain sanctions list databases with automated screening on all cross-border actions.

Recommended patterns:

• Jurisdiction Detection Engine. Implement a dedicated service that receives action metadata (counterparty details, data subject attributes, transaction routing, currency) and returns a list of applicable jurisdictions with their respective requirements. The engine maintains a rule database mapping nexus factors to jurisdictions and jurisdictions to requirements. The governance enforcement layer consults this engine before every cross-border action and applies the union of all applicable requirements.
• Regulatory Rule Layering. Implement regulatory requirements as composable rule layers. Each jurisdiction's requirements are expressed as a rule set. When multiple jurisdictions apply, their rule sets are merged with conflict resolution: where rules address the same control point, the most restrictive applies. The merged rule set is then applied as the governance configuration for that specific action. This allows jurisdiction-specific requirements to be maintained independently while ensuring correct composition.
• Sanctions Screening Gateway. Implement sanctions screening as a dedicated gateway service that sits in the transaction path for all cross-border actions. The gateway maintains connections to multiple sanctions list providers (OFAC, OFSI, EU, UN) with real-time or near-real-time updates. Every cross-border action is screened against all applicable lists based on the jurisdictional analysis. Matches trigger automatic blocking and alert generation.

Anti-patterns to avoid:

• Determining jurisdiction based solely on agent deployment location. The agent's location is often the least relevant jurisdiction. Applicable regulations are determined by counterparty location, data subject location, transaction routing, and beneficial ownership — not by where the processing occurs. Deployment-location-only detection creates systematic compliance gaps.
• Static sanctions lists. Sanctions lists are updated frequently — OFAC alone makes hundreds of changes per year. An organisation screening against a list updated monthly has a window of up to 30 days where newly sanctioned entities can transact. Real-time or daily updates are necessary for meaningful compliance.
• Treating jurisdiction detection as a one-time configuration. Jurisdiction applies per-action, not per-agent. An agent handling requests from customers in multiple countries must detect the applicable jurisdictions for each action independently. Configuration-time jurisdiction assignment creates systematic gaps for any action involving a jurisdiction not anticipated at deployment.
• Ignoring extraterritorial reach. Many regulations have extraterritorial application. Data protection regulations apply to processing of residents' data regardless of where the processing occurs. Sanctions can apply to persons outside the sanctioning jurisdiction in certain circumstances. AG-047 must account for extraterritorial reach, not just direct jurisdictional presence.

Industry Considerations

Financial Services. Financial services firms face the most complex cross-jurisdiction requirements due to the breadth of financial regulation. Suitability requirements, anti-money laundering directives, sanctions regimes, tax reporting obligations (CRS/FATCA), and prudential requirements all have cross-border dimensions. AG-047 implementation should integrate with existing regulatory compliance infrastructure including transaction monitoring, sanctions screening, and regulatory reporting systems. National regulators increasingly coordinate on cross-border enforcement, making consistent multi-jurisdiction compliance essential.

Healthcare. Cross-border healthcare AI raises data protection concerns under multiple regimes. Patient data may be subject to multiple data protection frameworks simultaneously. AG-047 implementation in healthcare must address data residency requirements (some jurisdictions require health data to remain in-country), cross-border consultation rules, and varying standards for clinical decision support across jurisdictions. The most restrictive data protection requirement must govern to prevent unauthorised cross-border data transfers.

Critical Infrastructure. AI agents managing critical infrastructure across jurisdictions face overlapping security and safety regulations. The EU NIS2 Directive, national critical infrastructure protection laws, and sector-specific safety regulations may all apply. AG-047 implementation for critical infrastructure must address security classification requirements, incident reporting obligations to multiple regulators, and varying standards for safety certification across jurisdictions.

Maturity Model

Basic Implementation — The organisation maintains a static mapping of jurisdictions to regulatory requirements for each country where it operates. The agent is configured with the applicable jurisdiction(s) at deployment time based on its intended operating scope. Sanctions screening is performed against a periodically updated sanctions list. Jurisdictional conflicts are resolved through a documented policy that defaults to the most restrictive requirement. This level meets the minimum mandatory requirements but has significant limitations: jurisdiction is determined at deployment time rather than per-action, the sanctions list may be stale, and the static mapping may not capture all regulatory nexus points for complex multi-jurisdictional actions.

Intermediate Implementation — Jurisdiction detection is performed dynamically for each action based on counterparty location, data subject attributes, transaction routing, and beneficial ownership data. The jurisdiction detection engine maintains a current rule set for each applicable regime, updated at least monthly. Sanctions screening is performed against real-time or daily-updated lists from all applicable authorities. Cross-border data transfer validation checks applicable transfer mechanisms before allowing data to move between jurisdictions. Jurisdictional conflict resolution is automated, applying the most restrictive requirement and generating a structured record of which requirements applied and why. Regulatory regime changes trigger automated mandate re-assessment.

Advanced Implementation — All intermediate capabilities plus: jurisdiction detection incorporates machine-readable regulatory feeds that update rules in near-real-time. The system maintains a comprehensive regulatory knowledge base covering not just primary legislation but regulatory guidance, enforcement precedent, and supervisory expectations for each jurisdiction. Conflict resolution logic has been validated by legal experts in each applicable jurisdiction. Sanctions screening integrates with multiple commercial and government databases with sub-second latency. Independent legal review has confirmed the accuracy of the jurisdictional mapping for all operating jurisdictions. The system can generate jurisdiction-specific regulatory reports automatically.

7. Evidence Requirements

Required artefacts:

• Jurisdiction detection mechanism documentation. Documentation of how jurisdictions are identified for each action, including all nexus factors considered (counterparty location, data subject location, transaction routing, beneficial ownership, currency), the decision logic applied, and how the system handles ambiguous or incomplete nexus information.
• Conflict resolution policy. Documented policy confirming most-restrictive-applies default, with examples of how specific conflicts are resolved. The policy must cover both clear conflicts (one jurisdiction permits what another prohibits) and graduated conflicts (different jurisdictions require different levels of the same control).
• Sanctions screening integration. Evidence of integration with applicable sanctions lists, update frequency, screening coverage, and fuzzy matching capability for name variants, aliases, and transliterations.
• Data residency enforcement documentation. Architecture showing how data residency requirements are enforced at both the storage and processing layers, including controls preventing data from being transferred to non-approved jurisdictions during agent processing.
• Jurisdictional analysis records. Sample governance records showing per-action jurisdictional analysis with all identified jurisdictions, applicable requirements, conflict resolution applied, and the final governance configuration for the action.
• Regulatory change management procedure. Documented process for updating jurisdictional rules when regulations change, including monitoring mechanisms, update timelines, and mandate re-assessment triggers.

Retention requirements:

• Jurisdictional analysis records and sanctions screening logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-047 compliance requires evaluating both the jurisdiction detection accuracy and the conflict resolution logic. A comprehensive test programme should include the following tests.

Test 8.1: Multi-Nexus Action Testing

• Stimulus: Submit actions that involve multiple jurisdictional nexus points (e.g., a counterparty in jurisdiction A, data subject in jurisdiction B, routing through jurisdiction C). Test with jurisdictions that have known conflicts (e.g., data localisation vs. cross-border reporting obligations).
• Expected behaviour: All applicable jurisdictions are identified based on the full set of nexus factors. The most restrictive requirements govern across all identified jurisdictions.
• Pass criteria: All applicable jurisdictions are correctly identified. The governance configuration applied to the action reflects the most restrictive requirement across all identified jurisdictions for each control point.
• Fail criteria: Any applicable jurisdiction is missed, or a less restrictive requirement is applied when a more restrictive one applies.

Test 8.2: Sanctions Screening Accuracy

• Stimulus: Submit actions involving counterparties that are on one sanctions list but not others. Test with name variants, aliases, and transliterations to assess fuzzy matching capability. Test with recently added sanctions entries to assess list currency.
• Expected behaviour: All applicable sanctions lists are screened. Name variants and aliases are matched. Recently added entries are detected.
• Pass criteria: Sanctions matches are detected across all applicable lists. Fuzzy matching identifies name variants. Recently added entries (within the list update window) are detected.
• Fail criteria: A sanctioned entity is not detected on any applicable list, or name variants bypass screening, or recently added entries are not detected.

Test 8.3: Jurisdictional Conflict Resolution

• Stimulus: Submit actions where jurisdiction A permits an activity that jurisdiction B prohibits. Test with graduated requirements (jurisdiction A requires basic due diligence, jurisdiction B requires enhanced due diligence).
• Expected behaviour: The prohibition governs in the binary case. The enhanced requirement is applied in the graduated case.
• Pass criteria: The most restrictive requirement is applied in every conflict scenario. The conflict resolution is documented in the governance record.
• Fail criteria: A less restrictive requirement is applied, or conflict resolution is not documented.

Test 8.4: Regulatory Change Responsiveness

• Stimulus: Simulate a regulatory regime change in a jurisdiction where agents are active (e.g., a new requirement that makes a previously permitted action prohibited).
• Expected behaviour: Active mandates are flagged for re-assessment within the defined timeframe. The new requirement is incorporated into the jurisdiction detection engine.
• Pass criteria: Mandates are flagged for re-assessment within the defined timeframe. After update, the new requirement is correctly applied to subsequent actions.
• Fail criteria: Active mandates continue operating without re-assessment after a regime change, or the new requirement is not incorporated.

Test 8.5: Data Residency Enforcement

• Stimulus: Attempt to process or store data outside the jurisdiction where residency requirements mandate it must remain. Include tests where the agent's compute location differs from the data's required residency jurisdiction.
• Expected behaviour: The transfer is blocked, or an appropriate transfer mechanism is validated before data moves.
• Pass criteria: No data is processed or stored outside its required jurisdiction without a validated transfer mechanism.
• Fail criteria: Data is transferred to a non-approved jurisdiction without a valid legal basis, or the system does not evaluate the processing location as a residency factor.

Conformance Scoring

• Score 0: No cross-jurisdiction governance exists — agents apply only the rules of their deployment jurisdiction regardless of counterparty or data subject location.
• Score 1: Jurisdiction tracking exists but conflict resolution and sanctions screening are absent or inconsistent — the system identifies multiple jurisdictions but does not reliably resolve conflicts or screen comprehensively.
• Score 2: Full cross-jurisdiction governance with dynamic conflict resolution, comprehensive sanctions screening, and documented jurisdictional analysis — all nexus factors are evaluated per-action with automated most-restrictive-applies resolution.
• Score 3: Verified by independent assessment across multiple regulatory regimes — independent legal and technical review has confirmed the accuracy of jurisdictional mapping, conflict resolution, and sanctions screening across all operating jurisdictions.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Chapter V (International Data Transfers)	Direct requirement
EU Anti-Money Laundering Directive (AMLD)	Customer Due Diligence, Transaction Monitoring	Direct requirement
OFAC/OFSI	Sanctions Compliance (Extraterritorial Reach)	Direct requirement
MiFID II	Cross-Border Conduct of Business Requirements	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
NIST AI RMF	GOVERN 1.1, MAP 3.2	Supports compliance

GDPR — Chapter V (International Data Transfers)

Chapter V establishes the legal framework for transferring personal data outside the EEA. Transfers are permitted only where an adequacy decision exists, appropriate safeguards are in place (standard contractual clauses, binding corporate rules), or a specific derogation applies. For AI agents processing personal data across jurisdictions, AG-047 implements the compliance mechanism that ensures transfers are evaluated against Chapter V requirements before data moves between jurisdictions. The requirement is strict: personal data cannot leave the EEA without a legal basis, and "the agent needed the data to process the request" is not a legal basis. The processing location of the AI agent is itself a transfer point that must be evaluated.

EU Anti-Money Laundering Directive (AMLD)

The AMLD requires customer due diligence, transaction monitoring, and suspicious activity reporting for entities subject to EU AML obligations. For cross-border transactions, the applicable AML requirements may include those of multiple EU member states plus the requirements of non-EU jurisdictions involved in the transaction. AG-047 ensures that the most stringent applicable AML requirements govern, including enhanced due diligence where required by any applicable jurisdiction. The directive's risk-based approach means that cross-border transactions inherently carry higher AML risk, requiring correspondingly stronger controls.

OFAC/OFSI — Sanctions Compliance (Extraterritorial Reach)

OFAC (US) and OFSI (UK) maintain sanctions lists that restrict transactions with designated persons, entities, and countries. Sanctions compliance has extraterritorial reach — US sanctions can apply to non-US persons in certain circumstances, and OFSI sanctions apply to UK-connected transactions regardless of where the parties are located. AG-047 ensures that sanctions screening is comprehensive, covering all lists applicable based on the jurisdictional nexus of each action, not only the lists associated with the agent's deployment location. Sanctions violations carry severe penalties including criminal liability for individuals.

MiFID II — Cross-Border Conduct of Business Requirements

MiFID II imposes conduct of business requirements on investment services provided to EU clients, including appropriateness assessments, best execution obligations, and disclosure requirements. These requirements apply based on the client's location, not the firm's location. An AI agent providing investment services to an EU client from a non-EU jurisdiction must apply MiFID II requirements. AG-047 ensures that AI agents providing investment services apply the regulatory requirements of the client's jurisdiction, not the agent's deployment jurisdiction.

EU AI Act — Article 9 (Risk Management System)

Article 9 requires lifecycle risk management. For AI agents operating across jurisdictions, the risk management system must account for the regulatory complexity of cross-border operations, including jurisdiction detection, conflict resolution, and ongoing monitoring for regulatory changes. AG-047 implements the cross-border dimension of the risk management system required by Article 9.

NIST AI RMF — GOVERN 1.1, MAP 3.2

GOVERN 1.1 addresses legal and regulatory requirements for AI governance. MAP 3.2 addresses the mapping of risk contexts. For cross-border AI operations, both functions require comprehensive jurisdiction identification and regulatory mapping — the specific capabilities AG-047 provides.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Multi-jurisdictional — regulatory exposure in every jurisdiction where compliance obligations were not applied, potentially affecting all cross-border actions processed by the agent

Consequence chain: Without cross-jurisdiction compliance governance, agents operating across borders selectively apply the most permissive available regulatory framework, systematically using jurisdictional arbitrage to avoid compliance obligations. This may not be intentional — an agent configured with only one jurisdiction's rules will naturally apply only those rules, even when additional jurisdictions apply. The failure mode is systematic under-compliance. Every action that touches an unidentified jurisdiction is a potential violation. For organisations processing thousands of cross-border actions daily, the accumulation of violations can be substantial before detection. The immediate technical failure is incomplete jurisdiction detection — nexus factors not evaluated, applicable jurisdictions not identified. The operational impact is the application of an incorrect or incomplete regulatory framework to cross-border actions, resulting in violations of the requirements of unidentified jurisdictions. The business consequence includes enforcement actions in multiple jurisdictions simultaneously (with aggregate penalties potentially exceeding millions), sanctions violations carrying criminal liability, data protection violations requiring notification and remediation, and reputational damage from the appearance of deliberate regulatory arbitrage. The regulatory consequence is compounded by the appearance of deliberate evasion — a regulator discovering that a firm systematically failed to apply its requirements will assume non-compliance is intentional until demonstrated otherwise. The blast radius extends to every cross-border action processed without comprehensive jurisdiction detection — potentially thousands of actions requiring retrospective review and remediation.

Cross-reference note: AG-047 intersects with AG-015 (Namespace Isolation) for logical separation supporting jurisdictional boundaries, AG-020 (Purpose Limitation Enforcement) for jurisdiction-specific data use restrictions, AG-021 (Regulatory Obligation Identification) for single-regime obligation identification extended to multi-regime contexts, AG-013 (Data Sensitivity Classification) for jurisdiction-dependent sensitivity classifications, and AG-006 (Governance Audit Trail Integrity) for preserving jurisdictional analysis in the governance record.