AG-228: Regulatory Horizon Scanning Governance

2. Summary

Regulatory Horizon Scanning Governance requires that organisations continuously detect and assess new laws, regulatory guidance, technical standards, and supervisory expectations that affect AI agent governance. The regulatory landscape for AI is evolving at unprecedented speed — the EU AI Act, national implementing legislation, sector-specific guidance, supervisory expectations, and international standards are all in active development. An organisation that implements governance controls based on today's regulatory landscape and does not scan for changes will find itself non-compliant when new requirements take effect. Horizon scanning MUST be a systematic, documented, and accountable process that identifies upcoming changes, assesses their impact on the governance framework, and triggers adaptation before compliance deadlines arrive.

3. Example

Scenario A — Missed Regulatory Deadline Creates Immediate Non-Compliance: An organisation deploys AI agents in EU financial services. In March 2025, the European Banking Authority (EBA) publishes final guidelines on AI governance for credit institutions, with a compliance deadline of January 2026. The guidelines introduce 8 new requirements not covered by the organisation's existing governance framework, including mandatory real-time agent monitoring with a 15-minute alerting SLA. The organisation has no horizon scanning process. The guidelines are discovered in November 2025 — 2 months before the deadline — when a compliance analyst reads a trade press article. Implementation of the 8 requirements is estimated at 9 months. The organisation faces a choice: deploy non-compliant agents from January 2026 or suspend agent operations until the requirements are met.

What went wrong: No systematic process existed to detect new regulatory requirements. The guidelines were published 10 months before the deadline but discovered only 2 months before — leaving insufficient time for implementation. Consequence: Either regulatory non-compliance from January 2026 or suspension of agent operations, estimated revenue impact £1.8 million for a 7-month suspension.

Scenario B — Inconsistent Scanning Across Jurisdictions Creates Asymmetric Compliance: A multinational organisation deploys AI agents in the UK, EU, Singapore, and the US. The UK compliance team tracks FCA publications; the EU team tracks EU AI Act developments; the Singapore team tracks MAS guidance. No one tracks US state-level AI legislation. In July 2025, Colorado enacts an AI governance law requiring specific documentation and testing for high-risk AI decision-making systems, with a 6-month compliance deadline. The US-deployed agents are affected but no one in the organisation detects the requirement. The organisation's US operations become non-compliant in January 2026. The non-compliance is discovered when a US client's legal team asks for Colorado AI Act conformance evidence.

What went wrong: Horizon scanning was inconsistent across jurisdictions. Each regional team tracked its own primary regulator but no coordination mechanism existed to ensure comprehensive coverage, particularly for subnational legislation. Consequence: Non-compliance with Colorado AI Act, client contract at risk (worth £3.4 million annually), urgent remediation costing £280,000.

Scenario C — Standard Evolution Not Tracked Creates Framework Obsolescence: An organisation adopts the Agent Governance Standard at version 2.0. Over 18 months, the standard evolves: 12 new control dimensions are added, 5 existing controls are significantly revised, and the conformance scoring methodology is updated. The organisation does not track standard evolution because it views the standard as a static reference. At the next external assessment, the assessor uses the current version (which the organisation has not adopted) and identifies 17 conformance gaps — 12 from new controls and 5 from revised controls. The organisation disputes the assessment, arguing that it adopted v2.0 and should be assessed against v2.0. The assessor responds that the certification body requires assessment against the current version, and the organisation's failure to track standard evolution is itself a governance gap.

What went wrong: The organisation treated the governance standard as static and did not monitor for updates. Standard evolution is a form of regulatory change that requires the same horizon scanning discipline as legislative changes. Consequence: 17 conformance gaps at assessment, dispute with the certification body, 6-month remediation programme.

4. Requirement Statement

Scope: This dimension applies to every organisation operating governed AI agents, regardless of sector or jurisdiction. The scope covers four categories of regulatory change: (1) legislation — new laws and amendments to existing laws affecting AI governance; (2) regulatory guidance — guidelines, supervisory statements, and expectations published by regulators; (3) technical standards — updates to standards (including the Agent Governance Standard itself) referenced in the governance framework; (4) judicial and enforcement precedent — court decisions and regulatory enforcement actions that establish or modify compliance expectations. The scope covers the detection, assessment, communication, and response to changes across all categories and all jurisdictions where the organisation operates governed agents.

4.1. A conforming system MUST implement a documented horizon scanning process that systematically monitors for new and changed laws, regulatory guidance, technical standards, and supervisory expectations affecting AI agent governance, covering all jurisdictions where the organisation deploys governed agents.

4.2. A conforming system MUST assign accountability for horizon scanning to a named individual or team with defined responsibilities, sufficient authority to trigger governance framework changes, and a reporting line to the Board or risk committee.

4.3. A conforming system MUST perform impact assessments for identified regulatory changes within 30 days of detection, determining: which governance controls are affected, what changes are required to the governance framework, the compliance deadline, and the estimated implementation effort.

4.4. A conforming system MUST maintain a regulatory change register listing all identified changes with: source, date detected, impact assessment status, affected controls, compliance deadline, remediation plan, and current status.

4.5. A conforming system MUST escalate regulatory changes with compliance deadlines within 12 months to the Board or risk committee within 30 days of detection, as part of the reporting requirements under AG-225.

4.6. A conforming system MUST monitor for updates to the Agent Governance Standard itself, including new control dimensions, revised controls, scoring methodology changes, and profile updates, treating standard evolution with the same urgency as regulatory changes.

4.7. A conforming system SHOULD establish a scanning cadence of at least monthly for legislative and regulatory sources, and at least quarterly for standards and enforcement precedent.

4.8. A conforming system SHOULD participate in industry forums, regulatory consultations, and standards development processes to gain early visibility of upcoming changes before formal publication.

4.9. A conforming system MAY implement automated regulatory intelligence — using regulatory technology (RegTech) tools to automatically detect, classify, and preliminary-assess regulatory changes from monitored sources.

5. Rationale

The regulatory landscape for AI is in a period of intense development. The EU AI Act entered into force in 2024 with phased compliance deadlines through 2027. National implementing legislation is being drafted across EU member states. The UK, Singapore, Canada, Brazil, and numerous other jurisdictions are developing AI-specific regulations. US states are enacting AI laws at an accelerating pace. Sector-specific regulators (financial services, healthcare, critical infrastructure) are publishing AI governance guidance. International standards (ISO 42001, NIST AI RMF) are being updated. The Agent Governance Standard itself evolves as new control dimensions are added and existing controls are refined.

An organisation that does not systematically scan this landscape will be surprised by requirements it did not anticipate, deadlines it cannot meet, and compliance gaps it did not know existed. The cost of reactive compliance — discovering a requirement after or near its deadline — is typically 3-5x the cost of proactive compliance, because urgent implementation commands premium rates, shortcuts create technical debt, and regulatory penalties may apply for the non-compliant period.

Horizon scanning transforms compliance from reactive ("what do we need to fix?") to proactive ("what is coming and how do we prepare?"). It gives the organisation lead time to plan, budget, and implement changes before deadlines arrive. It enables the organisation to influence emerging regulation through consultation responses and industry engagement. And it ensures that the governance framework remains current rather than ossifying at the point of initial adoption.

6. Implementation Guidance

Horizon scanning should be implemented as a continuous process, not a periodic project. The process should have defined inputs (sources), processing (detection and assessment), outputs (register updates and impact reports), and feedback (implementation tracking).

Recommended patterns:

Multi-source monitoring matrix. Define a matrix of sources to monitor, organised by category and jurisdiction. Categories: legislation (government gazette, parliamentary proceedings), regulatory guidance (regulator websites, publication feeds), technical standards (ISO, NIST, industry consortia), enforcement (regulator enforcement databases, legal databases). Jurisdictions: all jurisdictions where the organisation deploys agents, plus jurisdictions likely to influence the regulatory direction (EU for global standard-setting, US for sector-specific regulation). Assign monitoring responsibility for each cell in the matrix. Review the matrix quarterly to add new sources and retire defunct ones.
Traffic-light impact classification. Classify identified regulatory changes using a traffic-light system: Red — material impact on the governance framework, compliance deadline within 12 months, requires immediate Board notification and remediation planning. Amber — moderate impact, compliance deadline 12-24 months out, requires governance committee review and budget allocation. Green — minor impact or no compliance deadline, requires governance team tracking and periodic review. This classification drives the urgency and escalation of the response.
Regulatory change pipeline. Treat regulatory changes like a software development pipeline: Detection (source monitoring identifies a change) → Triage (initial assessment of relevance and impact) → Impact Assessment (detailed analysis of affected controls, required changes, and implementation effort) → Planning (remediation plan with milestones and budget) → Implementation (changes to the governance framework) → Verification (conformance testing against the new requirement). Each stage has defined SLAs and accountability.
Early warning through engagement. Participate in regulatory consultations, industry working groups, and standards development committees. This provides visibility of upcoming changes months or years before formal publication. It also gives the organisation an opportunity to influence the final requirements based on practical implementation experience. Assign a named individual to lead regulatory engagement and report insights to the governance team.

Anti-patterns to avoid:

Reactive scanning. Discovering regulatory changes through incident response, client requests, or trade press articles rather than systematic monitoring. Reactive discovery provides insufficient lead time and creates compliance surprises.
Single-jurisdiction focus. Monitoring the primary regulator but ignoring secondary regulators, cross-border requirements, or subnational legislation. AI regulation is proliferating across jurisdictions; single-jurisdiction focus creates blind spots.
Scanning without assessment. Monitoring sources and collecting regulatory changes without performing impact assessments. A list of changes without impact analysis does not inform governance decisions.
Assessment without action. Performing impact assessments but not tracking remediation to completion. Impact assessments that produce reports but do not trigger implementation create a false sense of preparedness.

Maturity Model

Basic Implementation — A documented horizon scanning process exists with defined sources, scanning cadence (at least monthly for legislation and regulatory guidance), and accountable personnel. A regulatory change register is maintained with all identified changes and their impact assessment status. Changes with near-term deadlines are escalated to the Board. Standard evolution is monitored. Impact assessments are completed within 30 days.

Intermediate Implementation — Scanning covers all jurisdictions where agents are deployed, including subnational legislation. A multi-source monitoring matrix is maintained and reviewed quarterly. Impact classification (traffic-light or equivalent) drives escalation and response urgency. The regulatory change pipeline tracks changes from detection through implementation. The organisation participates in at least one regulatory consultation or industry forum. Horizon scanning outputs feed directly into Board reporting (AG-225).

Advanced Implementation — All intermediate capabilities plus: automated regulatory intelligence tools augment manual monitoring. Predictive horizon scanning identifies probable regulatory directions based on consultation documents, enforcement trends, and political developments. The organisation leads or contributes to industry standards development (including the Agent Governance Standard). Cross-organisation regulatory intelligence sharing provides broader visibility. The horizon scanning process is independently audited for coverage and effectiveness.

7. Evidence Requirements

Required artefacts:

Horizon scanning process documentation. Document defining: sources monitored, scanning cadence, accountable personnel, impact assessment methodology, escalation criteria, and review cadence.
Regulatory change register. Current register listing all identified regulatory changes with: source, detection date, classification, impact assessment status, affected controls, compliance deadline, remediation plan, and current status.
Impact assessment records. Completed impact assessments for all identified regulatory changes during the assessment period, showing: affected controls, required governance framework changes, implementation effort estimate, and compliance timeline.
Source monitoring matrix. The current matrix of monitored sources by category and jurisdiction, with monitoring responsibility assignments.
Escalation records. Records of regulatory changes escalated to the Board or risk committee, with the escalation timeline and Board response.
Standard evolution tracking records. Records demonstrating monitoring of the Agent Governance Standard's evolution, including new or revised control dimensions identified and impact assessed.

Retention requirements:

Regulatory change register and impact assessments: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Scanning Coverage Verification

Stimulus: Identify 5 regulatory changes published during the assessment period across different jurisdictions and categories (legislation, guidance, standards, enforcement). Verify that each was detected and recorded in the regulatory change register.
Expected behaviour: All 5 regulatory changes are present in the register with detection dates.
Pass criteria: All 5 changes are recorded. Detection dates are within 30 days of publication for legislation and regulatory guidance, within 60 days for standards and enforcement precedent.
Fail criteria: Any of the 5 changes is not recorded, or detection lag exceeds the defined thresholds.

Test 8.2: Impact Assessment Timeliness

Stimulus: Review all regulatory changes detected during the assessment period. Verify that impact assessments were completed within 30 days of detection.
Expected behaviour: Impact assessments are completed within 30 days.
Pass criteria: At least 90% of detected changes have impact assessments completed within 30 days. All Red-classified changes have assessments within 14 days.
Fail criteria: More than 10% of changes lack impact assessments at 30 days, or any Red-classified change lacks an assessment at 14 days.

Test 8.3: Escalation Compliance

Stimulus: Identify all regulatory changes with compliance deadlines within 12 months. Verify that each was escalated to the Board or risk committee within 30 days of detection.
Expected behaviour: Near-deadline changes are escalated per Requirement 4.5.
Pass criteria: 100% of changes with deadlines within 12 months were escalated within 30 days. Escalation records exist showing the recipient and date.
Fail criteria: Any qualifying change was not escalated within 30 days.

Test 8.4: Register Completeness and Accuracy

Stimulus: Review the regulatory change register for completeness of required fields: source, date detected, impact assessment status, affected controls, compliance deadline, remediation plan, and current status.
Expected behaviour: All register entries have all required fields populated.
Pass criteria: 100% of register entries have all required fields. No field contains placeholder or obviously incomplete data.
Fail criteria: Any register entry is missing required fields or contains placeholder data.

Test 8.5: Standard Evolution Monitoring

Stimulus: Verify that the organisation monitors updates to the Agent Governance Standard itself. Identify any standard updates published during the assessment period and verify they are recorded in the register with impact assessments.
Expected behaviour: Standard evolution is tracked with the same rigour as regulatory changes.
Pass criteria: All standard updates are recorded. Impact assessments identify affected controls and required framework changes.
Fail criteria: Standard updates are not tracked, or tracked without impact assessment.

Test 8.6: Accountability Assignment Verification

Stimulus: Verify that horizon scanning accountability is assigned to a named individual or team with documented responsibilities and a reporting line to the Board or risk committee.
Expected behaviour: Accountability is formally assigned and documented.
Pass criteria: A named individual or team is designated with documented responsibilities. The reporting line to the Board or risk committee is documented and functional (evidenced by reporting records).
Fail criteria: No formal accountability assignment exists, or the assigned individual/team has no documented responsibilities or reporting line.

Conformance Scoring

Score 0: No horizon scanning — regulatory changes are discovered reactively through incidents, client requests, or ad hoc reading.
Score 1: Some monitoring exists but is informal, inconsistent across jurisdictions, and does not include impact assessment, escalation, or register management. Standard evolution is not tracked.
Score 2: Systematic horizon scanning with defined sources, cadence, and accountability. A regulatory change register tracks all changes with impact assessments. Escalation to the Board is defined and followed. Standard evolution is monitored. All jurisdictions with deployed agents are covered.
Score 3: Verified by independent audit — an independent party has validated scanning coverage, impact assessment timeliness, and escalation compliance. Automated regulatory intelligence augments manual monitoring. The organisation participates in standards development and regulatory consultations. Predictive horizon scanning identifies probable regulatory directions.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9(9) (Risk Management — Monitoring Changes)	Direct requirement
EU AI Act	Article 82 (Transitional Provisions)	Supports compliance
ISO 42001	Clause 4.1 (Understanding the Organisation and Its Context)	Direct requirement
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance
FCA SYSC	6.1.1R (Adequate Policies and Procedures)	Supports compliance
DORA	Article 5(4) (ICT Risk Management — Keep Up to Date)	Direct requirement
NIST AI RMF	GOVERN 1.1 (Legal and Regulatory Awareness)	Direct requirement
SOX	Section 404 (Internal Controls — Ongoing Assessment)	Supports compliance

EU AI Act — Article 9(9)

Article 9(9) requires that the risk management system for high-risk AI systems is regularly and systematically updated to reflect changes in the regulatory environment, state of the art, and operational conditions. AG-228 provides the horizon scanning mechanism that detects regulatory environment changes, triggering the risk management system updates required by Article 9(9).

DORA — Article 5(4)

Article 5(4) requires financial entities to keep their ICT risk management framework up to date in light of developments in their ICT environment, regulatory requirements, and industry best practices. For AI agents in financial services, this includes monitoring for AI-specific regulatory developments. AG-228 implements this ongoing monitoring requirement.

NIST AI RMF — GOVERN 1.1

GOVERN 1.1 requires organisations to be aware of legal and regulatory requirements relevant to AI risk management. AG-228 provides the systematic process for maintaining this awareness as the legal and regulatory landscape evolves.

ISO 42001 — Clause 4.1

Clause 4.1 requires the organisation to determine external issues relevant to the AI management system. Regulatory developments are a primary category of external issues. AG-228 provides the mechanism for continuously identifying and assessing regulatory developments that affect the AI management system.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — affects compliance posture across all jurisdictions and all governed agents

Consequence chain: Without horizon scanning governance, the organisation operates with an outdated understanding of its regulatory obligations. The immediate failure mode is compliance surprise — discovering a requirement after or near its compliance deadline, leaving insufficient time for implementation. The downstream consequence is a forced choice between non-compliance (operating without meeting the new requirement) and disruption (suspending agent operations until the requirement is met). In regulated sectors, non-compliance triggers enforcement action, fines, and reputational damage. The cost of reactive compliance (urgent implementation at premium rates with shortcuts) is typically 3-5x proactive compliance. The ultimate business consequence is a governance framework that falls progressively further behind the regulatory landscape, creating an accumulating compliance debt that becomes increasingly expensive and disruptive to resolve.

Cross-references: AG-158 (Standard Evolution and Emergency Update) governs how the Agent Governance Standard itself evolves; AG-228 ensures the organisation detects those evolutions. AG-225 (Board and Risk Committee Reporting Governance) receives horizon scanning outputs for Board reporting. AG-222 (Conformance Profile Governance) is updated when regulatory changes affect conformance requirements. AG-219 (Control Taxonomy Governance) is updated when new controls are added in response to regulatory changes. AG-224 (Residual Risk Acceptance Governance) may receive new residual risks identified through regulatory gap analysis.

Cite this protocol

AgentGoverning. (2026). AG-228: Regulatory Horizon Scanning Governance. The 783 Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-228

← Previous Protocol

AG-227

Assurance Sampling Governance

Next Protocol →

AG-229

Jurisdictional Applicability Mapping Governance