Jurisdictional Applicability Mapping Governance

2. Summary

Jurisdictional Applicability Mapping Governance requires that every AI agent deployment resolves, at action time, which legal regimes attach to the specific deployment context, user location, market of operation, and data flow path — and constrains the agent's behaviour to the intersection of all applicable legal obligations. Without this mapping, an agent operating across borders will inevitably violate at least one jurisdiction's requirements because it cannot know which rules apply. This dimension ensures that jurisdictional determination is structural and pre-computed, not left to the agent's reasoning about legal applicability.

3. Example

Scenario A — Data Residency Violation Through Unresolved Jurisdiction: A European financial services firm deploys a customer-facing AI agent that serves clients across the EU, UK, and Switzerland. The agent processes customer queries by routing them to a central inference cluster hosted in the United States. A German customer submits a query containing personal financial data. The agent processes the query in the US cluster without evaluating whether the data flow is permissible under GDPR Article 45 (adequacy decisions) or Article 46 (appropriate safeguards). The German data protection authority (BfDI) receives a complaint and determines that the personal data transfer lacked a valid legal basis. The firm receives a fine of EUR 4.2 million — 1.8% of its German subsidiary's annual turnover.

What went wrong: The system had no jurisdictional mapping layer that resolved, at request time, which data protection regime applied to the customer based on their location. The inference routing was purely technical (lowest latency) rather than legally constrained. No pre-execution check evaluated whether the proposed data flow was permissible under the applicable regime. Consequence: EUR 4.2 million fine, mandatory data flow remediation within 90 days, reputational damage across the EU market, and suspension of AI-assisted services pending architectural review.

Scenario B — Conflicting Consumer Protection Obligations: A crypto/Web3 agent provides automated trading recommendations to users across multiple jurisdictions. The agent treats all users identically regardless of location. A retail user in the UK receives a leveraged trading recommendation that complies with US regulations but violates the FCA's restrictions on retail crypto derivatives (PS 20/10). The FCA identifies 340 UK retail users who received non-compliant recommendations over a 6-month period. The firm faces enforcement action for breaching the FCA's prohibition on marketing crypto derivatives to UK retail consumers.

What went wrong: The agent had no mechanism to determine that the UK user was subject to FCA jurisdiction and that FCA rules are materially more restrictive than US rules for crypto derivatives. The jurisdictional mapping was absent — the agent applied a single rule set globally. Consequence: FCA enforcement action, requirement to contact all 340 affected users, potential compensation payments estimated at GBP 1.7 million, and a 12-month restriction on new UK retail onboarding.

Scenario C — Multi-Jurisdiction Tax Withholding Error: An enterprise workflow agent processes cross-border payments between a US parent company and subsidiaries in India, Ireland, and Brazil. The agent applies a flat 15% withholding rate to all payments based on the OECD Pillar Two minimum rate, without evaluating the specific double taxation treaties between the US and each country. India's treaty rate for royalties is 10%, Ireland's is 0% for certain payment types under the US-Ireland treaty, and Brazil's is 15% but with specific documentation requirements. The agent over-withholds from India (losing the subsidiary cash flow), under-documents for Brazil (creating a compliance exposure), and correctly withholds for Ireland only by coincidence.

What went wrong: The agent applied a single global rate instead of resolving the specific treaty applicable to each bilateral payment flow. The jurisdictional mapping for tax treatment was absent, replaced by a simplistic global assumption. Consequence: USD 230,000 in excess withholding from India requiring refund applications (12-18 month recovery), Brazilian tax authority audit for insufficient documentation, and internal audit finding of inadequate tax controls.

4. Requirement Statement

Scope: This dimension applies to every AI agent that operates in, serves users in, processes data from, or produces outputs directed at more than one legal jurisdiction — or that operates in a single jurisdiction but processes data originating from or directed to other jurisdictions. It also applies to agents operating within a single jurisdiction where the applicable legal regime depends on factors such as user type (retail vs. professional), product type (regulated vs. unregulated), or transaction type (domestic vs. cross-border). The scope extends to agents whose outputs are consumed by downstream systems that operate across jurisdictions: even if the agent itself operates in one jurisdiction, if its output feeds a cross-border process, the jurisdictional constraints on that process attach to the agent's output. The test is not where the agent's compute runs, but where the legal consequences of the agent's actions materialise.

4.1. A conforming system MUST maintain a structured, machine-readable jurisdictional rule registry that maps each jurisdiction to its applicable legal obligations, restrictions, and requirements relevant to the agent's operational domain.

4.2. A conforming system MUST resolve, at action time, the complete set of jurisdictions applicable to each agent action based on user location, data origin, data destination, service market, entity of incorporation, and any other legally relevant nexus point.

4.3. A conforming system MUST constrain agent behaviour to the intersection of all applicable jurisdictional requirements — where jurisdictions conflict, the most restrictive applicable requirement MUST govern unless a specific legal basis permits otherwise.

4.4. A conforming system MUST block agent actions where the applicable jurisdiction cannot be determined, rather than defaulting to the least restrictive rule set.

4.5. A conforming system MUST update the jurisdictional rule registry within a defined period (not exceeding 30 calendar days) following the enactment, amendment, or repeal of a relevant legal obligation in any mapped jurisdiction.

4.6. A conforming system MUST log, for each agent action, the jurisdictions resolved, the rules applied, and the resolution logic path, in sufficient detail to demonstrate compliance to a regulator in any applicable jurisdiction.

4.7. A conforming system SHOULD resolve jurisdictional applicability using authoritative data sources (e.g., IP geolocation verified against account registration country, regulatory status databases, treaty registries) rather than user self-declaration alone.

4.8. A conforming system SHOULD support jurisdiction-specific behavioural profiles that can be activated or deactivated without modifying the agent's core logic, enabling rapid compliance with new jurisdictional requirements.

4.9. A conforming system SHOULD implement automated conflict detection that identifies when two or more applicable jurisdictions impose contradictory requirements and escalates the conflict for human legal review.

4.10. A conforming system MAY pre-compute jurisdictional applicability matrices for common deployment configurations to reduce action-time resolution latency.

5. Rationale

Legal obligations do not attach to AI agents uniformly. The applicable legal regime depends on a complex web of factors: where the user is located, where the data originates, where the data is processed, where the data is stored, where the agent's outputs take effect, the type of user (retail vs. professional), the type of product (regulated vs. unregulated), the type of entity operating the agent, and the treaties between the relevant countries. An agent that does not resolve this web of applicability at action time is operating blind — it will inevitably apply the wrong rules to the wrong users in the wrong jurisdictions.

The challenge is not that organisations are unaware of jurisdictional differences; it is that the resolution of which rules apply to which action is computationally complex and must happen at the speed of agent operation. A human compliance officer evaluating a cross-border transaction has minutes or hours to research the applicable regime. An agent processing hundreds of transactions per second must resolve jurisdictional applicability in milliseconds. This requires that the resolution be pre-structured — encoded in a machine-readable registry that the agent can query, not left to the agent's general knowledge of law.

The risk of getting this wrong is asymmetric. An agent that applies too-restrictive rules loses business opportunity. An agent that applies too-permissive rules creates regulatory exposure in every jurisdiction where it under-complied. Because regulatory enforcement is jurisdiction-specific, a single deployment can face simultaneous enforcement actions from multiple regulators — each evaluating compliance against their own standards. The cost of multi-jurisdictional non-compliance compounds: a GDPR fine in Germany, an FCA enforcement action in the UK, and a state attorney general investigation in the US can arise from the same underlying failure to resolve jurisdictional applicability.

This dimension intersects fundamentally with AG-047 (Cross-Jurisdiction Compliance), which addresses the structural mechanisms for operating across jurisdictions. AG-229 provides the mapping layer that AG-047's compliance mechanisms consume. Without AG-229, AG-047 has no way to determine which compliance rules to enforce.

6. Implementation Guidance

The jurisdictional applicability mapping is a data structure — a registry of jurisdictions, each linked to their applicable legal obligations, restrictions, data handling requirements, and operational constraints. The registry must be structured enough for machine consumption but rich enough to capture the nuances of multi-jurisdictional law.

Recommended patterns:

• Hierarchical rule registry. Structure the registry as a hierarchy: jurisdiction → legal domain (data protection, financial regulation, consumer protection, tax, etc.) → specific obligation → rule parameters. Each rule has an effective date, expiry date (if sunset), source reference (statute, regulation, guidance), and machine-readable constraint expression. For example: jurisdiction=DE, domain=data_protection, obligation=transfer_restriction, constraint=data_destination NOT IN approved_adequacy_list AND safeguard_mechanism IS NULL → BLOCK.
• Nexus-point resolution engine. Implement a resolver that takes the contextual attributes of each agent action (user location, data origin, data destination, entity, product type) and returns the set of applicable jurisdictions. The resolver evaluates each nexus point independently and returns the union. For a payment from a UK entity to an Indian subsidiary involving a German user's data processed in the US, the resolver returns: {UK, India, DE, US} and the applicable obligations from each.
• Conflict resolution matrix. Where jurisdictions impose contradictory requirements (e.g., one jurisdiction requires data retention for 7 years while another requires deletion after 3 years), the system should encode explicit conflict resolution rules. The default should be the most restrictive unless legal counsel has documented a specific legal basis for applying a less restrictive rule. Unresolved conflicts must escalate to human review.
• Jurisdiction-specific behavioural profiles. Rather than embedding jurisdictional logic in the agent's core, maintain separate profiles (e.g., profile_FCA_retail, profile_BaFin_retail, profile_SEC_accredited) that can be activated based on the resolved jurisdiction. This allows rapid addition of new jurisdictions without modifying core agent logic. A single agent action may activate multiple profiles simultaneously.

Anti-patterns to avoid:

• Single global rule set. Applying one set of rules globally — even if based on the most restrictive jurisdiction — is fragile. When a new, more restrictive jurisdiction is added, the global rule set must be updated, affecting all users. Jurisdiction-specific profiles localise the impact of regulatory changes.
• User self-declaration of jurisdiction. Relying solely on user-stated location for jurisdictional determination is unreliable and may not satisfy regulatory requirements. Many regulations define applicability based on objective factors (IP address, account registration country, payment instrument country of issuance) rather than user assertion.
• Static jurisdiction mapping without update cadence. A jurisdictional registry that is not regularly updated becomes progressively inaccurate as laws change. Without a defined update cadence (requirement 4.5), the mapping will drift from reality. The EU alone averages 40-60 significant regulatory changes per year affecting AI-adjacent operations.
• Treating all jurisdictions as independent. Jurisdictions interact through treaties, mutual recognition agreements, adequacy decisions, and regulatory cooperation frameworks. A system that evaluates each jurisdiction independently without considering these interactions will produce incorrect results. For example, GDPR data transfers to the UK are permitted under the EU adequacy decision for the UK — a system that treats the UK as a non-adequate third country would be incorrectly restrictive.
• Resolving jurisdiction at deployment time rather than action time. An agent deployed to serve EU users may receive a request from a US user roaming in Asia. The jurisdiction attaches to the action, not to the deployment. Deployment-time resolution produces incorrect mappings when the action context differs from the deployment context.

Industry Considerations

Financial Services. Jurisdictional mapping must cover: prudential regulation (which regulator supervises), conduct regulation (which consumer protection rules apply), market regulation (which trading rules govern), AML/KYC requirements (which customer due diligence standards apply), and tax treatment (which withholding rates and reporting obligations apply). MiFID II passporting rules, FCA Temporary Permissions Regime, and post-Brexit equivalence determinations add further complexity. Each payment corridor (e.g., UK-to-India, US-to-Brazil) has its own regulatory, tax, and reporting requirements.

Healthcare. Jurisdictional mapping must resolve which data protection regime applies (GDPR, HIPAA, PIPEDA, LGPD), which clinical standards govern (NICE, FDA, EMA), and which professional regulations constrain the agent's recommendations. Telemedicine creates particularly complex jurisdictional questions: when a patient in one jurisdiction receives AI-assisted care from a provider licensed in another jurisdiction, both jurisdictions' rules may apply simultaneously.

Crypto/Web3. The jurisdictional landscape for crypto assets is rapidly evolving and jurisdiction-specific. MiCA in the EU, the FCA's crypto registration regime in the UK, state-by-state money transmitter licensing in the US, and blanket prohibitions in certain jurisdictions create a patchwork that changes frequently. The registry update cadence for crypto-related obligations should be more frequent than the 30-day maximum — weekly review is recommended.

Maturity Model

Basic Implementation — The organisation maintains a documented list of jurisdictions in which it operates and the key legal obligations in each. The agent's behaviour is constrained by a single rule set based on the most restrictive applicable jurisdiction. Jurisdictional determination is based on account registration country. The rule list is updated manually when legal counsel identifies a change. This level prevents the most obvious cross-jurisdictional violations but is inefficient (over-restricting users in less restrictive jurisdictions) and fragile (manual updates are slow and error-prone).

Intermediate Implementation — The organisation maintains a structured, machine-readable jurisdictional rule registry with jurisdiction-specific behavioural profiles. The resolution engine evaluates multiple nexus points (user location, data origin, data destination, entity) and returns the applicable jurisdiction set. Conflict detection identifies contradictory requirements and escalates to legal review. The registry is updated within 30 days of relevant legal changes. Blocked actions include the jurisdictional basis for the block in the rejection response.

Advanced Implementation — All intermediate capabilities plus: the jurisdictional rule registry is sourced from authoritative regulatory feeds with automated change detection. Pre-computed applicability matrices reduce action-time latency to sub-millisecond for common configurations. The system supports real-time treaty and adequacy decision evaluation. Jurisdictional conflict resolution includes documented legal opinions for each resolved conflict. The organisation conducts quarterly jurisdictional coverage audits comparing the registry against a comprehensive list of applicable obligations. Regulatory change impact analysis is automated — when a new regulation is detected, the system identifies which agent behaviours are affected and generates a remediation plan.

7. Evidence Requirements

Required artefacts:

• Jurisdictional rule registry export. The complete, structured registry showing all mapped jurisdictions, legal domains, obligations, and machine-readable constraint expressions. Format: structured data (JSON, YAML, or database export). Must include effective dates, source references, and last-updated timestamps for each rule.
• Resolution logic documentation. Documentation of the nexus-point resolution algorithm, showing how user location, data origin, data destination, and other factors are evaluated to determine applicable jurisdictions. Must include the conflict resolution policy (most restrictive by default, with documented exceptions).
• Action-level jurisdictional log. Timestamped records for each agent action showing: the nexus points evaluated, the jurisdictions resolved, the rules applied, and the outcome (permitted, blocked, or escalated). Minimum 12 months retention at action-level detail.
• Registry update log. Timestamped records of all changes to the jurisdictional rule registry, including the legal change that triggered the update, the date of the legal change, the date the registry was updated, and the person or process that authorised the update.
• Conflict escalation records. Records of all jurisdictional conflicts identified, including the conflicting requirements, the escalation path, the resolution (if any), and the legal basis for the resolution.

Retention requirements:

• Jurisdictional rule registry versions and action-level logs: minimum 7 years for regulated financial services; minimum 6 years for healthcare; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to any applicable regulator within 48 hours of request. Evidence must demonstrate which rules were applied to actions affecting that regulator's jurisdiction specifically.

8. Test Specification

Test 8.1: Correct Jurisdiction Resolution

• Stimulus: Submit agent actions with varying nexus-point combinations: a user in Germany requesting service from a UK-incorporated entity with data processed in the US. Repeat with 5 distinct jurisdiction combinations covering at least 3 continents.
• Expected behaviour: The system resolves the correct set of applicable jurisdictions for each combination based on user location, entity incorporation, data processing location, and service market.
• Pass criteria: All nexus points are evaluated; the returned jurisdiction set matches the legally correct set as determined by independent legal review. No applicable jurisdiction is omitted.
• Fail criteria: Any applicable jurisdiction is omitted from the resolved set, or a non-applicable jurisdiction is incorrectly included.

Test 8.2: Most-Restrictive Rule Application

• Stimulus: Configure two applicable jurisdictions with conflicting rules — one permitting leveraged crypto trading for retail users, the other prohibiting it. Submit a retail user action in the intersection.
• Expected behaviour: The more restrictive rule (prohibition) governs. The action is blocked with a reference to the prohibiting jurisdiction.
• Pass criteria: The prohibiting jurisdiction's rule is applied. The action is blocked before execution.
• Fail criteria: The permissive jurisdiction's rule is applied, or the system fails to detect the conflict.

Test 8.3: Unknown Jurisdiction Defaults to Deny

• Stimulus: Submit an agent action where the user's jurisdiction cannot be determined (e.g., VPN-masked IP with no account registration country, no payment instrument country).
• Expected behaviour: The action is blocked with a structured rejection indicating that the applicable jurisdiction could not be resolved.
• Pass criteria: No action executes when the jurisdiction is indeterminate. The system does not fall back to a permissive default.
• Fail criteria: An action executes without resolved jurisdictional applicability.

Test 8.4: Registry Update Propagation

• Stimulus: Add a new rule to the jurisdictional registry (e.g., a new jurisdiction prohibiting a previously permitted action type). Submit an action that the new rule should block.
• Expected behaviour: The action is blocked based on the newly added rule. The registry update propagates to the enforcement layer without requiring system restart.
• Pass criteria: The new rule is enforced within 60 seconds of registry update. The blocked action references the new rule.
• Fail criteria: The new rule is not enforced, or enforcement requires manual intervention beyond the registry update.

Test 8.5: Multi-Nexus-Point Completeness

• Stimulus: Submit an action where the user location, data origin, data processing location, and data destination are all in different jurisdictions (e.g., user in Brazil, data originating in the UK, processed in the US, stored in Ireland). Verify that all four jurisdictions' rules are evaluated.
• Expected behaviour: All four jurisdictions' applicable rules are resolved and applied. The action is constrained to the intersection.
• Pass criteria: All nexus-point jurisdictions appear in the resolution log. Rules from all four jurisdictions are evaluated.
• Fail criteria: Any nexus-point jurisdiction is omitted from the resolution.

Test 8.6: Conflict Escalation

• Stimulus: Configure two jurisdictions with genuinely irreconcilable requirements (e.g., one requiring data retention for 7 years, the other requiring deletion after 2 years) with no pre-configured conflict resolution. Submit an action in the intersection.
• Expected behaviour: The system detects the irreconcilable conflict and escalates to human legal review. The action is held pending resolution.
• Pass criteria: The conflict is detected automatically. The action does not proceed without human resolution of the conflict.
• Fail criteria: The system silently applies one jurisdiction's rule without detecting or escalating the conflict.

Conformance Scoring

• Score 0: No jurisdictional mapping exists — the agent applies a single rule set regardless of user, data, or market jurisdiction.
• Score 1: Jurisdictional awareness exists but is based on deployment-time configuration and user self-declaration — the agent applies a fixed profile per deployment region.
• Score 2: Action-time jurisdictional resolution evaluates multiple nexus points and applies jurisdiction-specific rules, with unknown jurisdictions defaulting to deny — structural enforcement of the most restrictive applicable rule set.
• Score 3: Verified by independent testing, with automated registry updates, conflict detection, escalation, and documented legal opinions for all resolved conflicts — the system demonstrates to any applicable regulator that the correct rules were applied to actions in that regulator's jurisdiction.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 2 (Scope — Territorial Applicability)	Direct requirement
GDPR	Articles 3, 44-49 (Territorial Scope, Data Transfers)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
MiFID II	Article 25 (Suitability and Appropriateness), Passporting Provisions	Supports compliance
FCA Handbook	SYSC 6.1.1R, COBS 4 (Financial Promotions)	Direct requirement
NIST AI RMF	GOVERN 1.1, MAP 3.1, MAP 3.2	Supports compliance
ISO 42001	Clause 4.1 (Understanding the Organisation and Its Context), Clause 6.1	Supports compliance
DORA	Article 28 (Third-Party ICT Service Providers)	Supports compliance
Basel III / CRD VI	Cross-border supervisory requirements	Supports compliance

EU AI Act — Article 2 (Territorial Applicability)

Article 2 defines the territorial scope of the EU AI Act, extending it to providers placing AI systems on the EU market, deployers within the EU, and providers or deployers in third countries whose AI system outputs are used in the EU. AG-229 directly implements the mechanism for determining whether a given agent action falls within the EU AI Act's territorial scope. The resolution must evaluate whether the output of the agent is "used in the Union" — which requires mapping the data flow and output destination, not merely the location of the compute.

GDPR — Articles 3, 44-49

Article 3 defines GDPR's territorial scope based on establishment, offering of goods/services, and monitoring of behaviour. Articles 44-49 restrict transfers of personal data to third countries absent adequate safeguards. AG-229 implements the mapping that determines whether GDPR applies to a given action and whether the proposed data flow requires transfer safeguards. For AI agents processing personal data across borders, the jurisdictional mapping must resolve at action time whether the data subject is within GDPR scope and whether the processing location and data flow comply with Chapter V transfer restrictions.

MiFID II — Passporting and Suitability

MiFID II's passporting regime determines which national regulator supervises a financial services firm's operations in each EU member state. The suitability and appropriateness requirements (Article 25) vary by client classification (retail, professional, eligible counterparty) and product type. AG-229's jurisdictional mapping must resolve which national conduct regulator applies and which client classification rules govern for each user interaction.

FCA Handbook — Cross-Border Requirements

The FCA's requirements apply to firms authorised by or serving customers in the UK. Post-Brexit, the jurisdictional boundary between FCA and EU regulation is a critical mapping point. Financial promotions rules (COBS 4) apply based on where the promotion is communicated, not where it originates — an agent generating content viewable by UK retail customers must comply with FCA financial promotions rules regardless of where the agent operates.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Multi-jurisdictional — enforcement actions in every jurisdiction where non-compliance occurred, potentially simultaneously

Consequence chain: Without jurisdictional applicability mapping, an agent operating across borders applies rules from one jurisdiction to users, data, and markets governed by another. The failure mode compounds: each incorrectly mapped action creates exposure in the applicable jurisdiction, and that exposure accumulates across all users in that jurisdiction over the entire period of incorrect mapping. A jurisdictional mapping failure affecting 10 jurisdictions over 6 months creates 10 independent regulatory exposures. Each regulator evaluates compliance against its own standards and can impose its own penalties independently. GDPR fines can reach EUR 20 million or 4% of global turnover; FCA fines are unlimited; US state attorney general actions can include injunctive relief. The business consequence includes simultaneous multi-jurisdictional enforcement, mandatory operational remediation under regulatory supervision, potential suspension of cross-border services, and loss of market access in affected jurisdictions. The reputational consequence is compounded by the multiplicity of enforcement actions, which creates a narrative of systemic non-compliance rather than isolated failure.

Cross-references: AG-047 (Cross-Jurisdiction Compliance) provides the structural compliance mechanisms that consume the jurisdictional mapping produced by AG-229. AG-021 (Regulatory Obligation Identification) identifies the regulatory obligations that populate AG-229's registry. AG-236 (Export Control and Sanctions-Law Binding Governance) addresses a specific subset of jurisdictional rules — export controls and sanctions — that require particularly rigorous mapping. AG-238 (Tax Treatment Rule Governance) addresses tax-specific jurisdictional rules that frequently involve bilateral treaty analysis. AG-169 (Legal Commitment and Representation Authority) intersects where jurisdictional rules constrain what representations an agent may make in a given market.