When we designed Surrogate OS, we made a foundational decision that shaped every architectural choice that followed: compliance is not a feature to be added. It is the substrate on which everything else is built.
This post is a technical deep dive into how we implemented regulatory compliance across six frameworks, why we made the specific architectural decisions we did, and what we learned along the way.
The temptation to defer compliance is understandable. Regulatory requirements are complex, they vary by jurisdiction and industry, and implementing them properly is expensive in terms of engineering effort. The standard startup playbook says to validate the core value proposition first, then layer on compliance requirements once you have traction.
This playbook fails for AI agents in regulated industries for three specific reasons.
Architectural contamination. Compliance requirements affect data flow, storage patterns, API design, and logging infrastructure. If you build a system without compliance constraints and then try to retrofit them, you end up with a dual architecture — the original design plus a compliance overlay that fights against it at every turn. We have seen this pattern in enterprise software for decades. It produces brittle, expensive-to-maintain systems.
Audit trail integrity. A retroactively added audit trail is inherently suspect from a regulatory perspective. If the logging infrastructure was not present from the beginning, there is no way to prove that historical operations were compliant. Regulators understand this. An audit trail that starts six months after deployment raises more questions than it answers.
Trust erosion. Healthcare systems, financial institutions, and legal organizations make deployment decisions based on trust assessments. If your compliance story is "we are working on it," you will not get past the initial evaluation. These organizations need to see compliance built into the architecture, not bolted onto the side.
Surrogate OS currently implements compliance controls for six regulatory frameworks. Each imposes distinct requirements, and there is meaningful overlap that we exploit for implementation efficiency.
HIPAA governs the handling of Protected Health Information (PHI) in the United States. For an AI agent system, the key requirements are:
In Surrogate OS, HIPAA compliance is enforced at the SOP node level. Each node in a surrogate's procedure graph that handles PHI is tagged with HIPAA requirements. The runtime engine verifies compliance at each node transition — checking that the accessing surrogate has appropriate authorization, that only minimum necessary data fields are being accessed, and that the audit log entry is written before the operation proceeds.
GDPR applies to any system processing personal data of EU residents. The requirements that most affect AI agent systems are:
Our implementation tracks data lineage through the entire surrogate operational pipeline. Every piece of personal data carries metadata indicating its lawful processing basis, retention period, and applicable data subject rights. When a data subject exercises a right (such as erasure), the system can trace every location where that individual's data exists within the surrogate's memory and operational logs.
The EU AI Act is the most directly relevant regulation for AI agent systems, and its high-risk AI system requirements are substantial:
Surrogate OS implements these requirements through its SOP architecture. The procedure graph serves as the risk management system — each node has defined risk levels, mitigation strategies, and escalation triggers. The transparency requirement is handled at the interface layer, where every surrogate interaction begins with a clear disclosure of AI identity. Human oversight is built into the SOP execution engine, which supports real-time intervention and override at any point in a procedure.
The remaining three frameworks — SOC 2 for data security controls, FDA Software as a Medical Device guidelines for clinical AI applications, and FINRA for financial services AI — each add specific requirements that overlap significantly with the three frameworks above. Our implementation treats the six frameworks as a compliance matrix, where shared requirements are implemented once and mapped to all applicable frameworks.
The most distinctive compliance mechanism in Surrogate OS is cryptographic SOP signing. Every standard operating procedure — the complete directed acyclic graph of nodes, transitions, validation criteria, and compliance annotations — is signed using Ed25519 digital signatures.
The choice of Ed25519 was deliberate. It provides strong security guarantees with fast signature generation and verification, compact signature sizes (64 bytes), and deterministic signatures that simplify testing and auditing. Unlike RSA, Ed25519 has no known padding oracle attacks and is resistant to timing-based side-channel attacks.
The signing process works as follows:
The complete SOP definition is serialized into a canonical JSON representation. We use a deterministic serialization that guarantees identical byte output for semantically identical SOPs, regardless of property ordering or whitespace.
The serialized SOP is hashed using SHA-512 (which is part of the Ed25519 specification).
The hash is signed using the organization's private key, producing a 64-byte signature.
The signature, public key identifier, timestamp, and SOP version are stored alongside the SOP definition.
When a surrogate executes an SOP, the runtime engine verifies the signature before beginning execution. If the signature is invalid — indicating the SOP has been modified since signing — execution is blocked and a compliance alert is generated.
SOP signing alone proves that a procedure has not been tampered with since it was signed. But regulators also need to verify the history of changes. We implement this through hash chaining.
Each SOP revision includes the cryptographic hash of the previous version in its signed content. This creates a tamper-evident chain:
SOP v1: sign(content_v1)
SOP v2: sign(content_v2 + hash(SOP v1))
SOP v3: sign(content_v3 + hash(SOP v2))
To verify the complete history, you walk the chain backward. If any intermediate version has been modified or deleted, the hash chain breaks at that point. This provides mathematical proof of the complete revision history without requiring trust in any single storage system.
The hash chain also includes the identity of the person who authorized each revision and a timestamp from a trusted time source. This produces a complete chain of custody: who changed what, when, and in what order.
Every compliance-relevant action in Surrogate OS generates an audit log entry. These entries are structured, indexed, and immutable.
Immutability is enforced at multiple levels:
An audit entry includes:
The audit trail is queryable by any dimension — you can retrieve all actions by a specific surrogate, all actions affecting a specific data subject (for GDPR right-of-access requests), all actions within a time window, or all actions flagged under a specific compliance framework.
The EU AI Act requires that high-risk AI systems include mechanisms for detecting and mitigating bias. Our bias detection system operates at the operational level, monitoring surrogate behavior for statistical anomalies across demographic dimensions.
The system works through three mechanisms:
Distribution monitoring. For every measurable decision dimension (triage priority, response time, escalation frequency, recommendation type), the system maintains running statistical distributions segmented by available demographic variables. When the distribution for any demographic segment deviates significantly from the overall distribution, a bias alert is generated.
Comparative analysis. The system periodically runs comparative analyses across surrogates performing similar roles. If one surrogate shows different behavioral patterns from its peers when controlling for case mix, this is flagged for human review.
Counterfactual testing. On a configurable schedule, the system generates counterfactual test cases — identical scenarios with only demographic variables modified — and runs them through the surrogate's decision logic. Divergent outcomes indicate potential bias in the underlying decision process.
Bias alerts are routed to designated compliance officers and include the statistical evidence, affected demographic dimensions, time period, and recommended investigation steps. The system does not automatically modify surrogate behavior in response to bias detection — that decision remains with human oversight.
Organizations running multiple surrogates across different locations face a tension: surrogates would benefit from shared operational learnings, but sharing operational data across locations may violate data residency requirements or expose sensitive information.
Surrogate OS addresses this with federated learning using differential privacy.
Federated aggregation. Operational learnings are computed locally at each facility. Only aggregated model updates — not raw data — are transmitted to a central coordinator. The coordinator combines updates from all participating facilities and distributes the combined learning back.
Differential privacy guarantees. Before any local update leaves a facility, calibrated Gaussian noise is added. The noise is calibrated to provide a specific privacy budget (epsilon value), which provides a mathematical guarantee about the maximum information that can be inferred about any individual data point from the aggregated output.
The privacy budget is configurable per organization and per regulatory framework. A deployment subject to HIPAA might use a stricter epsilon than a deployment handling only non-clinical administrative data.
This architecture means a hospital network can run ER triage surrogates at twenty locations, have all of them benefit from the collective operational experience of the network, and provide mathematical proof that no individual patient's data was exposed in the process.
One of the most important architectural decisions was how compliance logic relates to the rest of the system. We evaluated three approaches:
Middleware approach — Compliance checks as middleware in the request/response pipeline. Rejected because this creates a bypass risk (any code path that skips the middleware skips compliance) and makes it difficult to enforce compliance at the SOP node level.
Embedded approach — Compliance logic embedded directly in the SOP execution engine. Rejected because it creates tight coupling between operational logic and compliance logic, making it difficult to add new frameworks or modify compliance rules without touching the core engine.
Service approach (selected) — Compliance as an independent service with a well-defined API. The SOP execution engine calls the compliance service at each node transition. The compliance service evaluates the operation against all applicable frameworks and returns an allow/deny/flag decision.
The service approach provides several advantages: compliance rules can be updated independently of the SOP engine, new frameworks can be added without modifying core code, the compliance service can be tested in isolation, and the service boundary provides a natural audit point.
The compliance service maintains its own data store for framework definitions, rule configurations, and audit records. It exposes APIs for compliance verification, audit trail queries, bias monitoring results, and compliance reporting.
Building compliance into an AI agent system from the beginning taught us several things that may be useful to others working in this space.
Compliance requirements are better engineering constraints than they appear. The impulse is to view regulations as obstacles. In practice, requirements like audit trails, access controls, and bias monitoring produce a more robust, observable, and maintainable system. The Surrogate OS codebase is better software because of its compliance architecture, not in spite of it.
Cryptographic primitives are underused in AI governance. The AI governance conversation is heavy on policy and light on mechanism. Cryptographic signing, hash chaining, and verifiable computation provide concrete, mathematically provable governance guarantees. We would like to see more AI platforms adopt these approaches.
Open source and compliance are complementary. The ability to audit source code, verify compliance implementations, and run independent security assessments is enormously valuable in regulated contexts. Open source is not a risk factor for compliance — it is an enabler.
Surrogate OS is available on GitHub under the MIT license. We welcome contributions, particularly from engineers and compliance professionals with domain expertise in healthcare, financial services, and legal technology.
]]>This is not another chatbot framework. Surrogate OS produces AI surrogates that carry professional identities, follow auditable decision-making procedures, comply with real-world regulations, and learn from their own operational history. Think of it as the operating system layer between foundation models and the actual work that regulated industries need AI to perform.
The AI agent landscape in 2026 is simultaneously thrilling and deeply broken.
On one side, foundation models have reached a level of capability that makes autonomous task completion genuinely viable. Every week brings a new framework promising to turn GPT or Claude into an agent that can handle customer support, triage medical records, process insurance claims, or manage financial portfolios.
On the other side, the industries that would benefit most from AI agents — healthcare, finance, legal, government — are the ones that cannot deploy them. The reason is not technical capability. The reason is trust, governance, and regulatory compliance.
Consider the state of affairs. A hospital system evaluating an AI triage assistant faces HIPAA requirements that demand a complete audit trail of every clinical decision. A European bank deploying an AI financial advisor must satisfy both GDPR data handling requirements and the incoming EU AI Act obligations for high-risk AI systems. A law firm exploring AI paralegals needs to demonstrate that the system follows established procedures and does not introduce bias into case assessments.
None of the mainstream agent frameworks address these requirements as first-class concerns. Compliance is treated as something to bolt on later — a Phase 2 problem. But anyone who has worked in regulated industries knows that compliance cannot be Phase 2. If the foundation is not auditable, no amount of wrapper code will make a regulator comfortable.
The gap between a compelling AI demo and a production deployment in a regulated environment is enormous. We built Surrogate OS to close that gap.
The core premise is deceptively simple: you define a role, and Surrogate OS synthesizes a complete AI professional to fill it.
But "define a role" means something very specific here. A surrogate is not a prompt template with a personality description stapled on. It is a structured professional identity composed of several interconnected layers:
Identity and Persona — Every surrogate has a defined professional background, communication style, areas of expertise, and behavioral boundaries. This is not flavor text. The persona layer constrains the surrogate's behavior in measurable ways, ensuring it operates within its defined scope of practice.
Standard Operating Procedures (SOPs) — This is the core of what makes a surrogate different from a chatbot. Each surrogate comes with a directed acyclic graph of operational procedures. These are not simple instruction lists. They are structured decision trees with defined inputs, outputs, validation criteria, escalation triggers, and compliance checkpoints.
Regulatory Compliance — Every SOP node is tagged with applicable regulatory frameworks. The system enforces compliance at the procedure level, not as an afterthought.
Institutional Memory — Surrogates maintain both short-term and long-term memory, with mechanisms for promoting operational learnings into persistent institutional knowledge.
Interface Adaptability — The same surrogate identity can be deployed across text chat, voice, avatar, and eventually humanoid robotic interfaces without redefining its core logic.
To make this tangible, walk through what happens when you create a Senior ER Nurse surrogate.
You start with a role definition that specifies the clinical scope: emergency triage, patient assessment, care coordination, medication verification. The system synthesizes a professional identity with appropriate clinical communication patterns and establishes boundaries — this surrogate will escalate to a physician for diagnostic decisions and will not prescribe medications.
The SOP engine then generates a 9-node procedure graph for the triage workflow:
Every node in this graph has defined inputs, outputs, and validation criteria. Every transition is logged. Every compliance-relevant action generates an audit trail entry with a cryptographic signature.
This is not a theoretical architecture. It is implemented, tested, and running.
We made an early decision that shaped everything about Surrogate OS: compliance is not a feature. It is the foundation.
The platform currently supports six regulatory frameworks:
Each framework imposes specific requirements on how AI systems make decisions, store data, handle personal information, and maintain audit trails. Surrogate OS implements these requirements at the architectural level.
Every standard operating procedure in Surrogate OS is cryptographically signed using Ed25519 signatures. When an SOP is created or modified, the system generates a signature that covers the complete procedure definition — every node, every transition, every validation criterion.
This creates an immutable chain of custody for operational procedures. If a regulator asks "what procedure was this AI following when it made that decision at 3:47 AM on Tuesday?", we can provide the exact SOP version, prove it has not been tampered with, and show the complete decision trace through that procedure.
The signing infrastructure uses hash chaining, where each SOP revision includes the hash of the previous version. This produces a tamper-evident history of every procedural change, who authorized it, and when it took effect.
The compliance layer includes a bias detection system that monitors surrogate behavior across demographic dimensions. The system tracks decision distributions and flags statistical anomalies that might indicate bias in triage priority, response quality, escalation frequency, or any other measurable operational dimension.
This is not optional. For high-risk AI systems under the EU AI Act, bias monitoring is a legal requirement. We built it in from day one rather than trying to retrofit it later.
There is a philosophical reason we chose to open-source Surrogate OS, and it goes beyond the usual arguments about community and collaboration.
In regulated industries, trust requires transparency. When a hospital deploys an AI triage system, the compliance team needs to be able to audit not just the decisions the system makes, but the code that governs how it makes them. Black-box AI systems face an inherently harder path to regulatory approval than systems whose decision-making logic can be inspected, tested, and verified.
Open source is not just a distribution model for Surrogate OS. It is a compliance strategy.
A static set of procedures is useful but limited. Real professionals learn from experience. Surrogate OS includes an intelligence layer designed to give surrogates the same capability — with appropriate guardrails.
Every surrogate maintains two tiers of memory:
Short-Term Memory (STM) captures the immediate operational context — the current interaction, recent decisions, active tasks. This functions like a professional's working memory during a shift.
Long-Term Memory (LTM) stores persistent institutional knowledge — patterns observed across many interactions, procedural learnings, domain-specific insights. The system includes a promotion mechanism that identifies high-value short-term observations and elevates them to long-term storage after validation.
The key design decision is that memory promotion is not automatic. The system proposes promotions based on frequency, impact, and novelty. A human operator reviews and approves before any learning becomes part of the surrogate's permanent knowledge base.
At the end of each operational period, a surrogate generates a structured self-assessment. The LLM analyzes its own performance across that period, identifying:
These debriefs feed into the SOP improvement pipeline, creating a structured feedback loop between operational experience and procedural refinement.
When accumulated operational data suggests a procedure modification, the system generates a specific, testable proposal. This proposal includes the current procedure, the suggested change, the evidence supporting the change, and the expected impact.
Critically, no SOP modification takes effect without human approval. The system proposes; humans decide. This preserves the auditability and accountability that regulated environments require while still allowing the system to surface genuine operational improvements.
For organizations running multiple surrogates across different facilities or departments, Surrogate OS supports federated learning with differential privacy guarantees. This means surrogates can benefit from collective operational experience without exposing the underlying data from any individual facility.
A hospital network running ER triage surrogates at twelve locations can aggregate learnings about triage patterns without any individual patient data leaving its home facility. The differential privacy layer adds calibrated noise to the aggregated updates, providing mathematical guarantees about individual data protection.
One of the most consequential design decisions in Surrogate OS is the separation between a surrogate's identity and its interface.
The same Senior ER Nurse surrogate — with the same persona, SOPs, compliance layer, and institutional memory — can be deployed as a text-based chat interface for patient intake, a voice interface for phone triage, an avatar for telemedicine interactions, or eventually a physical presence through humanoid robotic systems.
The interface layer handles modality-specific concerns: speech-to-text conversion, natural language generation tuned for spoken delivery, gesture and expression mapping for avatars. But the decision-making logic, compliance enforcement, and professional identity remain constant across all interfaces.
Real-world deployments involve not one surrogate but many. A hospital might run triage surrogates in the ER, patient education surrogates in outpatient clinics, and administrative surrogates handling insurance coordination.
Surrogate OS includes fleet management capabilities for monitoring, updating, and coordinating multiple surrogates. Operators can push SOP updates across an entire fleet, monitor compliance metrics in aggregate, and manage handoff protocols between surrogates with different specializations.
Not every situation can be handled by a surrogate. The system includes a structured handoff protocol for transferring operational context from a surrogate to a human professional. The handoff package includes a complete interaction summary, relevant clinical or operational data, the surrogate's assessment and confidence level, and any compliance-relevant flags.
This is designed to minimize the information loss that typically occurs when an AI system "escalates to a human." The receiving professional gets a structured briefing, not a raw chat transcript.
Surrogate OS is not a prototype. It is a production-grade platform built with the engineering rigor that regulated industries demand.
Test Coverage — The platform includes 571 tests spanning unit, integration, and end-to-end scenarios. Test coverage includes not just happy paths but failure modes, edge cases, and compliance-specific validation scenarios.
API Surface — Over 130 REST endpoints covering surrogate lifecycle management, SOP operations, compliance reporting, memory management, fleet coordination, and administrative functions.
Technology Stack — TypeScript monorepo using Turborepo for build orchestration. The backend runs on Node.js with a PostgreSQL database. The architecture follows a loosely coupled, event-driven design with dependency injection throughout.
Deployment — Docker Compose configuration for single-command deployment. The system is designed for both cloud and on-premises deployment — an important consideration for healthcare organizations with data residency requirements.
Multi-Tenant Architecture — Built from the ground up for multi-tenancy, with tenant isolation at the database, API, and surrogate level. Organizations can run isolated surrogate fleets with independent compliance configurations.
Observability — Full observability stack with structured logging, distributed tracing, and metrics collection. Every decision a surrogate makes is traceable from API request through SOP execution to the final response.
Surrogate OS is ready for early adopters, contributors, and organizations willing to explore what compliance-first AI agents look like in practice.
The near-term roadmap includes:
We are particularly interested in collaborators from regulated industries — healthcare systems, financial institutions, legal organizations — who can provide domain expertise and real-world validation scenarios.
Surrogate OS is available now:
We welcome contributions across the entire stack — from core platform development to compliance framework implementations to documentation and testing. If you have domain expertise in healthcare, finance, or legal technology, we especially want to hear from you.
The conversation about AI in the workforce tends to oscillate between utopian promises and dystopian fears. We think both framings miss the point.
The question is not whether AI will take on professional roles. It already is. The question is whether those AI professionals will operate with the same standards of accountability, compliance, and governance that we expect from their human counterparts.
Surrogate OS is our answer: build the compliance in from the start, make the decision-making transparent and auditable, give organizations the tools to govern their AI workforce with the same rigor they apply to their human workforce, and open-source the entire thing so that trust can be verified rather than assumed.
The workforce of the future will be a blend of human and AI professionals. Surrogate OS exists to make sure the AI half of that equation is built on a foundation worthy of the trust it will be given.
]]>