Preface
Why this book was written and who it is for.
Agents change the shape of software compliance because they do not merely respond. They act.
A conventional application waits for a user to click a button, submit a form, or call an API. An agent can decide which tool to call, which record to retrieve, which workflow to start, and when to ask a human for approval. That autonomy is useful. It is also the point where familiar compliance controls start to feel incomplete.
This book is for the teams building those systems.
It is written for engineering leaders, product leaders, architects, security teams, compliance teams, and developers who need a practical way to reason about agentic systems under real-world obligations. The focus is not legal theory. The focus is the operating model: what must be classified, logged, limited, reviewed, approved, tested, and monitored before an agent is allowed to act on behalf of a user or an organization.
The book has two parts.
Part 1 is for the business. It explains why agentic systems change the compliance conversation, how to classify risk, how vendor and model governance fit into the picture, and which obligations repeat across GDPR, the EU AI Act, HIPAA, SOC 2, PCI-DSS, and NIST AI RMF.
Part 2 is for the developer. It turns those obligations into architecture. It covers system boundaries, identity, permission models, model-layer security, audit trails, data handling, human oversight, testing, monitoring, and incident response.
You do not need to read the book in one path. If you own governance, start with Part 1 and use Part 2 to understand what must be built. If you build agents, start with Part 2 and use Part 1 to understand why the controls matter. If you are responsible for both, read straight through.
The central argument is simple: compliant agents are not slower agents. They are better engineered agents. The same controls that satisfy auditors also make systems easier to debug, safer to operate, and more trustworthy when they act in the real world.
Platform Agentic
Compliance, governance, and accountability for teams building agentic AI systems.