The Compliance Layer AI Agent Frameworks Forgot to Build: The Story of Comply54
AI agents can now reason, plan, call tools, retrieve customer data, and initiate financial transactions on their own. What almost none of them know is that any of it is regulated. That gap is what pushed Oluwajuwon Steven Omotayo, to build Comply54, an open-source engine that checks what an AI agent is about to do against African law before the action is allowed to complete.
An agent could pull a customer’s identity information without knowing what the Nigeria Data Protection Act required. It could move money without any awareness of the Central Bank of Nigeria’s compliance obligations or the Nigerian Financial Intelligence Unit’s anti-money laundering rules. It had no concept that Nigeria’s newly signed NIMC Act now places strict legal duties around how identity data is handled.
“The more I worked with modern AI agent frameworks, the more obvious it became that this was not a bug,” Omotayo says. “It was a missing layer of infrastructure.”
That realisation became Comply54, an open-source compliance engine that evaluates what an AI agent is about to do and checks it against the law before the action is allowed to complete. Named after Africa’s 54 countries, it now covers more than 10 jurisdictions, runs entirely offline, and is free under the Apache 2.0 licence.
Omotayo is CTO at Sagegrey Technologies in Lagos, where he leads product and engineering. Comply54 is his answer to a question he could not stop asking himself: what if the law could run at the same moment as the code?
The Gap Nobody Was Building For
Today’s AI agent frameworks, LangGraph, CrewAI, AutoGen, and LangChain, are built to help developers ship capable systems fast. They reason, plan, call APIs, and coordinate with other agents with impressive fluency. What none of them understands is regulation.
That leaves the entire burden of compliance sitting with whoever deploys the agent. An AI system can process sensitive identity data or trigger a regulated financial action with no built-in awareness that a law even applies, and the organisation running it only finds out after something has gone wrong.
Comply54 sits between the agent and the systems it touches, evaluating the intended action before execution and returning one of four outcomes:
- Allowed to proceed
- Blocked, with a specific regulatory explanation
- Escalated for human approval
- Audited and logged for compliance records
When Comply54 blocks something, it does not just say no. It names the regulation, the specific provision, and the reason, producing an audit trail that developers, compliance officers, and regulators can actually read.
How It Actually Works
From a developer’s chair, Comply54 behaves like middleware. Instead of letting an agent call a payment API, a customer database, or a healthcare system directly, the request passes through Comply54 first. The engine loads the policy pack for the relevant jurisdiction, checks the action against it, and either lets it through or intervenes with a structured decision explaining exactly which law was triggered.

Everything runs locally, on the organisation’s own infrastructure. No customer data leaves the environment, and no external API calls are needed, a detail that matters a great deal to banks, hospitals, and government agencies that cannot let sensitive information cross a network boundary. Comply54 is also framework-agnostic, so teams already building on LangGraph, CrewAI, AutoGen, or LangChain can add the governance layer without re-architecting anything.
Where It’s Already Being Put to Work
Nigerian fintech. Before an AI customer-support agent can touch BVN-linked data or execute a regulated financial operation, Comply54 checks the request against the NDPA, CBN requirements, NFIU obligations, and the new NIMC Act. If it violates policy, it simply never runs.
Healthcare in Kenya. A hospital using AI to support clinicians has every patient record access checked against Kenya’s Data Protection Act before the data is processed.
Banking in South Africa. A bank running AI-assisted fraud investigations gets every customer-data operation evaluated against POPIA, with a complete audit trail for its compliance team.
Cross-border platforms. Companies operating in multiple African markets can load several jurisdiction-specific policy packs at once instead of rewriting compliance logic for every country they enter.
Why This Moment Matters
AI agents are moving fast from chat interfaces into systems that can move money, verify identities, and touch enterprise infrastructure directly. Nigeria’s fintech sector has already shown what that looks like in practice, with products like Paystack Index signalling that agents are becoming a genuine interface for financial services on the continent.
The regulatory backdrop is shifting just as quickly. President Bola Tinubu signed the NIMC Act 2026 into law in June, repealing a 2007 framework that had gone untouched for nearly two decades and had nothing to say about digital credentials, biometric data handling, or cybersecurity obligations. The new Act ties NIMC’s data practices directly to the Nigeria Data Protection Act and introduces much steeper penalties for identity-related offences, exactly the kind of moving regulatory target that a static, once-a-year compliance review cannot keep up with, but that a runtime engine like Comply54 is built to track.
“AI agents are rapidly evolving from conversational assistants into autonomous software capable of performing real-world actions,” Omotayo says. As that shift accelerates, he argues, governance can no longer be a manual process bolted on after deployment. It has to be part of the software itself.
Why He Gave It Away
Comply54 is open source under Apache 2.0 by design on Github. Omotayo’s view is that compliance infrastructure should not be a black box that only its vendor can inspect. Developers, auditors, regulators, and researchers should all be able to see exactly how a decision gets made, and an open codebase lets that knowledge evolve as African laws change and new jurisdictions get added.
It launched with 21 policy packs across more than 10 African jurisdictions, including Nigeria, Kenya, South Africa, Ghana, Rwanda, Egypt, and Mauritius, and is available through both PyPI (pip install comply54) and npm (npm install @comply54/core).
The recognition has followed the same open pattern. An earlier open-source project of Omotayo’s on African AI governance was accepted directly into Microsoft’s Agent Governance Toolkit, and a new AI safety initiative backed by Anthropic, OpenAI, Google, and Microsoft has publicly credited that earlier work as part of its technical foundation. The project also sits in the Open Policy Agent ecosystem through Awesome OPA, a community-curated registry of governance tooling. Comply54 itself now has open pull requests adding NIMC Act protections and West and North Africa policy expansion to Microsoft’s toolkit, plus a pull request with Vercel’s AI agent framework that adds compliance-agent capabilities built directly on Comply54.
Seeing It Run
A demo video shows eve-policy, an integration layer built on Comply54’s policy architecture for Vercel’s Eve agent framework, handling three scenarios against real Nigerian regulatory rules: a routine balance check gets waved through instantly as read-only; a transfer of 6 million naira gets automatically escalated because it crosses the CBN’s Currency Transaction Report threshold; and an attempted server command execution is denied outright as a critical security violation under the OWASP Agentic AI security baseline.
A live governance feed on screen shows every tool call, the decision reached, the regulation that fired, and the associated risk level, all running deterministically with zero dependency on a language model. Omotayo says the integration itself runs to roughly 15 lines of code.
This week, that same enforcement logic went live for anyone to test directly: the Agent Disaster Lab walks through nine real-world AI agent failure scenarios spanning Nigerian fintech, healthcare, and insurance, including an agent leaking a patient’s HIV status to their employer in violation of the National Health Act 2014, and one routing a payment to a globally sanctioned counterparty with no anti-money-laundering screening under the NFIU’s Money Laundering (Prevention and Prohibition) Act 2022, and lets readers watch Comply54 intercept each one in real time, no account required, in-browser or run locally.
What He’s Building Toward
Omotayo is candid that Comply54’s ambitions outgrow Nigeria almost by design. “The laws already exist,” he says. “What has been missing is the infrastructure that allows AI systems to enforce those laws automatically.” His long-term goal is a governance infrastructure that spans the continent, not one jurisdiction at a time, and he wants it embedded in AI architecture from day one rather than treated as an afterthought.
“I don’t think AI governance should be something organisations bolt on later,” he says. “It should be part of the architecture from day one.”
As African AI agents start touching real money, real identities, and real regulated systems, that argument is getting harder to dismiss, and Omotayo has already built the infrastructure to back it up.


