Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python · GitHub
Open Graph Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python
X Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python
Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built on the SDK today reaches an LLM and cal...
Open Graph Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built...
X Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built...
Opengraph URL: https://github.com/SAP/cloud-sdk-python/issues/215
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module)","articleBody":"### Describe the Problem\n\nThe SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built on the SDK today reaches an LLM and calls tools with no deterministic control point between \"model decided to act\" and \"action executes.\"\n \nConcretely, an SDK-built agent today can:\n - Invoke a tool the deployer never intended to expose.\n - Ship to production with no per-decision audit record traceable to an operator-authored rule.\n - Ship with no technical documentation artifact that maps to EU AI Act Article 11 (Annex IV) obligations.\n\nThe above cited is a missing layer. Under the EU AI Act, any agent classified Annex III (essential services, employment, credit, law enforcement, education) is high-risk. High-risk\nSystems need: Article 9 risk management, Article 10 data governance, Article 12 automatic logging of decisions, Article 14 human oversight,\nArticle 15 accuracy + robustness + cybersecurity, and Article 11 technical documentation before market entry. \n\nThe SDK has no primitive to help teams meet any of those obligations, so every agent development team have to re-implements the same middleware from scratch.\n\nRegulators require the policy that gated a decision to be inspectable, versionable, and reproducible against the same input. Only rule-based, deterministic evaluation clears that bar.\n \nWithout this primitive in the SDK, every team building an agent on top faces a choice: ship ungated, or invent their own compliance stack. \n\n### Propose a Solution\n\n## Summary\n\nIntroduce a **Compliance** module in the SAP Cloud SDK, shipped as an **optional extra** so the base installation remains lightweight.\n\nThe module would provide a single, deterministic middleware for evaluating agent actions against deployer-defined compliance policies.\n\n## Proposed API\n\n```python\nfrom sap_cloud_sdk.compliance import SAPComplianceMiddleware\n\nmiddleware = SAPComplianceMiddleware.from_paths(\n agent_name=\"my-agent\",\n policy_file=\"policies/my-agent.yaml\",\n profile_file=\"policies/profile-my-agent.yaml\",\n fail_closed=True,\n)\n\ndecision = middleware.evaluate(\n prompt,\n action=\"tool:x\",\n tool_args={...},\n)\n\nif not decision.allowed:\n raise PermissionError(decision.reason)\n```\n\n## Key Capabilities\n\n- Deterministic policy evaluation using deployer-authored YAML rules.\n- Author-time policy definition, runtime deterministic enforcement.\n- Per-decision audit records integrated into the SDK's existing telemetry and audit pipeline.\n- Deployer-authored Agent Profile (YAML) that can be used to generate Annex IV Technical Documentation.\n- CI-friendly, byte-deterministic artifacts to support drift detection and governance.\n\n## Why Determinism Matters\n\nFor compliance-sensitive AI systems, the same:\n\n- Prompt\n- Action\n- Tool arguments\n\n**must always produce the same decision**, regardless of runtime instance or deployment replica.\n\nWhen auditors ask:\n\n\u003e \"Why did the agent perform action X on Tuesday?\"\n\nthe answer should always be:\n\n- Policy Version\n- Rule ID\n- Audit Record\n\n—not:\n\n\u003e \"The model decided differently.\"\n\nDeterministic enforcement makes regulatory investigations reproducible, explainable, and auditable.\n\n---\n\n### Describe Alternatives\n\n# Alternatives Considered\n\n## 1. Keep compliance middleware outside the SDK\n\n**Current approach**\n\nEvery Line of Business implements its own compliance middleware.\n\n### Drawbacks\n\n- Multiple incompatible implementations\n- No shared audit integration\n- No shared telemetry integration\n- No standard Annex IV artifact generation\n- Increased maintenance across teams\n\n---\n\n## 2. Ship as a separate SAP package\n\nExample:\n\n```\nsap-agent-compliance\n```\n\n### Rejected\n\nAgents already depend on the SDK for:\n\n- AI Core\n- Telemetry\n- Authentication\n- Common infrastructure\n\nIntroducing a second SAP package for the mandatory compliance layer creates unnecessary dependency and adoption friction.\n\nOptional SDK extras are a more natural fit.\n\n---\n\n## 3. Use non-deterministic policy gates\n\nExamples:\n\n- LLM-as-a-Judge\n- Learned classifiers\n- AI moderation models\n\n### Rejected\n\nCompliance decisions must be reproducible.\n\nA policy engine whose output changes for identical inputs cannot reliably support auditability or regulatory investigations.\n\nFor regulated AI systems, deterministic policy evaluation provides a stronger foundation for reconstructable decision-making and consistent governance.\n\n### Affected Development Phase\n\nDevelopment\n\n### Impact\n\nInconvenience\n\n### Timeline\n\nI already have a working implementation for a mock-agent that demonstrates this approach.\n\nThe implementation includes:\n\n- SDK Module Registry integration\n- `@record_metrics` integration\n- Audit log integration following the existing `auditlog_ng` shape\n- `py.typed` support\n- Per-module documentation (`user-guide.md`)\n- 40 automated tests\n- 93% test coverage\n- Ruff clean\n- Ty clean\n- pytest-bdd integration scenarios\n- DCO signed\n---","author":{"url":"https://github.com/Thilaknath","@type":"Person","name":"Thilaknath"},"datePublished":"2026-07-08T13:15:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/215/cloud-sdk-python/issues/215"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:9f50d608-706c-5867-c1f4-151110fdfce1 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 9A2E:20853D:49DF91D:660DAC2:6A4F5E18 |
| html-safe-nonce | c96904ac55338470974a591c90e978d8bc7baf1070ccb0e17c45ac7581793e25 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5QTJFOjIwODUzRDo0OURGOTFEOjY2MERBQzI6NkE0RjVFMTgiLCJ2aXNpdG9yX2lkIjoiODA0Mzg0ODc2NTAyNTUwODg4OCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 245c0a6a04ae95284b3aa1ae714eb6589d4cf98f817ef5cfcdd0fd25a5e4b1b3 |
| hovercard-subject-tag | issue:4837800450 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/SAP/cloud-sdk-python/215/issue_layout |
| twitter:image | https://opengraph.githubassets.com/8bacc60ad4e772b98bd72e22a5b64db0d611b9f87aeec4492b9ab3f9e1f0dfe3/SAP/cloud-sdk-python/issues/215 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/8bacc60ad4e772b98bd72e22a5b64db0d611b9f87aeec4492b9ab3f9e1f0dfe3/SAP/cloud-sdk-python/issues/215 |
| og:image:alt | Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | Thilaknath |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| go-import | github.com/SAP/cloud-sdk-python git https://github.com/SAP/cloud-sdk-python.git |
| octolytics-dimension-user_id | 2531208 |
| octolytics-dimension-user_login | SAP |
| octolytics-dimension-repository_id | 1187276298 |
| octolytics-dimension-repository_nwo | SAP/cloud-sdk-python |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1187276298 |
| octolytics-dimension-repository_network_root_nwo | SAP/cloud-sdk-python |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 4b249b445842943ed31549e027f57a8ade9881ed |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width