Quick start
Fetch a policy by ID:policy text and exemplars from the response in your governance agent’s evaluation prompt. The exemplars calibrate the agent’s interpretation of the policy — include them as few-shot examples.
Why a shared registry
Advertising compliance involves the same regulations and standards across many campaigns, brands, and governance agents. Without a shared registry, every governance agent would independently define policies for COPPA, GDPR, HFSS, and other well-known regulations — creating inconsistency and duplication. The registry solves this by providing:- Standardized policy definitions with structured metadata (jurisdiction, policy category, enforcement level)
- Natural language policy text that governance agents (LLMs) use directly for evaluation
- Calibration exemplars (pass/fail scenarios) that align agent behavior
- Version tracking so brands can pin to specific policy versions
Policy categories
Policies fall into two categories based on the nature of the obligation:
Enforcement levels follow RFC 2119 keywords:
must— Legal requirement. Governance agents reject violations.should— Best practice. Governance agents warn but do not block.may— Recommendation. Governance agents log for informational purposes only.
How governance agents use policies
Governance agents are LLMs that interpret natural language policy text — the same pattern used by Content Standards. The registry’s value is in structured metadata and calibration exemplars, not a custom rule language.- Resolve applicable policies from the brand’s compliance configuration or buyer request
- Bulk-resolve from the registry via
POST /api/policies/resolve/bulk - Filter by context — intersect policy jurisdictions/policy categories/channels with campaign parameters
- Include policy text + exemplars in the evaluation prompt
- Apply enforcement level —
mustviolations result in rejection,shouldviolations result in warnings
Policy structure
Each policy in the registry follows the policy-entry schema:Temporal enforcement
Policies have optionaleffective_date and sunset_date fields. Governance agents use these dates to determine enforcement behavior automatically:
This means brands can reference upcoming regulations before they take effect. The governance agent evaluates them and reports what would have been flagged, without blocking campaigns. Once the effective date passes, enforcement activates automatically — no configuration change needed.
For example, the EU AI Act Article 50 has
effective_date: "2026-08-02". A brand referencing this policy before August 2026 sees informational findings about AI disclosure compliance. After August 2026, violations are rejected.
For the operational pattern — how to pin a policy version, what happens when a registry policy version-bumps mid-campaign, how to use effective_date for staged adoption, the additive-only rule for inline custom_policies, and a working-group FAQ — see Sync and versioning.
Three tiers of policy application
Brand compliance configuration
Brands reference registry policies through their compliance configuration. See the Campaign Governance specification for the conceptual model.Integration across governance domains
The registry is a shared resource consumed by all governance domains:Governance domains
Each policy declares which governance sub-domains it applies to viagovernance_domains. This determines which types of governance agents can evaluate and declare the policy as a feature.
For example,
eu_ai_act_article_50 has governance_domains: ["creative", "content_standards"] because it’s about AI-generated content disclosure — relevant to creative evaluation and content standards, but not to property or campaign-level governance.
Filter by domain via the API: GET /api/policies/registry?domain=creative
The registry: prefix
Governance agents declare standardized capabilities using registry: prefixed feature IDs. This creates a shared vocabulary so buyers searching for “EU AI Act compliance” find agents using the same terminology.
Convention: registry:{policy_id} maps a feature ID to a registry policy. Unprefixed feature IDs are agent-defined.
The
registry: convention is the delegated form of policy reference — buyer asks the seller’s governance agent to evaluate the policy as a binary feature. The complementary attribution pattern, where producers tag mechanism-level filters and measurements with policy_id to record buyer-chosen thresholds and motivated evaluations, lives at Policy Attribution.governance_domains field on the policy validates that the agent type is appropriate for the policy.
Buyer-seller transparency
Buyers list enforced policies in media buy requests. Sellers declare which policies they already enforce on their products. Buyer requests policies:API
The registry is served via the AgenticAdvertising.org API:
Registry-sourced policies (authoritative) cannot be edited via the community save endpoint. Community-contributed policies go through a review process.
Mandatory human review
Policies and policy categories can declarerequires_human_review: true to flag regulatory regimes that prohibit solely automated decisions — most notably GDPR Article 22 and EU AI Act Annex III. When a plan resolves any policy or category with this flag, the governance agent MUST set plan.human_review_required = true and MUST escalate every action for human review before execution.
Seeded categories carrying requires_human_review: true:
fair_housing— US FHA, Annex III-equivalent housing decisionsfair_lending— US ECOA, Annex III §5(b) creditworthinessfair_employment— US Title VII, ADEA, Annex III §1(b) recruitmentpharmaceutical_advertising— FDA DTC, EU prescription ad bans
reallocation_threshold (budget reallocation) and human_review_required (decisions affecting individuals).
Seeded policies
The registry ships with 14 seeded policies covering common advertising regulations and standards:Regulations
Standards
Common Sense Brand Standards (CSBS) is a content adjacency standard governed by AgenticAdvertising.org. It defines content categories where advertising placement poses brand-reputation risk, applicable across industries and channels. CSBS originated at Scope3 and was contributed to AAO in 2026; formalization of the IP donation instrument is tracked in #2314. Until the formal donation record is complete, CSBS ships as a seeded policy under AAO custodianship rather than under a signed assignment.
Policy category definitions
The registry defines policy categories — regulatory regime groupings that determine which sets of policies apply to a campaign. Categories are referenced by ID in campaign plans viapolicy_categories.
Each category definition includes:
Seeded categories
The
restricted_attributes on a category are authoritative — when a plan declares a policy category, those attributes are automatically restricted for the campaign regardless of whether the plan also declares them in restricted_attributes.
Restricted attribute definitions
The registry defines restricted attribute categories — types of personal data that regulations restrict for ad targeting. These map to GDPR Article 9 special categories and are used across plans, signal definitions, and policy categories. Each attribute definition includes:Seeded attributes
Data providers can reference these definitions when declaring
restricted_attributes on their signal definitions. See Declaring governance metadata. Governance agents match signal-declared attributes against plan-level restricted_attributes during check_governance validation — signals with matching restricted attributes are blocked from targeting for that campaign.
Contributing policies
Community members can contribute new policies via the API or admin interface. Contributed policies:- Must include
policy_id,version,name,category,enforcement, andpolicytext - Are created with
source_type: communityandreview_status: pending - Go through review before becoming available in the registry
- Cannot overwrite registry-sourced (authoritative) policies