Sovereign Compliance Overlays

git clone https://github.com/AEEF-AI/aeef-production.git

Overlays are configuration layers that add jurisdiction-specific governance requirements on top of the base AEEF production standards. They activate additional controls, data handling rules, and audit requirements mandated by regional regulations.

What Overlays Are and How They Work

An overlay is a directory of configuration files that extends the Production tier base configuration:

overlays/
  ksa/
    controls.json          # Additional controls for KSA regulations
    data-residency.json    # Data residency requirements
    semgrep-ksa.yml        # KSA-specific security rules
    ci-overrides.yml       # Additional CI pipeline stages
  uae/
    controls.json
    data-residency.json
    semgrep-uae.yml
    ci-overrides.yml
  egypt/
    controls.json
    data-residency.json
    semgrep-egypt.yml
    ci-overrides.yml
  eu/
    controls.json
    risk-classification.json
    semgrep-eu.yml
    ci-overrides.yml

Activation

Set the AEEF_OVERLAY environment variable to activate an overlay:

# In docker-compose.yml
environment:
  - AEEF_OVERLAY=ksa

# Or at runtime
export AEEF_OVERLAY=ksa

Multiple overlays can be combined for organizations operating across jurisdictions:

export AEEF_OVERLAY=ksa,eu

How Overlays Merge

Overlays use an additive merge strategy:

  1. Base AEEF controls are always active
  2. Overlay controls are added on top (they never remove base controls)
  3. Overlay-specific CI stages are appended to the base pipeline
  4. Overlay Semgrep rules are added to the scan configuration
  5. Data residency rules restrict where data can be processed and stored
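As an added illustration (not code from the aeef-production repository), the following Python applies the five merge rules above to a constructed base configuration and two constructed overlays selected via AEEF_OVERLAY. The base control ids, the file names used as Semgrep rule sets, and the "allowed_regions" representation of data residency are assumptions; the page does not document the on-disk schema of data-residency.json.

```python
import os
from typing import Dict, List, Optional

# Constructed stand-ins for the base configuration and two overlay directories
# (overlays/ksa, overlays/eu); controls are referenced by id. The residency
# shape ("allowed_regions") and the base ids are assumptions, not from the page.
BASE = {
    "controls": ["AEEF-PROV-001", "AEEF-SBOM-001"],
    "ci_stages": ["lint", "test", "provenance"],
    "semgrep_rules": ["base-rules.yml"],
    "allowed_regions": ["ksa", "uae", "egypt", "eu", "us"],
}
OVERLAYS = {
    "ksa": {
        "controls": ["KSA-DATA-001", "KSA-CONSENT-001", "KSA-AUDIT-001", "KSA-ETHICS-001"],
        "ci_stages": ["consent-check"],
        "semgrep_rules": ["semgrep-ksa.yml"],
        "allowed_regions": ["ksa"],
    },
    "eu": {
        "controls": ["EU-RISK-001", "EU-CONFORM-001", "EU-DPIA-001"],
        "ci_stages": ["conformity-check"],
        "semgrep_rules": ["semgrep-eu.yml"],
        "allowed_regions": ["eu", "ksa"],
    },
}

def active_overlays(value: Optional[str] = None) -> List[str]:
    """Parse AEEF_OVERLAY (comma-separated, e.g. 'ksa,eu'); unknown names fail closed."""
    value = os.environ.get("AEEF_OVERLAY", "") if value is None else value
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in OVERLAYS]
    if unknown:
        raise ValueError(f"unknown overlay(s): {unknown}")
    return names

def merge(base: Dict, overlay_names: List[str]) -> Dict:
    """Additive merge: base controls stay, overlays append, residency only narrows."""
    merged = {k: list(v) for k, v in base.items()}  # never mutate the base config
    for name in overlay_names:
        ov = OVERLAYS[name]
        clash = set(ov["controls"]) & set(merged["controls"])
        if clash:  # an overlay may add controls but never redefine or remove one
            raise ValueError(f"{name} redefines existing control(s): {sorted(clash)}")
        merged["controls"] += ov["controls"]
        merged["ci_stages"] += ov["ci_stages"]          # appended after base stages
        merged["semgrep_rules"] += ov["semgrep_rules"]  # added to the scan config
        # residency is restrictive: keep only regions every active overlay allows
        merged["allowed_regions"] = [r for r in merged["allowed_regions"] if r in ov["allowed_regions"]]
    return merged
```

Calling `merge(BASE, active_overlays())` resolves the effective configuration from the environment; combining `ksa,eu` yields the base stages followed by `consent-check` and `conformity-check`, and narrows the allowed regions to the intersection of both overlays.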

KSA Overlay

The KSA overlay enforces compliance with Saudi Arabian regulations. For full regulatory details, see the KSA Regulatory Profile.

Regulations Covered

Regulation      | Authority | Key Requirements
PDPL            | SDAIA     | Personal data protection, consent management, cross-border transfer restrictions
NCA ECC         | NCA       | Essential Cybersecurity Controls for critical infrastructure
SAMA CSF        | SAMA      | Cybersecurity Framework for financial institutions
SDAIA AI Ethics | SDAIA     | AI ethics principles, transparency, accountability

Controls Added

{
  "overlay": "ksa",
  "controls": [
    {
      "id": "KSA-DATA-001",
      "title": "Data Residency",
      "requirement": "Personal data of KSA residents MUST be processed within KSA borders or in approved jurisdictions",
      "enforcement": "data-residency.json"
    },
    {
      "id": "KSA-CONSENT-001",
      "title": "Consent Management",
      "requirement": "AI systems processing personal data MUST obtain explicit consent with Arabic language support",
      "enforcement": "ci-overrides.yml (consent-check stage)"
    },
    {
      "id": "KSA-AUDIT-001",
      "title": "Audit Trail",
      "requirement": "All AI-assisted code changes MUST maintain a tamper-evident audit trail retained for 5 years",
      "enforcement": "provenance record retention policy"
    },
    {
      "id": "KSA-ETHICS-001",
      "title": "AI Ethics Assessment",
      "requirement": "AI agents MUST undergo ethics assessment per SDAIA guidelines before production deployment",
      "enforcement": "agent contract validation"
    }
  ]
}

UAE Overlay

The UAE overlay enforces compliance with United Arab Emirates regulations. For full details, see the UAE AI Governance Profile.

Regulations Covered

Regulation  | Authority      | Key Requirements
Federal DPL | UAE Government | Federal data protection, processing requirements
ADGM DPR    | ADGM           | Abu Dhabi financial free zone data protection
DIFC DPL    | DIFC           | Dubai financial free zone data protection

Controls Added

{
  "overlay": "uae",
  "controls": [
    {
      "id": "UAE-DATA-001",
      "title": "Data Processing Registration",
      "requirement": "AI data processing activities MUST be registered with the relevant authority",
      "enforcement": "data-residency.json"
    },
    {
      "id": "UAE-TRANS-001",
      "title": "Transparency",
      "requirement": "AI-generated outputs MUST be clearly labeled when presented to end users",
      "enforcement": "ci-overrides.yml (transparency-check stage)"
    },
    {
      "id": "UAE-ZONE-001",
      "title": "Free Zone Compliance",
      "requirement": "ADGM and DIFC operations MUST comply with zone-specific data protection regulations",
      "enforcement": "zone-specific data routing configuration"
    }
  ]
}

Egypt Overlay

The Egypt overlay enforces compliance with Egyptian data protection requirements. For full details, see the Egypt PDPL Profile.

Regulations Covered

Regulation | Authority | Key Requirements
Egypt PDPL | DPA       | Personal data protection, cross-border transfer controls

Controls Added

{
  "overlay": "egypt",
  "controls": [
    {
      "id": "EGY-DATA-001",
      "title": "Data Protection",
      "requirement": "Personal data processing MUST comply with Egypt PDPL consent and lawful basis requirements",
      "enforcement": "data-residency.json"
    },
    {
      "id": "EGY-TRANSFER-001",
      "title": "Cross-Border Transfer",
      "requirement": "Personal data transfers outside Egypt MUST have DPA authorization or adequate safeguards",
      "enforcement": "ci-overrides.yml (transfer-check stage)"
    }
  ]
}

EU AI Act Overlay

The EU overlay enforces compliance with the EU AI Act and GDPR requirements. For full details, see the EU AI Act Profile.

Regulations Covered

Regulation | Authority           | Key Requirements
EU AI Act  | European Commission | Risk classification, conformity assessment, transparency
GDPR       | DPAs                | Data protection, DPIA, automated decision-making

Controls Added

{
  "overlay": "eu",
  "controls": [
    {
      "id": "EU-RISK-001",
      "title": "Risk Classification",
      "requirement": "AI systems MUST be classified by risk level (minimal, limited, high, unacceptable)",
      "enforcement": "risk-classification.json"
    },
    {
      "id": "EU-CONFORM-001",
      "title": "Conformity Assessment",
      "requirement": "High-risk AI systems MUST undergo conformity assessment before deployment",
      "enforcement": "ci-overrides.yml (conformity-check stage)"
    },
    {
      "id": "EU-DPIA-001",
      "title": "Data Protection Impact Assessment",
      "requirement": "AI systems processing personal data MUST have a completed DPIA",
      "enforcement": "dpia-template validation"
    }
  ]
}

How to Add a Custom Overlay

To create an overlay for a jurisdiction not covered by the default set:

  1. Create the overlay directory:

     mkdir -p overlays/my-jurisdiction/

  2. Define controls in controls.json following the schema:

     {
       "overlay": "my-jurisdiction",
       "version": "1.0.0",
       "authority": "Regulatory Authority Name",
       "controls": [
         {
           "id": "MJ-001",
           "title": "Control Title",
           "requirement": "Description of the requirement",
           "enforcement": "file-or-stage-that-enforces-it"
         }
       ]
     }

  3. Add Semgrep rules for jurisdiction-specific code patterns in semgrep-my-jurisdiction.yml.

  4. Define CI overrides in ci-overrides.yml for additional pipeline stages.

  5. Configure data residency rules in data-residency.json.

  6. Test the overlay by setting AEEF_OVERLAY=my-jurisdiction and running the full CI pipeline.
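Before step 6, a custom overlay directory can be checked against the schema from step 2 and the file layout from steps 3 to 5. The following Python validator is an added example, not tooling from the aeef-production repository; the control id pattern (PREFIX-NAME-NNN, as in KSA-DATA-001 or MJ-001) and MAJOR.MINOR.PATCH version format are conventions inferred from the page rather than rules it states, and the set of base control ids passed in is assumed to come from the caller.

```python
import json
import re
from pathlib import Path
from typing import List, Set

# Required keys come from the controls.json schema in step 2. The id pattern
# (PREFIX-NAME-NNN, as in KSA-DATA-001) and MAJOR.MINOR.PATCH versions are
# assumed conventions inferred from the page, not rules it states.
TOP_KEYS = {"overlay", "version", "authority", "controls"}
CONTROL_KEYS = {"id", "title", "requirement", "enforcement"}
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
ID_RE = re.compile(r"^[A-Z]+(-[A-Z]+)*-\d{3}$")

def validate_controls(doc: dict, dir_name: str, base_ids: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means controls.json is acceptable."""
    missing = TOP_KEYS - doc.keys()
    if missing:
        return [f"missing top-level keys: {sorted(missing)}"]
    problems = []
    if doc["overlay"] != dir_name:  # AEEF_OVERLAY=<name> must resolve to overlays/<name>/
        problems.append(f"'overlay' is {doc['overlay']!r} but directory is {dir_name!r}")
    if not VERSION_RE.match(str(doc["version"])):
        problems.append(f"version {doc['version']!r} is not MAJOR.MINOR.PATCH")
    if not isinstance(doc["controls"], list) or not doc["controls"]:
        return problems + ["'controls' must be a non-empty list"]
    seen: Set[str] = set()
    for i, ctrl in enumerate(doc["controls"]):
        absent = CONTROL_KEYS - ctrl.keys()
        if absent:
            problems.append(f"controls[{i}] missing {sorted(absent)}")
            continue
        cid = ctrl["id"]
        if not ID_RE.match(cid):
            problems.append(f"controls[{i}] id {cid!r} does not match PREFIX-NAME-NNN")
        if cid in seen or cid in base_ids:  # overlays add controls, never redefine one
            problems.append(f"controls[{i}] id {cid!r} duplicates a base or earlier control")
        seen.add(cid)
        for key in ("title", "requirement", "enforcement"):
            if not str(ctrl[key]).strip():
                problems.append(f"controls[{i}] has an empty {key!r}")
    return problems

def validate_overlay_dir(path: Path, base_ids: Set[str]) -> List[str]:
    """Check overlays/<name>/ for the files steps 2-5 require, then its controls.json."""
    expected = ("controls.json", f"semgrep-{path.name}.yml", "ci-overrides.yml", "data-residency.json")
    problems = [f"missing {f}" for f in expected if not (path / f).is_file()]
    if (path / "controls.json").is_file():
        problems += validate_controls(json.loads((path / "controls.json").read_text()), path.name, base_ids)
    return problems
```

Running `validate_overlay_dir(Path("overlays/my-jurisdiction"), base_ids)` in CI before the overlay is activated turns a malformed overlay into a failed pipeline stage rather than a silently missing control.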
