Janus Compliance

AI governance for the agent era

When you deploy AI that acts (agents that book, pay, decide, and touch customer data), your board and your counsel ask one question: who is accountable, and is this defensible? That is the question answered here.

By Michael K. Onyekwere, CIPP/E, a common law qualified lawyer with 10+ years across Royal Bank of Scotland, Fidelity, TMF Group, and UnitedHealth. Author of the AI Agent Incident Register.

Free download

Get the AI API Compliance Checklist

OpenAI / Anthropic DPA setup, zero-retention config, and the documentation a procurement or DPIA review will ask for. Worked example included.

Built for engineers implementing AI and the founders or compliance leads responsible for signing it off.

  • DPA setup steps for OpenAI and Anthropic API accounts
  • Zero-retention configuration: when it applies, what it changes, how to evidence it
  • Retention and logging questions to answer before launch
  • Audit documentation pack a procurement reviewer will accept

The practice

What I do

Governance for AI and AI agents, written by someone who reads the law and runs the systems.

Agent & AI governance reviews

A written assessment of an AI or agent deployment: the data flows, the tool boundaries, the decision points, the liability across the chain, and the documentation a regulator or a buyer will ask for.

DPIAs & EU AI Act readiness

Data Protection Impact Assessments for AI and agentic systems, risk classification under the AI Act, Article 50 transparency, and the conformity work for anything high-risk.

Fractional DPO

Ongoing Data Protection Officer coverage for organisations deploying AI: the standing governance, the records, and the accountability model that agent adoption now demands.

Build, with the governance included

Need the system built too?

We also build compliant AI systems: chatbots, workflow automation, and document processing, each shipped with the DPIA, the AI Act classification, and the documentation a review will ask for. The build and the compliance work come from one team.

Credentials

  • CIPP/E: Certified
  • 10+ Years: Financial Services
  • LLB · LLM: Common Law Qualified
  • RBS · Fidelity: Previous Roles

Sample Deliverables

See the work before you buy

Blog posts explain the ideas. These sample deliverables show what the work product actually looks like.

Most useful for GDPR + AI buyers

Sample DPIA structure for an AI chatbot

A redacted outline showing the sections, risk analysis, and controls we include in a real AI-system DPIA.

Quick proof of practical drafting

Sample privacy notice update

A before-and-after example showing how a privacy notice changes once an AI system is introduced.

Useful before hiring any AI vendor

AI vendor due diligence checklist

A practical checklist covering DPAs, retention, subprocessors, transfers, security, and exit risk.

Start with the scoping review.

A written review of your AI or agent deployment: the risk, the documentation gap, and what the full work should cost. One week, fixed price.

Insights

Latest articles

GDPR

Is the Gemini API GDPR Compliant? It Depends Which Gemini You Use (2026)

Google's Gemini has two front doors with very different data terms, and the GDPR answer turns on which one you use. The free Google AI Studio tier trains on your data and humans may read it. The paid Gemini API and Vertex AI do not train on your data, and Vertex AI gives you the Cloud Data Processing Addendum, EU data residency, and retention controls. Here is how to tell them apart and configure the compliant path: the DPA, residency, data minimisation, the DPIA, transfers, and where the EU AI Act lands.

9 min read

Employment Law

Unfair Dismissal When AI Influenced the Decision (UK, 2026): What Your Rights Actually Are

A growing number of UK dismissals are shaped by AI: productivity scores, monitoring analytics, automated performance flags. Your protections when that happens: the fairness test that still applies, the automated-decision safeguards in force since February 2026, the discrimination route that needs no qualifying period, and exactly what you can demand to see. Plus the unfair-dismissal reforms landing on 1 January 2027.

6 min read

GDPR

Is the Claude API GDPR Compliant? The 2026 Setup, Step by Step

Yes, the Claude (Anthropic) API can be run GDPR compliant, and the defaults start in a stronger place than most. The DPA is built into the Commercial Terms, API data is not used for training, and retention defaults to seven days. Here is exactly what to check and configure: the DPA, retention and zero-data-retention, data minimisation, the DPIA, international transfers, the Microsoft Copilot caveat, and where the EU AI Act lands.

10 min read

Questions

What does Michael K. Onyekwere do?

Practitioner-grade AI governance. DPIAs and EU AI Act readiness for AI and agent deployments, automated-decision compliance under the UK and EU rules, and fractional Data Protection Officer services. He also authors the AI Agent Incident Register, the public legal analysis of how AI agents fail and who is liable when they do.

Do I need EU AI Act compliance?

If you deploy AI in the EU or UK, probably. The Article 50 transparency obligations apply from 2 August 2026. The high-risk obligations moved to 2 December 2027 under the May 2026 Omnibus agreement. Most customer-facing AI needs at least a risk classification and transparency disclosures, and agent deployments need a governance and accountability model on top.

What makes this different from other AI compliance advisers?

Most advisers have never run the systems they govern. Michael is a common law qualified lawyer and CIPP/E who operates real AI systems and publishes the legal analysis behind the advice. You get the law and the engineering reality from one person, not a policy template.

What regions do you work in?

United Kingdom and Ireland primarily. Michael also advises on NDPA compliance for businesses operating in Nigeria.

Ready when you are.

Start with a written scoping review. Reply within 48 hours.

Book the £500 scoping review