Regulated AI Compliance

Overview Schema Related Servers Score Discussions

lookup_control

Identify security/compliance controls by regulation, category, surface, or sector. Get control details, tooling options, and evidence expectations for auditors.

Instructions

Look up which security/compliance controls apply for a given regulation, control category, enforcement surface, and/or sector.

Each result includes: the named control, the regulations that mandate it, the tooling options that implement it (categorised as managed/oss/commercial/standard), the evidence shape an auditor would expect, sector relevance, and a practitioner note.

Sourced from the curated dataset at hellouchit.com/dataset/ (CC BY 4.0). Covers EU AI Act, NIST AI RMF, ISO/IEC 42001, APRA CPS 234/230, AU AI Safety Standard, ASD Essential Eight, IRAP, SLSA, NIST SSDF, OWASP LLM Top 10, MITRE ATLAS, BCBS 239, PCI DSS 4.0, HIPAA, GDPR, EU DORA, EU NIS2, CISA SSA, FDA SaMD, IEC 62443, and more.

Use this tool whenever you need to answer 'which tool closes X regulator's requirement on Y surface' or 'what evidence does Z compliance regime expect'.

Input Schema

TableJSON Schema

Name	Required	Description
`regulation`	No	Regulation slug. One of: cps234, cps230, soci, ai_safety_au, privacy_au, e8, irap, eu_ai_act, dora, nis2, gdpr, circia, hipaa, fda_samd, cisa_ssa, ssdf, ai_rmf, sp80053, iso42001, iso27001, slsa, owasp_llm, atlas, bcbs239, pci, iec62443, iso13485, iec62304
`surface`	No	Enforcement surface keyword (case-insensitive substring match). Examples: 'Cloud', 'CI/CD', 'K8s', 'Network', 'Runtime', 'Source'
`category`	No	Control category. Examples: 'Identity & access', 'Supply chain & provenance', 'AI evals & guardrails', 'Data governance', 'Cryptography & secrets', 'Resilience & continuity'
`sector`	No	Sector filter. One of: banks, government, healthcare, critical-infrastructure, all
`search`	No	Free-text search over control names + notes + evidence shape
`limit`	No	Maximum number of matches to return (default 10)

Tool Definition Quality

A4.3/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description bears the full burden. It discloses result contents (control, regulations, tooling, evidence shape, sector relevance, practitioner note) and data source (hellouchit.com, CC BY 4.0). It does not mention any non-obvious behaviors like rate limits or permissions, but as a read-only lookup, this is acceptable.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is moderately long but well-structured: first sentence states purpose, followed by result details, source, and usage examples. It is front-loaded with the key action. Minor redundancy (listing regulations again at the end) could be trimmed, but overall effective.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given 6 parameters, no required fields, and no output schema, the description adequately explains the return format ('Each result includes...') and the scope of data (list of regulations). It is sufficient for an agent to understand what the tool returns and when to use it.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so the schema already describes parameters. The description adds value by giving concrete examples for 'surface' and 'category' and explaining the 'search' field semantics (free-text over control names, notes, evidence shape). This extra context justifies a score above baseline 3.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description starts with a specific verb ('Look up') and resource ('security/compliance controls'), listing the dimensions (regulation, category, surface, sector). It clearly distinguishes this lookup tool from siblings like classify_use_case or walk_playbook.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly states when to use the tool with example queries ('which tool closes X regulator's requirement on Y surface'). It does not explicitly state when not to use, but the examples and sibling names provide sufficient context.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/uchit/mcp-regulated-ai-compliance'

If you have feedback or need assistance with the MCP directory API, please join our Discord server