Building a Compliance Agent Swarm: Architecture Guide

A single AI agent can answer questions. A swarm of coordinated agents can run your compliance department. The difference is not just scale; it is architecture. Building a compliance agent swarm that handles CSRD, ETS, CBAM, and EU AI Act requirements simultaneously requires careful design of agent roles, communication patterns, and governance layers.

This guide presents the architecture patterns we use at DWS IQ to orchestrate compliance agent swarms for Nordic manufacturers operating across multiple EU regulatory frameworks.

Why Swarms, Not Single Agents

EU compliance in 2026 is not one problem. It is at least five distinct regulatory domains (CSRD/ESRS, EU ETS, CBAM, EU AI Act^[1], GDPR), each with its own data requirements, calculation methodologies, reporting formats, and deadlines. A single "compliance agent" attempting to handle all of these would need expertise in sustainability accounting, carbon market mechanics, customs procedures, AI governance, and data protection law simultaneously.

The swarm approach mirrors how human compliance departments work: specialized teams coordinated by management. Each agent in the swarm has deep expertise in one domain, and an orchestrator agent coordinates their work, resolves conflicts, and assembles the final outputs.

Core Architecture: The Four-Layer Model

Layer 1: Data Agents

Data agents handle the interface between the swarm and external data sources. Each data agent specializes in one source system: the ERP data agent extracts financial and operational data, the energy data agent reads smart meter and SCADA outputs, the HR data agent pulls workforce statistics, and the supply chain data agent queries supplier portals and logistics systems.

Data agents use the Model Context Protocol (MCP)^[5] to connect to source systems, providing a standardized interface regardless of the underlying technology. This means the same compliance swarm architecture works whether your ERP is SAP, IFS, Monitor, or Visma.

Layer 2: Domain Agents

Domain agents are the compliance specialists. Each understands one regulatory framework deeply:

CSRD Agent: Understands all 12 ESRS topical standards (E1-E5, S1-S4, G1) plus the cross-cutting standards (ESRS 1 and 2)^[2]. It maps raw data to disclosure requirements, performs double materiality scoring, and generates ESRS-compliant narrative and quantitative disclosures.

ETS Agent: Tracks emission allowances, calculates benchmark comparisons, monitors free allocation phase-down, and prepares annual emissions verification reports. It models carbon cost scenarios under different EUA price trajectories.

CBAM Agent: Calculates embedded emissions for imported goods, manages supplier emissions data collection, prepares quarterly CBAM declarations, and tracks CBAM certificate purchases and surrenders.

AI Governance Agent: Monitors the swarm itself for EU AI Act compliance. It logs all agent decisions (Article 12)^[3], enforces human oversight checkpoints (Article 14)^[4], generates transparency reports (Article 13), and maintains the risk classification documentation required for high-risk AI systems.

Layer 3: Orchestrator Agent

The orchestrator is the swarm's brain. It receives compliance tasks (for example, "generate Q1 2026 CSRD report"), decomposes them into sub-tasks, assigns sub-tasks to the appropriate domain and data agents, monitors execution progress, and handles failures and retries.

Critically, the orchestrator resolves cross-domain conflicts. When the ETS Agent and CSRD Agent both need the same emissions data but with different boundary definitions (installation-level for ETS, corporate-level for CSRD), the orchestrator ensures both receive correctly scoped data from the same authoritative source.

The DWS IQ orchestrator uses Temporal.io for durable workflow execution. If an agent fails mid-task (network timeout, API rate limit, or LLM context overflow), Temporal automatically retries with exponential backoff. The orchestration state survives server restarts, ensuring that a 4-hour compliance report generation does not need to restart from scratch if a component fails at hour 3.

Layer 4: Governance Layer

The governance layer sits above the orchestrator and enforces organizational policies:

Human-in-the-loop gates. Configurable checkpoints where human approval is required before the swarm proceeds. For example: the CSRD Agent generates a double materiality matrix, which must be reviewed and approved by the Chief Sustainability Officer before the report proceeds to data collection.

Audit trail. Every agent action is recorded in an immutable log: which agent, what input, what decision, what output, at what time. This creates the court-defensible audit trail required by both CSRD assurance and EU AI Act transparency requirements.

Kill switch. The governance layer can halt any agent or the entire swarm immediately. This is not a theoretical safety feature. In production, we have seen scenarios where a data agent encounters corrupted source data and begins propagating incorrect values through the swarm. The kill switch prevents a cascade of wrong compliance calculations.

Communication Patterns

Agents in the swarm communicate through two primary patterns:

Request-response (synchronous): The orchestrator asks a data agent to extract sales data for Q1 2026 and waits for the result. Used when the next step depends on the response. Implemented as MCP tool calls with timeout and retry logic.

Event-driven (asynchronous): A data agent detects that energy consumption data has been updated in the source system and publishes an event. The ETS Agent and CSRD Agent both consume this event and update their calculations independently. Implemented through a message queue (in DWS IQ, this is Supabase Realtime with PostgreSQL LISTEN/NOTIFY).

Deployment Considerations

EU data residency. The entire swarm runs within EU borders (Google Cloud europe-north1 in Finland for DWS IQ). No compliance data crosses jurisdictional boundaries. Agent LLM calls use EU-hosted model endpoints to ensure that even the AI processing respects data sovereignty.

Cost management. Each agent call to an LLM has a cost. A naive swarm architecture that allows agents to make unlimited LLM calls can generate thousands of euros in API costs for a single report. The orchestrator enforces token budgets per task, and agents are designed to use cached results and deterministic calculations wherever possible, reserving LLM calls for tasks that genuinely require reasoning.

Testing. The swarm must be testable with synthetic data. Each agent has unit tests with mocked data sources. Integration tests run the full swarm against a synthetic company dataset that exercises all regulatory domains. This ensures that changes to one agent do not break cross-domain workflows.

References

[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). OJ L, 12.7.2024. EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj.
[2] Commission Delegated Regulation (EU) 2023/2772 of 31 July 2023 supplementing Directive 2013/34/EU as regards sustainability reporting standards (ESRS). ESRS 1 (General Requirements) and ESRS 2 (General Disclosures) plus 10 topical standards E1-E5, S1-S4, G1. OJ L, 22.12.2023.
[3] Regulation (EU) 2024/1689, Article 12 — Record-keeping: providers of high-risk AI systems shall ensure automatic logging of events over the lifetime of the system.
[4] Regulation (EU) 2024/1689, Article 14 — Human oversight: high-risk AI systems shall be designed to be effectively overseen by natural persons during the period of use.
[5] Anthropic, "Model Context Protocol (MCP) Specification," 2024. Open standard for connecting AI models to external data sources and tools. modelcontextprotocol.io/specification.

Next step: See the compliance agent swarm in action. DWS IQ provides a pre-built swarm covering CSRD, ETS, CBAM, and EU AI Act compliance for Nordic manufacturers. Request a technical architecture review at dws10.com.