PEC (Protocol-Embedded Compliance) is an academic proposal to extend Model Context Protocol (MCP) with compliance metadata, so AI agents can make compliance-aware tool selections.
The problem:
When an AI agent discovers tools via MCP, it has no standard way to know where that tool processes data, what certifications it holds, or what use restrictions apply. Each deployer has to figure this out manually.
The proposal:
A JSON schema extension where MCP servers declare processing locations (e.g., "EU-only", specific countries), certifications (HIPAA, PCI-DSS, ISO 27001, etc.), and use restrictions. This lets compliance-aware orchestrators filter tools before invocation.
Current status:
Draft paper targeting Q1 2026 publication. Draft schema available at https://usepec.eu. No adoption yet — seeking feedback from the MCP ecosystem.
What it's not:
This doesn't guarantee compliance or replace legal review. It standardises how tools declare compliance characteristics. The bet is that protocol-level standardisation is worth the coordination cost.
Happy to discuss the technical approach, alternative designs, or why this might be a terrible idea.