Getting started with ReguNav

This is the end-to-end quickstart. By the end you will have a Sandbox tenant, an API key, the TypeScript SDK installed, a registered AI system, three activated frameworks, an evidence document attached, and your first FRIA report generated. Total time: ~12 minutes. Sandbox is free forever; no credit card required.

Prerequisites

  • A modern browser (Chrome, Firefox, Safari, Edge — last 2 versions).
  • Node.js 20+ (for the TypeScript SDK) or Python 3.10+ (for the Python SDK) or any HTTP client (for raw curl).
  • A work email (personal email is fine for Sandbox; enterprise verification required for Growth/Enterprise tiers).

1. Create your account

Go to app.regunav.com/sign-up and sign up with email or SSO (Google, Microsoft, or Apple). On first login we provision a Sandbox tenant automatically — its tenant ID appears in the URL bar and on every API response. Save it; you will need it occasionally.

New tenants get three pre-activated frameworks (EU AI Act, ISO/IEC 42001, GDPR) and a single workspace called default. You can rename the workspace, add more, or invite team members from /settings/team at any time.

2. Generate an API key

Open /settings/api-keys and click Create key. Pick a name (e.g. local-dev), select a scope (Sandbox tier supports read, write, and admin scopes), and click Generate. The key is shown once in plaintext — copy it immediately. ReguNav never stores the plaintext; only an HMAC-SHA256 hash is persisted.

Export it to your shell so the rest of this guide works as-is:

export REGUNAV_API_KEY="rn_sk_live_..."
export REGUNAV_TENANT_ID="ten_..."

3. Install an SDK (optional but recommended)

You can call the API with raw HTTP — but the SDKs handle pagination, retries, idempotency keys, and types for you.

TypeScript / JavaScript

pnpm add @regunav/sdk
# or: npm i @regunav/sdk
# or: yarn add @regunav/sdk
import { ReguNav } from "@regunav/sdk";

const rn = new ReguNav({
  apiKey: process.env.REGUNAV_API_KEY!,
  // baseUrl defaults to https://api.regunav.com
});

Python

pip install regunav

from regunav import ReguNav
rn = ReguNav(api_key=os.environ["REGUNAV_API_KEY"])

Raw curl (no SDK)

curl https://api.regunav.com/v1/health \
  -H "Authorization: Bearer $REGUNAV_API_KEY"

Expected response: {"status":"ok","service":"regunav-api","ts":"2026-..."}. If you see 401 unauthorized, double-check the key prefix matches your tenant tier (rn_sk_live_ for production, rn_sk_test_ for Sandbox).

4. Activate frameworks

Sandbox tenants get three frameworks activated by default. Activate more with one call. The Sandbox quota is 5 active frameworks; Growth raises this to 10; Enterprise is unlimited.

// TypeScript SDK
await rn.frameworks.activate({ id: "iso-27001" });
await rn.frameworks.activate({ id: "soc2" });

// curl
curl -X POST https://api.regunav.com/v1/frameworks/iso-27001/activate \
  -H "Authorization: Bearer $REGUNAV_API_KEY"

List your active frameworks:

const active = await rn.frameworks.list({ status: "active" });
console.log(active.data.map(f => f.id));
// → ["eu-ai-act","iso-42001","gdpr","iso-27001","soc2"]

5. Register your first AI system

Every AI system you operate (build, deploy, integrate) is a first-class resource in ReguNav. Registering one triggers an automatic deterministic risk classification against EU AI Act Annex III, GDPR Art. 22 automated decision-making, and ISO 42001 §6.1.4.

const system = await rn.aiSystems.create({
  name: "Loan-approval classifier",
  description: "Gradient-boosted model that scores consumer loan applications.",
  intendedUse: "Pre-approval scoring for retail banking customers in EU/UK.",
  inputs: ["credit_history", "employment_status", "transaction_features"],
  outputs: ["approval_score", "decline_reason_code"],
  domain: "financial_services",
  deploymentRegion: ["EU", "UK"],
  modality: "tabular",
  developerType: "deployer", // provider | deployer | distributor | importer
  riskLevel: null, // let the classifier decide
});

console.log(system.id);          // "ais_01H..."
console.log(system.classification);
// {
//   euAiAct: "high-risk",            // Annex III §5(b)
//   gdprArt22: "in-scope",
//   iso42001Risk: "high",
//   friaRequired: true,
//   conformityRoute: "internal-control-with-notified-body-on-quality-system"
// }

The classification is deterministic and replayable: the same inputs always produce the same outputs, and we record the model version + decision tree path in the audit trail. You can replay any classification with rn.aiSystems.replay(systemId, { classificationId }).

6. Upload your first evidence document

Evidence is anything an auditor would accept as proof a control is operating: policies, procedure docs, screenshots, audit logs, training records, attestations, vendor SOC2 reports, pentest letters.

// Upload from a buffer (TS)
const file = await fs.readFile("./policies/data-governance-policy.pdf");
const ev = await rn.evidence.upload({
  file,
  filename: "data-governance-policy.pdf",
  contentType: "application/pdf",
  tags: ["policy", "data-governance", "annual-review-2026"],
  systemIds: [system.id],
});

// The Evidence Compiler agent runs automatically and proposes mappings
console.log(ev.proposedMappings);
// [
//   { framework: "eu-ai-act",  controlId: "art-10-data-governance", confidence: 0.94 },
//   { framework: "iso-42001",  controlId: "7.4-communication",       confidence: 0.81 },
//   { framework: "iso-27001",  controlId: "A.5.34",                  confidence: 0.88 },
//   { framework: "gdpr",       controlId: "art-25-by-design",        confidence: 0.79 },
//   { framework: "soc2",       controlId: "CC1.4",                   confidence: 0.82 }
// ]

Accept all proposed mappings (or curate manually) with rn.evidence.acceptMappings(ev.id). You just covered five controls across five frameworks with a single document — that is the map-once principle at work.

7. Run your first FRIA (Fundamental Rights Impact Assessment)

EU AI Act Article 27 requires a FRIA for every high-risk system before first use. The FRIA agent walks you through 24 sections (deployment context, affected fundamental rights, mitigation measures, residual risk) using your registered system data and uploaded evidence as ground truth.

const fria = await rn.fria.create({
  systemId: system.id,
  deploymentContext: "Production loan-pre-approval at retail bank branches in 12 EU member states.",
  affectedPopulations: ["consumer credit applicants", "vulnerable adults"],
  consultations: [
    { type: "DPO",                date: "2026-04-15" },
    { type: "AI ethics committee", date: "2026-04-18" },
  ],
});

// FRIA generation is async — ~30s on Sandbox, sub-10s on Growth
const status = await rn.fria.poll(fria.id);
// {
//   id: "fri_01H...",
//   status: "ready",
//   reportUrl: "https://api.regunav.com/v1/reports/fri_01H.../download",
//   sections: 24,
//   residualRiskScore: 0.31,
//   mitigationActions: [/* ... */],
//   reviewerSignatureRequired: true
// }

8. Generate your first auditor pack

Report packs bundle every artefact (active framework dictionaries, registered systems, accepted evidence mappings, FRIA reports, attestations, audit trail) into a single signed ZIP suitable for handing to an external auditor or notified body.

const pack = await rn.reports.generate({
  type: "audit-pack",
  scope: {
    frameworks: ["eu-ai-act", "iso-42001", "gdpr"],
    systemIds: [system.id],
    timeRange: { from: "2026-01-01T00:00:00Z", to: "2026-04-30T23:59:59Z" },
  },
  format: "pdf+zip",
  includeAuditTrail: true,
});

console.log(pack.downloadUrl); // signed URL, valid 24 hours

Next steps

Stuck?

Email support@regunav.com, ask in the our community forum, or check the status page for any ongoing incidents.