Agent-Agnostic Compliance:
How Three AI Models Interpret Identical Regulatory Data via MCP
Published: March 2026
01 Executive Summary
When agents are asked to evaluate regulatory compliance, does the quality of their analysis depend on the model, or on the data they receive?
This study demonstrates that “Agent-Agnostic Compliance” — the ability for disparate AI models to arrive at identical regulatory conclusions — is driven by the MCP data layer. All three agents independently identified identical critical GDPR gaps regardless of reporting style differences.
02 Background & Context
A compliance process that produces different results depending on which AI model happens to be in use is not a process; it is a lottery. In regulated industries, auditors require evidence that compliance controls are systematic and reproducible.
RuleMesh uses MCP to expose regulatory data — GDPR requirements decomposed into IT-actionable checklist items. The hypothesis: if the data layer is structured and consistent, the compliance output remains consistent regardless of which model consumes it.
03 Experiment Design
Test Parameters
| Parameter | Specification | Control Variable |
|---|---|---|
| Target Codebase | RuleMesh landing page (Next.js 15) | Git Commit 756a5a7 |
| Regulatory Framework | GDPR (IT Requirements) | 118 requirements / 7 bundles |
| MCP Protocol | RuleMesh MCP Server v5.1 | Standardized workflow |
| Agent | Model | Provider | Environment | Strategy |
|---|---|---|---|---|
| Agent 01 | Claude Opus 4.6 | Anthropic | Claude Code CLI | High precision and descriptive labeling |
| Agent 02 | Gemini 3 Flash | Google (via JetBrains Junie) | PyCharm Junie agent | Systematic requirements coverage |
| Agent 03 | Codex / GPT-5.4 | OpenAI (via Codex CLI) | OpenAI Codex CLI | Broad category labeling |
04 Quantitative Overview
| Metric | Claude Opus 4.6 | Gemini 3 Flash | Codex / GPT-5.4 |
|---|---|---|---|
| Signals Reported | 39 | 119 | 236 |
| Unique Signal Names | 39 | 91 | 13 |
| Specificity Ratio | 1.00 | 0.76 | 0.06 |
| Requirements Covered | 38 / 118 | 118 / 118 | 118 / 118 |
05 Findings & Discoveries
Common Findings (Consensus)
- No cookie consent banner / CMP
- No Data Protection Officer (DPO) contact published
- No data portability or export mechanism
- No age verification (required by ToS)
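An added example (not RuleMesh code or data from the study) showing how figures like those in the Quantitative Overview and a consensus set can be derived when agents label the same requirement differently. The record fields, requirement IDs and signal names are constructed, and the specificity ratio is assumed to be unique signal names divided by signals reported, which matches the three values in the table.

```python
# Constructed sample reports (not RuleMesh output). Each record is
# (requirement_id, signal_name, status); field names and IDs are hypothetical.
REPORTS = {
    "agent_a": [  # few signals, one descriptive label each
        ("REQ-COOKIE-01", "no-cmp-banner-on-landing-page", "gap"),
        ("REQ-DPO-01", "dpo-contact-missing-in-privacy-policy", "gap"),
        ("REQ-TLS-01", "hsts-header-present", "ok"),
    ],
    "agent_b": [  # full coverage, mostly distinct labels
        ("REQ-COOKIE-01", "cookie-consent-missing", "gap"),
        ("REQ-COOKIE-02", "cookie-consent-missing", "gap"),
        ("REQ-DPO-01", "dpo-contact-missing", "gap"),
        ("REQ-TLS-01", "transport-security", "ok"),
        ("REQ-EXPORT-01", "no-data-export", "gap"),
    ],
    "agent_c": [  # full coverage, broad category labels
        ("REQ-COOKIE-01", "consent", "gap"),
        ("REQ-COOKIE-02", "consent", "gap"),
        ("REQ-DPO-01", "governance", "gap"),
        ("REQ-TLS-01", "security", "ok"),
        ("REQ-EXPORT-01", "governance", "gap"),
    ],
}
TOTAL_REQUIREMENTS = 5  # size of the constructed bundle


def metrics(records, total):
    """Per-agent figures in the shape of the Quantitative Overview table."""
    names = {name for _, name, _ in records}
    covered = {req for req, _, _ in records}
    return {
        "signals": len(records),
        "unique_names": len(names),
        # Assumption: ratio = unique names / signals reported.
        "specificity": round(len(names) / len(records), 2) if records else 0.0,
        "covered": f"{len(covered)} / {total}",
    }


def compare_gaps(reports):
    """Return (consensus, partial) gap IDs, compared by requirement ID, not label."""
    per_agent = [{req for req, _, st in recs if st == "gap"} for recs in reports.values()]
    consensus = set.intersection(*per_agent)
    return consensus, set.union(*per_agent) - consensus
```

Comparing on requirement ID is what makes the result independent of reporting style; the partial set lists gaps that at least one agent did not report and that still need a reviewer's decision.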
Unique Discoveries
- Claude: lib/api/client.js, pages/settings/notifications.js
- Junie: components/LoginModal.jsx, e2e/auth-complete.spec.js
- Codex: pages/settings/security.js
Complementary Knowledge
While the MCP ensures structural consistency, model-specific general knowledge adds depth. Gemini 2.5 Pro independently cited the LG München ruling on Google Fonts, while Claude flagged the transfer risk without the specific legal reference.
“The protocol provides the baseline; the agent provides the depth.”
06 Conclusion & Implications
The experiment proves that Compliance-as-Code is driven primarily by the quality of the regulatory data infrastructure. By decoupling the “Data Truth” (RuleMesh MCP) from the “Reasoning Engine” (LLM), enterprise security teams can achieve model-agnostic results.
Running multiple agents against the same MCP data yields broader codebase coverage than any single agent alone. Organizations should invest in structured, machine-readable regulatory bundles rather than optimizing for a single AI provider.