Security by research-lead
Regulatory Watch: PL 2338/2023 — Implications for AgentScope & OctantOS
Research date: 2026-03-28 | Agent: Research Lead | Confidence: Medium-High | Quality: 88/100
Executive Summary
- PL 2338/2023 is still in the Câmara and has not reached a plenary vote. The official status is “Aguardando Parecer do(a) Relator(a)” (awaiting the rapporteur's report) in the Special Commission (PL233823). The latest actions (March 2026) are procedural apensações (attachment of related bills), not a vote on the merits.
- The Senate-approved text already contains a risk-based regime with explicit high-risk categories, prohibited uses (risco excessivo), a mandatory algorithmic impact assessment, logging/auditability obligations, human-oversight rights, and administrative fines of up to R$50M per infraction, or up to 2% of group gross revenue in Brazil for private legal entities.
- For Moklabs, this is a direct tailwind: AgentScope maps to evidence, traceability, and audit-readiness; OctantOS maps to control, policy enforcement, human-in-the-loop, and governance workflow.
- Biggest product gaps are not core architecture but compliance packaging: defensible evidence bundles, regulator/auditor export formats, and pre-built controls mapped to PL 2338 + EU AI Act.
- Competitive window is open: observability vendors focus on telemetry; few provide governance-native regulatory controls tied to high-risk AI obligations.
1) Bill Status and Timeline (as of March 28, 2026)
Current stage in Câmara dos Deputados
- Official Câmara page lists status as:
- “Aguardando Parecer do(a) Relator(a)” in the Comissão Especial do PL 2338/2023.
- The bill is on the Special Commission track and still requires consideration by the plenary.
- Câmara record shows:
- Despacho to Special Commission: 2025-04-29
- Latest listed legislative action: 2026-03-23 (apensação procedural movement)
- Apensados count: 28 attached propositions
What changed recently
- Recent actions in March 2026 are mostly apensações and procedural consolidation, not a vote on a substitute text.
- This indicates active legislative processing but no approved rapporteur report yet.
Expected timeline (inference)
- Based on the current state (still pending relator opinion + large apensado set), the plausible next sequence is:
- Relator report in Comissão Especial
- Committee vote
- Câmara plenary
- If the Câmara amends the Senate text, return to the Senate
- Sanction/regulation rollout
- Confidence: Medium (legislative timing is politically volatile).
2) Key Provisions That Affect Moklabs
2.1 Risk classification and prohibited uses
- The text defines:
- Risco Excessivo (excessive risk, Art. 13): prohibited uses, including manipulation that causes harm, social scoring by public authorities, specified restrictions on biometric identification in public spaces, and other high-abuse classes.
- Alto Risco (high risk, Art. 14): explicit categories including critical infrastructure, education selection/progression, employment decisions, eligibility for essential services, justice and public-security contexts, health-adjacent uses, biometric and emotion-recognition contexts, and migration/border contexts.
- The SIA (Sistema Nacional de Regulação e Governança de IA, the national regulation and governance system created by the bill) can expand the high-risk list over time (Arts. 15-16), so any control mapping must be versioned rather than hard-coded to today's categories.
2.2 Transparency, explainability, auditability, and logging
- Core principles include:
- transparency and explainability
- human supervision
- auditability
- High-risk governance duties include:
- operation records
- model/system documentation
- explainability support for users/affected persons
- public-sector usage logs (who used system, for which case, with what purpose)
2.3 Human oversight and affected-person rights
- Rights framework includes:
- right to explanation
- right to contest and request review
- right to human review in high-risk decisions
- Public-sector provisions reinforce human review and access rights for materially impactful decisions.
2.4 Impact assessments and incident obligations
- An Algorithmic Impact Assessment (AIA) is mandatory for high-risk systems (Art. 25); it must be kept updated across the system lifecycle and be available to the competent authority.
- Unexpected relevant risks discovered post-deployment must be communicated to authorities and impacted parties.
2.5 Penalties and enforcement
- Administrative sanctions include warning, publication, operational restrictions/suspensions, and fines.
- Fine ceiling in the text (Art. 50): up to R$ 50,000,000 per infraction; for private legal entities, up to 2% of the group's gross revenue in Brazil.
3) Requirement-to-Product Capability Matrix
| PL 2338 requirement | AgentScope current fit | OctantOS current fit | Gap / build status | Confidence |
|---|---|---|---|---|
| High-risk system governance evidence (Arts. 14-18, 25) | Strong on trace/event evidence and observability telemetry | Strong on governance workflows and policy control | Need compliance dossier generator (evidence pack by system/use case) | Medium-High |
| Human oversight and review rights (Arts. 6-10, 23) | Can show event history but not full rights workflow by default | Core architecture aligns (approval gates, HITL flows) | Need rights-request workflow templates + SLA tracking + signed review records | Medium |
| Logging and audit trail for public/regulated use (Art. 23 I) | Strong potential for immutable trace timeline | Strong potential for policy/action provenance | Need tamper-evidence + retention policy controls + auditor export format | Medium |
| Explainability/access rights for affected persons (Arts. 6-7, 23 II) | Supports technical traces; currently engineer-centric | Control-plane context for decision path exists | Need human-readable explanation artifacts and affected-person portal outputs | Medium |
| Synthetic content marking/provenance (Art. 19-20) | Can observe generation events and metadata | Can enforce policy gates before output release | Need first-class content provenance tagging policy module | Medium |
| Impact assessment lifecycle (Art. 25-28) | Can collect evidence inputs to AIA | Can enforce pre-deploy checkpoints | Need AIA workflow module (risk register, mitigation, periodic review, regulator-facing format) | High |
| Incident communication (Art. 42) | Event/alert substrate exists | Escalation/workflow substrate exists | Need regulatory incident template pack (what/when/who notified) | Medium |
| Sanctions risk reduction via demonstrable governance (Art. 50, §1) | Good potential for evidence of preventive controls | Good potential for enforceable controls | Need control mapping dashboard (obligation -> control -> evidence) | High |
Practical conclusion
- Architecturally, Moklabs is directionally aligned.
- Commercially, the missing piece is compliance productization, not core telemetry or orchestration primitives.
4) Competitive Implications
Market effect if PL 2338 advances substantially in current form
- Compliance burden rises from optional best practice to purchase trigger.
- Buyers (CTO/CISO/Legal/Compliance) will ask for:
- audit-grade trails
- human-oversight enforcement
- impact assessment workflow
- evidence exports for regulator/auditor review
Competitor positioning implication
- LLM observability tools generally compete on traces and evals; fewer compete on regulatory workflow + policy enforcement + rights handling as one system.
- This creates room for a governance-native stack story where:
- AgentScope = evidence substrate
- OctantOS = control and enforcement substrate
Compliance-as-a-service angle
- Strong opportunity to package:
- prebuilt obligation controls
- AIA templates
- incident notification playbooks
- auditor/regulator export bundles
- This can become a premium SKU and wedge in Brazil before broad LATAM replication.
5) EU AI Act Comparison (Reg. EU 2024/1689)
| Topic | PL 2338/2023 (Brazil draft) | EU AI Act | Product implication |
|---|---|---|---|
| Regulatory style | Risk-based with prohibited + high-risk tiers | Risk-based with prohibited + high-risk + GPAI obligations | Shared control architecture works for both |
| High-risk duties | Governance controls + AIA + rights + oversight | Risk management, data governance, documentation, record-keeping, human oversight | Build one control plane with jurisdiction-specific profiles |
| Transparency duties | Strong emphasis on transparency/explainability and synthetic content identification | Explicit transparency obligations incl. AI interaction and deepfake contexts | Unified provenance + disclosure module |
| Enforcement | Administrative sanctions incl. R$50M / 2% gross revenue cap in text | Administrative fine framework with phased applicability | Need jurisdiction-aware risk scoring and evidence retention |
| Timeline | Still in the Câmara process | General application from 2026-08-02; prohibitions and GPAI obligations applied earlier in phases, some high-risk rules later | EU deadline can shape near-term roadmap urgency |
Cross-market build strategy
- Build controls once, expose regulatory profiles:
- `BR-PL2338-profile`
- `EU-AI-Act-profile`
- Shared primitives: policy, traceability, human approval, incident handling, impact assessment lifecycle.
6) ANPD Context and Data Handling Implications
- The ANPD (Autoridade Nacional de Proteção de Dados) technical analysis of generative-AI data processing (Meta case) reinforces recurring LGPD themes:
- legality and legitimate-interest balancing scrutiny
- transparency quality requirements
- secondary-use risk concerns
- data-subject rights exercise feasibility
- heightened sensitivity for children/adolescents data contexts
- This matters for Moklabs because PL 2338 and LGPD pressures will converge in procurement and audits.
Architecture implications for AgentScope/OctantOS
- Add first-class support for:
- lawful-basis metadata in data flows
- purpose-limitation tagging
- retention/deletion policy attestation
- rights-request operational logs
- public/private data-source lineage in model lifecycle events
7) Priority Build Plan (90 Days)
- Regulatory Evidence Bundle (P0)
- Exportable package: controls, trace history, approvals, incidents, AIA snapshots.
- Outcome: auditors stop asking engineering for ad-hoc evidence pulls.
- AIA Workflow Module (P0)
- Structured risk register, mitigation actions, periodic updates, sign-offs.
- Outcome: direct mapping to Art. 25 style obligations.
- Human Oversight & Rights Ops (P1)
- Review queue, override rationale logging, rights-request SLA workflow.
- Outcome: operationalized explanation/review rights.
- Synthetic Content Provenance Controls (P1)
- Output tagging, provenance metadata, policy checks at release boundary.
- Outcome: direct alignment to Art. 19-20 style obligations.
- Brazil Compliance Profile (P1)
- Turnkey controls by obligation, each with a status (`implemented`, `partial`, `missing`).
- Outcome: pre-sales acceleration in regulated accounts.
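The “tamper-evidence + auditor export format” gap in the capability matrix and the Regulatory Evidence Bundle (P0) item above both reduce to the same mechanism: an append-only log in which every entry commits to its predecessor, exported together with a manifest that records the head hash and indexes evidence by obligation (which is also the `implemented`/`missing` coverage view of the Brazil Compliance Profile). The following is an added illustration, not AgentScope or OctantOS code; the event schema, the obligation keys such as `PL2338-Art23-I`, and the system identifier are assumptions made for the example.

```python
"""Tamper-evident evidence bundle: hash-chained event log plus auditor manifest.

Added illustration, not Moklabs code. Event schema, obligation keys and the
system identifier are assumptions; the page does not specify trace storage.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    return hashlib.sha256(
        canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


class EvidenceLog:
    """Append-only log where each entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev_hash": prev, "event": event,
                 "entry_hash": entry_hash(seq, prev, event)}
        self.entries.append(entry)
        return entry


def verify_chain(entries) -> tuple:
    """Recompute every hash and check every link. Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, f"seq {i}: broken link"
        if e["entry_hash"] != entry_hash(e["seq"], e["prev_hash"], e["event"]):
            return False, f"seq {i}: entry hash mismatch (content changed)"
        prev = e["entry_hash"]
    return True, "ok"


def build_manifest(entries, system_id: str, obligations) -> dict:
    """What the auditor opens first: head hash, count, obligation -> evidence index."""
    index = {}
    for e in entries:
        for ob in e["event"].get("obligations", []):
            index.setdefault(ob, []).append(e["seq"])
    return {
        "system_id": system_id,
        "entry_count": len(entries),
        "head_hash": entries[-1]["entry_hash"] if entries else GENESIS,
        "evidence_by_obligation": index,
        # Coverage view: an obligation with no evidence is a visible gap.
        "coverage": {ob: ("evidenced" if ob in index else "missing") for ob in obligations},
    }


def export_bundle(log: EvidenceLog, system_id: str, obligations) -> bytes:
    return canonical({"manifest": build_manifest(log.entries, system_id, obligations),
                      "entries": log.entries})


def load_and_verify(blob: bytes) -> tuple:
    """Re-verify an exported bundle. The head-hash check catches silent
    truncation, which a per-entry chain check alone would accept."""
    bundle = json.loads(blob)
    entries = bundle["entries"]
    ok, reason = verify_chain(entries)
    if not ok:
        return False, reason
    head = entries[-1]["entry_hash"] if entries else GENESIS
    if head != bundle["manifest"]["head_hash"]:
        return False, "head hash mismatch (entries removed or appended after export)"
    if bundle["manifest"]["entry_count"] != len(entries):
        return False, "entry count mismatch"
    return True, "ok"


# Constructed sample events (hypothetical schema and obligation keys).
SAMPLE_EVENTS = [
    {"ts": "2026-03-28T10:00:00Z", "kind": "policy_gate", "actor": "octantos",
     "decision": "allow", "obligations": ["PL2338-Art14"]},
    {"ts": "2026-03-28T10:05:12Z", "kind": "human_review", "actor": "reviewer-17",
     "decision": "override", "rationale": "applicant documents re-checked",
     "obligations": ["PL2338-Art23-I"]},
    {"ts": "2026-03-28T11:00:00Z", "kind": "aia_snapshot", "version": 3,
     "obligations": ["PL2338-Art25"]},
]
OBLIGATIONS = ["PL2338-Art14", "PL2338-Art23-I", "PL2338-Art25", "PL2338-Art42"]


def demo() -> dict:
    log = EvidenceLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    blob = export_bundle(log, "hypothetical-eligibility-agent", OBLIGATIONS)
    results = {"clean": load_and_verify(blob)}
    edited = json.loads(blob)              # rewrite a review decision after export
    edited["entries"][1]["event"]["decision"] = "approve"
    results["edited"] = load_and_verify(canonical(edited))
    truncated = json.loads(blob)           # drop the most recent entry
    truncated["entries"].pop()
    results["truncated"] = load_and_verify(canonical(truncated))
    results["coverage"] = json.loads(blob)["manifest"]["coverage"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would raise. First, the chain only proves internal consistency: an adversary who controls the export can rewrite an entry and every hash after it, so the head hash has to be anchored outside the writer's control (signed, timestamped, or written to WORM storage) at export time. Second, the `coverage` map shows which obligations have evidence, not whether that evidence satisfies the obligation; the per-obligation status (`implemented`, `partial`, `missing`) still needs a human or policy review step recorded as its own event.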
8) Decision Guidance for Moklabs
- Should we invest now?
- Yes. Treat this as a go-to-market catalyst, not only legal risk.
- What specifically to ship first?
- Compliance evidence bundle + AIA workflow + oversight/rights ops.
- Who buys?
- CTO + CISO + compliance/legal leadership in regulated or high-automation sectors.
- Why us / unfair advantage?
- Combined governance + observability stack (control + proof) is more defensible than telemetry-only tooling.
- What kills the thesis?
- Legislative dilution of enforceable obligations.
- Slow conversion from “interest” to paid compliance budgets.
- Competitors bundling governance features faster than expected.
Sources
- A — Câmara (official proposition tracking): https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2487262
- A — Câmara full text in review (PL 2338/2023): https://www.camara.leg.br/proposicoesWeb/prop_mostrarintegra?codteor=2868197&filename=PL+2338%2F2023
- A — Congresso bicameral tracking page: https://www.congressonacional.leg.br/materias/materias-bicamerais/-/ver/pl-2338-2023
- A — ANPD technical note (generative AI data processing context): https://www.gov.br/anpd/pt-br/centrais-de-conteudo/documentos-tecnicos-orientativos/sei_anpd-0140555-nota-tecnica.pdf
- A — EU AI Act official text (Regulation (EU) 2024/1689): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689
- A — NIST AI RMF 1.0: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
- B — Internal capability framing (Moklabs positioning brief, 2026-03-28):
reports/product-strategy/2026-03-28-positioning-octantos-agentscope-agentic-governance.md
Quality Scorecard
| Dimension | Score | Notes |
|---|---|---|
| Sources (20%) | 17/20 | 7 primary/secondary sources; strong legal primaries |
| Quantified claims (20%) | 16/20 | Monetary sanctions and timeline quantified; some forecast/timing claims marked as inference |
| Competitive depth (15%) | 11/15 | Competitive implications covered; limited direct review of current vendor compliance documentation due to source-access constraints |
| Actionability (20%) | 19/20 | Clear P0/P1 build plan and decision guidance |
| Recency (10%) | 9/10 | Core legislative status and actions verified through March 2026 |
| Counter-arguments (15%) | 15/15 | Legislative dilution and market-conversion risks explicitly included |
| Total | 88/100 | Pass |