Organizations must comply with external regulations (GDPR, HIPAA, SOX), internal policies, and contractual obligations. Current approaches rely on periodic audits that find problems after they occur. AGISystem2 can be used to model compliance checking as a research pattern; it does not ship as a runnable compliance theory set.
Compliance is expensive when it is reactive. The shift from "detect and remediate" to "prevent and verify" turns compliance from a cost center into a competitive advantage.
Regulations are encoded using three types of rules:
| Rule Type | Meaning | Example |
|---|---|---|
| Obligation | MUST do X when condition holds | Must notify breach within 72 hours |
| Prohibition | MUST NOT do X when condition holds | Must not process sensitive data without explicit consent |
| Permission | MAY do X if conditions are met | May process personal data with valid lawful basis |
Encoded in the rule language, a few GDPR articles look like this:

```
# Article 5: Lawfulness principle
@art5_lawfulness requires GDPR
  (processes ?controller PersonalData)
  (exists ?basis (and (isA ?basis LawfulBasis)
                      (validFor ?basis ?processing)))

# Article 6: Consent conditions
@art6_consent permits GDPR
  ?controller (processes PersonalData)
  (and (hasConsent ?dataSubject ?purpose)
       (freelyGiven ?consent)
       (specific ?consent)
       (informed ?consent)
       (unambiguous ?consent))

# Article 17: Right to erasure
@art17_erasure obligates GDPR
  ?controller (erases (dataOf ?subject))
  (requests ?subject Erasure)

# Article 33: Breach notification
@art33_notify obligates GDPR
  ?controller (notifies SupervisoryAuthority ?breach)
  (and (discovers ?controller DataBreach)
       (risksRights ?breach))

@art33_timeline requires GDPR
  (notifies ?controller SupervisoryAuthority ?breach)
  (within Hours72)
```
In a production integration, actions can be checked against all applicable regulations before execution:
```javascript
// Marketing wants to use customer data for a new campaign
const proposedAction = session.learn(`
  @action1 processes MarketingTeam CustomerEmails
  @action1 purpose NewProductCampaign
`);

// Check compliance
const check = session.prove(`
  @compliance compliesWith $action1 (bundle GDPR InternalPolicies)
`);
```

The proof trace reads:

```text
COMPLIANCE CHECK: action1
  Action: MarketingTeam processes CustomerEmails
  Purpose: NewProductCampaign
  GDPR ANALYSIS:
    Article 5 (Principles):
      ✗ art5_lawfulness: NEEDS VERIFICATION
        Processing requires lawful basis
        Status: No lawful basis recorded for NewProductCampaign

    Article 6 (Lawfulness):
      ✗ art6_consent: NOT SATISFIED
        Existing consent: "marketing communications" (2023-06-01)
        Required: Consent specific to NewProductCampaign
        Issue: Original consent may be too broad
        Action needed: Review consent scope OR obtain new consent

  OVERALL STATUS: ✗ NON-COMPLIANT

  Required remediation:
    Option A: Obtain specific consent
    Option B: Complete Legitimate Interest Assessment
```
Every compliance decision is logged with full context:
```text
AUDIT REPORT: Customer X Data Processing
Period: Q1 2024

PROCESSING ACTIVITY #1
  Date: 2024-01-15T09:23:00
  Actor: CustomerService (john.doe@company.com)
  Action: Accessed CustomerX.ContactInfo
  Lawful Basis: Contract (Support Ticket #12345)
  Justification: Customer requested account assistance

  Compliance Check (at time of access):
    ✓ GDPR Art 6(1)(b): Contract necessity
    ✓ Internal Policy: Role authorized
    ✓ Internal Policy: Access logged
  Status: COMPLIANT ✓

SUMMARY:
  Total processing activities: 3
  Compliant: 3
  Non-compliant: 0

AUDIT CONCLUSION: All processing compliant with regulations.
```
A production integration can monitor data events in real-time and trigger alerts on policy violations:
```javascript
function onDataEvent(event) {
  session.learn(`
    @event_${event.id} ${event.action} ${event.actor} ${event.data}
    @event_${event.id} timestamp "${event.timestamp}"
  `);

  const compliance = session.prove(`
    @check compliesWith $event_${event.id} AllRegulations
  `);

  if (!compliance.valid) {
    triggerAlert({
      severity: compliance.violations.some(v => v.blocking)
        ? "HIGH" : "MEDIUM",
      event: event,
      violations: compliance.violations,
      remediation: compliance.recommendations
    });
  }

  // Optional: log proof trace externally (audit logging/export not in runtime)
  logComplianceCheck(event.id, compliance);
}
```
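To make the three rule types from the table and the compliance check above concrete, here is an added example (not AGISystem2 code, and not its rule language) that evaluates a proposed action against obligation, prohibition and permission rules and returns the `{valid, violations, recommendations}` shape that `onDataEvent()` consumes. The rule ids, facts and actions are constructed for the marketing scenario; `sensitive_without_consent` is a hypothetical name for the prohibition row of the table.

```javascript
// Added example (not AGISystem2 code): a small deontic rule evaluator.
const HOURS = 3600 * 1000;
// when(): is the rule triggered by this action?  cond(): the rule's condition;
// obligations/permissions need it true, prohibitions need it false.
const rules = [
  { id: "art5_lawfulness", type: "obligation", blocking: true,
    when: a => a.action === "processes" && a.data.personal,
    cond: (a, f) => f.lawfulBases.some(b => b.purpose === a.purpose),
    fix: "Record a lawful basis for this purpose (consent or LIA)" },
  { id: "art6_consent", type: "permission", blocking: false,
    when: a => a.action === "processes" && a.data.personal,
    cond: (a, f) => f.consents.some(c => c.purpose === a.purpose &&
      c.freelyGiven && c.specific && c.informed && c.unambiguous),
    fix: "Obtain consent specific to this purpose" },
  { id: "sensitive_without_consent", type: "prohibition", blocking: true,
    when: a => a.action === "processes" && a.data.sensitive,
    cond: (a, f) => !f.consents.some(c => c.purpose === a.purpose && c.explicit),
    fix: "Obtain explicit consent before processing sensitive data" },
  { id: "art33_timeline", type: "obligation", blocking: true,
    when: a => a.action === "notifies" && a.data.breach,
    cond: a => a.notifiedAt - a.data.discoveredAt <= 72 * HOURS,
    fix: "Notify the supervisory authority within 72 hours of discovery" },
];
// Returns the {valid, violations, recommendations} shape onDataEvent() uses.
function evaluate(action, facts) {
  const violations = [];
  for (const r of rules) {
    if (!r.when(action, facts)) continue;            // rule not triggered
    const c = r.cond(action, facts);
    const ok = r.type === "prohibition" ? !c : c;    // prohibition: cond is the forbidden state
    if (!ok) violations.push({ rule: r.id, type: r.type,
      blocking: r.blocking, remediation: r.fix });
  }
  return { valid: violations.length === 0, violations,
    recommendations: violations.map(v => `${v.rule}: ${v.remediation}`) };
}
// Same severity policy as the monitoring hook: any blocking violation is HIGH.
const severity = result =>
  result.violations.some(v => v.blocking) ? "HIGH" : "MEDIUM";
// Constructed sample facts and action for the marketing scenario above:
// the only consent on file is for a broader purpose than the campaign.
const facts = {
  lawfulBases: [{ purpose: "SupportTicket", basis: "Contract" }],
  consents: [{ purpose: "MarketingCommunications", freelyGiven: true,
    specific: true, informed: true, unambiguous: true, explicit: false }],
};
const action1 = { id: "action1", actor: "MarketingTeam", action: "processes",
  data: { name: "CustomerEmails", personal: true }, purpose: "NewProductCampaign" };
console.log(severity(evaluate(action1, facts)), evaluate(action1, facts).recommendations);
```

Running it reports `HIGH` with two findings (art5_lawfulness and art6_consent), matching the trace in the walkthrough; supplying a lawful basis and a purpose-specific consent makes the same action compliant.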
Regulations are organized in layers, allowing composition:
```text
+------------------------------------------------+
| Application-Specific Rules                     |
| (e.g., our marketing policy)                   |
+------------------------------------------------+
| Industry Regulations                           |
| (e.g., HIPAA for healthcare)                   |
+------------------------------------------------+
| Cross-Industry Regulations                     |
| (e.g., GDPR for EU data)                       |
+------------------------------------------------+
| Internal Policies                              |
| (e.g., data retention, access control)         |
+------------------------------------------------+
```
Checking happens against all layers simultaneously. A single action might need to satisfy GDPR, HIPAA, internal policy, and application-specific rules.
- Violations are caught before they happen. No "oops, we breached" moments.
- The same rules are applied uniformly. No human interpretation variance.
- The complete decision history is available on demand. No manual log reconstruction.
- Not just "violation" but "here's exactly what you need to do to fix it."