Ask Your Compliance Data a Question — Get an Answer with Citations

“Which of Client X’s systems have unresolved Article 9 gaps?”

That question takes a compliance consultant 15 minutes to answer manually. Open the client workspace. Navigate to the gap analysis. Filter by regulation. Scan for Article 9 references. Cross-reference against the system inventory. Build a mental map of which systems are affected and which gaps are still open.

Or you type the question into the Copilot and get an answer in 8 seconds. With citations showing exactly which obligations inform the answer and which systems are affected.

This is the difference between a database you query with filters and a knowledge layer you query with questions. The data is the same. The interface is language.

What This Is Not

This is not a chatbot. It doesn’t generate opinions about AI governance. It doesn’t write policy documents. It doesn’t offer legal advice. It doesn’t answer questions about topics it has no data on.

If you ask “What are the best practices for AI risk management?” you’ll get a response grounded in the specific obligations your client is mapped against – not a generic answer sourced from the model’s training data. If your client has NIST AI RMF obligations mapped, the answer cites NIST Govern and Measure subcategories. If they have EU AI Act obligations, it cites Article 9 sub-requirements. The answer reflects your data, not the internet.

If you ask a question that has no relevant data in the system – “What’s the weather in Berlin?” – the Copilot declines. It searches your obligations, your gaps, your inventory. If nothing matches, it says so. It does not hallucinate an answer from general knowledge and present it as compliance guidance.

This constraint is intentional. A compliance AI that confidently generates plausible-sounding answers without grounding them in verified regulation text is a liability. An auditor who traces a compliance decision back to an AI-generated answer that can’t cite its source has found a deficiency, not a tool.

How It Works

The Copilot uses retrieval-augmented generation – a pattern where the AI’s response is constrained to information retrieved from a specific knowledge base rather than generated from general training.

When you ask a question, the system searches across the obligations, gaps, and inventory data relevant to your client. The most relevant items – obligations that match the topic of your question, gaps that relate to the systems you’re asking about, inventory details that provide context – form the evidence base for the answer.

The AI generates its response exclusively from this retrieved context. Every claim in the answer traces to something in the data. If the answer references an obligation, that obligation exists in the system. If it references a gap, that gap exists in the client’s analysis. If it mentions a system, that system is in the inventory.

Citations, Not Footnotes

Every Copilot answer includes citations. Not footnotes at the bottom of a page that nobody reads – inline references showing the obligation code and article number that supports each part of the answer.

Ask: “What evidence does Client Y need for Colorado AI Act transparency requirements?”

The answer identifies the specific Colorado obligations related to consumer notification (Section 6-1-1702), lists the evidence requirements for each, cross-references against the client’s current evidence status, and cites each obligation by code. The consultant can click any citation and see the full obligation text, its source regulation section, and the client’s compliance status against it.

This is the trust mechanism. The consultant doesn’t need to believe the AI’s answer. She can verify it by following the citations to the source obligations. If the AI says “Client Y needs to document their notification process per Colorado Section 6-1-1702(1)(a),” she can check: does that obligation exist? Does it say what the AI claims? Is the client actually mapped against it?

The answer is verifiable in under a minute. If it’s wrong, the citations make the error visible. If it’s right, the citations make it defensible.

Suggested Actions

Answers alone aren’t enough. A consultant who learns that Client X has three unresolved Article 9 gaps needs to know what to do next. The Copilot generates suggested actions alongside every answer – concrete next steps with specific entity references.

“Review the risk management documentation for the Resume Screening AI system” – with a link to that system’s detail page. “Run evaluation plan against Article 9 obligations for Client X” – with a link to the evaluation tab. “Check the evidence status for Obligation Art.9(2)(a)” – with a link to that obligation’s evidence collection page.

Each suggested action names a specific entity in the system: a system, an obligation, a gap, a task. Not “review your risk management process” – “review the risk management documentation for this specific system against this specific obligation.” The specificity is what makes the action actionable.

Four Questions That Show the Difference

“Which of Client X’s systems have unresolved Article 9 gaps?”

The answer lists the specific systems – by name, with their risk classifications – that have open gaps against Article 9 obligations. Not “several systems have gaps.” The actual system names, the specific obligation codes, and the severity of each gap.

A consultant answering this manually would open the gap analysis, filter by regulation, scan for Article 9, and build the list. The Copilot builds it in seconds from the same data.

“What evidence does Client Y need for Colorado AI Act transparency requirements?”

The answer identifies which Colorado transparency obligations apply to Client Y’s systems, what evidence each obligation requires, and which evidence items have been collected versus which are missing. The gap between “required” and “collected” is explicit.

“How does our NIST alignment affect EU AI Act compliance for this system?”

This is a cross-regulation question. The answer pulls cross-references between NIST AI RMF obligations and EU AI Act obligations, identifies where meeting a NIST requirement also satisfies an EU AI Act obligation, and flags where the requirements diverge. The consultant gets a cross-framework analysis scoped to a specific system – without running a separate cross-regulation report.

“What’s the highest-risk gap across all my clients right now?”

Cross-client query. The Copilot searches gaps across the consultant’s entire client portfolio, ranks by risk, and surfaces the top finding with client name, system name, obligation reference, and severity. The same answer the priority inbox provides – accessible through a question rather than a dashboard.

The Boundary

The Copilot searches your data. It does not search the internet. It does not access external databases. It does not pull from other tenants’ data. The knowledge boundary is exact: your clients, your obligations, your gaps, your inventory. Nothing else.

This boundary is a feature. A compliance AI that mixes verified obligation data with general web knowledge creates answers that are partially grounded and partially hallucinated – and the consultant can’t tell which parts are which. Our boundary is strict: every claim comes from data you can inspect.

The Copilot also won’t answer questions about how ReguLume’s internal systems work. If you ask “what model do you use?” or “how does the mapping engine work?” – the response redirects to the compliance question. The Copilot is a compliance tool. It answers compliance questions.

Queryable Compliance Data

The obligation mapping structures the regulatory landscape. The gap analysis identifies where compliance falls short. The evidence layer proves remediation happened. The governance score tracks progress. The cross-regulation mapping connects frameworks.

All of that creates a compliance knowledge base. Structured. Specific. Traceable.

The Copilot makes that knowledge base conversational. Instead of navigating tabs, applying filters, and cross-referencing screens, the consultant asks a question and gets an answer grounded in the same data those screens display.

Every answer traces back to the regulation. Every recommendation traces back to your data.

That’s not a chatbot. That’s your compliance program, queryable.

The Copilot uses retrieval-augmented generation over tenant-scoped obligation, gap, and inventory data. All queries and responses are logged in the audit trail with citations. The Copilot does not access external data sources, other tenants’ data, or general web content. Learn how we validate AI outputs.