Curiosity

Compliance knowledge base

A blueprint for regulated content: regulations, the policies that implement them, the controls that operationalize the policies, the audits that test the controls, and the evidence that supports each audit. Built for the case where auditors ask questions like "show me every control that satisfies SOC2 CC6.1, and the evidence collected in the last cycle".

The graph

  flowchart LR
    Regulation -->|Cites| Regulation
    Policy -->|ImplementsRegulation| Regulation
    Control -->|UnderPolicy| Policy
    Control -->|TestedBy| Audit
    Audit -->|EvidenceFor| Document
    Document -->|OwnedBy| Team
    Policy -->|OwnedBy| Team

  Node        Key    Notes
  Regulation  Code   SOC2-CC6.1, GDPR-Art32, ISO27001-A8.1
  Policy      Id     Internal policy identifier
  Control     Id     The implementation of a policy
  Audit       Id     A scheduled / completed audit cycle
  Document    Id     Evidence: signed attestations, screenshots, log exports
  Team        Name   Compliance, security, etc.

What this demonstrates

  • Multi-hop traversal across a policy framework — from a regulation node, find every downstream control and its evidence in three hops.
  • Time-aware evidence: Audit.PerformedAt lets users filter to the current cycle, last quarter, or all-time.
  • Strict ACL — evidence is sensitive; team-based access ingested from SSO group membership.
  • Citation-heavy RAG — auditors won't trust answers without source pointers; every chat answer cites the specific control / audit / document.

Retrieval

  • Text search on Regulation.Code, Control.Id, Document.Title — auditors search by exact identifier.
  • Hybrid search on Document.Body — for "what does our incident-response procedure say?" style questions.
  • Graph-scoped retrieval: from a regulation, traverse In(ImplementsRegulation) → In(UnderPolicy) → Out(TestedBy) → Out(EvidenceFor) to gather all evidence.

AI

A "compliance assistant" with three tools:

  • FindControlsForRegulation(code) — returns the controls that implement a regulation, with their policy parents.
  • ListEvidenceForControl(controlId, since?) — returns the evidence collected under a control, optionally filtered by date.
  • SummarizePolicy(policyId) — returns a grounded summary of a policy with citations to specific sections.

Prompt template: "Answer using only the cited evidence. If asked about regulatory coverage, list the relevant controls. Never claim coverage without a cited control."

Permissions

Evidence is restricted to the compliance team and, on a per-document basis, to the originating team (the network team owns its log exports, the HR team owns its attestations). Auditors get a dedicated _AccessGroup with read access to evidence within the current audit window.

Connector

Sources:

  • Policy management system (custom internal tool, ServiceNow GRC, Vanta, Drata, …) for Policy, Control, Audit.
  • Document store (SharePoint, S3, internal Confluence) for Document.
  • Regulation taxonomy (a yearly-updated JSON/CSV) for Regulation and Cites edges.

The connector handles a tricky property of compliance data: regulations are updated yearly, but the evidence and audits reference specific versions of regulations. Model versions as new nodes with RevisedFrom edges; don't mutate in place.

Deployment

  • Compliance corpora are usually small (thousands of nodes) — a single small workspace is sufficient.
  • Audit logs of every read are required — forward Workspace audit logs to your SIEM.
  • Retention requirements often mandate storing evidence for 7+ years — your backup retention should match.

Common pitfalls in this domain

  • Evidence that doesn't link to a control — orphaned in the graph. Add a reconciliation check that flags evidence without EvidenceFor edges.
  • Policy text changes without revision tracking — auditors can't tell what the policy was at the time of the audit. Always create a new policy node, never mutate.
  • Granting auditors blanket read access — least privilege requires scoping their access to the audit window.
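As an added example (constructed for this page, not Curiosity's own API or code), the graph-scoped traversal from the Retrieval section and two of the pitfall checks above, run over a small in-memory graph that uses the blueprint's edge names: the four-hop walk from a regulation to its evidence, the reconciliation check for documents with no EvidenceFor edge, and an access check that lets an auditor read evidence only inside the audit window. Node ids, team names and the audit window are constructed sample values.

```python
# Constructed sample graph as (source, edge, target) triples, using the blueprint's edge names.
EDGES = [
    ("POL-1", "ImplementsRegulation", "SOC2-CC6.1"),
    ("CTL-1", "UnderPolicy", "POL-1"),
    ("CTL-2", "UnderPolicy", "POL-1"),
    ("CTL-1", "TestedBy", "AUD-2025Q4"),
    ("CTL-2", "TestedBy", "AUD-2025Q4"),
    ("AUD-2025Q4", "EvidenceFor", "DOC-1"),
    ("AUD-2025Q4", "EvidenceFor", "DOC-2"),
]
# Document id -> owning team (from SSO group membership). DOC-3 is deliberately
# constructed without an EvidenceFor edge so the reconciliation check has something to flag.
DOCUMENTS = {"DOC-1": "network", "DOC-2": "hr", "DOC-3": "hr"}
# Audit id -> (start, end) as ISO-8601 dates; such strings compare correctly as text.
AUDIT_WINDOW = {"AUD-2025Q4": ("2025-10-01", "2025-12-31")}


def out(node, edge):
    """Targets reachable from node over an outgoing edge of the given type."""
    return {t for s, e, t in EDGES if s == node and e == edge}


def inc(node, edge):
    """Sources of incoming edges of the given type into node."""
    return {s for s, e, t in EDGES if t == node and e == edge}


def evidence_for_regulation(code):
    """In(ImplementsRegulation) -> In(UnderPolicy) -> Out(TestedBy) -> Out(EvidenceFor)."""
    policies = inc(code, "ImplementsRegulation")
    controls = {c for p in policies for c in inc(p, "UnderPolicy")}
    audits = {a for c in controls for a in out(c, "TestedBy")}
    return {d for a in audits for d in out(a, "EvidenceFor")}


def orphaned_evidence():
    """Reconciliation check: documents that no audit cites as evidence."""
    return {d for d in DOCUMENTS if not inc(d, "EvidenceFor")}


def can_read(principal, doc, today):
    """principal = {"team": <sso group>, "auditor_for": <audit id> or None}.
    Compliance and the owning team always read; an auditor reads only evidence
    belonging to their audit, and only while today falls inside that audit's window."""
    if principal["team"] in ("compliance", DOCUMENTS[doc]):
        return True
    audit = principal.get("auditor_for")
    if audit and doc in out(audit, "EvidenceFor"):
        start, end = AUDIT_WINDOW[audit]
        return start <= today <= end
    return False
```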