How RegAlign uses AI — and how it doesn't
RegAlign uses AI to help compliance professionals, never to replace their judgement. Every AI-assisted output is shown to a named human, who accepts, edits, or rejects it before anything is committed to a governance record. Every AI call is logged. We do not train external models on your data.
Where AI is used
- Compass (assistive co-pilot)
Suggests classifications, drafts narratives, proposes remediation, ranks risk hotlists.
Human in the loop: Every suggestion is a draft. A named user accepts, edits, or rejects. Both the suggestion and the decision are written to the audit trail.
- Routine classification
Pre-populates fields where the data is unambiguous (e.g. mapping an obligation to an existing theme).
Human in the loop: Human approver remains accountable for the saved state.
- Extended assistance
Assembles multi-step drafts (e.g. finding narrative + suggested remediation).
Human in the loop: Only when a methodology owner has switched it on for a specific workflow. Always reversible. Always logged.
Where AI is never used
- Final governance actions (publishing a finding, ratifying a decision, signing a board statement).
- Sanctions or regulator-facing determinations.
- Adverse decisions about a customer's customer.
Governance controls
- Model and version logged on every call (agent_runs table: model_version, prompt_id, input/output hash, token counts, source).
- Deterministic fallback if the AI gateway is unavailable — features degrade, they don't fail open.
- Anti-prompt-injection: user-supplied text is sanitised (zero-width stripped, role markers defanged, length-capped, wrapped in UNTRUSTED_* delimiters). Every classifier system prompt includes anti-injection rules.
- No training on your data — AI calls route through the Lovable AI Gateway under no-training contractual terms.
- EU egress for AI gateway calls.
- Per-tenant AI cost cap configurable so spend can never exceed your published budget.
- Per-tenant opt-out: a tenant administrator can disable Compass entirely (Settings → AI). All workflows still work; suggestions just don't appear.
Maps to common frameworks
- EU AI Act: "limited risk" — assistive content generation with human oversight. No automated decision-making affecting natural persons under Article 22 GDPR.
- ICO AI guidance: DPIA covers AI use; explainability surfaced via the audit trail of suggestion + decision.
- NIST AI RMF: Govern (documented uses + HITL), Map (per-call logging), Measure (cost cap, fallback monitoring), Manage (sanitisation, deterministic fallback).
See also: Trust Centre, Security Roadmap, Vulnerability Disclosure Policy.
Questions: hello@regalign.app (subject [AI Use]).