Compliance

Our Focus

We make compliance programmable and less painful. Regulatory requirements are growing in scope and complexity, but the tools most organizations use to manage them have not kept pace.

Our research bridges the gap between legal and regulatory text and working software — turning policies into code, audits into automation, and governance into something that actually scales.

Key Research Areas

Policy-as-Code

Translating regulatory requirements into executable rules. We study how to represent complex compliance logic in machine-readable formats that can be tested, versioned, and audited like software.

Automated Auditing

Continuous compliance monitoring and evidence collection. We build systems that replace periodic manual audits with real-time validation — reducing cost and increasing coverage.

Governance Frameworks

Organizational structures and decision-making processes for technology governance. We research how compliance, security, and engineering teams can work together without slowing each other down.

How do we keep compliance automation current as regulations evolve?

Build on modular, versioned rule engines that separate regulatory logic from enforcement infrastructure. When regulations change, only the rule definitions need updating — not the underlying platform.

What does continuous compliance look like in practice?

Automated evidence collection integrated into CI/CD pipelines, real-time policy evaluation against running infrastructure, automated drift detection with alerting, and living audit trails always ready for review.

How should AI governance frameworks account for rapidly changing capabilities?

Frameworks need to be principle-based rather than prescriptive, with review cycles tied to capability milestones. They should define risk categories that adapt as models evolve and require ongoing monitoring of deployed systems.

Where does compliance tooling create genuine risk reduction versus checkbox theater?

Genuine risk reduction comes from tooling that enforces controls in real time and integrates with engineering workflows. Checkbox theater results from tools that generate reports without enforcement.