Semi-Automated Compliance Checks

• Semi-Automated Compliance Checks is a hybrid approach that merges advanced automation, including formal methods and AI, with expert human oversight to interpret complex regulations.
• It employs precise logic-based formalisms, temporal logics, and semantic web tools to transform regulatory text into actionable, machine-interpretable rules.
• This approach overcomes the limitations of purely manual or fully automated methods by enhancing scalability, accuracy, and transparency across diverse compliance domains.

Semi-automated compliance checking involves combining automated techniques, often employing formal methods, AI, or specialized software tools, with essential human expertise to verify adherence to regulations, policies, or standards. This approach seeks to overcome the limitations of purely manual processes, which are time-consuming, prone to human error, and difficult to scale, as well as the challenges of fully automated systems, which may struggle with the ambiguity, complexity, and dynamic nature of real-world compliance requirements and data. It is applied across diverse domains, including building codes, data privacy (e.g., GDPR), business processes, software code, network security, financial regulations, and content moderation.

Formalisms and Logic-Based Approaches

A foundational aspect of semi-automated compliance checking is the formal representation of regulations and business logic using machine-interpretable languages. Various logical formalisms enable precise expression and automated reasoning over compliance constraints.

Defeasible Deontic Logic (DDL) is utilized to model normative rules, capturing obligations, prohibitions, and permissions, and accommodating defeasibility to handle exceptions and potential rule conflicts found in regulations such as GDPR (2110.07710). DDL allows representation of rule types (punctual vs. persistent, achievement vs. maintenance) essential for complex processes like those in e-health. Tools like Regorous can then automatically check BPMN process traces against these DDL rules, identifying violations (2110.07710).

Temporal logics, such as Linear Temporal Logic (LTL), are employed to specify the required order and timing of events within business processes (2006.05777, 2501.10362). An LTL formula like $\Box (\text{A} \rightarrow \Diamond \text{B})$ can encode a constraint stating "Always, if activity A occurs, then eventually activity B must follow" (2006.05777). This is particularly relevant for monitoring process execution logs in systems like ERPs to detect deviations from sustainability or other process-level constraints (2006.05777). Complex Event Processing (CEP) techniques are also used to define event-based rules and queries over process streams to check multi-perspective compliance (control flow, temporal, data, resources) (2501.10362).

Semantic Web technologies, including OWL ontologies and SPARQL queries, are used to bridge the gap between abstract regulations and structured data models, such as Building Information Models (BIM) based on the IFC standard (1910.00334). Regulations are translated into semantic rules or SPARQL queries that operate over an RDF triple-store representation of the BIM data (1910.00334). The Building Topology Ontology (BOT) and ifcOWL facilitate this by providing a standard core for building concepts and IFC mapping (1910.00334). Similarly, OWL DL is used to represent normative regulations as axioms, enabling automated compliance checking through standard Description Logic reasoners (e.g., Pellet, HermiT) (2504.05951). Regulations are formalized as General Class Inclusion (GCI) axioms, such as Subject $\subseteq$ Requirement, where Subject and Requirement are complex OWL class expressions built from vocabulary and structural rules (2504.05951).

In data governance and privacy contexts, logic-based policy languages, often based on OWL2 or extensions of situation calculus, are used to express consent, business policies, and regulatory obligations (like GDPR) (2001.08930, 2109.00838). Compliance checking is performed by automated reasoning components that verify if a business policy is a subclass of the formalized consent or regulatory constraint, or by tracking rule propagation and transformation through data-flow graphs based on situation calculus and provenance (2001.08930, 2109.00838).

Data and Model Representation for Checking

Effective semi-automated compliance checking heavily relies on the structured representation and quality of the data and models being checked. The format and content of this data must align with the formal representation of the rules or enable extraction of relevant features for automated analysis.

Building Information Models (BIM), typically using the Industry Foundation Classes (IFC) standard (ISO 16739), serve as the primary data source for compliance checks in the architecture, engineering, and construction domain (1910.00334, 2011.03117, 2506.20551). Automated tools extract geometric properties (e.g., maximum height, storey profiles, overhangs) and semantic attributes (e.g., element types, function labels) from IFC models (2011.03117). Challenges include inconsistent semantics, erroneous spatial grouping, geometry problems, and lack of standardization for specific elements like parking spaces, necessitating geometry-driven approaches where semantics are unreliable (2011.03117). IFC data can be transformed into RDF triple-stores using tools like Open-IFC-to-RDF-converter, with geometric and semantic pre-processing to simplify complexity and align vocabularies (1910.00334). Compliance with regulations formalized in OWL DL can also be checked by representing specific building instances as individuals in an ontology that includes the ifcOWL domain ontology (2504.05951).

For business process compliance, process execution data is captured in event logs, which record sequences of activities with timestamps, resources, and data attributes (2006.05777, 2501.10362). Process mining techniques reconstruct actual process models from these logs, providing a basis for conformance checking against prescriptive models or constraints (2006.05777). Integration with Enterprise Resource Planning (ERP) systems is common, as ERPs are a source of extensive process logs (2006.05777). Business processes can also be modeled using standard languages like Business Process Model and Notation (BPMN), which provides a visual representation that can be mapped to formal logic for compliance analysis (2110.07710).

Data privacy and usage compliance systems utilize structured data representations like "Data Capsules," which pair encrypted user data with governing policies expressed in a Domain Specific Language (DSL) (2012.05291). These policies are OWL2 classes, enabling static analysis of code operating on the data. Compliance data structures in privacy-preserving smart wallets include Merkle trees for tracking allowed/illicit states and bloom filters for probabilistically encoding ancestral provenance of funds, integrated with on-chain Sparse Merkle Trees (SMTs) for auditability (2506.04853).

Compliance checks between software design models and code rely on modeling security specifications using extended data flow diagrams (SecDFDs) and extracting a "Program Model" (PM) from source code (2108.08579). The PM represents program structure (classes, methods, data flows) and is often graph-based, enabling heuristic-based mapping between design elements and code elements (2108.08579).

In legal and regulatory text analysis, datasets are created by annotating clauses or sentences with domain-specific semantic frames (SFs), semantic roles, or logical elements (Subject, Condition, Constraint, Context) (2209.09722, 2505.19804). Glossaries of legal terms and relations between regulatory units are also established to provide structured context (2209.09722, 2505.19804). These structured representations, often paired with executable code snippets, serve as benchmarks for training and evaluating AI models (2505.19804).

Network security compliance utilizes data gathered from network discovery, asset mapping, vulnerability assessments (VA), and penetration tests (PT) (2307.10967). This data, along with captured expert decisions, is structured into forms usable by rule-based expert systems (RBES) or stored as "attack vectors" in a memory module (2307.10967).

Compliance in AI systems themselves is addressed through computational transparency artifacts called "Compliance Cards (CCs)" (2406.14758). These artifacts capture compliance-relevant metadata about an overall AI initiative and its constituent datasets and models in quantized attribute-value pairs (booleans, integers, categorical), designed for algorithmic processing (2406.14758).

AI and Automated Techniques

A range of AI and automated techniques are employed to perform the checking and analysis required in semi-automated compliance systems.

NLP techniques are central to interpreting unstructured regulatory text. This includes preprocessing (sentence splitting, tokenization, lemmatization), POS tagging, dependency parsing, and Semantic Role Labeling (SRL) to extract phrasal-level semantic representations (2209.09722). Specific vocabulary mappings and ontology-based annotation schemas support the conversion of annotated text into formal logic or code (2504.05951). LLMs are increasingly used for interpreting regulations, generating executable code scripts (e.g., Python for BIM platforms), and producing compliance reports (2506.20551, 2505.19804, 2409.08963, 2412.08593). Advanced prompt engineering techniques like Chain-of-Thought (CoT) and Tree-of-Thought (ToT) are used to enhance LLM reasoning capabilities for complex regulatory text interpretation and traceability (2412.08593). LLM agents can also perform automated content moderation tasks by interpreting community rules and content (2409.08963).

Static analysis techniques are applied to software code or formalized representations to verify compliance. PrivFramework uses static analysis to check if data analysis programs written in Python comply with user-defined privacy policies expressed as OWL2 classes, using abstract interpretation to track data flows and operations (2012.05291). RUSTInA performs static dataflow analysis (forward impact and backward liveness) on intermediate representations of inline assembly code to check interface compliance (framing, unicity) against declared interfaces (2102.07485). Project-specific taint analysis, parameterized by sources and sinks derived from security design models, can identify security violations or data flow non-compliance in code (2108.08579).

Logic-based reasoning engines, such as OWL DL reasoners, SPARQL engines, or custom components based on situation calculus, execute formalized rules or queries against structured data to determine compliance (2504.05951, 1910.00334, 2001.08930, 2109.00838). This allows for automated inference of compliance status based on the logical relationship between the data state and the regulatory requirements. Rule-Based Expert Systems (RBES), often implemented in languages like CLIPS, capture expert knowledge as IF-THEN rules to automate decision-making in domains like network security compliance, guiding VA/PT tool execution (2307.10967).

Process mining, specifically conformance checking, compares event logs to process models or declarative constraints using algorithms that measure the "fitness" of traces against the prescriptive model (2006.05777, 2501.10362). Association rule learning can be used in conjunction with process mining to uncover data-driven patterns of non-compliance (2006.05777).

Graph-based techniques are integrated with LLMs in frameworks like Graph-RAG to improve the retrieval of relevant regulatory context for compliance checks on software requirements (2412.08593). Knowledge graphs capturing entities and relationships from regulations enable more context-aware retrieval compared to simple text-based RAG (2412.08593).

Specialized algorithms handle specific compliance checks. In BIM, algorithms extract storey profiles, calculate overlaps, and measure overhangs from geometric data to check planning regulations (2011.03117). In privacy-preserving systems, zero-knowledge SNARK proofs are generated to attest to properties like "proof of innocence" based on Merkle tree inclusions, or to verify the integrity of bloom filters encoding ancestral compliance states (2506.04853).

Human-in-the-Loop Interaction and Semi-Automation

The "semi-automated" aspect of these systems is critical, indicating that human input, expertise, and oversight remain integral components of the workflow, complementing the automated processes.

Operationalizing Regulations: A primary area requiring human expertise is the initial translation of complex, often ambiguous natural language regulations into formal, machine-readable rules, logic, or code (1910.00334, 2006.05777, 2110.07710, 2209.09722, 2504.05951, 2505.19804, 2501.10362). Domain experts work with formal methods or AI practitioners to interpret textual provisions, resolve ambiguities, and structure the requirements into a formal representation (1910.00334, 2209.09722, 2505.19804). While NLP and LLMs can assist in extracting concepts, proposing structures, or suggesting annotations, the final judgment on semantic accuracy and formal correctness typically requires human validation to ensure fidelity to regulatory intent (2504.05951, 2209.09722, 2505.19804). This manual step is often identified as a key bottleneck for scalability (2501.10362).

Model and Rule Validation: Human experts validate the formal models, rules, or policies derived from regulations (2006.05777, 2108.08579, 2504.05951, 2110.07710). This involves checking that the formal representation accurately captures the nuances and exceptions of the original text (2006.05777). In systems using heuristic-based automated mapping (e.g., between design models and code), human users review and refine the suggested mappings to ensure they align with project-specific semantics and developer intent (2108.08579). Similarly, LLM-generated code or interpretations may require human review and correction, with feedback loops enabling iterative refinement by the AI (2506.20551).

Result Interpretation and Action: Automated systems generate reports, lists of violations, or compliance scores (1910.00334, 2006.05777, 2209.09722). Human experts interpret these results, diagnose the root causes of non-compliance, and determine appropriate corrective actions or policy adjustments (2006.05777, 2501.10362). Systems often provide explanations (e.g., token-level attributions, logical reasoning steps) to aid this interpretation (2506.01671, 2412.08593, 2505.19804). In cases of uncertainty or low confidence from the automated system, human analysts perform targeted manual review of specific cases or flagged items (2209.09722). For complex scenarios or edge cases that formal rules or AI models cannot fully resolve, human judgment remains essential (2006.05777).

Expertise Capture and Generalization: In systems like ESASCF, expert decisions during initial compliance runs are captured and formalized into reusable rules or "attack vectors" for the automated system (2307.10967). This allows the system to learn from human expertise and apply it automatically in similar future scenarios, particularly during re-testing (2307.10967). The human expert's role evolves from manual execution to oversight, decision validation, and handling novel or complex tasks (2307.10967).

This integration of human expertise ensures that compliance checks remain accurate, robust to ambiguity, adaptable to evolving requirements, and ultimately trustworthy for high-stakes applications.

Applications and Domain-Specific Implementations

Semi-automated compliance checking techniques are applied across a variety of domains, leveraging domain-specific data formats, regulatory frameworks, and compliance objectives.

In the Architecture, Engineering, and Construction (AEC) sector, these techniques are used for checking building designs against building codes and planning regulations (1910.00334, 2011.03117, 2506.20551). Systems translate code provisions into semantic rules (SPARQL) or OWL DL axioms operating on BIM/IFC data (1910.00334, 2504.05951). Tools extract relevant geometric properties and attributes from IFC models, even handling inconsistent data quality by prioritizing geometry-based checks (2011.03117). LLM-driven approaches generate Python scripts to execute compliance checks within BIM software environments like Revit (2506.20551). Use cases include verifying accessibility features (e.g., WC clear space), fire safety requirements (e.g., structural element fire resistance), building dimensions (height, setbacks), and spatial requirements (room areas, parking spaces) (1910.00334, 2011.03117, 2506.20551).

In the domain of Data Privacy and Governance, systems automate checks against regulations like the GDPR (2001.08930, 2012.05291, 2209.09722, 2109.00838, 2506.04853). This includes verifying that data processing operations comply with user consent or regulatory obligations using logic-based policy languages and ontology reasoning (2001.08930). Static analysis checks data analysis code against user-defined privacy policies (2012.05291). NLP is used to check Data Processing Agreements (DPAs) against GDPR "shall" requirements by extracting semantic frames and comparing them to formal requirement representations (2209.09722). For decentralized data processing, frameworks use formal logic and provenance graphs to ensure compliance with data governance rules across multi-stage workflows (2109.00838). Privacy-preserving financial systems integrate probabilistic compliance checks (e.g., Proof of Innocence, bloom filter-based ancestry tracking) into smart contract operations using zero-knowledge proofs (2506.04853).

For Business Process Compliance, techniques monitor process executions against regulations or internal policies (2006.05777, 2110.07710, 2501.10362). Process mining analyzes event logs to identify deviations from required sequences or constraints (2006.05777). Formal logics like DDL or LTL specify compliance rules that are checked against process models (BPMN) or event streams (CEP) (2110.07710, 2501.10362). Applications include ensuring sustainability criteria adherence in ERP-managed processes (e.g., CO2 emissions linked to checks) (2006.05777) or checking GDPR compliance in e-health processes (e.g., consent acquisition before data processing) (2110.07710).

Software Code Compliance can involve checking adherence to security properties or interface specifications (2108.08579, 2102.07485). Static analysis techniques verify inline assembly interfaces against declared constraints, detecting subtle bugs and proposing patches or refinements (2102.07485). Compliance between security design models and implementation code is checked using heuristic mapping and static taint analysis to verify required security mechanisms and data flows (2108.08579). Compliance of Software Requirements Specifications (SRS) with higher-level regulations (finance, aerospace) is enhanced using Graph-RAG and LLM-based reasoning (CoT, ToT) to establish traceable links and assess conformance (2412.08593).

Network Security Compliance utilizes expertise extraction and rule-based systems to automate vulnerability assessments and penetration testing segments (2307.10967). The ESASCF framework captures expert decisions to guide security tool execution and prioritize tasks, aiming to reduce time and improve consistency in compliance audits (2307.10967).

In Financial Compliance, LLM-driven approaches are applied to interpret complex regulations and generate executable code for automated checks (2505.19804). The Compliance-to-Code dataset provides a resource for training models to structure regulations into modular units and map them to Python code, supporting auditable checking pipelines like FinCheck (2505.19804).

For Content Moderation, LLM agents are evaluated for semi-automated compliance checking against community guidelines in decentralized social networks (2409.08963). These agents classify content, provide justifications for their decisions, and suggest remedies, serving as AI assistants for human moderators (2409.08963).

The generalizability of these techniques is evident as approaches initially developed for one domain (e.g., formal methods for process compliance, NLP for legal text) are adapted and applied across others. For instance, the semi-automated mapping and checking framework for security models and code is suggested as applicable to reliability, safety, and privacy checks (2108.08579). Similarly, the NLP-based approach for GDPR compliance of DPAs is noted as reusable for other legal texts (2209.09722), and LLM-driven BIM checks are extensible to diverse regulatory documents and potentially other platforms (2506.20551).

Challenges and Future Directions

While significant progress has been made, several challenges persist in the development and adoption of semi-automated compliance checking systems.

Formalization Complexity: Translating the nuances, ambiguities, and implicit knowledge of natural language regulations into formal, machine-executable logic remains a significant challenge (1910.00334, 2006.05777, 2504.05951, 2501.10362). Some aspects, particularly those involving subjective judgment, indirect effects, or long-term impacts (e.g., in sustainability), are difficult to formalize completely (2006.05777).

Data Quality and Availability: The effectiveness of automated checks is highly dependent on the quality, completeness, and consistency of the input data (BIM models, event logs, codebases, regulatory text) (2011.03117, 2006.05777, 2412.08593, 2506.20551). Real-world data often contains inconsistencies, errors, or uses non-standardized terminology, hindering automated processing (2011.03117, 2209.09722). Some required information may not be readily available in standard data formats (2006.05777).

Vocabulary Mismatch and Semantic Alignment: Bridging the gap between the language used in regulations (legal, performance-based) and the vocabulary in domain-specific data models (e.g., IFC, code variables) requires careful semantic alignment and ontology mapping (1910.00334). Ensuring consistent terminology and handling synonyms, aliases, or fragmented text is crucial for NLP-based approaches (2209.09722).

Scalability and Efficiency: Checking compliance constraints over large, complex datasets (large BIM models, massive event logs, extensive codebases, numerous regulations) can be computationally intensive (2006.05777, 2412.08593). While some approaches offer efficiency gains, scaling formal reasoning or complex AI models (like LLMs with advanced prompting) can introduce significant computational and monetary costs (2412.08593).

Usability and Maintenance: Formal languages and complex technical systems can present usability barriers for domain experts or business users (2006.05777, 2504.05951). Maintaining and updating rule bases or formal models as regulations evolve requires ongoing effort and expertise (2406.14758).

Trust and Explainability: For compliance checks, particularly in high-stakes domains, it is essential that the automated system's decisions are trustworthy and explainable (2506.01671, 2412.08593, 2505.19804). Black-box AI models may not be suitable, necessitating methods that provide transparent reasoning, traceability, and confidence scores (2506.01671, 2412.08593, 2505.19804).

Future research aims to address these challenges through several avenues. Further automation of the regulation operationalization step, potentially using advanced NLP and ML with human-in-the-loop validation, is a key focus (2501.10362, 2504.05951, 2506.20551, 2209.09722). Developing more robust and automated techniques for handling inconsistent or incomplete data is crucial for real-world applicability (2011.03117, 2506.20551). Research into hybrid methods combining different formalisms or AI techniques is ongoing (2006.05777, 2501.10362). Efforts are also directed towards building generic, extensible compliance monitoring frameworks and improving user interfaces to make these tools more accessible (2501.10362, 2412.08593). Expanding the scope to cover more regulatory domains, legal jurisdictions, and data modalities (e.g., multi-modal content) is also a direction for future work (2506.01671, 2209.09722). Finally, incorporating mechanisms for third-party verifiability and focusing on ethical AI principles (e.g., human autonomy, transparency) are important for regulatory compliance tools (2504.05951, 2406.14758).