Semi-Automated Compliance Checks

• Semi-Automated Compliance Checks is a hybrid approach that merges advanced automation, including formal methods and AI, with expert human oversight to interpret complex regulations.
• It employs precise logic-based formalisms, temporal logics, and semantic web tools to transform regulatory text into actionable, machine-interpretable rules.
• This approach overcomes the limitations of purely manual or fully automated methods by enhancing scalability, accuracy, and transparency across diverse compliance domains.

Semi-automated compliance checking involves combining automated techniques, often employing formal methods, AI, or specialized software tools, with essential human expertise to verify adherence to regulations, policies, or standards. This approach seeks to overcome the limitations of purely manual processes, which are time-consuming, prone to human error, and difficult to scale, as well as the challenges of fully automated systems, which may struggle with the ambiguity, complexity, and dynamic nature of real-world compliance requirements and data. It is applied across diverse domains, including building codes, data privacy (e.g., GDPR), business processes, software code, network security, financial regulations, and content moderation.

Formalisms and Logic-Based Approaches

A foundational aspect of semi-automated compliance checking is the formal representation of regulations and business logic using machine-interpretable languages. Various logical formalisms enable precise expression and automated reasoning over compliance constraints.

Defeasible Deontic Logic (DDL) is utilized to model normative rules, capturing obligations, prohibitions, and permissions, and accommodating defeasibility to handle exceptions and potential rule conflicts found in regulations such as GDPR (Amantea et al., 2021). DDL allows representation of rule types (punctual vs. persistent, achievement vs. maintenance) essential for complex processes like those in e-health. Tools like Regorous can then automatically check BPMN process traces against these DDL rules, identifying violations (Amantea et al., 2021).

Temporal logics, such as Linear Temporal Logic (LTL), are employed to specify the required order and timing of events within business processes (Schreiber, 2020, Klessascheck et al., 6 Dec 2024). An LTL formula like $\Box (\text{A} \rightarrow \Diamond \text{B})$ can encode a constraint stating "Always, if activity A occurs, then eventually activity B must follow" (Schreiber, 2020). This is particularly relevant for monitoring process execution logs in systems like ERPs to detect deviations from sustainability or other process-level constraints (Schreiber, 2020). Complex Event Processing (CEP) techniques are also used to define event-based rules and queries over process streams to check multi-perspective compliance (control flow, temporal, data, resources) (Klessascheck et al., 6 Dec 2024).

Semantic Web technologies, including OWL ontologies and SPARQL queries, are used to bridge the gap between abstract regulations and structured data models, such as Building Information Models (BIM) based on the IFC standard (Bus et al., 2019). Regulations are translated into semantic rules or SPARQL queries that operate over an RDF triple-store representation of the BIM data (Bus et al., 2019). The Building Topology Ontology (BOT) and ifcOWL facilitate this by providing a standard core for building concepts and IFC mapping (Bus et al., 2019). Similarly, OWL DL is used to represent normative regulations as axioms, enabling automated compliance checking through standard Description Logic reasoners (e.g., Pellet, HermiT) (Baimuratov et al., 8 Apr 2025). Regulations are formalized as General Class Inclusion (GCI) axioms, such as Subject $\subseteq$ Requirement, where Subject and Requirement are complex OWL class expressions built from vocabulary and structural rules (Baimuratov et al., 8 Apr 2025).

In data governance and privacy contexts, logic-based policy languages, often based on OWL2 or extensions of situation calculus, are used to express consent, business policies, and regulatory obligations (like GDPR) (Bonatti et al., 2020, Zhao, 2021). Compliance checking is performed by automated reasoning components that verify if a business policy is a subclass of the formalized consent or regulatory constraint, or by tracking rule propagation and transformation through data-flow graphs based on situation calculus and provenance (Bonatti et al., 2020, Zhao, 2021).

Data and Model Representation for Checking

Effective semi-automated compliance checking heavily relies on the structured representation and quality of the data and models being checked. The format and content of this data must align with the formal representation of the rules or enable extraction of relevant features for automated analysis.

Building Information Models (BIM), typically using the Industry Foundation Classes (IFC) standard (ISO 16739), serve as the primary data source for compliance checks in the architecture, engineering, and construction domain (Bus et al., 2019, Noardo et al., 2020, Madireddy et al., 25 Jun 2025). Automated tools extract geometric properties (e.g., maximum height, storey profiles, overhangs) and semantic attributes (e.g., element types, function labels) from IFC models (Noardo et al., 2020). Challenges include inconsistent semantics, erroneous spatial grouping, geometry problems, and lack of standardization for specific elements like parking spaces, necessitating geometry-driven approaches where semantics are unreliable (Noardo et al., 2020). IFC data can be transformed into RDF triple-stores using tools like Open-IFC-to-RDF-converter, with geometric and semantic pre-processing to simplify complexity and align vocabularies (Bus et al., 2019). Compliance with regulations formalized in OWL DL can also be checked by representing specific building instances as individuals in an ontology that includes the ifcOWL domain ontology (Baimuratov et al., 8 Apr 2025).

For business process compliance, process execution data is captured in event logs, which record sequences of activities with timestamps, resources, and data attributes (Schreiber, 2020, Klessascheck et al., 6 Dec 2024). Process mining techniques reconstruct actual process models from these logs, providing a basis for conformance checking against prescriptive models or constraints (Schreiber, 2020). Integration with Enterprise Resource Planning (ERP) systems is common, as ERPs are a source of extensive process logs (Schreiber, 2020). Business processes can also be modeled using standard languages like Business Process Model and Notation (BPMN), which provides a visual representation that can be mapped to formal logic for compliance analysis (Amantea et al., 2021).

Data privacy and usage compliance systems utilize structured data representations like "Data Capsules," which pair encrypted user data with governing policies expressed in a Domain Specific Language (DSL) (Khan et al., 2020). These policies are OWL2 classes, enabling static analysis of code operating on the data. Compliance data structures in privacy-preserving smart wallets include Merkle trees for tracking allowed/illicit states and bloom filters for probabilistically encoding ancestral provenance of funds, integrated with on-chain Sparse Merkle Trees (SMTs) for auditability (Rizzini et al., 5 Jun 2025).

Compliance checks between software design models and code rely on modeling security specifications using extended data flow diagrams (SecDFDs) and extracting a "Program Model" (PM) from source code (Tuma et al., 2021). The PM represents program structure (classes, methods, data flows) and is often graph-based, enabling heuristic-based mapping between design elements and code elements (Tuma et al., 2021).

In legal and regulatory text analysis, datasets are created by annotating clauses or sentences with domain-specific semantic frames (SFs), semantic roles, or logical elements (Subject, Condition, Constraint, Context) (Amaral et al., 2022, Li et al., 26 May 2025). Glossaries of legal terms and relations between regulatory units are also established to provide structured context (Amaral et al., 2022, Li et al., 26 May 2025). These structured representations, often paired with executable code snippets, serve as benchmarks for training and evaluating AI models (Li et al., 26 May 2025).

Network security compliance utilizes data gathered from network discovery, asset mapping, vulnerability assessments (VA), and penetration tests (PT) (Ghanem et al., 2023). This data, along with captured expert decisions, is structured into forms usable by rule-based expert systems (RBES) or stored as "attack vectors" in a memory module (Ghanem et al., 2023).

Compliance in AI systems themselves is addressed through computational transparency artifacts called "Compliance Cards (CCs)" (Marino et al., 20 Jun 2024). These artifacts capture compliance-relevant metadata about an overall AI initiative and its constituent datasets and models in quantized attribute-value pairs (booleans, integers, categorical), designed for algorithmic processing (Marino et al., 20 Jun 2024).

AI and Automated Techniques

A range of AI and automated techniques are employed to perform the checking and analysis required in semi-automated compliance systems.

NLP techniques are central to interpreting unstructured regulatory text. This includes preprocessing (sentence splitting, tokenization, lemmatization), POS tagging, dependency parsing, and Semantic Role Labeling (SRL) to extract phrasal-level semantic representations (Amaral et al., 2022). Specific vocabulary mappings and ontology-based annotation schemas support the conversion of annotated text into formal logic or code (Baimuratov et al., 8 Apr 2025). LLMs are increasingly used for interpreting regulations, generating executable code scripts (e.g., Python for BIM platforms), and producing compliance reports (Madireddy et al., 25 Jun 2025, Li et al., 26 May 2025, Cava et al., 13 Sep 2024, Masoudifard et al., 11 Dec 2024). Advanced prompt engineering techniques like Chain-of-Thought (CoT) and Tree-of-Thought (ToT) are used to enhance LLM reasoning capabilities for complex regulatory text interpretation and traceability (Masoudifard et al., 11 Dec 2024). LLM agents can also perform automated content moderation tasks by interpreting community rules and content (Cava et al., 13 Sep 2024).

Static analysis techniques are applied to software code or formalized representations to verify compliance. PrivFramework uses static analysis to check if data analysis programs written in Python comply with user-defined privacy policies expressed as OWL2 classes, using abstract interpretation to track data flows and operations (Khan et al., 2020). RUSTInA performs static dataflow analysis (forward impact and backward liveness) on intermediate representations of inline assembly code to check interface compliance (framing, unicity) against declared interfaces (Recoules et al., 2021). Project-specific taint analysis, parameterized by sources and sinks derived from security design models, can identify security violations or data flow non-compliance in code (Tuma et al., 2021).

Logic-based reasoning engines, such as OWL DL reasoners, SPARQL engines, or custom components based on situation calculus, execute formalized rules or queries against structured data to determine compliance (Baimuratov et al., 8 Apr 2025, Bus et al., 2019, Bonatti et al., 2020, Zhao, 2021). This allows for automated inference of compliance status based on the logical relationship between the data state and the regulatory requirements. Rule-Based Expert Systems (RBES), often implemented in languages like CLIPS, capture expert knowledge as IF-THEN rules to automate decision-making in domains like network security compliance, guiding VA/PT tool execution (Ghanem et al., 2023).

Process mining, specifically conformance checking, compares event logs to process models or declarative constraints using algorithms that measure the "fitness" of traces against the prescriptive model (Schreiber, 2020, Klessascheck et al., 6 Dec 2024). Association rule learning can be used in conjunction with process mining to uncover data-driven patterns of non-compliance (Schreiber, 2020).

Graph-based techniques are integrated with LLMs in frameworks like Graph-RAG to improve the retrieval of relevant regulatory context for compliance checks on software requirements (Masoudifard et al., 11 Dec 2024). Knowledge graphs capturing entities and relationships from regulations enable more context-aware retrieval compared to simple text-based RAG (Masoudifard et al., 11 Dec 2024).

Specialized algorithms handle specific compliance checks. In BIM, algorithms extract storey profiles, calculate overlaps, and measure overhangs from geometric data to check planning regulations (Noardo et al., 2020). In privacy-preserving systems, zero-knowledge SNARK proofs are generated to attest to properties like "proof of innocence" based on Merkle tree inclusions, or to verify the integrity of bloom filters encoding ancestral compliance states (Rizzini et al., 5 Jun 2025).

Human-in-the-Loop Interaction and Semi-Automation

The "semi-automated" aspect of these systems is critical, indicating that human input, expertise, and oversight remain integral components of the workflow, complementing the automated processes.

Operationalizing Regulations: A primary area requiring human expertise is the initial translation of complex, often ambiguous natural language regulations into formal, machine-readable rules, logic, or code (Bus et al., 2019, Schreiber, 2020, Amantea et al., 2021, Amaral et al., 2022, Baimuratov et al., 8 Apr 2025, Li et al., 26 May 2025, Klessascheck et al., 6 Dec 2024). Domain experts work with formal methods or AI practitioners to interpret textual provisions, resolve ambiguities, and structure the requirements into a formal representation (Bus et al., 2019, Amaral et al., 2022, Li et al., 26 May 2025). While NLP and LLMs can assist in extracting concepts, proposing structures, or suggesting annotations, the final judgment on semantic accuracy and formal correctness typically requires human validation to ensure fidelity to regulatory intent (Baimuratov et al., 8 Apr 2025, Amaral et al., 2022, Li et al., 26 May 2025). This manual step is often identified as a key bottleneck for scalability (Klessascheck et al., 6 Dec 2024).

Model and Rule Validation: Human experts validate the formal models, rules, or policies derived from regulations (Schreiber, 2020, Tuma et al., 2021, Baimuratov et al., 8 Apr 2025, Amantea et al., 2021). This involves checking that the formal representation accurately captures the nuances and exceptions of the original text (Schreiber, 2020). In systems using heuristic-based automated mapping (e.g., between design models and code), human users review and refine the suggested mappings to ensure they align with project-specific semantics and developer intent (Tuma et al., 2021). Similarly, LLM-generated code or interpretations may require human review and correction, with feedback loops enabling iterative refinement by the AI (Madireddy et al., 25 Jun 2025).

Result Interpretation and Action: Automated systems generate reports, lists of violations, or compliance scores (Bus et al., 2019, Schreiber, 2020, Amaral et al., 2022). Human experts interpret these results, diagnose the root causes of non-compliance, and determine appropriate corrective actions or policy adjustments (Schreiber, 2020, Klessascheck et al., 6 Dec 2024). Systems often provide explanations (e.g., token-level attributions, logical reasoning steps) to aid this interpretation (Bora et al., 2 Jun 2025, Masoudifard et al., 11 Dec 2024, Li et al., 26 May 2025). In cases of uncertainty or low confidence from the automated system, human analysts perform targeted manual review of specific cases or flagged items (Amaral et al., 2022). For complex scenarios or edge cases that formal rules or AI models cannot fully resolve, human judgment remains essential (Schreiber, 2020).

Expertise Capture and Generalization: In systems like ESASCF, expert decisions during initial compliance runs are captured and formalized into reusable rules or "attack vectors" for the automated system (Ghanem et al., 2023). This allows the system to learn from human expertise and apply it automatically in similar future scenarios, particularly during re-testing (Ghanem et al., 2023). The human expert's role evolves from manual execution to oversight, decision validation, and handling novel or complex tasks (Ghanem et al., 2023).

This integration of human expertise ensures that compliance checks remain accurate, robust to ambiguity, adaptable to evolving requirements, and ultimately trustworthy for high-stakes applications.

Applications and Domain-Specific Implementations

Semi-automated compliance checking techniques are applied across a variety of domains, leveraging domain-specific data formats, regulatory frameworks, and compliance objectives.

In the Architecture, Engineering, and Construction (AEC) sector, these techniques are used for checking building designs against building codes and planning regulations (Bus et al., 2019, Noardo et al., 2020, Madireddy et al., 25 Jun 2025). Systems translate code provisions into semantic rules (SPARQL) or OWL DL axioms operating on BIM/IFC data (Bus et al., 2019, Baimuratov et al., 8 Apr 2025). Tools extract relevant geometric properties and attributes from IFC models, even handling inconsistent data quality by prioritizing geometry-based checks (Noardo et al., 2020). LLM-driven approaches generate Python scripts to execute compliance checks within BIM software environments like Revit (Madireddy et al., 25 Jun 2025). Use cases include verifying accessibility features (e.g., WC clear space), fire safety requirements (e.g., structural element fire resistance), building dimensions (height, setbacks), and spatial requirements (room areas, parking spaces) (Bus et al., 2019, Noardo et al., 2020, Madireddy et al., 25 Jun 2025).

In the domain of Data Privacy and Governance, systems automate checks against regulations like the GDPR (Bonatti et al., 2020, Khan et al., 2020, Amaral et al., 2022, Zhao, 2021, Rizzini et al., 5 Jun 2025). This includes verifying that data processing operations comply with user consent or regulatory obligations using logic-based policy languages and ontology reasoning (Bonatti et al., 2020). Static analysis checks data analysis code against user-defined privacy policies (Khan et al., 2020). NLP is used to check Data Processing Agreements (DPAs) against GDPR "shall" requirements by extracting semantic frames and comparing them to formal requirement representations (Amaral et al., 2022). For decentralized data processing, frameworks use formal logic and provenance graphs to ensure compliance with data governance rules across multi-stage workflows (Zhao, 2021). Privacy-preserving financial systems integrate probabilistic compliance checks (e.g., Proof of Innocence, bloom filter-based ancestry tracking) into smart contract operations using zero-knowledge proofs (Rizzini et al., 5 Jun 2025).

For Business Process Compliance, techniques monitor process executions against regulations or internal policies (Schreiber, 2020, Amantea et al., 2021, Klessascheck et al., 6 Dec 2024). Process mining analyzes event logs to identify deviations from required sequences or constraints (Schreiber, 2020). Formal logics like DDL or LTL specify compliance rules that are checked against process models (BPMN) or event streams (CEP) (Amantea et al., 2021, Klessascheck et al., 6 Dec 2024). Applications include ensuring sustainability criteria adherence in ERP-managed processes (e.g., CO2 emissions linked to checks) (Schreiber, 2020) or checking GDPR compliance in e-health processes (e.g., consent acquisition before data processing) (Amantea et al., 2021).

Software Code Compliance can involve checking adherence to security properties or interface specifications (Tuma et al., 2021, Recoules et al., 2021). Static analysis techniques verify inline assembly interfaces against declared constraints, detecting subtle bugs and proposing patches or refinements (Recoules et al., 2021). Compliance between security design models and implementation code is checked using heuristic mapping and static taint analysis to verify required security mechanisms and data flows (Tuma et al., 2021). Compliance of Software Requirements Specifications (SRS) with higher-level regulations (finance, aerospace) is enhanced using Graph-RAG and LLM-based reasoning (CoT, ToT) to establish traceable links and assess conformance (Masoudifard et al., 11 Dec 2024).

Network Security Compliance utilizes expertise extraction and rule-based systems to automate vulnerability assessments and penetration testing segments (Ghanem et al., 2023). The ESASCF framework captures expert decisions to guide security tool execution and prioritize tasks, aiming to reduce time and improve consistency in compliance audits (Ghanem et al., 2023).

In Financial Compliance, LLM-driven approaches are applied to interpret complex regulations and generate executable code for automated checks (Li et al., 26 May 2025). The Compliance-to-Code dataset provides a resource for training models to structure regulations into modular units and map them to Python code, supporting auditable checking pipelines like FinCheck (Li et al., 26 May 2025).

For Content Moderation, LLM agents are evaluated for semi-automated compliance checking against community guidelines in decentralized social networks (Cava et al., 13 Sep 2024). These agents classify content, provide justifications for their decisions, and suggest remedies, serving as AI assistants for human moderators (Cava et al., 13 Sep 2024).

The generalizability of these techniques is evident as approaches initially developed for one domain (e.g., formal methods for process compliance, NLP for legal text) are adapted and applied across others. For instance, the semi-automated mapping and checking framework for security models and code is suggested as applicable to reliability, safety, and privacy checks (Tuma et al., 2021). Similarly, the NLP-based approach for GDPR compliance of DPAs is noted as reusable for other legal texts (Amaral et al., 2022), and LLM-driven BIM checks are extensible to diverse regulatory documents and potentially other platforms (Madireddy et al., 25 Jun 2025).

Challenges and Future Directions

While significant progress has been made, several challenges persist in the development and adoption of semi-automated compliance checking systems.

Formalization Complexity: Translating the nuances, ambiguities, and implicit knowledge of natural language regulations into formal, machine-executable logic remains a significant challenge (Bus et al., 2019, Schreiber, 2020, Baimuratov et al., 8 Apr 2025, Klessascheck et al., 6 Dec 2024). Some aspects, particularly those involving subjective judgment, indirect effects, or long-term impacts (e.g., in sustainability), are difficult to formalize completely (Schreiber, 2020).

Data Quality and Availability: The effectiveness of automated checks is highly dependent on the quality, completeness, and consistency of the input data (BIM models, event logs, codebases, regulatory text) (Noardo et al., 2020, Schreiber, 2020, Masoudifard et al., 11 Dec 2024, Madireddy et al., 25 Jun 2025). Real-world data often contains inconsistencies, errors, or uses non-standardized terminology, hindering automated processing (Noardo et al., 2020, Amaral et al., 2022). Some required information may not be readily available in standard data formats (Schreiber, 2020).

Vocabulary Mismatch and Semantic Alignment: Bridging the gap between the language used in regulations (legal, performance-based) and the vocabulary in domain-specific data models (e.g., IFC, code variables) requires careful semantic alignment and ontology mapping (Bus et al., 2019). Ensuring consistent terminology and handling synonyms, aliases, or fragmented text is crucial for NLP-based approaches (Amaral et al., 2022).

Scalability and Efficiency: Checking compliance constraints over large, complex datasets (large BIM models, massive event logs, extensive codebases, numerous regulations) can be computationally intensive (Schreiber, 2020, Masoudifard et al., 11 Dec 2024). While some approaches offer efficiency gains, scaling formal reasoning or complex AI models (like LLMs with advanced prompting) can introduce significant computational and monetary costs (Masoudifard et al., 11 Dec 2024).

Usability and Maintenance: Formal languages and complex technical systems can present usability barriers for domain experts or business users (Schreiber, 2020, Baimuratov et al., 8 Apr 2025). Maintaining and updating rule bases or formal models as regulations evolve requires ongoing effort and expertise (Marino et al., 20 Jun 2024).

Trust and Explainability: For compliance checks, particularly in high-stakes domains, it is essential that the automated system's decisions are trustworthy and explainable (Bora et al., 2 Jun 2025, Masoudifard et al., 11 Dec 2024, Li et al., 26 May 2025). Black-box AI models may not be suitable, necessitating methods that provide transparent reasoning, traceability, and confidence scores (Bora et al., 2 Jun 2025, Masoudifard et al., 11 Dec 2024, Li et al., 26 May 2025).

Future research aims to address these challenges through several avenues. Further automation of the regulation operationalization step, potentially using advanced NLP and ML with human-in-the-loop validation, is a key focus (Klessascheck et al., 6 Dec 2024, Baimuratov et al., 8 Apr 2025, Madireddy et al., 25 Jun 2025, Amaral et al., 2022). Developing more robust and automated techniques for handling inconsistent or incomplete data is crucial for real-world applicability (Noardo et al., 2020, Madireddy et al., 25 Jun 2025). Research into hybrid methods combining different formalisms or AI techniques is ongoing (Schreiber, 2020, Klessascheck et al., 6 Dec 2024). Efforts are also directed towards building generic, extensible compliance monitoring frameworks and improving user interfaces to make these tools more accessible (Klessascheck et al., 6 Dec 2024, Masoudifard et al., 11 Dec 2024). Expanding the scope to cover more regulatory domains, legal jurisdictions, and data modalities (e.g., multi-modal content) is also a direction for future work (Bora et al., 2 Jun 2025, Amaral et al., 2022). Finally, incorporating mechanisms for third-party verifiability and focusing on ethical AI principles (e.g., human autonomy, transparency) are important for regulatory compliance tools (Baimuratov et al., 8 Apr 2025, Marino et al., 20 Jun 2024).