Compliance & Regulated Operations — RAG on the corpus the audit hangs on.

Policies, controls, evidence, attestations. Every retrieval traceable. Every answer cited.

Policy and control Q&A, audit-evidence discovery, regulator-response drafting, and risk-knowledge research — running over the controls inventory, policy library, and attestation evidence your compliance and internal-audit teams already maintain.

The regime

Compliance and risk teams sit at the intersection of every regulated workflow in the organization. The corpus they operate on — policies, procedures, control narratives, audit findings, attestation evidence, vendor agreements, regulator correspondence, prior responses — is dense, frequently revised, and load-bearing for every Sarbanes-Oxley (SOX) attestation, every Payment Card Industry Data Security Standard (PCI DSS) assessment, every General Data Protection Regulation (GDPR) inquiry, and every regulator letter the company receives.

A Retrieval-Augmented Generation (RAG) system that handles this corpus has to satisfy the same chain-of-custody and audit standards the compliance function itself operates under. Citorum runs inside the organization's perimeter, indexes the corpus with chain-of-custody attached at ingestion, and produces answers with citations to the specific policy paragraph or control narrative that grounds each claim. Faithfulness labels make it explicit when the corpus did not support the answer — Verified answers carry the citation; Review Recommended answers route to a senior compliance officer; Do Not Rely answers are never surfaced as authoritative.

What changes for compliance and risk operations

The platform is the same; the configuration is control-framework-shaped.

Connectors target the document systems compliance and audit teams actually run: Governance, Risk, and Compliance (GRC) tools (RSA Archer, ServiceNow GRC, MetricStream), SharePoint policy and control libraries, network drives holding attestation evidence and regulator correspondence, and the integrated audit working papers your internal-audit team maintains. Control-framework metadata rides with documents — SOX, PCI DSS, GDPR, Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, Service Organization Control 2 (SOC 2), National Institute of Standards and Technology (NIST) 800-53 — so an audit-response drafter can scope retrieval to the framework the regulator is asking about.

Identity integrates with the organization's Identity Provider (IdP) so compliance officer, internal auditor, control owner, and General Counsel roles flow through unchanged. Reviewer queues route uncertain answers to the appropriate seniority: a Review Recommended answer on an external-audit response routes to the Chief Compliance Officer; a Do Not Rely answer is never surfaced as authoritative in the response packet. The audit log retains every retrieval, prompt, response, and faithfulness score with seven-year default retention — long enough to satisfy SOX retention and most external-audit working-paper requirements, and configurable for the longer holds some regulators impose.

Deployment is on-premises inside the company's data center, in a customer-owned Virtual Private Cloud (VPC) the IT department already operates, or as a Citorum-managed dedicated tenant. No documents, prompts, or model outputs cross the company's perimeter in the default configuration.

Run a pilot on one framework.

Most compliance teams start with one control framework — SOX, PCI DSS, or one of the privacy regimes — and one document source. We scope, deploy, and have the team running searches in weeks, not quarters.