compliance and policy enforcement

Translating legal and regulatory requirements (e.g., GDPR, HIPAA, SOC2) into technical controls, access policies, and audit trails using policy engines (OPA), data classification, risk assessments, and compliance documentation and testing to demonstrate adherence.

complianceandpolicyenforcement

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.

AI regulationlegal text processingregulatory compliance

This study addresses the compliance challenges faced by data practitioners in machine learning systems under regulations such as the GDPR and the AI Act, particularly concerning data quality. Through semi-structured interviews with practitioners in the European Union, combined with thematic analysis of regulatory texts and engineering workflows, the research systematically uncovers a structural disconnect between regulation-driven data quality requirements and ML engineering practices. It identifies five core challenges: misalignment between legal principles and engineering implementation, fragmented data pipelines, lack of purpose-built compliance tools, ambiguous accountability, and reactive responses to audits. Building on these findings, the work proposes directions for designing compliance-oriented tooling, establishing effective governance mechanisms, and fostering cultural transformation to bridge the gap between regulatory mandates and practical ML development.

AI Actdata qualityGDPR

From Legal Text to Tech Specs: Generative AI's Interpretation of Consent in Privacy Law

Jul 05, 2025
AK
Aniket Kesari
🏛️ Fordham University | Carnegie Mellon University

Privacy laws designate “consent” as a lawful basis for data processing, yet its translation into software implementations has long suffered from a legal–technical gap and opaque development practices. This paper proposes the first LLM-based, three-step automated framework: (1) legal clause parsing, (2) use-case compliance classification, and (3) technical requirement reconstruction—augmented by human-in-the-loop verification to ensure legal alignment. It establishes the first systematic, end-to-end mapping from privacy regulation text to executable technical specifications, enabling compliance-aware requirements engineering and use-case remediation. Empirical evaluation demonstrates that the LLM effectively identifies and rectifies non-compliant use cases, validating its feasibility for automated compliance tasks; it also reveals persistent limitations in complex legal reasoning. The work introduces a novel paradigm and practical pathway for AI-augmented legal technologization.

Automating compliance tasks using Large Language Models (LLMs)Bridging legal consent requirements and technical implementation in softwareValidating AI-generated modifications against legal privacy standards

Towards a Framework for Supporting the Ethical and Regulatory Certification of AI Systems

Sep 30, 2025
FK
Fabian Kovac
🏛️ St. Pölten University of Applied Sciences | Digital for Planet - D4P | University of Luxembourg | Netcompany-Intrasoft S.A.

Facing ethical misalignment, legal non-compliance, and regulatory lag arising from the rapid deployment of AI across Europe, this paper proposes a unified governance framework integrating semantic MLOps, ontology-driven data lineage, and RegOps workflows. Grounded in computable ontology modeling, the framework enables semantic alignment and automated verification of model behavior, data provenance, and regulatory requirements across the AI lifecycle. Its key innovation lies in the first deep integration of semantic technologies into synergistic MLOps–RegOps processes—supporting formalized ethical principle representation, real-time compliance auditing, and auditable, traceable decision-making. Evaluated across multiple EU pilot deployments, the framework significantly enhances AI system transparency, verifiability, and regulatory adaptability. It delivers a scalable, dual-track pathway—combining technical infrastructure and governance mechanisms—for institutionalizing trustworthy AI.

Developing framework for ethical AI certificationEnsuring traceability in AI lifecycle managementIntegrating regulatory compliance with transparency standards

This study addresses the challenge of operationalizing GDPR compliance in software engineering—specifically, how to realize “Privacy by Design” (PbD) at the requirements and system specification levels while reconciling heterogeneous stakeholder interests and ensuring semantic consistency and traceability between legal provisions and technical specifications. We propose a formal modeling approach grounded in original legal concepts, systematically mapping GDPR articles to reusable privacy requirement patterns. Integrating systematic literature analysis, industry interviews, and requirements modeling, we develop a joint specification framework supporting cross-layer abstraction and transparent, bidirectional traceability. Empirical evaluation demonstrates that the framework significantly improves the accuracy of privacy requirement elicitation and the transparency of regulatory specification, thereby providing a scalable, methodology-driven foundation for law–technology co-governance.

Aligning GDPR requirements with software engineering specificationsBridging problem-solution space gap in privacy by designCapturing legal knowledge in system specifications for compliance

Latest Papers

What's happening recently
View more

Current AI systems rely heavily on manual auditing and documentation, which hinders scalable governance for automated services. This work proposes Ontological Knowledge Blocks (OKBs), a novel framework that formalizes regulatory obligations as quintuples comprising ontologies, SHACL rules, evidence requirements, and provenance links. By leveraging RDF/OWL modeling, PROV-O for provenance tracking, and an intermediate representation–driven deterministic compiler, the approach enables dynamic switching of governance configurations without modifying service code. Evaluation in an AI-assisted HPC scheduling scenario demonstrates that compliance checks are configuration-sensitive, violations accumulate strictly additively, SHACL validation incurs only 12.6–100.3 milliseconds of latency, and the Combined configuration provides the most comprehensive coverage.

AI governanceautomated verificationcompliance

This work addresses the lack of traceable and tamper-resistant transparency mechanisms in large language models (LLMs) deployed in high-stakes decision-making contexts, which undermines accountability. To bridge this gap, the paper introduces the first LLM lifecycle auditing framework that integrates technical provenance with governance records. It proposes a reference architecture enabling cross-organizational traceability and implements a lightweight, open-source Python-based auditing layer. By leveraging append-only logs, event emitters, structured metadata, and an auditor interface, the system seamlessly integrates into existing LLM workflows with minimal intrusiveness. This design ensures complete, tamper-evident traceability across critical stages—including training, deployment, and monitoring—thereby facilitating robust accountability and responsibility attribution throughout the model’s lifecycle.

accountabilityaudit trailsgovernance

This study addresses the challenges of assessing compliance between organizational cybersecurity policies and abstract security control frameworks such as NIST SP 800-53, which are often time-consuming, difficult to standardize, and lack traceability. To overcome these limitations, the authors propose PROPAGATE, a novel framework that leverages large language models (LLMs) to automate control-level compliance evaluation for the first time. By integrating both open-source and closed-source LLMs, the framework automatically retrieves relevant policy text, evaluates coverage across 1,007 security controls, and generates interpretable gap analyses with actionable improvement recommendations. Experimental results on two real-world organizational policy corpora demonstrate high effectiveness, achieving F1 scores of 88.54 and 82.31, respectively, thereby enabling traceable and explainable compliance enhancement.

compliance assessmentcybersecurity policyNIST SP 800-53

Prose2Policy (P2P) is a LLM-based practical tool that translates natural-language access control policies (NLACPs) into executable Rego code (the policy language of Open Policy Agent, OPA). It provides a modular, end-to-end pipeline that performs policy detection, component extraction, schema validation, linting, compilation, automatic test generation and execution. Prose2Policy is designed to bridge the gap between human-readable access requirements and machine-enforceable policy-as-code (PaC) while emphasizing deployment reliability and auditability. We evaluated Prose2Policy on the ACRE dataset and demonstrated a 95.3\% compile rate for accepted policies, with automated testing achieving a 82.2\% positive-test pass rate and a 98.9\% negative-test pass rate. These results indicate that Prose2Policy produces syntactically robust and behaviorally consistent Rego policies suitable for Zero Trust and compliance-driven environments.

This study addresses the widespread lack of compliance disclosures regarding data privacy regulations—such as GDPR and CCPA—in AI datasets hosted on the Hugging Face platform, which poses significant regulatory risks. For the first time, the paper introduces “compliance readiness” as a core dimension of dataset quality and systematically evaluates transparency in data provenance, processing workflows, and handling of sensitive information. Through an analysis of 11,682 public datasets—combining automated text mining of dataset cards with manual sampling and review—the research reveals that the vast majority fail to clearly document their creation processes or data sources, and only a small fraction explicitly identify sensitive fields such as personally identifiable information (PII). These findings highlight critical gaps in current practices and provide an empirical foundation for developing standardized tools and benchmarks for assessing dataset compliance.

AI supply chaindata privacydataset transparency

Hot Scholars

FJ

Frederik J. Zuiderveen Borgesius

Professor ICT and Law, iHub, Radboud University, The Netherlands
Law and technologyprivacydata protection lawnon-discrimination law
MA

Markus Anderljung

Centre for the Governance of AI
AI governanceAI policyAI forecasting
LT

L. Thomas van Binsbergen

University of Amsterdam
Software Language EngineeringFormal MethodsMulti-Agent SystemsNormative Reasoning
ZS

Zubair Shafiq

University of California, Davis
Online PrivacyInternet MeasurementTech Policy