Engineering · Defensibility

Citation graphs for compliance — why every AI output needs receipts.

Published April 26, 2026 9-minute read By Sia

A productivity tool earns trust by being fast. A compliance tool earns trust by being defensible. The difference between the two is whether every output carries a citation graph back to its source — and whether you can show that graph to an internal auditor without rebuilding the work from scratch. Here's the mechanic.

The problem with "the AI said so"

The first time a compliance team uses an AI tool that produces a coverage matrix, the second question they're asked is "where did this come from?" Without a good answer, the matrix is a starting point: useful, but not shippable. Internal audit can't sign off on something whose provenance is "the model decided." Regulators definitely can't.

What audit and regulators want is the same thing: a clean trail from final output back to the original regulatory text, with every transformation along the way recorded. That trail is the citation graph.

What a citation graph actually is

A citation graph is a directed graph where every node is a piece of compliance content (a regulation paragraph, an extracted obligation, a policy clause, a control, an evidence artifact) and every edge records a transformation: extracted from, mapped to, drafted from, approved by. Every output node has a path back to the source nodes that produced it.

For RegAI, the typical citation graph for a single drafted control runs like this:

  1. Source paragraph — DORA Article 6 §1, in its published form on the EUR-Lex feed, fetched on a known date and pinned to a specific version.
  2. Extracted obligation — "Financial entities shall implement a documented ICT business continuity policy with recovery time and recovery point objectives for all critical functions." Linked back to §1 of Article 6 with character offsets.
  3. Applicability decision — Applies to entity GSIB-SG-001, with a one-line justification linked to the entity profile.
  4. Mapped policy clauses — ICT-POL-07 sections 4.2 and 4.3, retrieved at semantic-similarity 0.81 and 0.74 respectively, both linked to their version-pinned source.
  5. Coverage score — Partial (62%), with a generated rationale linking to which sub-requirements are met and which aren't.
  6. Drafted control — A new control language proposal, generated by the AI with the prompt and source references attached.
  7. Human decision — Reviewed by Sarah K., 2026-04-22 14:31 UTC, accepted with two edits (diffs preserved), reviewer rationale recorded.
  8. Published artifact — Final control text, version 3, in the GRC system, with a back-pointer to the entire chain above.

That's the mechanic. Click any node, walk backward to source. Click the source, walk forward to every output it produced.
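The two walks described above, as an added example that is not RegAI's code: a small directed graph in which edges point in the direction of derivation and carry the transformation as a label, with a backward walk (output to sources) and a forward walk (source to everything derived from it). The forward walk is the same traversal that flags downstream artifacts when a source paragraph changes. The node ids, kinds, relation names and the sample chain are constructed to mirror the eight steps above and are illustrative only.

```python
"""Citation graph with bidirectional traversal (added example, not RegAI's code)."""
from collections import defaultdict, deque


class CitationGraph:
    def __init__(self):
        self.nodes = {}                    # id -> {"kind": ..., plus attributes}
        self.forward = defaultdict(list)   # src id -> [(dst id, relation)]
        self.backward = defaultdict(list)  # dst id -> [(src id, relation)]

    def add(self, node_id, kind, **attrs):
        self.nodes[node_id] = {"kind": kind, **attrs}
        return node_id

    def derive(self, src, dst, relation):
        """Record that `dst` was produced from `src` by `relation`.
        Read it as "dst <relation> src", e.g. obligation extracted_from paragraph."""
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"unknown node in edge {src} -> {dst}")
        self.forward[src].append((dst, relation))
        self.backward[dst].append((src, relation))

    def _walk(self, start, adjacency):
        # Breadth-first; the visited set keeps a malformed (cyclic) graph from looping.
        seen, order, queue = {start}, [], deque([start])
        while queue:
            cur = queue.popleft()
            for nxt, relation in adjacency[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    order.append((nxt, relation, cur))
                    queue.append(nxt)
        return order

    def trail(self, output_id):
        """Backward walk: every node `output_id` was derived from, nearest first."""
        return self._walk(output_id, self.backward)

    def sources(self, output_id):
        """Only the pinned regulatory sources behind an output."""
        return sorted(n for n, _, _ in self.trail(output_id)
                      if self.nodes[n]["kind"] == "source")

    def affected(self, source_id):
        """Forward walk: every artifact that needs review if `source_id` changes,
        grouped by kind. This is the change-propagation query."""
        groups = defaultdict(list)
        for n, _, _ in self._walk(source_id, self.forward):
            groups[self.nodes[n]["kind"]].append(n)
        return dict(groups)


def build_sample_graph():
    """Constructed sample mirroring the eight-step chain; all ids are illustrative."""
    g = CitationGraph()
    g.add("src:dora-art6-1", "source", version="v1-pinned", fetched="2026-04-20")
    g.add("obl:dora-6-1-a", "obligation", offsets=(234, 411))
    g.add("app:GSIB-SG-001", "applicability", decision="applies")
    g.add("map:ICT-POL-07#4.2", "mapping", similarity=0.81)
    g.add("map:ICT-POL-07#4.3", "mapping", similarity=0.74)
    g.add("score:gap-0042", "score", coverage=0.62)
    g.add("draft:ctrl-0042", "draft")
    g.add("decision:ctrl-0042-r1", "decision", reviewer="Sarah K.")
    g.add("ctrl:0042-v3", "artifact")

    g.derive("src:dora-art6-1", "obl:dora-6-1-a", "extracted_from")
    g.derive("obl:dora-6-1-a", "app:GSIB-SG-001", "assessed_for")
    g.derive("obl:dora-6-1-a", "map:ICT-POL-07#4.2", "mapped_to")
    g.derive("obl:dora-6-1-a", "map:ICT-POL-07#4.3", "mapped_to")
    g.derive("map:ICT-POL-07#4.2", "score:gap-0042", "scored_against")
    g.derive("map:ICT-POL-07#4.3", "score:gap-0042", "scored_against")
    g.derive("obl:dora-6-1-a", "score:gap-0042", "scored_against")
    g.derive("app:GSIB-SG-001", "score:gap-0042", "scored_for")
    g.derive("score:gap-0042", "draft:ctrl-0042", "drafted_from")
    g.derive("draft:ctrl-0042", "decision:ctrl-0042-r1", "reviewed_as")
    g.derive("decision:ctrl-0042-r1", "ctrl:0042-v3", "published_as")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for node, relation, via in g.trail("ctrl:0042-v3"):
        print(f"{via} <- {relation} <- {node}")
    print(g.affected("src:dora-art6-1"))
```

Storing both adjacency directions costs one extra list per edge and makes the regulator's question ("everything affected by this article") as cheap as the auditor's ("the trail for this control"), which is the property the post calls traversability in both directions.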

Why this is harder than it sounds

"Just track citations" is easy to say. The reasons it tends to be implemented badly:

1. Source pinning is nontrivial. Regulator websites change. URLs rot. Documents get republished with the same headline but different paragraph numbering. A citation back to "MAS Notice 626" without a version stamp is a citation to whatever the regulator's site happens to be hosting today. The system has to fetch the source, hash the content, store the hash, and re-fetch on a schedule to detect changes.

2. Character-level offsets matter. "DORA Article 6" is a citation. "DORA Article 6, paragraph 1, second sentence, characters 234–411" is a defensible citation. The first one looks fine in a footnote and falls apart in audit. The second survives a regulator asking "show me the exact text."

3. AI outputs are fluid; citations have to be sticky. An LLM might phrase "recovery time objective" as "RTO" or "time to recovery" or "recovery time targets" depending on the run. The citation needs to bind the output to the source it was derived from, not to the wording, so you can re-run the model without breaking the chain.

4. Human edits compound. The reviewer accepts an AI draft with three edits. The next reviewer further edits. Six months later, an auditor asks "what did the AI originally propose?" If the system has lost the diff history, the answer is "we don't know." That's a finding.

5. Cross-references explode. DORA Article 28 cites the underlying directive and an RTS; the RTS cites three ESA Q&As; those Q&As cite a separate directive. A citation graph that doesn't traverse those cross-references gives auditors half the picture.
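Points 1 to 3 above (pin the source by content hash, cite by character offset, bind outputs to the source location rather than to the model's wording), as an added example that is not RegAI's code. A citation records the source id, the hash of the version it was taken from, the offsets and the exact quoted span; a scheduled re-fetch then reports whether the citation is still pinned, has merely moved because text was inserted elsewhere, or points at text that no longer exists. The regulation paragraphs, source id, status names and hashing scheme are all constructed or assumed for the example.

```python
"""Version-pinned, offset-anchored citations (added example, not RegAI's code)."""
import hashlib
from dataclasses import dataclass


def canon(text: str) -> str:
    """Normalise line endings so a re-fetch that differs only in CRLF is not a change."""
    return text.replace("\r\n", "\n")


def pin(text: str) -> str:
    """Content hash that identifies one version of a fetched source."""
    return "sha256:" + hashlib.sha256(canon(text).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Citation:
    source_id: str
    version: str   # pin() of the text this citation was taken from
    start: int     # character offsets into the canonicalised text
    end: int
    quote: str     # the exact characters at [start:end] in that version

    @property
    def key(self):
        # Downstream artifacts bind to this tuple, never to the model's wording.
        return (self.source_id, self.version, self.start, self.end)


def cite(source_id: str, text: str, quote: str) -> Citation:
    """Build a citation by locating `quote` in `text`; refuses ambiguous spans."""
    text = canon(text)
    start = text.find(quote)
    if start < 0:
        raise ValueError("quoted text not found in source")
    if text.find(quote, start + 1) >= 0:
        raise ValueError("quoted text occurs more than once; cite a longer span")
    return Citation(source_id, pin(text), start, start + len(quote), quote)


def check(citation: Citation, current_text: str) -> dict:
    """Scheduled re-fetch check. Status is one of:
    pinned    - current text hashes to the cited version; offsets still valid
    relocated - the source changed but the quoted span still exists (new offsets)
    changed   - the quoted span is gone; every downstream artifact needs review
    """
    current_text = canon(current_text)
    current = pin(current_text)
    if current == citation.version:
        if current_text[citation.start:citation.end] != citation.quote:
            raise RuntimeError("hash matches but offsets do not: stored citation is corrupt")
        return {"status": "pinned", "version": current}
    idx = current_text.find(citation.quote)
    if idx >= 0:
        return {"status": "relocated", "version": current,
                "start": idx, "end": idx + len(citation.quote)}
    return {"status": "changed", "version": current}


# Constructed sample paragraphs (not real regulatory text). V2 inserts a
# sub-paragraph before the cited sentence; V3 rewrites the cited sentence.
V1 = ("1. Financial entities shall implement a documented ICT business continuity policy.\n"
      "2. The policy shall set recovery time objectives for critical functions.\n")
V2 = V1.replace("2. The policy", "1a. The policy shall be reviewed annually.\n2. The policy")
V3 = V1.replace("recovery time objectives", "recovery time and recovery point objectives")
QUOTE = "The policy shall set recovery time objectives for critical functions."


def demo() -> dict:
    c = cite("src:example-art-6", V1, QUOTE)
    # Two model runs phrase the obligation differently but bind to the same key.
    run_a = {"text": "Set an RTO for every critical function.", "cites": c.key}
    run_b = {"text": "Define recovery time targets per critical function.", "cites": c.key}
    return {
        "citation": c,
        "same_binding": run_a["cites"] == run_b["cites"],
        "v1": check(c, V1),
        "v2": check(c, V2),
        "v3": check(c, V3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "relocated" case is the one that a plain hash check misreports: renumbering or an inserted sub-paragraph changes the document hash without changing the cited text, so the system should re-anchor the offsets and record the new version rather than raise a finding. Only "changed" should fan out to every downstream obligation, gap and control.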

What a good citation graph looks like in practice

Two properties matter most:

Traversability in both directions. Forward (source → output) and backward (output → source). Auditors usually start from the output ("show me the trail for this control"). Regulators sometimes start from the source ("show me everything affected by this article"). The graph supports both equally.

Persistence under change. When the regulator updates a paragraph, every output downstream gets flagged automatically. The graph isn't a snapshot taken on day one; it's a live structure that updates with the source. That's how a compliance matrix stays current without re-running everything from scratch every quarter.

The five things to demand of any AI compliance vendor

If you're evaluating a tool that claims it produces "audit-ready" output, run it through these checks:

  1. Click any output, see source paragraph. Not "see the regulation." See the exact paragraph, with character offsets if you ask for them.
  2. Source is version-pinned. If the regulator republishes the document tomorrow, your citation still points to what was law when you made the decision. The graph stores both pointers — current and historical.
  3. Diff view exists. AI draft vs. published version, every edit timestamped, every reviewer recorded. Without this, "human in the loop" is a marketing claim, not an audit fact.
  4. Cross-references resolve. Citations to RTS, ITS, Q&As, and bulletins are first-class graph nodes, not flat text references.
  5. Change propagation is visible. When a source paragraph changes, the system shows you which obligations, gaps, and controls downstream are affected — automatically.

A tool that has all five is doing the work. A tool that has three is a productivity helper, not a compliance system. A tool that has zero is a thin wrapper with a chat interface.
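Check 3 above (and point 4 of the "harder than it sounds" list) asks for a diff history that can answer "what did the AI originally propose?" months later. As an added example that is not RegAI's code, here is an append-only revision log where each entry commits to the hash of the one before it, so a revision that was quietly rewritten in storage fails verification instead of silently becoming the record. Reviewer names, timestamps, control text and the hash-chaining scheme are constructed or assumed for the example.

```python
"""Tamper-evident revision history for an AI-drafted control (added example, not RegAI's code)."""
import dataclasses
import difflib
import hashlib
import json


@dataclasses.dataclass(frozen=True)
class Revision:
    seq: int
    author: str      # "ai:<model>" for the proposal, "human:<reviewer>" for edits
    at: str          # UTC timestamp, ISO-8601
    text: str
    rationale: str
    prev_hash: str   # hash of the preceding revision, "" for the first
    hash: str        # hash over every field above


def _digest(fields: dict) -> str:
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class History:
    """Append-only revision log; each entry commits to the one before it."""

    def __init__(self):
        self.revisions: list[Revision] = []

    def append(self, author: str, at: str, text: str, rationale: str = "") -> Revision:
        prev = self.revisions[-1].hash if self.revisions else ""
        fields = {"seq": len(self.revisions), "author": author, "at": at,
                  "text": text, "rationale": rationale, "prev_hash": prev}
        rev = Revision(**fields, hash=_digest(fields))
        self.revisions.append(rev)
        return rev

    def original_proposal(self) -> Revision:
        return self.revisions[0]

    def current(self) -> Revision:
        return self.revisions[-1]

    def diff(self, a: int = 0, b: int = -1) -> str:
        """Unified diff between two revisions, headed with who changed it and when."""
        ra, rb = self.revisions[a], self.revisions[b]
        return "".join(difflib.unified_diff(
            ra.text.splitlines(keepends=True), rb.text.splitlines(keepends=True),
            fromfile=f"rev{ra.seq} {ra.author} {ra.at}",
            tofile=f"rev{rb.seq} {rb.author} {rb.at}"))

    def verify(self) -> bool:
        """True only if every hash matches its content and links to the previous entry."""
        prev = ""
        for rev in self.revisions:
            fields = {k: v for k, v in dataclasses.asdict(rev).items() if k != "hash"}
            if rev.prev_hash != prev or _digest(fields) != rev.hash:
                return False
            prev = rev.hash
        return True


def build_sample_history() -> History:
    """Constructed sample: an AI proposal followed by two human review passes."""
    h = History()
    h.append("ai:draft-model", "2026-04-22T14:02:00Z",
             "The entity maintains an ICT business continuity policy.\n"
             "Recovery time objectives are defined for critical functions.\n",
             rationale="drafted from gap score for obligation obl:dora-6-1-a")
    h.append("human:Sarah K.", "2026-04-22T14:31:00Z",
             "The entity maintains a documented ICT business continuity policy.\n"
             "Recovery time and recovery point objectives are defined for all critical functions.\n",
             rationale="aligned wording with the extracted obligation")
    h.append("human:second reviewer", "2026-04-23T09:10:00Z",
             "The entity maintains a documented ICT business continuity policy, reviewed annually.\n"
             "Recovery time and recovery point objectives are defined for all critical functions.\n",
             rationale="added review cadence required by internal standard")
    return h


def tamper(h: History, seq: int, new_text: str) -> History:
    """Simulate someone rewriting a stored revision without re-appending it."""
    t = History()
    t.revisions = list(h.revisions)
    t.revisions[seq] = dataclasses.replace(h.revisions[seq], text=new_text)
    return t


if __name__ == "__main__":
    h = build_sample_history()
    print(h.diff(0, 1))
    print("chain valid:", h.verify())
    print("after tamper:", tamper(h, 0, "Something else.\n").verify())
```

The hash chain does not stop an insider who can rewrite every entry from the tampered one onward; for that the head hash has to be anchored somewhere the writer cannot change (a signed export to the GRC system, a write-once store). What it does give an auditor is a cheap check that the diff view they are shown is the history that was actually recorded.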

Why this is the moat

The citation graph is the part of the system that's hardest to replicate. Frontier models keep getting better — that's the easy part. The hard part is having a curated, version-pinned, cross-referenced, diff-tracked, regulator-by-regulator graph that stays current. That requires sustained investment in source ingestion, ontology modeling, and SME annotation that no off-the-shelf tool delivers.

It's also the part that buyers underweight in early evaluations and then suddenly weight at 100% during the first audit cycle. The right time to ask about citation graphs is before the contract, not after.

Where RegAI lands

Every obligation, gap score, draft control, and evidence artifact in RegAI carries a citation graph back to source. The graph is queryable from the UI, exportable to GRC platforms (Archer, ServiceNow, MetricStream), and survives source-version changes via pinning. When a regulator republishes, every affected output is flagged with a notification and a delta view; nothing is silently overwritten.

For the team running an audit cycle, the practical impact is fewer hours spent reconstructing the trail. For the auditor reviewing the work, it's a single linkable artifact instead of a binder. For the regulator asking "where did this come from?", it's one click.

Closing

"AI for compliance" is a category big enough to fit dozens of products with different definitions of done. The honest test is what survives the first audit. If the answer is "we'd have to rebuild the trail," the tool isn't ready. If the answer is "click the output, see the source," the tool is doing the work the category requires.

Citation graphs are not a feature. They're the floor.
