Regulatory change management software — a buyer's guide.
"We need a regulatory change management tool" is a sentence with at least four different shopping lists behind it. The category covers everything from RSS readers to GRC platforms to AI-augmented intelligence systems. Buyers conflate them; vendors conflate them harder. This guide separates them and gives you a working checklist before you sign anything.
Written for compliance, risk, and legal leaders evaluating RCM tooling. We'll be honest about where RegAI lands and where it doesn't — but the guide is useful regardless of whether you end up shortlisting us.
The shape of the problem
Regulatory change management (RCM) is the operational discipline of:
- Knowing when a regulator publishes something new or changed.
- Determining whether it applies to your firm.
- Mapping it to internal policies, procedures, and controls.
- Identifying and closing gaps.
- Producing evidence of all the above for internal audit and external regulators.
That's five distinct workflows. The vendor landscape has tools that cover one, two, three, or all five — at very different price points and with very different definitions of "covered." The first job of any buyer is figuring out which of the five matter most for their team and how much overlap they're willing to tolerate.
The four categories of vendor
If you take only one thing from this guide, take this taxonomy. It explains 80% of the confusion in vendor demos.
1. Regulatory feed providers
Examples: regulatory horizon-scanning services, regulator alert subscriptions. Output: a feed of new and changed regulations, often with summaries and tagging. Best at: knowing when something happens. Weakest at: telling you what to do about it.
If RCM means "stay informed," this is the category. Pricing is usually per-seat or per-feed. The buyer is often a regulatory affairs analyst or horizon-scanning lead.
2. GRC platforms with RCM modules
Examples: Archer, ServiceNow GRC, MetricStream, OneTrust, LogicGate, AuditBoard. Output: a workflow system to track regulatory updates, assign tasks, and document controls. Best at: workflow, audit trails, and integration into broader GRC programs. Weakest at: actually understanding the regulations — the AI/NLP layer is often shallow.
Pricing is per-user, often expensive at scale. The buyer is usually the CISO or CRO. Ideal when you already run a GRC platform and want RCM as an extension.
3. Pure regulatory intelligence platforms
Examples: dedicated AI-first RCM tools focused on the regulatory analysis itself, not the broader GRC stack. Output: structured obligation libraries, semantic mapping to your policies, gap analysis, AI-drafted controls. Best at: turning regulator text into structured, mappable obligations. Weakest at: replacing your GRC platform — usually integrates with it instead.
Pricing is per-firm or per-jurisdiction. The buyer is typically the CCO or Head of Regulatory Affairs. Ideal when the bottleneck is the regulatory analysis itself, not the workflow around it.
4. Consulting deliverables / outsourced RCM
Big-four and specialist firms producing one-off matrices or running RCM-as-a-service. Output: a delivered compliance matrix, refreshed quarterly, with consultant FTEs in the loop. Best at: judgment-heavy work, novel regimes. Weakest at: scaling — the cost grows linearly with regulatory footprint.
Pricing is per-engagement or retainer. Often the right answer for a one-off (a charter conversion, a new market entry) but expensive as a steady state.
RegAI sits in category 3 — the pure regulatory intelligence platform — and integrates with category 2 (GRC) on one side and absorbs the steady-state of category 4 (consulting) on the other. We are also built by a category-4 firm (Sia), which is why our domain content is unusually strong for a category-3 product.
The eight capabilities to demand
Once you've picked a category, the capability checklist below applies. If any vendor in your shortlist is missing more than two, downgrade them.
1. Continuous source monitoring
Automated capture of regulator publications across the regulators you care about. Daily refresh at minimum. The system pins source versions so a regulator's republished page doesn't silently overwrite your prior reference. Test: ask which regulators they cover and how often each is refreshed.
2. Obligation extraction with traceback
The system extracts discrete obligations from regulator text, and every obligation is linked back to its exact source paragraph (with character offsets, ideally). Without this, the matrix is a starting point, not a defensible artifact. See our citation graphs guide for why this is the floor, not a feature.
3. Applicability triage
Not every obligation applies to every entity. The system supports an entity / license-type profile and produces an applicability decision (with rationale) per obligation. Test: walk through a regulation that applies to one of your three entities differently. The system should produce three different outputs.
4. Semantic mapping to internal policies
Each in-scope obligation mapped to the internal policy clauses that address it, scored Full / Partial / Not covered. Semantic, not keyword — meaning the system finds matches even when wording differs. Test: ask for a partial-coverage example with the rationale shown.
5. AI-drafted controls / language for gaps
For uncovered or partially-covered obligations, the system drafts replacement or new control language. Human review is non-negotiable; the AI is producing first drafts, not final controls. Test: ask for a sample draft alongside the source obligation it addresses.
6. Decision log and diff view
Every AI suggestion → human accept / edit / reject is timestamped, with the editor identified and the diff preserved. This is the audit trail that survives external review. Test: ask to see the diff history for a published artifact.
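As an added illustration of what "diff preserved, editor identified, timestamped" means in practice (example code written for this guide, not RegAI's or any vendor's implementation), the following minimal decision log records each accept / edit / reject, keeps the unified diff between the AI draft and the published text, and hash-chains entries so that a later alteration of any record is detectable during an audit walkthrough. Obligation IDs and editor names are constructed placeholders.

```python
import difflib
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Decision:
    obligation_id: str    # which extracted obligation the control belongs to
    editor: str           # human reviewer who took the decision
    action: str           # "accept" | "edit" | "reject"
    ai_draft: str         # the model's first draft, kept verbatim
    published: str        # what lands in the artifact ("" on reject)
    diff: str             # unified diff ai_draft -> published
    timestamp: str        # UTC, ISO 8601
    prev_hash: str        # hash of the previous entry (chain link)
    entry_hash: str = ""  # SHA-256 over all fields above


def _hash(d: Decision) -> str:
    body = {k: v for k, v in asdict(d).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    def __init__(self) -> None:
        self.entries: list[Decision] = []

    def record(self, obligation_id: str, editor: str, action: str,
               ai_draft: str, edited: str = "") -> Decision:
        if action not in ("accept", "edit", "reject"):
            raise ValueError(f"unknown action {action!r}")
        published = {"accept": ai_draft, "edit": edited, "reject": ""}[action]
        diff = "".join(difflib.unified_diff(
            ai_draft.splitlines(keepends=True), published.splitlines(keepends=True),
            fromfile="ai_draft", tofile="published"))
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        d = Decision(obligation_id, editor, action, ai_draft, published, diff,
                     datetime.now(timezone.utc).isoformat(), prev)
        d.entry_hash = _hash(d)
        self.entries.append(d)
        return d

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if any entry was altered."""
        prev = "0" * 64
        for d in self.entries:
            if d.prev_hash != prev or _hash(d) != d.entry_hash:
                return False
            prev = d.entry_hash
        return True
```

A vendor's diff history should let you answer the same three questions this log does: what the AI proposed, what a named person changed, and whether the record has been touched since.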
7. GRC integration
Native or API-based publishing into Archer / ServiceNow / MetricStream / OneTrust. The compliance matrix doesn't live in the RCM tool forever — it has to land in the system of record. Test: ask which GRCs they have production integrations with, not which they "support."
8. Multi-jurisdictional support
Especially important for global firms. The system handles overlapping regulators (MAS + HKMA, OCC + Fed, EBA + national overlays) without forcing duplicate work. Multilingual handling matters for pharma, insurance, and EU work in general. Test: ask for a multi-jurisdiction example and how shared obligations are reconciled.
The seven questions to ask before signing
This is the script we'd run if we were the buyer:
1. "For this output, show me the source paragraphs that produced it." — citation graph.
2. "What changed between the AI's first draft and the published version, and who approved each change?" — decision log + diff.
3. "How does this perform on regulator X (pick one obscure to the vendor), and how do you measure it?" — eval harness.
4. "What happens when the regulator updates the source text? Is my matrix updated automatically, and what is flagged for re-review?" — change propagation.
5. "How many SMEs annotated the training data, over what period, and in what specialties?" — domain depth.
6. "What's the integration story with our existing GRC platform? Can I see a production customer using it?" — actually deployed integration.
7. "Where does my data live? Tenant model, training-data isolation, security certifications?" — data residency and security posture.
If question 1 produces a hand-wave, walk away. Question 5 separates real domain platforms from thin wrappers — see our thick vs thin wrapper guide on why this matters.
Pricing — what to expect
This part is uncomfortable for vendors and useful for buyers. Rough ranges based on what we see in the market:
- Regulatory feeds: $5K–$30K per year, per seat or per feed.
- GRC platforms: $50K–$500K+ per year for the platform; RCM module is often a 10–20% add-on.
- Pure regulatory intelligence platforms: $100K–$1M+ per year, scaling with regulatory footprint and modules.
- Consulting deliverables: $200K–$2M+ per engagement, depending on scope.
The cost per obligation falls as you scale up: a firm tracking 50 regulations in a single jurisdiction has different unit economics from a global firm tracking 500. Ask vendors to model your specific footprint, not their list price.
Common buyer mistakes
- Buying for the demo. The pretty UI you saw on the sales call is rarely how analysts use the tool day-to-day. Insist on a sandbox or proof-of-concept where your team works on your own regulation, not the vendor's curated demo data.
- Underspecifying integration. "Integrates with Archer" can mean anything from a real-time API to a CSV export. Check what the actual data flow is, who maintains the connector, and whether your version of the GRC is actually supported.
- Skipping the audit-trail walkthrough. The single most common cause of failed RCM tool adoption is internal audit's first review producing findings the tool can't satisfy. Walk through audit's expectations before contracting.
- Conflating the categories. A GRC platform's RCM module and a pure regulatory intelligence platform are doing different things. If you only need workflow, don't pay for AI you won't use. If you need the AI, don't expect a GRC vendor's bolt-on to deliver it.
- Expecting "AI" to mean the same thing across vendors. "AI-powered RCM" covers everything from "we used GPT to summarize alerts" to "we trained a model on tens of thousands of SME annotations." Question 5 above separates them.
The honest case for RegAI
We sit in category 3 (pure regulatory intelligence) and we're built by a category-4 firm (Sia, with two decades of regulatory consulting). The architecture is what we cover in the thick wrapper piece: curated version-pinned corpus, regulatory ontology, tens of thousands of SME annotations, deterministic post-processing, audit-grade citation graph.
Where RegAI is a strong fit:
- Multi-regulator, multi-jurisdiction firms where the analysis is the bottleneck (banks, insurers, pharma, large tech).
- Teams that already have a GRC platform and want regulatory intelligence on top, not a GRC replacement.
- Firms with significant audit / regulatory exam exposure where citation-grade defensibility matters.
Where RegAI is the wrong fit:
- Single-jurisdiction, narrow-scope monitoring. A regulatory feed plus your existing tooling will be cheaper.
- Firms that want a full GRC replacement. We integrate with GRCs; we don't replace them.
- Buyers who haven't budgeted for a meaningful platform commitment. The TCO sits firmly in the six-figure-plus range for serious deployments.
Closing
Regulatory change management is one of those operational disciplines that gets harder every year — more regulators, more frequency, more cross-border coordination — and the tooling has fragmented into four overlapping categories that vendors don't always disambiguate cleanly. The best move for a buyer is to know which category you're shopping in before the sales calls start, then run the eight-capability checklist and the seven-question script through every shortlisted vendor.
Whether the answer is RegAI or someone else, the framework above will keep you out of the most expensive failure mode: buying for the demo and discovering the tool can't answer audit's first question.
