Most "AI for compliance" demos in 2024 looked the same. A user pasted a contract. The model spat back a confident-sounding summary. Buyers nodded politely and went back to their actual workflow, which still ran on spreadsheets and Slack.
The problem wasn't the summary. The problem was that nobody could verify it. A compliance officer's job is not "read this and trust me." It's "show your work, with a paragraph reference, and be ready to defend it in front of a regulator who already disagrees with you." Confident prose is the opposite of what the role requires.
Citation is not a feature. It's the product.
A regulatory finding without a source citation is a guess in fancy clothing. The bar in this domain is not "is the model right?" — it's "can the model show me where it got that, in the original text, in the original language, with the original date stamp, and with a clear path back to the source of authority?"
That bar rules out a lot of architectures. It rules out anything that rephrases and discards. It rules out anything that hallucinates a paragraph number and hopes you don't check. It rules out RAG implementations where retrieval is fuzzy and generation papers over the gaps with confident-sounding text.
The right question for any regulatory AI isn't "how smart is it?" — it's "what is the audit trail when it's wrong?"
Two kinds of wrong
There are two failure modes regulators care about, and they are not symmetrical. A false positive — flagging a clean clause as risky — wastes a lawyer's afternoon. A false negative — missing a material disclosure obligation — can be a fine, a consent decree, or a front-page story.
Systems that optimize for "answer-ness" tune for false positives. Systems that optimize for evidence tune for false negatives, because the structure forces the model to find a citation or admit it can't. That second behavior is what a compliance officer actually wants.
What "evidence-first" looks like in practice
Three concrete properties:
One. Every claim is anchored to a paragraph in a primary source — not a summary, not a synthesis, not a press release. The paragraph is reproducible: same text, same line numbers, same hash, every time.
Two. Every interpretation is timestamped against the version of the regulation in force. "Article 16(2) of the EU AI Act" means nothing without the effective date. Provisions move. Recitals get amended. The model needs to know which yesterday it's talking about.
Three. Every disagreement is logged. When two analysts (human or model) reach different conclusions on the same paragraph, that delta becomes a row in a queue, not a fact buried in a transcript.
None of this is glamorous. It is, however, the actual job.