# RuleMesh — extended context for AI agents

> The compliance layer every regulated system runs on. Structured, citation-backed rules for every regulation, consumable by engineers, AI agents, and auditors. Compliance without the drag.

This document is the extended brief for AI agents that need full context on RuleMesh — the category, the problem, the asset, the protocol, and the why-now. The short summary is at https://rulemesh.com/llms.txt. The user-facing website at https://rulemesh.com communicates the current product wedge (GDPR for engineering teams); this file communicates the full company.

---

## Vision

**The compliance fabric of the internet.** *(Horizon statement.)*

**The compliance layer every regulated system runs on.** *(Working tagline.)*

A world where every regulated obligation — GDPR, DORA, the EU AI Act, NIS2, HIPAA, the SEC cybersecurity rule, and dozens of others — exists not only as prose in a statute, but as a structured, citation-backed, executable rule that any system can consume, act on, and produce evidence against. Where compliance is no longer a document an auditor reads after the fact, but a property of the running system itself.

## Mission

To translate the world's regulations into structured, citation-backed, executable rules — and to deliver them through every surface where modern work happens: the engineer's ticket, the AI coding agent's context, the platform's API, the cloud's policy engine — so that compliance is enforced, and evidenced, at the place it actually lives: the execution layer.

---

## The compliance translation problem

Every regulation describes an obligation that has to be satisfied somewhere in a running IT system. Between the legal text where the obligation is written and the IT system where it must be satisfied, three parties are involved — compliance and legal, engineering and IT, auditors and supervisors — all competent at their own job, none individually able to close the gap.
Three gaps result:

### Gap 1 — The translation gap

Compliance writes: *"Ensure appropriate technical measures for the protection of personal data, as required by GDPR Article 32."*

Engineering reads that and asks: *what does appropriate mean? Appropriate by whose standard? What control? What evidence? What configuration?*

The policy document doesn't answer. The legal text doesn't answer. Somewhere between Article 32 and the production database, a specific decision has to be made, and there is no one whose job is to make it.

In practice: engineering guesses, or a consultant translates per client (expensive, stale, not reusable), or a prose policy gets filed and engineers go back to guessing.

### Gap 2 — The coverage gap

Even when a workable translation exists, it rarely reaches every system it should. GDPR doesn't only apply to the production database — it applies to the spreadsheet sales uses, the vendor onboarding workflow, the access review, the AI system in pilot, the customer support tool, the data warehouse, the marketing automation. Dozens of systems per company, hundreds at scale.

Policy gets mapped to what someone thought to map it to. The rest get nothing.

**A company can pass SOC 2 with its central systems in order and still be systemically non-compliant at the periphery.**

### Gap 3 — The verification gap

Verification happens after the fact. The gap exists for months or years before it's found. The cost of compliance is structurally backloaded — expensive to find late, expensive to remediate late, expensive to defend late.

There is no mechanism in the current architecture that lets compliance be satisfied at the moment it should be.

### Why the existing workarounds don't close it

- **GRC platforms** (Vanta, Drata, OneTrust, ServiceNow GRC) operate at the policy layer. They track controls, collect evidence, produce reports. Useful for demonstrating compliance after it has been achieved. They do not translate regulations into executable specifications.
- **Legal AI** (Harvey, Spellbook, Legora) accelerates the first half of the chain (reading the law). Output is prose for humans. Doesn't close the second half.
- **Big Four and boutique consultants** hand-translate per client. Expensive. Bespoke. Goes stale. Two companies with the same GDPR obligation pay separately and receive different answers.
- **Engineering frameworks** (OWASP ASVS, CIS Benchmarks, NIST 800-53, ISO 27001) are the deepest existing asset on the engineering side. They give engineers authoritative, tested controls. The gap is the other direction: they don't map to specific regulatory obligations.

So there are two existing asset classes on opposite sides of the gap — the law on one side, engineering frameworks on the other — and no shared specification connecting them.

**That missing specification is the rule graph.**

---

## What the rule graph is

A structured graph of rules where:

- **Every rule is executable** — a system, an agent, or an automated workflow can consume it and act on it directly. Not prose. Not a policy document.
- **Every rule is citation-backed** — traces to the source article in primary law, so the evidence it produces is intrinsically defensible to an auditor, supervisor, or court.
- **Every rule is self-evidencing** — defines what compliance means *and* what evidence the consuming system must emit to prove it.

Two things make the graph valuable, and both have to be true at once:

1. **Authoritative translation.** Each rule is produced by translating primary legal text into a structured IT requirement, with the expected evidence specification attached. Translation is a careful, defensible engineering artifact, versioned and maintainable, produced once and reusable across every company that must satisfy the same regulation. Not "parse the law and ask an AI."
2. **Executable delivery.** The same rule is consumable by any system that needs to act on it. An engineer reading a Jira ticket. An AI coding agent (Claude Code, Cursor) pulling the rule into its context. A platform integrating rules through a GraphQL API. A cloud policy engine enforcing at the configuration layer.

Translation without execution is a better-formatted PDF. Execution without translation is automation pointed in the wrong direction. The rule graph is the combination.

---

## Execution surfaces

One ingestion engine, many execution surfaces:

- **Jira app** — engineers see relevant rules on the tickets they're already working on
- **MCP server** — AI coding agents pull rules with citations directly into their context (Claude Code, Cursor, any MCP-compatible agent)
- **GraphQL API** — platforms and internal tools integrate rules into existing workflows
- **Cloud policy outputs** — AWS, Azure, Kubernetes infrastructure enforces rules at the configuration layer
- **Custom automations** — the Excel plug-in, the email guardrail, the CRM retention field, built in a week by a coding agent that knows which rule it is enforcing

---

## Why now — three forces converging

### 1. The duty to demonstrate is now written into primary statute

This is the most important shift, and it has already happened.

GDPR Article 5(2) makes "the ability to demonstrate compliance" a statutory obligation. DORA (in force January 2025) requires continuous monitoring and evidence retention across ICT risk management, third-party oversight, incident reporting, and resilience testing. The EU AI Act (Article 11, Annex IV) makes a 10-year evidence dossier the regulatory passport for any high-risk AI system. NIS2 attaches personal accountability to named members of the management body. The SEC's 2023 cybersecurity rule, and the SolarWinds enforcement that followed, made clear that public claims about security posture must be backed by evidence.
The pattern: across jurisdictions and sectors, the burden of proof has shifted from supervisors to the regulated entity, the expected refresh rate has moved from annual to continuous, and personal liability has attached to named officers.

### 2. The auditor's standard is now the regulator's standard

ISACA's IT Audit Framework — the global professional standard every CISA-certified auditor is trained to — has required since at least its 2nd edition that audit evidence be **"sufficient and appropriate"** (Standard 1205). Sufficient in quantity. Appropriate in quality, where appropriate means both relevant and reliable.

Under this standard, a written policy is evidence that a policy *exists*. It is not, on its own, sufficient and appropriate evidence that the policy has been *executed*.

Good auditors have always probed this gap. What has changed is that the same gap is now a statutory violation enforced by supervisors with administrative fines, individual liability, and public disclosure obligations.

### 3. Coding agents have collapsed the cost of closing execution gaps

A compliance obligation rarely fails in the central system. It fails at the surface — the spreadsheet, the notebook, the email, the procurement workflow, the custom CRM field. Historically, closing those gaps with software was not economically viable.

Coding agents have changed that calculation. The Excel plug-in, the email guardrail, the watcher above a classification threshold, the retention enforcement field — each is now a week of work.

**The bottleneck is no longer "can we build the automation?" It is "what rule should the automation enforce, traceable to which article, producing what evidence for which supervisor?"**

That question is the one the policy layer cannot answer, and the one RuleMesh is built to answer.

---

## HCAP — the open protocol layer

HCAP is the **HTTP Compliance Authorization Protocol** — an IETF standards-track draft (`draft-nyakiso-hcap-00`) authored by RuleMesh.
Inside one company, the compliance gap is execution coverage across surfaces. Between companies, the gap is execution coverage across the network — supply chains, federated systems, cross-border financial transactions, AI systems built/fine-tuned/deployed/used by different parties.

HCAP defines how one system presents signed, verifiable evidence of its compliance posture to another at runtime, over the wire, across organizational boundaries. Examples:

- A financial institution can require, at the API level, that its payment processors hold current DORA compliance credentials.
- An AI model provider can require that its deployers hold current AI Act documentation.
- A healthcare platform can require that downstream integrators satisfy HIPAA controls continuously, not quarterly.

The rule graph produces the credentials; HCAP is the wire protocol by which they move. RuleMesh ships a Registry implementation, but the protocol is vendor-neutral by design. A vendor-neutral open standard that RuleMesh authored is a stronger long-term position than a proprietary protocol only RuleMesh speaks.

---

## Defensible moat

Three axes:

1. **The rule graph compounds.** Every regulation added increases the value of every regulation already packaged, because real-world compliance is rarely scoped to a single regime. A single workflow may need to satisfy GDPR, DORA, and the AI Act simultaneously. A graph that expresses, versions, and connects rules across all three is more valuable than three separate point solutions.
2. **HCAP is open and adopted, not proprietary.** Once the protocol becomes infrastructure the compliance ecosystem depends on, RuleMesh's position as author of the standard and operator of a Registry implementation is durable. Vendor-neutral by design.
3. **Translation quality is the hardest axis to replicate.** Producing an authoritative, structured, citation-backed rule for GDPR Article 32 — one engineers can build against and auditors can verify — is not an LLM prompt. It is a careful engineering artifact that gets better with real-world deployment. A first mover with significant deployment accumulates a translation quality lead that widens over time.

---

## Current product state (2026)

- **GDPR is packaged.** 192 IT requirements decomposed from 99 articles. Mapped to 281 controls across AWS, Azure, GCP. Mapped to NIST CSF, OWASP, and security frameworks.
- **MCP server is live.** Reads codebase metadata, reports file names where evidence of GDPR controls was detected. Does not modify, store, or upload source.
- **Jira app is live.** Findings become Jira tickets with verification checklists and evidence tracking.
- **Design Partner Program.** Five partners at a time, founder-led onboarding. Cohort 5 currently open with 3/5 slots filled.
- **Roadmap.** DORA, NIS2, EU AI Act, and 20+ other regulations are next.

---

## Stage

Pre-seed, MVP live. Two design partners onboarded. HCAP draft submitted to IETF. Based in Stockholm, Sweden.

---

## Audiences

- **Engineers** — primary product surface today
- **AI agents** — Claude Code, Cursor, MCP-compatible agents
- **Auditors** — every rule citation-backed; every action emits defensible evidence
- **Compliance and risk leaders** — execution-layer infrastructure that complements (does not replace) policy-layer GRC tooling

---

## Where to read more

- [Homepage](https://rulemesh.com/) — current GDPR-focused product surface
- [About](https://rulemesh.com/about) — vision and category framing
- [Manifesto](https://rulemesh.com/manifesto) — the policy-layer vs execution-layer argument
- [How it works](https://rulemesh.com/how-it-works) — engineering protocol, four steps from MCP scan to Jira tickets
- [MCP docs](https://rulemesh.com/docs/mcp) — how to consume the rule graph from an AI coding agent
- [Cloud mappings](https://rulemesh.com/cloud-mappings) — GDPR → AWS/Azure/GCP control mappings
- [Security controls](https://rulemesh.com/security-controls) — NIST CSF / OWASP / framework mappings
- [Reports](https://rulemesh.com/reports) — technical whitepapers
  - [Agent-Agnostic Compliance](https://rulemesh.com/reports/agent-agnostic-compliance) — drift measurement across Claude/Gemini/GPT
  - [HCAP — HTTP Compliance Authorization Protocol](https://rulemesh.com/reports/hcap-http-layer)
  - [Agentic Trust](https://rulemesh.com/reports/agentic-trust)
  - [Seven Engineering Problems](https://rulemesh.com/reports/seven-engineering-problems)
  - [GDPR Data Transfers](https://rulemesh.com/reports/gdpr-data-transfers)
  - [Article 27 EU Representation](https://rulemesh.com/reports/article-27-eu-representation)
- [Pricing](https://rulemesh.com/pricing)
- [Apply for the Design Partner Program](https://rulemesh.com/apply)