The GRC market crossed $50B and is still growing. Regulatory fines hit €4.6B in 2024 — banking enforcement alone was up 522%. Both numbers moving in the same direction tells you the current architecture isn't working. The piece that's been missing is the one we're building.
Every regulation has to land somewhere in a running system. A database is encrypted or it isn't. A vendor is assessed before onboarding or it isn't. A quarterly access review actually runs, or someone checks the box and it doesn't.
These are not policy questions. They are binary outcomes in code, configuration, and operational discipline.
Three groups work on the problem, and each is competent at its own job. Compliance and legal read the law and write policies. Engineering and IT build the systems those policies are supposed to govern. Auditors and supervisors verify what was done. Between the three sits a gap nobody owns: turning the obligation into something an engineer can act on, in every system the obligation actually touches, with the evidence a supervisor will ask for already attached.
That gap is where the fines come from.
The law on one side. The engineering frameworks on the other. Nothing connects them.
SOC 2 / ISO 27001 trackers record certification status and produce reports. They operate at the policy layer. Their output is prose, scoped to a framework like SOC 2, not to a regulation. An engineer can read a SOC 2 report; they can't build from it.
Makes lawyers faster at reading law. Same audience, same output type — prose for humans. Useful for the people who already write the policies, irrelevant to the people who have to satisfy them.
Hand-craft a bespoke deliverable per client, in prose, expensively. The deliverable works for a while, then the regulation updates, the consultant moves on, the document goes stale, and the next company pays someone to do the same work again.
OWASP, CIS, and NIST give engineers authoritative controls. None of them maps to specific regulatory obligations. An engineer using OWASP ASVS knows how to build strong authentication; they don't know which obligations require it, or what evidence each supervisor expects.
Compliance and legal work from it. Engineering and IT build from it. Auditors verify against it.
RuleMesh produces a structured, citation-backed rule for every obligation in a regulation. Each rule is mapped to the engineering control that satisfies it — OWASP for authentication, CIS for cloud hardening, NIST for access — with the evidence an auditor expects already attached.
The graph is the asset. Every regulation added increases the value of every regulation already packaged, because real-world compliance is rarely scoped to one regime — a single workflow may need to satisfy GDPR, DORA, and the AI Act at the same time, and the engineering controls overlap in ways prose policy documents never capture.
Every article and paragraph of a regulation, engineered into machine-consumable rules. Citation back to source law on every rule.
OWASP, CIS Benchmarks, NIST 800-53: the frameworks engineers already work in. Mapping rationale recorded.
The artefact, log, configuration, or attestation a supervisor will accept. Specified at write-time, emitted at runtime.
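The structure described above, as an added example that is not RuleMesh's code or schema: a small obligation-to-control-to-evidence graph in Python, with the two queries the page's claims rest on, which controls a set of regimes share, and which write-time evidence artefacts have not been emitted at runtime. Every rule id, control id, citation string and evidence name here is a constructed placeholder, not a verified reference to any regulation or framework.

```python
# Added illustration (not RuleMesh code): an obligation -> control -> evidence
# graph and the queries over it. All identifiers, citation strings and
# evidence names are constructed placeholders for the example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed id; a real one would be a CIS/NIST/ASVS reference
    framework: str    # engineering framework the control comes from
    evidence: str     # artefact a runtime must emit to prove the control ran


@dataclass(frozen=True)
class Rule:
    rule_id: str
    regulation: str
    citation: str          # pointer back to source law (placeholder text here)
    obligation: str
    control_ids: tuple     # controls that satisfy the obligation
    rationale: str         # why this mapping was chosen


class RuleGraph:
    """Obligations on one side, controls on the other, edges recorded explicitly."""

    def __init__(self, controls, rules):
        self.controls = {c.control_id: c for c in controls}
        self.rules = {}
        self.rules_by_control = defaultdict(set)
        for rule in rules:
            self.add_rule(rule)

    def add_rule(self, rule):
        # A rule may only point at controls that exist: a dangling edge is the
        # "policy nobody implemented" gap, so reject it at write-time.
        unknown = [c for c in rule.control_ids if c not in self.controls]
        if unknown:
            raise KeyError(f"{rule.rule_id} references unknown controls {unknown}")
        self.rules[rule.rule_id] = rule
        for cid in rule.control_ids:
            self.rules_by_control[cid].add(rule.rule_id)

    def controls_for(self, regulations):
        """Map each control the given regimes need to the rule ids it discharges."""
        wanted = set(regulations)
        out = defaultdict(list)
        for rule in self.rules.values():
            if rule.regulation in wanted:
                for cid in rule.control_ids:
                    out[cid].append(rule.rule_id)
        return {cid: sorted(ids) for cid, ids in out.items()}

    def shared_controls(self, regulations):
        """Controls that discharge obligations from more than one of the regimes."""
        shared = set()
        for cid, rule_ids in self.controls_for(regulations).items():
            regimes = {self.rules[r].regulation for r in rule_ids}
            if len(regimes) > 1:
                shared.add(cid)
        return shared

    def missing_evidence(self, regulations, emitted):
        """Controls whose specified evidence artefact was never emitted at runtime."""
        return {
            cid: self.controls[cid].evidence
            for cid in self.controls_for(regulations)
            if self.controls[cid].evidence not in emitted
        }

    def citations_for_control(self, control_id):
        """Every source-law citation a control traces back to."""
        return sorted(self.rules[r].citation for r in self.rules_by_control[control_id])


# Constructed sample data; citations are placeholders, not real article numbers.
CONTROLS = [
    Control("CTRL-ENC-AT-REST", "CIS", "kms-encryption-config"),
    Control("CTRL-VENDOR-ASSESS", "NIST", "vendor-assessment-record"),
    Control("CTRL-MFA", "OWASP ASVS", "idp-mfa-policy-export"),
    Control("CTRL-ACCESS-REVIEW", "NIST", "access-review-log"),
    Control("CTRL-AUDIT-LOG", "CIS", "model-inference-audit-log"),
]
RULES = [
    Rule("GDPR-1", "GDPR", "GDPR [article placeholder A]", "encrypt personal data at rest",
         ("CTRL-ENC-AT-REST",), "encryption is named as an appropriate measure"),
    Rule("GDPR-2", "GDPR", "GDPR [article placeholder B]", "assess processors before use",
         ("CTRL-VENDOR-ASSESS",), "processor due diligence maps to vendor assessment"),
    Rule("DORA-1", "DORA", "DORA [article placeholder A]", "assess ICT third-party risk",
         ("CTRL-VENDOR-ASSESS",), "same assessment record satisfies both regimes"),
    Rule("DORA-2", "DORA", "DORA [article placeholder B]", "control privileged access",
         ("CTRL-MFA", "CTRL-ACCESS-REVIEW"), "strong auth plus periodic review"),
    Rule("AIACT-1", "AI Act", "AI Act [article placeholder A]", "keep logs of system operation",
         ("CTRL-AUDIT-LOG",), "record-keeping maps to tamper-evident audit logging"),
]
GRAPH = RuleGraph(CONTROLS, RULES)


def demo():
    """Single workflow subject to GDPR and DORA: what it needs and what is still unproven."""
    emitted = {"kms-encryption-config", "vendor-assessment-record"}  # constructed runtime state
    return {
        "needed": GRAPH.controls_for(("GDPR", "DORA")),
        "shared": GRAPH.shared_controls(("GDPR", "DORA")),
        "missing": GRAPH.missing_evidence(("GDPR", "DORA"), emitted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `missing_evidence` is the write-time/runtime split: the evidence name is fixed when the rule is authored, and the runtime check only asks whether that artefact exists, which is the question a supervisor asking "did it run" is actually posing.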
Engineers see the relevant rules on the tickets they're already working.
Coding agents like Claude Code and Cursor pull rules with citations directly into their context.
Platforms and internal tools integrate rules into existing workflows.
AWS, Azure, and Kubernetes enforce rules at the configuration layer.
Jira is where we are today because it's where our design partners are. The same surface pattern extends to Asana, Linear, ServiceNow, and the other places engineering work lives — those land as design-partner demand pulls them in.
One ingestion engine. Many consumption surfaces. Compliance has to land in all of them, so we ship to all of them.
DORA, NIS2, the EU AI Act, the Cyber Resilience Act, the Data Act — all moving from prose into code-level obligations across 2025–2027.
The supervisor's mental model is shifting from "can you describe your control?" to "can you demonstrate it ran?"
AI coding agents — Claude Code, Cursor, Copilot — are now drafting the application logic that has to satisfy those obligations. MCP standardised how those agents pull context.
Either the compliance layer is machine-readable, or it becomes a bottleneck the agents route around.
The window where you build infrastructure for a category opens once. It opens when the new layer is no longer optional and no incumbent has shipped it. That window is now.
GDPR and the EU AI Act are live in the public reference layer. DORA and NIS2 are next, with twenty more on the roadmap across the EU, the US, and Australia.
We're a small, focused team building something we believe is missing. We're telling you that upfront, because the companies we most want to work with are the ones who'd rather shape the product than inherit one.
RuleMesh is shaped by the companies we onboard as design partners. They get first access to new regulation packages, direct input on the roadmap, and a line straight to the founder.
Request a Spot
We take on a small number of partners at a time. Lawrance will reach out directly.