Why RAG over a document dump fails regulated work
RAG citations are decorative — no provenance contract links chunk to answer. Regulated work needs typed corpus tools, deterministic validation, and refusal.
6,041 Swedish statutes from Riksdagen, segmented to section level and served as an MCP — query by SFS number, chapter, and paragraf, every result cited.
A GDPR Article 35 DPIA has an automatable core and a judgment core. AI assembles the cited evidence trail; the DPO signs necessity and proportionality.
DORA Article 28 sets the third-party obligations; the contract clauses live in Article 30. Each subsection mapped to ISO 27001 and SCF controls.
Every NIS2 Article 21(2) measure mapped to ISO 27001:2022 Annex A — and the three real gaps: reporting clock, management liability, supply chain depth.
Chat and RAG hallucinate regulatory citations. An MCP gateway adds routing, fan-out, tier auth, and deterministic citation validation — and when you need one.
AI tooling files more CVEs than any analyst can read. Effective-risk rescoring deterministically scores CVE × asset × controls, citing every score change.
STRIDE was built for 1999 monoliths. How we adapted it for agentic systems and shipped it as a workflow your own AI client runs through the Ansvar gateway.