Methodology
How a policy becomes a cited, human-reviewed finding.
Regis is a first-pass analysis engine inside a professional review workflow. This page sets out the method end to end: what is checked, how findings are cited, how the posture score is computed, and where human judgement is required.
The pipeline.
Scope from published libraries
Every analysis is scoped to a requirement library you can inspect: a jurisdiction, or a single framework within it. Each requirement carries the rule it derives from. Nothing outside the scoped list is checked or claimed.
Bounded AI mapping
The AI receives your supplied evidence and the scoped requirements, and drafts a finding wherever the evidence fails to address a requirement. Each draft cites the governing rule, rates the risk, and proposes remediation language. It uses careful wording: potential risk, consider, requires review.
Complete coverage matrix
Every report includes a matrix of every in-scope requirement marked met or gap, so you can see exactly what was checked, not just what was flagged.
Human review and sign-off
Findings stay draft until a qualified reviewer resolves them. Any status change records who reviewed it, when, and an optional rationale. That trail is the deliverable.
The requirement libraries.
The same libraries drive the analysis prompt, the coverage matrix, and every public claim about scope, so the numbers below cannot drift from the product. Coverage is limited to the frameworks shown in the product.
UK
Live7 frameworks · 31 requirements
EU
Beta6 frameworks · 34 requirements
US
Beta5 frameworks · 32 requirements
Libraries last reviewed: 14 July 2026 · See the full framework coverage matrix
Source & citation policy.
Every finding cites its rule
A finding is always attached to a specific requirement, and each requirement names its source (for example, a Bribery Act section, an FCA SYSC provision, or a UK GDPR article). Findings without a mappable requirement are not produced.
Sample findings are consistency-tested
The example findings shown on our public pages are checked by automated tests that fail the build if a citation and its requirement text describe different obligations.
Ambiguity goes to the reviewer
Where a requirement is ambiguous, or sources appear to conflict, the draft flags the issue for reviewer judgement. The system never auto-resolves an interpretation question.
Libraries are maintained editorially
Requirement libraries are written and revised by people against the cited rules and guidance, not generated on the fly. Current libraries were last reviewed on 14 July 2026; the coverage page shows what is in scope today.
Monitoring is sourced and dated
Regulatory updates come from named authoritative sources (FCA, PRA, ESMA, EBA, and the US Federal Register). Freshness varies by source, items carry their publication date, and updates are flagged for human review, never applied automatically.
The posture score is computed, never AI-assigned.
Each audit’s compliance posture score (0 to 100) comes from a fixed, published formula over the reviewed findings: gaps are weighted by severity (High 3, Medium 2, Low 1) against the total in-scope requirements. The AI drafts findings; arithmetic produces the score. Closing gaps and reducing severities on a re-scan raises it, and nothing else does.
score = 100 × (1 − weighted gaps ÷ (requirements in scope × 3))
Where the method stops
Regis is not legal advice, not a replacement for compliance professionals, not a final decision-maker, and the absence of a flag never means an activity is compliant, approved, safe, or legal. Outputs stay draft until a qualified professional signs them off.