Inspiration

Small and medium businesses face a critical challenge: ESG compliance costs $10K-$50K per report, requires specialized expertise, and involves navigating complex regulations across multiple jurisdictions. Most SMBs can't afford dedicated sustainability teams, leading to:

  • Manual data collection taking weeks
  • Missed compliance deadlines
  • Incomplete or inaccurate reports
  • Risk of regulatory penalties

The inspiration: What if AI agents could autonomously handle the entire ESG compliance workflow - from researching regulations to generating framework-compliant reports - making sustainability accessible to businesses of all sizes?


What it does

ESG Copilot is a multi-agent AI system that automates end-to-end ESG compliance:

5 Specialized AI Agents:

  1. Regulation Research Agent (with 3 sub-agents)

    • Analyzes company location, industry, size
    • Performs real-time web search for applicable regulations
    • Identifies jurisdiction-specific requirements (California SB 253, SEC Climate, EU CSRD)
    • Calculates compliance deadlines
    • Sub-agents: Jurisdiction Analyzer, Framework Mapper, Deadline Calculator
  2. ESG Data Collection Agent (with 3 sub-agents)

    • Queries EPA Envirofacts API for environmental data
    • Web scrapes company sustainability pages
    • AI estimates missing metrics using industry benchmarks
    • Sub-agents: EPA Collector, Web Scraper, AI Estimator
    • Parallel execution: All 3 sub-agents run simultaneously
  3. Emissions Calculator Agent

    • Calculates Scope 1, 2, 3 carbon emissions
    • Uses Climatiq API for emission factors
    • Provides breakdown by source category
    • Generates emissions trends
  4. Report Generator Agent (with 4 sub-agents)

    • Creates framework-compliant reports (GRI, SASB, TCFD)
    • Iterative refinement: Review & Critique loop (1-3 iterations)
    • Auto-generates executive summaries
    • Produces downloadable PDFs
    • Sub-agents: GRI Writer, SASB Writer, TCFD Writer, Review & Critique
  5. Chat Agent (RAG)

    • Permission-aware Q&A using Retrieval-Augmented Generation
    • Company-scoped knowledge base (Pinecone vector DB)
    • Real-time authorization checks (Auth0 FGA Store)
    • Answers questions about regulations, ESG data, reports

Key Features:

  • Real-time web search for regulation discovery (Google Gemini grounding)
  • Multi-source data collection (EPA API, web scraping, AI estimation)
  • Automated emissions calculation (Climatiq API integration)
  • Framework-compliant reports (GRI, SASB, TCFD standards)
  • Role-based access control (4 roles: Company Admin, ESG Consultant, Auditor, Regulator)
  • Company-level data isolation (zero data leakage between companies)
  • Audit logging (all agent actions tracked in BigQuery)

How we built it

Architecture:

Frontend:

  • Next.js 14 (React framework)
  • TailwindCSS for styling
  • Auth0 SDK for authentication
  • Deployed on Vercel

Backend:

  • Node.js + Express.js
  • Google Gemini 2.5 Flash (LLM for agent reasoning)
  • LangChain.js (agent orchestration)
  • Deployed on Render

Data & Storage:

  • Google BigQuery (ESG data, audit logs, reports)
  • Pinecone (vector database for RAG)
  • Google Cloud Storage (report PDFs)

External APIs:

  • Climatiq API (emissions calculations)
  • EPA Envirofacts API (environmental data)
  • SendGrid (email notifications)
  • Auth0 (authentication, authorization, Token Vault, FGA Store)

Multi-Agent Patterns:

  1. Hybrid Parallel + Sequential Execution
    • Regulation Research: Phase 1 runs 2 agents in parallel (Jurisdiction Analyzer + Framework Mapper), Phase 2 runs Deadline Calculator with Phase 1 results
    • ESG Data Collection: 3 sub-agents execute in parallel via Promise.all()
    • Results aggregated and merged
    • Optimizes for both speed and data dependencies
  2. Iterative Refinement
    • Report Generator: Review & Critique loop
    • Draft → Review → Revise (1-3 iterations)
    • Configurable via MAX_REVIEW_ITERATIONS env variable
  3. Service-Level Orchestration
    • Main agents coordinate sub-agents
    • State management via BigQuery
    • Error handling with graceful degradation

Security Implementation:

  • Authentication: Auth0 Universal Login with JWT tokens
  • Authorization: Role-based access control (RBAC) with 9 permissions
  • Token Vault: API keys injected into JWT (never hardcoded)
  • FGA Store: Document-level authorization with real-time checks
  • Audit Logging: Every agent action logged with user, company, timestamp

Challenges we ran into

1. Multi-Agent Coordination

Challenge: Coordinating 5 main agents + 9 sub-agents with dependencies

  • Regulation Research must complete before Report Generation
  • ESG Data Collection needed before Emissions Calculator
  • Deadline Calculator needs regulations from Jurisdiction Analyzer
  • Race conditions with parallel sub-agents

Solution:

  • Service-level orchestration with clear dependency chains
  • Hybrid execution: Promise.all() for independent agents, sequential for dependent ones
  • Regulation Research uses 2-phase approach: Phase 1 parallel (jurisdiction + frameworks), Phase 2 sequential (deadlines)
  • State management in BigQuery for tracking agent progress
  • Error handling with partial success (if 2/3 sub-agents succeed, continue)
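As an added example (not code from the ESG Copilot repository), here is the orchestration pattern from the Multi-Agent Patterns section and the solution above in working form: independent sub-agents fan out in parallel, the run continues when a minimum number succeed (Promise.allSettled is used instead of the page's Promise.all() so that one failure does not reject the whole batch), and a dependent phase only starts once the Phase 1 output it needs exists. The sub-agent functions, company names and dates below are simulated placeholders.

```javascript
// Added example (not the ESG Copilot code); sub-agents below are simulated.

// Fan out independent sub-agents with Promise.allSettled so one failure does
// not reject the whole batch; continue only if at least `minOk` succeeded.
async function fanOut(subAgents, minOk) {
  const names = Object.keys(subAgents);
  const settled = await Promise.allSettled(names.map((n) => subAgents[n]()));
  const results = {};
  const failed = [];
  settled.forEach((s, i) => {
    if (s.status === 'fulfilled') results[names[i]] = s.value;
    else failed.push({ name: names[i], error: s.reason.message });
  });
  const ok = names.length - failed.length;
  if (ok < minOk) throw new Error(`only ${ok}/${names.length} sub-agents succeeded`);
  return { results, failed, partial: failed.length > 0 };
}

// Regulation Research: Phase 1 in parallel, Phase 2 runs only after Phase 1
// because the Deadline Calculator depends on the Jurisdiction Analyzer output.
async function researchRegulations(company, agents) {
  const phase1 = await fanOut({
    jurisdiction: () => agents.jurisdictionAnalyzer(company),
    frameworks: () => agents.frameworkMapper(company),
  }, 2); // both Phase 1 results are required downstream
  const deadlines = await agents.deadlineCalculator(phase1.results.jurisdiction);
  return { ...phase1.results, deadlines };
}

// ESG Data Collection: three independent sources; proceed if any two succeed
// and flag the result as partial so the UI can label it "estimated".
function collectEsgData(company, collectors) {
  return fanOut({
    epa: () => collectors.epa(company),
    web: () => collectors.web(company),
    ai: () => collectors.ai(company),
  }, 2);
}

// Constructed stand-ins: the web scraper is made to fail (blocked site).
const demoCollectors = {
  epa: async (c) => ({ company: c, facilityCount: 3 }),
  web: async () => { throw new Error('403 Forbidden'); },
  ai: async () => ({ scope3Estimate: 1200, estimated: true }),
};
const demoAgents = {
  jurisdictionAnalyzer: async (c) => ({ company: c, jurisdictions: ['CA', 'US-SEC'] }),
  frameworkMapper: async () => ({ frameworks: ['GRI', 'TCFD'] }),
  deadlineCalculator: async (j) => j.jurisdictions.map((x) => `${x}: 2026-06-30`),
};
```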

2. Real-Time Web Search Reliability

Challenge: Google Search grounding sometimes returns incomplete results

  • Regulation deadlines not always available
  • Jurisdiction-specific laws hard to find
  • Web scraping blocked by some company websites

Solution:

  • Fallback to AI estimation when web search fails
  • Multiple search queries with different phrasings
  • Graceful degradation (show partial results, mark as "estimated")
  • Clear error messages to users

3. Company Data Isolation

Challenge: Preventing data leakage between companies in multi-tenant system

  • Company Admin should only see own company data
  • ESG Consultant should see all companies
  • RAG must respect company boundaries

Solution:

  • Auth0 FGA Store for document-level authorization
  • Real-time authorization checks before every query
  • Pinecone metadata filtering by company_id
  • Two-layer security: Pinecone filter + FGA authorization
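The two-layer isolation described above, as an added example that is not code from the ESG Copilot repository: a relationship check in the style of an FGA store runs before every query, the retrieval call then carries a Pinecone-style metadata filter on company_id so the vector layer itself cannot return another tenant's chunks, and every attempt, allowed or denied, is written to an audit log. The tuple store, vector index and audit log are in-memory stand-ins for Auth0 FGA, Pinecone and BigQuery, and all user and company identifiers are constructed.

```javascript
// Added example (not the ESG Copilot code); stores below are in-memory stand-ins.

// Relationship tuples (user, relation, object), as an FGA store would hold them.
const tuples = [
  ['user:3m-admin', 'viewer', 'company:3m'],
  ['user:ef-admin', 'viewer', 'company:ef'],
  ['user:consultant', 'viewer', 'company:3m'], // consultant sees all companies
  ['user:consultant', 'viewer', 'company:ef'],
];
const fgaCheck = (user, relation, object) =>
  tuples.some(([u, r, o]) => u === user && r === relation && o === object);

// Constructed vector index records carrying company_id metadata.
const index = [
  { id: 'c1', text: 'Scope 2 emissions: 4,100 tCO2e', metadata: { company_id: '3m' } },
  { id: 'c2', text: 'Scope 2 emissions: 310 tCO2e', metadata: { company_id: 'ef' } },
];
// Simulated query honoring a Pinecone-style filter { company_id: { $eq: ... } }.
function vectorQuery(filter) {
  return index.filter((rec) => rec.metadata.company_id === filter.company_id.$eq);
}

// Every access attempt is recorded, including denials.
const auditLog = [];

// Layer 1: FGA relationship check. Layer 2: company_id filter on retrieval.
// Both apply on every call; neither layer is skipped for any role.
function retrieveForChat(user, companyId) {
  const allowed = fgaCheck(user, 'viewer', `company:${companyId}`);
  auditLog.push({ user, companyId, allowed, at: new Date().toISOString() });
  if (!allowed) throw new Error('access denied');
  return vectorQuery({ company_id: { $eq: companyId } });
}
```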

4. Emissions Calculation Accuracy

Challenge: Climatiq API requires specific activity data formats

  • Different emission factors for different industries
  • Scope 3 emissions hard to estimate
  • Missing data for some emission sources

Solution:

  • Industry-specific emission factor mapping
  • AI estimation for missing Scope 3 data
  • Clear labeling of "estimated" vs "calculated" values
  • Validation against industry benchmarks

5. Report Quality & Compliance

Challenge: Ensuring reports meet GRI/SASB/TCFD standards

  • Each framework has multiple disclosure requirements
  • Reports must be auditable and verifiable
  • Iterative refinement needed for quality

Solution:

  • Framework-specific prompts for each standard
  • Review & Critique sub-agent validates completeness
  • Iterative refinement loop (1-3 iterations)
  • Human review option before finalization

6. Deployment & Environment Variables

Challenge: Managing multiple environment variables across dev/prod

  • API keys for 6 external services
  • GCP service account JSON file
  • Different URLs for frontend/backend

Solution:

  • Auth0 Token Vault for API keys (3 keys in JWT)
  • Render Secret Files for GCP credentials
  • Environment-specific .env files
  • Clear deployment documentation

Accomplishments that we're proud of

1. Production-Ready Multi-Agent System

  • 5 main agents + 9 sub-agents working in production
  • Parallel execution with fan-out/gather pattern
  • Iterative refinement with review/critique loop
  • Real-world use case solving actual SMB pain point

2. Zero Data Leakage

  • Company-level isolation enforced by Auth0 FGA Store
  • Tested with 5 test accounts across 4 roles
  • Real-time authorization on every query
  • Audit trail of all access attempts

3. Framework-Compliant Reports

  • GRI, SASB, TCFD standards implemented
  • Automated generation from raw ESG data
  • PDF export with professional formatting
  • Iterative quality improvement via review loop

4. Seamless Auth0 Integration

  • Universal Login (no custom auth code)
  • Token Vault for API key management
  • FGA Store for document authorization
  • RBAC with 4 roles, 9 permissions

5. Real-Time Regulation Discovery

  • Web search for latest regulations
  • Jurisdiction-specific (California, EU, SEC)
  • Deadline calculation for compliance
  • No dummy data - all real-time queries

What we learned

1. Multi-Agent Orchestration is Hard

  • Coordinating multiple agents requires careful state management
  • Parallel execution needs proper error handling
  • Dependencies between agents must be explicit
  • Service-level orchestration is cleaner than agent-to-agent communication

2. Security Must Be Built-In, Not Bolted-On

  • Authorization checks at every layer (API, database, vector DB)
  • Token Vault prevents API key leakage
  • FGA Store enables fine-grained access control
  • Audit logging is essential for production systems

3. LLM Limitations Require Fallbacks

  • Web search doesn't always return complete results
  • AI estimation needed for missing data
  • Iterative refinement improves output quality
  • Human-in-the-loop still valuable for critical decisions

4. Real-World Data is Messy

  • EPA API has incomplete records
  • Company websites vary widely in structure
  • Emission factors differ by industry/region
  • Graceful degradation is essential

5. Framework Compliance is Complex

  • GRI has multiple disclosure requirements
  • SASB is industry-specific (77 sectors)
  • TCFD focuses on climate risks
  • Each framework needs specialized prompts

What's next for ESG Copilot

  1. Enhanced Data Sources - Integrate CDP API, S&P Global ESG scores, ERP systems, and IoT sensors
  2. More Frameworks - Add ISSB, EU CSRD, BRSR, and custom framework builder
  3. Predictive Analytics - Forecast emissions, predict compliance risks, recommend reduction strategies
  4. Stakeholder Engagement - Automated surveys, sentiment analysis, materiality matrix generation
  5. Supply Chain ESG - Supplier risk assessment, Scope 3 tracking, vendor scorecards
  6. AI-Powered Recommendations - Personalized strategies, regulatory alerts, best practice recommendations
  7. Enterprise Features - Multi-subsidiary support, consolidated reporting, custom workflows
  8. Real-Time Monitoring - Redis caching, async execution, horizontal scaling, edge deployment

Try It Out

Live Demo: [Your Vercel URL]

GitHub: https://github.com/omkardongre/ESG-Copilot

Test Accounts (Password: Test@1234):

  • 3m@company.com - Company Admin (3M Company data only)
  • ef@company.com - Company Admin (Eileen Fisher data only)
  • consultant@esgfirm.com - ESG Consultant (all companies)
  • auditor@sustainapilot.com - Auditor (read-only)
  • regulator@epa.gov - Regulator (read-only)

Test Scenarios:

  1. Login as 3M Admin → Execute "Research Regulations" → See California SB 253, SEC Climate rules
  2. Execute "Collect ESG Data" → Watch 3 sub-agents run in parallel
  3. Execute "Calculate Emissions" → See Scope 1, 2, 3 breakdown
  4. Execute "Generate Report" → Select GRI → Download PDF
  5. Use Chat Agent → Ask "What are our Scope 2 emissions?" → Get company-specific answer
  6. Login as Eileen Fisher Admin → Try to view 3M data → Access denied (data isolation works!)
