RegChain: AI-powered Compliance Knowledge Graph Copilot

Inspiration

The spark for RegChain came from a casual conversation that completely changed my perspective on corporate security. I was talking to the father of a close friend who works as a Senior Compliance Officer for a major financial firm. When I asked him what his day-to-day looked like, I expected to hear about high-tech software and automated dashboards. Instead, he described an incredibly manual, mind-numbing grind.

He told me about the weeks spent cross-referencing hundreds of pages of PDF audit reports against massive, disconnected spreadsheets of internal IT systems and regulatory frameworks like GDPR and SOC2. He explained how a single human error, such as missing one outdated system's link to a new regulation, could cost the company millions in non-compliance fines. It struck me: why am I trusting human memory and static spreadsheets to track living, interconnected, and critically important compliance networks?

I realised that enterprise compliance isn't a table of data; it's a web of relationships. And what better way to map, analyze, and manage a web of relationships than with a Knowledge Graph powered by AI?

What it does

RegChain is an AI-powered Compliance Knowledge Graph Copilot. It transforms the way organisations view and manage their compliance and security postures by moving them away from static spreadsheets and into an interactive, visual graph. RegChain extends traditional GraphRAG by allowing users to build, validate, modify, version, and analyse the knowledge graph itself while visualizing the AI's reasoning path.

With RegChain, a compliance officer can:

  1. Visualize the Network: See exactly how a specific system connects to its controls, which risks those controls mitigate, and which regulations those risks map to.
  2. Interact via AI Copilot: Instead of writing complex graph database queries, they can simply chat with the RegChain AI Copilot in natural language.
  3. Automate Graph Generation: They can drag-and-drop massive, dense PDFs (like an ISO 27001 Audit Report) or images of Architecture Flowcharts directly into the chat. The AI instantly parses the document and suggests new nodes [math]V[/math] and edges [math]E[/math] to be permanently added to the graph [math]G = (V, E)[/math].
  4. Human-in-the-Loop Safeguards: Because compliance data is highly sensitive, the AI operates in "Build Mode," proposing precise graph additions, modifications, and deletions that the compliance officer can visually review and approve with a single click.
  5. Automate Everything, but with Control: With this hybrid setup, in Analysis mode the AI returns a reasoning path, so the officer can track which nodes it used and check that they are actually relevant to the context, catching the rare hallucination. They can also open the subgraph it highlighted and check whether it missed anything in the neighbouring nodes, which brings the error rate close to zero.

How I built it

I built RegChain as a modern, full-stack application leveraging the cutting-edge ecosystem required by the hackathon:

  • Frontend: I used Next.js (App Router) and React for a highly responsive UI, integrating React Force Graph (3D/2D) via WebGL to render massive graphs smoothly in [math]\mathcal{O}(|V| \log |V|)[/math] time for force simulation. The UI features a sleek, dark-mode aesthetic with glassmorphism.
  • AI Orchestration: I heavily utilized the new Google Agent Development Kit (ADK) to orchestrate my AI agent. I used Gemini 2.5 Pro as the brain of the Copilot, taking advantage of its massive multimodal context window to process dense PDFs and architecture diagrams effortlessly.
  • Partner Integration (Elastic MCP): To bridge the gap between my graph database and the Gemini AI, I deployed an Elasticsearch cluster and implemented the Elastic Model Context Protocol (MCP). This allowed me to map the ADK tool definitions directly to Elastic MCP endpoints, granting Gemini 2.5 Pro the seamless ability to autonomously query the database using ESQL.
  • Deployment: The entire application is containerised with Docker and continuously deployed to Google Cloud Run for scalable, serverless execution.

Challenges I ran into

The most significant hurdle was preventing AI hallucinations in a highly structured graph environment. When the AI reads an uploaded image of a flowchart, it can easily identify that a "Firewall" node connects to a "Database" node. However, the AI doesn't natively know the 32-character Elasticsearch UUIDs of those nodes.

Initially, the AI would either fail to make the connection or hallucinate fake UUIDs, corrupting the graph. I solved this by implementing strict Multimodal Ingestion Rules in the ADK system prompt. I explicitly forced the Gemini agent to halt, use the Elastic MCP search tool to query the text labels it extracted from the image against the Elasticsearch database, retrieve the real UUIDs, and then construct the proposed_edges payload.
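The two safeguards described above (the Build Mode proposal-and-approve loop from the feature list, and the halt-search-then-construct rule for `proposed_edges`) are easiest to see as code. The following is an added example, not RegChain's own code: an in-memory `GraphStore` stands in for the Elasticsearch index, the node labels and IDs are constructed, and `resolve_labels`, `validate_proposal`, `apply_proposal` and `review_subgraph` are hypothetical names. It goes one step past the prompt rule on the page: besides resolving extracted labels to real IDs before an edge is built, the server re-checks every ID in the payload against the store, so a fabricated ID is rejected even if the model ignores its instructions.

```python
"""Human-in-the-loop graph proposals with ID resolution (added example)."""
import uuid
from dataclasses import dataclass, field


@dataclass
class GraphStore:
    """Constructed stand-in for the graph index: nodes by id, edges as (src, dst, relation)."""
    nodes: dict = field(default_factory=dict)   # id -> {"label": ..., "type": ...}
    edges: set = field(default_factory=set)     # (src_id, dst_id, relation)

    def add_node(self, label, ntype):
        node_id = uuid.uuid4().hex  # 32 hex chars; constructed to mirror the page's description
        self.nodes[node_id] = {"label": label, "type": ntype}
        return node_id

    def search_label(self, label):
        """Exact, case-insensitive label lookup: the 'search tool' step the agent must take."""
        return [nid for nid, n in self.nodes.items() if n["label"].lower() == label.lower()]

    def neighbors(self, node_id):
        out = set()
        for src, dst, _ in self.edges:
            if src == node_id:
                out.add(dst)
            elif dst == node_id:
                out.add(src)
        return out


def resolve_labels(store, labels):
    """Map labels extracted from a document or image to real node ids.
    Ambiguous or missing labels are reported, never guessed."""
    resolved, unresolved = {}, []
    for label in labels:
        hits = store.search_label(label)
        if len(hits) == 1:
            resolved[label] = hits[0]
        else:
            unresolved.append(label)
    return resolved, unresolved


def validate_proposal(store, proposed_edges):
    """Server-side check: reject any edge whose endpoints are not real ids in the store."""
    accepted, rejected = [], []
    for edge in proposed_edges:
        src, dst = edge.get("source"), edge.get("target")
        if src in store.nodes and dst in store.nodes and src != dst:
            accepted.append(edge)
        else:
            rejected.append(edge)
    return accepted, rejected


def apply_proposal(store, accepted, approved):
    """Build mode: nothing is written until a human approves. Returns edges written."""
    if not approved:
        return 0
    before = len(store.edges)
    for e in accepted:
        store.edges.add((e["source"], e["target"], e["relation"]))
    return len(store.edges) - before


def review_subgraph(store, cited_ids, hops=1):
    """Analysis mode: the nodes the AI cited plus their k-hop neighbourhood,
    so a reviewer can spot relevant nodes the answer left out."""
    seen, frontier = set(cited_ids), set(cited_ids)
    for _ in range(hops):
        nxt = set()
        for nid in frontier:
            nxt |= store.neighbors(nid)
        frontier = nxt - seen
        seen |= nxt
    return {nid: store.nodes[nid]["label"] for nid in seen}


def demo():
    store = GraphStore()
    fw = store.add_node("Firewall", "System")
    db = store.add_node("Database", "System")
    enc = store.add_node("Encryption at Rest", "Control")
    gdpr = store.add_node("GDPR Art. 32", "Regulation")
    store.edges.add((db, enc, "IMPLEMENTS"))
    store.edges.add((enc, gdpr, "FULFILS"))

    # Labels the model extracted from a flowchart image (constructed input).
    resolved, unresolved = resolve_labels(store, ["Firewall", "Database", "Load Balancer"])
    # First edge uses looked-up ids; second carries a fabricated 32-char id.
    proposed = [
        {"source": resolved["Firewall"], "target": resolved["Database"], "relation": "PROTECTS"},
        {"source": "deadbeef" * 4, "target": resolved["Database"], "relation": "PROTECTS"},
    ]
    accepted, rejected = validate_proposal(store, proposed)
    written = apply_proposal(store, accepted, approved=True)
    review = review_subgraph(store, [db], hops=1)
    return {"unresolved": unresolved, "accepted": len(accepted), "rejected": len(rejected),
            "written": written, "review_labels": sorted(review.values())}


if __name__ == "__main__":
    print(demo())
```

The design point is that the model only ever supplies labels and relations; every identifier that reaches the graph comes from a lookup, and the write path refuses anything else regardless of what the prompt said. The one-hop review set is what a reviewer would open to check the reasoning path against its neighbours.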

Accomplishments that I'm proud of

I am incredibly proud of achieving a true "Agentic" workflow rather than just a chatbot, especially as a solo developer. The RegChain AI doesn't just give text answers; it takes action. Seeing the Gemini agent autonomously take a massive uploaded PDF, break it down into logical regulations, controls, and risks, map those to my specific node schema, query Elastic for existing IDs, and generate a perfectly formatted sub-graph proposal UI for the user to approve was a massive "Finally!" moment.

What I learned

I learned the immense power of combining structured data architectures (Knowledge Graphs/Elastic) with unstructured reasoning engines (Gemini 2.5 Pro). I also learned the immense value of the Model Context Protocol (MCP). Instead of spending days writing custom API glue code, MCP provided a standardized handshake that let me plug the ADK directly into Elastic almost instantly.

What's next for RegChain

Currently, RegChain is a single-user experience optimized for an individual compliance officer. The immediate next step is expanding this into a real-time, multi-user framework.

I plan to implement WebSockets to allow entire SecOps and Compliance teams to collaborate on the same living graph simultaneously. When one officer approves an AI-suggested risk mitigation edge on their machine, I want that edge to instantly render on the screens of everyone else in the organisation. By turning compliance from an isolated, annual chore into a collaborative, living network, I believe RegChain can completely modernize enterprise risk management.
