Policy-Governed RAG - Research Design Study
Jean-Marie Le Ray

TL;DR
This paper proposes a policy-governed RAG architecture designed for audit-ready, compliant generation in regulated industries, integrating cryptographic evidence and policy checks to ensure verifiability and auditability.
Contribution
It introduces a novel triptych architecture combining control, evidence, and verification modules for regulated, audit-ready AI outputs.
Findings
Cryptographically anchored source evidence ensures verifiable provenance.
Policy gates improve auditability and compliance in regulated workflows.
Design targets error reduction, latency, and cost metrics for practical deployment.
Abstract
A policy-governed RAG architecture is specified for audit-ready generation in regulated workflows, organized as a triptych: (I) Contracts/Control (SHRDLU-like), which governs output adherence to legal and internal policies; (II) Manifests/Trails (Memex-like), which cryptographically anchors all cited source evidence to ensure verifiable provenance; and (III) Receipts/Verification (Xanadu-like), which provides the final, portable proof of compliance for auditors (portable COSE/JOSE) (see Section 4 and Appendix A). Rather than explaining model internals, outputs are gated ex-ante and bound to cryptographically verifiable evidence for each material answer. Unvalidated targets are stated (>=20% relative reduction in confident errors; p95 latency <= 900 ms; <= 2.2x serve cost) together with a pre-registered (optional) pilot using NO-GO gates. The design complements existing RAG/guardrails by…
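An added sketch of the gate, manifest and receipt flow the abstract describes; it is not code from the paper. The gate rule, the policy id, the source ids and the key are hypothetical, and the receipt is a JOSE compact JWS with HS256 so the example stays in the standard library (an auditor-facing deployment would normally use an asymmetric signature).

```python
import base64, hashlib, hmac, json

# Constructed sample data: two cited source documents and a demo signing key.
SOURCES = {"reg-001": b"Records must be retained for 5 years.",
           "sop-017": b"Retention exceptions require written approval."}
KEY = b"constructed-demo-key"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(sources: dict) -> dict:
    # Manifest: source id -> SHA-256 of the exact bytes that were cited.
    return {sid: sha256_hex(body) for sid, body in sorted(sources.items())}

def policy_gate(citations: list, manifest: dict) -> bool:
    # Hypothetical ex-ante rule: a material answer must cite at least one
    # source, and every cited source must be anchored in the manifest.
    return bool(citations) and all(c in manifest for c in citations)

def issue_receipt(answer, citations, manifest, key, policy_id="POLICY-EXAMPLE-1"):
    if not policy_gate(citations, manifest):
        return None  # gate closed: nothing is released, no receipt is issued
    payload = {"policy": policy_id,
               "answer_sha256": sha256_hex(answer.encode()),
               "evidence": {c: manifest[c] for c in citations}}
    parts = [json.dumps(o, sort_keys=True, separators=(",", ":")).encode()
             for o in ({"alg": "HS256"}, payload)]
    signing_input = ".".join(b64u(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def verify_receipt(receipt, answer, sources, key) -> bool:
    try:
        h, p, s = receipt.split(".")
    except ValueError:
        return False
    expected = b64u(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, s):
        return False
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if payload["answer_sha256"] != sha256_hex(answer.encode()):
        return False
    # Re-hash the sources the auditor holds; any drift from the manifest fails.
    return all(sid in sources and sha256_hex(sources[sid]) == digest
               for sid, digest in payload["evidence"].items())
```

Verification fails if the answer text, any cited source, or the receipt itself changes after issuance, and an answer with no anchored citation never receives a receipt.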
Taxonomy
Topics: Scientific Computing and Data Management · Explainable Artificial Intelligence (XAI) · Blockchain Technology Applications and Security
