D17 · OPERATIONS

Compliance and policy enforcement monitoring

Continuously checks activity across systems against the firm's compliance and policy rules: are expense claims within policy, are PR submissions following the approval workflow, are customer communications meeting regulatory requirements, are access grants getting proper review. Flags potential violations as they happen rather than waiting for periodic audits. Routes flagged items to the right reviewer with the evidence. The pattern's value is shifting compliance from a quarterly cleanup exercise to an always-on signal: violations get caught and fixed within hours, not months, and the audit story becomes much simpler.

WHERE THIS FITS
BUSINESS SHAPES
B2B services · Professional services · Product company
VOLUME THRESHOLD
Below 100 policy-relevant events per week a month, the payback rarely earns the build. Patterns this shape reliably pay back at 1,000+.
REQUIREMENTS · 7 REQUIRED

Requirements describe capabilities the pattern needs in your environment, not the vendors you must buy. Any system that fills a requirement satisfies it — that’s what makes the catalog portable across the long tail of SMB tooling.

  1. monitored_activity_streams
    REQUIRED · READ · event

    The streams of activity the pattern watches. Multiple sources, one pattern.

    DATA SHAPE
    Event records from various systems with consistent metadata: actor, action, target, timestamp, optional context.
    COMMONLY FILLED BY
    • expense system event stream
    • access management logs
    • communications archives
    • purchase requisition events
    • code repository commits and pull requests for change-control
  2. policy_rule_library
    REQUIRED · READ · corpus

    The firm's policies expressed as testable rules. Critical that this is explicit and maintained: the pattern is only as good as the rules it checks against.

    DATA SHAPE
    Per-policy: applicability conditions, the test, severity, suggested response. Mix of structured rules (amount thresholds) and content-based checks (does this communication contain prohibited claims).
    COMMONLY FILLED BY
    • structured policy library maintained by compliance and legal
    • rules engine the pattern reads from
    • small admin UI for policy authoring
  3. actor_context_lookup
    REQUIRED · READ · request

    Who the actor is: their role, their authority limits, their reporting line. Many policies depend on who's doing what.

    DATA SHAPE
    Per-person: role, team, manager, approval authority, any active flags (e.g. probation, special handling).
    COMMONLY FILLED BY
    • HR directory with role and reporting structure
    • identity management system with permission grants
    • RACI matrix maintained by operations
  4. violation_review_queue
    REQUIRED · WRITE · request

    Where flagged violations go for human review. Most violations are not clear-cut and need someone to decide.

    DATA SHAPE
    Flagged event with policy violated, evidence, actor context, severity, suggested action. Reviewer can confirm, dismiss, or escalate.
    COMMONLY FILLED BY
    • compliance review queue in the GRC tool
    • ticket queue for compliance officers
    • dashboard with prioritized cases
  5. escalation_route
    REQUIRED · WRITE · event

    Where high-severity violations route directly without waiting for queue processing.

    DATA SHAPE
    Escalation event with full context and immediate notification to the responsible authority.
    COMMONLY FILLED BY
    • direct chat alert to the compliance officer or general counsel
    • phone call escalation for severe cases
    • automated email to the CEO or designated executive
  6. audit_evidence_archive
    REQUIRED · WRITE · corpus

    Long-term retention of all flags, reviews, and resolutions. Critical for the audit story this pattern is supposed to support.

    DATA SHAPE
    Per-event: original activity, what policy was checked, the verdict, the human review if any, the resolution, retention period.
    COMMONLY FILLED BY
    • compliance archive in the GRC system
    • structured audit log with retention policies
    • evidence store accessible to external auditors
  7. false_positive_feedback
    REQUIRED · READ + WRITE · event

    How reviewers flag that something was incorrectly identified as a violation. Critical for tuning: false positives erode trust faster than missed violations.

    DATA SHAPE
    Per-flag: was it valid, was the policy wrongly applied, was the rule too aggressive.
    COMMONLY FILLED BY
    • dismissal reason capture in the review queue
    • false-positive tag reviewers can apply
    • weekly retrospective with the compliance team
RUNTIME FLOW · 8 STEPS
  1. Continuously ingest events from monitored activity streams
    monitored_activity_streams
  2. For each event, determine which policies apply based on actor, target, and action type
    policy_rule_library · actor_context_lookup
  3. Run applicable policy checks against the event, scoring severity if violated
    policy_rule_library
  4. If no violation: log as audited-clean, archive evidence, continue
    audit_evidence_archive
  5. If violation flagged: classify by severity
    DECISION Low-medium → review queue; high → immediate escalation.
  6. Route to review queue or escalation route as appropriate
    violation_review_queue · escalation_route
  7. Capture reviewer verdict and resolution; archive evidence
    audit_evidence_archive
  8. Capture false-positive feedback for rule tuning
    false_positive_feedback
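
Steps 2 to 6 of the runtime flow above, sketched as an added Python example that is not part of the catalog entry or of any product it mentions. The actor names, rule ids, limits and events are constructed, and in-memory lists stand in for the review queue, escalation route and evidence archive.

```python
# Constructed actor_context_lookup data: role and approval authority per person.
ACTORS = {"alice": {"role": "engineer", "expense_limit": 500},
          "bob": {"role": "admin", "expense_limit": 5000}}

# Hypothetical policy_rule_library: applicability condition, test, severity,
# suggested response. Rule ids and thresholds are made up for this example.
RULES = [
    {"id": "EXP-LIMIT", "severity": "medium",
     "applies": lambda e, a: e["action"] == "expense.submit",
     "violated": lambda e, a: e["context"]["amount"] > a["expense_limit"],
     "response": "manager review of the claim"},
    {"id": "ACCESS-SELF-APPROVE", "severity": "high",
     "applies": lambda e, a: e["action"] == "access.grant",
     "violated": lambda e, a: e["context"].get("approver") in (None, e["actor"]),
     "response": "suspend the grant pending independent review"},
]

def process(event, review_queue, escalations, archive):
    """Run steps 2-6 for one event and return the flags it raised."""
    # Unknown actors get zero authority, so checks fail closed rather than skip.
    actor = ACTORS.get(event["actor"], {"role": "unknown", "expense_limit": 0})
    flags = []
    for rule in RULES:
        if rule["applies"](event, actor) and rule["violated"](event, actor):
            flag = {"rule": rule["id"], "severity": rule["severity"],
                    "suggested": rule["response"], "event": event, "actor": actor}
            # High severity bypasses the queue; low and medium wait for review.
            (escalations if rule["severity"] == "high" else review_queue).append(flag)
            flags.append(flag)
    # Clean events are archived too, so the audit trail has no gaps.
    archive.append({"event": event,
                    "verdict": [f["rule"] for f in flags] or "audited-clean"})
    return flags

# Constructed sample events: actor, action, target, timestamp, context.
EVENTS = [
    {"actor": "alice", "action": "expense.submit", "target": "claim-101",
     "timestamp": "2024-03-04T09:12:00Z", "context": {"amount": 120}},
    {"actor": "alice", "action": "expense.submit", "target": "claim-102",
     "timestamp": "2024-03-04T09:40:00Z", "context": {"amount": 900}},
    {"actor": "bob", "action": "access.grant", "target": "prod-db:bob",
     "timestamp": "2024-03-04T10:05:00Z", "context": {"approver": "bob"}},
]

def run(events):
    queue, escalated, archive = [], [], []
    for event in events:
        process(event, queue, escalated, archive)
    return queue, escalated, archive
```

Calling `run(EVENTS)` puts the over-limit claim in the review queue, sends the self-approved access grant straight to escalation, and archives all three events, including the clean one.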
EMISSIONS · 3

Structured outputs this pattern produces. Other patterns and client systems can subscribe to them, which is how the catalog composes over time.

  • compliance_health_signal

    Per-policy violation rates over time, the compliance dashboard's main view.

    CONSUMED BY
    • compliance leadership
    • board reporting
    • audit preparation
  • policy_quality_signal

    Per-rule false-positive rate, surfaced for rule refinement.

    CONSUMED BY
    • policy rule library maintenance
    • compliance team workflows
  • actor_pattern_signal

    Patterns where specific actors or teams trigger frequent flags, useful for targeted training or process review.

    CONSUMED BY
    • compliance management
    • manager coaching workflows
    • training program design