A compliance team advises the board that a new AI regulation is likely to require a specific disclosure standard. The advice is based on a Commission guidance note — not a Regulation. Eighteen months later the Regulation passes with a different standard. The board wanted binding law; the team was tracking soft guidance. The distinction was never made explicit in the advice.
Regulatory intelligence that does not distinguish by source tier and document status is not intelligence. It is summaries of text.
Epistamate's source credibility tier system enforces the distinction automatically. Every claim carries the tier of its source. The confidence formula penalises claims from lower-tier sources regardless of how many times they are cited.
Regulations, Directives, Acts, Treaties, Decisions. These have direct legal effect. Claims sourced here carry maximum tier credit. They are treated differently from everything else — by the formula, not by analyst judgment.
Commission communications, regulatory authority guidance notes, official Q&A documents, consultation responses. Authoritative but not binding. Claims from these sources score differently — and the distinction is visible in every score breakdown.
Legislative proposals, draft standards, academic commentary, industry positions. Informative for tracking direction — not evidence of current obligations. Claims that only cite Tier 3 sources cannot achieve high confidence scores regardless of how authoritative the prose sounds.
A claim about GDPR Article 22 obligations is not the same as a claim about a proposed amendment to Article 22. Epistamate tracks the source tier and document status of every claim. When a regulation passes, claims that were previously sourced to Tier 3 (proposal) can be re-run against the enacted text and rescored.
The EU AI Act Article 12 requires that high-risk AI systems maintain logs that enable post-hoc auditability — what the system did, on what basis, at what point in time. Epistamate's Decision Log produces exactly this: an immutable record of the full evidence state at the moment a compliance decision was logged.
A compliance claim that holds under GDPR is contested under the California Consumer Privacy Act. A safety obligation established in the EU AI Act has no direct equivalent in the UK's AI framework. These contradictions are typed, tracked, and visible — not buried in a 40-page comparison document that nobody reads the cross-references in.
A gap in the regulatory intelligence — "the enforcement position of the ICO on this specific provision is not yet established" — is not the same as "there is no obligation." Gaps are typed, tracked, and carry importance ratings. The compliance brief tells the reader not just what is known but where the regulatory picture is still forming.
EU AI Act, UK AI framework, NIST RMF, proposed US federal AI legislation — all in motion simultaneously, often in conflict. The claim graph tracks what is binding where, what is proposed where, and what the enforcement position is where it exists.
GDPR, CCPA, PIPEDA, PDPB — across jurisdictions. Claims about data subject rights, lawful bases, and controller obligations are jurisdiction-specific and source-tier-dependent. The engine enforces these distinctions structurally.
MiFID II, Basel IV, DORA, SEC AI guidance — regulatory obligations in financial services are dense, overlapping, and frequently updated. The knowledge graph means the second update cycle on the same topic starts from what was verified in the first.
CSRD, SFDR, TCFD, taxonomy regulations — mandatory disclosure obligations with significant variation between what is required, what is voluntary, and what is proposed. Source tier enforcement is essential; the policy landscape is moving fast enough that draft and enacted are routinely confused.
We're talking to compliance teams, regulatory intelligence practices, and in-house legal functions in active development. We'd like to understand the specific workflow problem before describing the solution.