System and method for governance, regulation, and compliance using artificial intelligence
An AI-driven system addresses inefficiencies in GRC programs by automating vendor risk assessments and compliance documentation, using LLMs and multi-agent algorithms for accurate and efficient GRC management.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- SCRUT AUTOMATION INC
- Filing Date
- 2025-12-09
- Publication Date
- 2026-06-18
AI Technical Summary
Existing GRC programs are hindered by inefficiencies and subjectivity in vendor risk assessments due to time-consuming questionnaires and subjective human interpretation, leading to inconsistent results.
An AI-driven system utilizing Large Language Models (LLMs) and multi-agent coordination algorithms to automate vendor risk assessments, generate tailored questionnaires, and validate responses, incorporating domain-specific context, knowledge graphs, and best-practice data to ensure accuracy and compliance.
The system significantly reduces manual analysis, ensures consistent and accurate risk assessments, and automates compliance documentation, mimicking human expert reasoning for efficient and reliable GRC management.
Description
Attorney Docket 157818.619588
SYSTEM AND METHOD FOR GOVERNANCE, REGULATION, AND COMPLIANCE USING ARTIFICIAL INTELLIGENCE
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of U.S. Provisional Patent Application No. 63/729,702, filed December 9, 2024, the disclosure of which is incorporated herein by reference in its entirety.
BACKGROUND
1. Technical Field
[0002] The present disclosure relates to Governance, Risk, and Compliance (GRC), and more specifically to using Artificial Intelligence (AI) to reduce risk.
2. Introduction
[0003] Modern GRC programs help entities reduce waste, increase efficiency, reduce noncompliance risk, and share information more effectively. However, the paperwork and bureaucracy required to navigate risk through an effective GRC program has become so onerous that it often prevents actions from taking place.
SUMMARY
[0004] Additional features and advantages of the disclosure will be set forth in the description that follows, and in part will be understood from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.
[0005] Disclosed are systems, methods, and non-transitory computer-readable storage media which provide a technical solution to the technical problem described. A method for performing the concepts disclosed herein can include: receiving, at a computer system, a query related to governance, regulation, and compliance; generating, via at least one processor of the computer system, one or more sub-queries based on the query; executing, via the at least one processor, one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating, via the at least one processor, a response to the query using the sub-answers.
[0006] A system configured to perform the concepts disclosed herein can include: at least one processor; and a non-transitory computer readable storage medium having instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
[0007] A non-transitory computer readable storage medium configured to perform the concepts disclosed herein can include: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] FIG. 1 illustrates an example of an agent-based architecture;
[0009] FIG. 2 illustrates an example of a query and a route through a multi-agent architecture;
[0010] FIG. 3 illustrates an example method embodiment; and
[0011] FIG. 4 illustrates an example computer system.
DETAILED DESCRIPTION
[0012] Various embodiments of the disclosure are described in detail below. While specific implementations are described, this is done for illustration purposes only. Other components and configurations may be used without departing from the spirit and scope of the disclosure.
[0013] The system disclosed herein is configured to provide Artificial Intelligence (AI)-driven solutions for Governance, Risk, and Compliance (GRC). More specifically, as companies, entities, government agencies, etc. (collectively "entities") hire vendors, those entities need to perform an analysis to identify the risks associated with those vendors, as well as the potential upsides to working with those vendors. Non-limiting examples of such risks include harm to the entity's reputation, harm and disruption to employees, data security, reduced profits or impaired ability to work, etc. Likewise, benefits of working with various vendors can include increased profits, improved reputation, higher quality output, improved ability for employees to work, etc.
[0014] Making these GRC evaluations can involve the collection of massive amounts of data, often in the form of questionnaires sent to the vendors to obtain information about how the vendors operate. Upon receiving the completed questionnaires, specialists can review the answers provided and decide on the risk associated with the vendors. This process has multiple points of inefficiency and subjectivity. First, having the vendor complete a detailed questionnaire requires time from the vendor. Next, reviewing the answers provided by the vendor again requires time from the entity hiring (or considering using) the vendor. In addition, when reviewed by human beings, the interpretation of the answers provided by the vendor is subjective, resulting in inconsistent results.
[0015] The system disclosed herein addresses these points of inefficiency and subjectivity, resulting in a system which can generate answers to questions provided by an entity (i.e., allowing vendors to answer questions within a questionnaire), while also being capable of generating AI-driven assessments based on the answers provided by the vendors. These solutions leverage AI models, unique workflows, and multi-agent coordination algorithms to solve complex problems that traditional solutions cannot address. The system, broadly, captures (1) Third-Party Risk Management (TPRM), (2) AI-powered security questionnaire handling, and (3) using AI to ask questions / receive answers regarding GRC. The AI models are, for example, Large Language Models (LLMs) specifically configured to carry out the TPRM.
[0016] More specifically, the system provides an integrated suite of AI-driven governance, risk, and compliance (GRC) tools: the Third Party Risk Management (TPRM) system, an AI-powered questionnaire handler, and a GRC Copilot. Collectively, these systems automate vendor risk assessments, streamline compliance documentation, and enable expert-level reasoning across complex data environments. The TPRM system can use an AI-powered risk inference engine to analyze vendor characteristics such as data access, business purpose, and hosting configurations to generate dynamic risk profiles. It can then produce customized questionnaires tailored to each vendor and use large language models (LLMs) to validate vendor responses for completeness and accuracy. An intelligent task automation algorithm can further interpret risk findings and auto-generate mitigation actions, significantly reducing manual analysis by compliance teams. The uniqueness of the AI used by the system comes from (a) the domain-specific context it operates on, (b) the structure of the knowledge graphs, and (c) the specialized training data and best-practice data used to train the AI.
[0017] Regarding the domain-specific context, the AI relies on structured security, compliance, and risk context covering frameworks, cloud tests, controls, risks, evidence, assets, and policies. This interconnected domain context fundamentally changes how the system reasons compared to general-purpose LLM applications.
[0018] Regarding the knowledge graphs, each customer / user of the system can have an isolated knowledge graph encoding their posture, assets, controls, issues, and / or relationships. As a non-limiting example, each knowledge graph can have 150k-200k nodes, each node representing a data point of the customer / user's posture, assets, controls, issues, and / or relationships, with edges linking those nodes / data points. The AI then uses this structured knowledge graph for grounding responses (i.e., connecting the AI output to verifiable sources of information to make the response more accurate and trustworthy), which is distinct from a typical pooled Retrieval-Augmented Generation (RAG) or static document retrieval.
[0019] Regarding best practices, the AI used by systems configured as disclosed herein can use remediation playbooks, cloud misconfiguration mappings, framework interpretations, consultant heuristics, and / or common risk patterns to form a domain-specific instruction layer. This domain-specific instruction layer can be applied immediately upon receiving a query or can sit between the query and the output.
[0020] Non-limiting examples of training data can include Governance, Risk, and Compliance (GRC) training sets which cover (for example): how risks are remediated, how evidence is submitted, how analysts classify issues, and how auditors request clarifications. The training sets can also include reinforcement data used for feedback when training the AI algorithm(s), where a machine learning model receives positive or negative signals to improve its performance.
[0021] The second component addresses the complementary challenge of answering complex security questionnaires. It automatically populates responses by extracting information from the organization's internal policies, infrastructure documentation, and prior questionnaire responses. To overcome the context limitations of conventional LLMs, the second component employs retrieval-augmented generation (RAG) techniques, retrieving only the most relevant snippets from vast document repositories before feeding them into the LLM. This design enables organizations to maintain answer consistency across hundreds of questionnaires while improving accuracy and compliance traceability. Unlike off-the-shelf AI models, the second component is optimized for large-scale document ingestion and regulatory nuance, positioning it as an enterprise-grade solution for automated compliance documentation.
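The retrieve-then-generate step described in [0021], as an added example that is not part of the application or the applicant's product. It assumes a small repository of policy paragraphs and prior questionnaire answers (constructed sample text), builds a TF-IDF index over them, retrieves the top-k snippets for a questionnaire item, and assembles a prompt that carries only those snippets, each labelled with its source so the drafted answer can cite it. A production system would replace the toy index with an embedding model and vector store; the shape of the pipeline is the same.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class SnippetIndex:
    """TF-IDF index over short snippets (policy paragraphs, prior answers).
    Stand-in for the vector database + embedding model a deployment would use."""

    def __init__(self, snippets):
        self.snippets = snippets                       # list of (source, text)
        counts = [Counter(tokenize(text)) for _, text in snippets]
        df = Counter()
        for c in counts:
            df.update(c.keys())
        n = len(snippets)
        self.idf = {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}
        self.vectors = [self._vector(c) for c in counts]

    def _vector(self, counts):
        weights = {t: c * self.idf.get(t, 0.0) for t, c in counts.items()}
        norm = math.sqrt(sum(w * w for w in weights.values())) or 1.0
        return {t: w / norm for t, w in weights.items()}

    def search(self, query, k=3):
        """Top-k snippets by cosine similarity; query terms unseen at index time carry no weight."""
        q = self._vector(Counter(tokenize(query)))
        scored = []
        for i, vec in enumerate(self.vectors):
            score = sum(w * vec.get(t, 0.0) for t, w in q.items())
            if score > 0:
                scored.append((score, i))
        scored.sort(key=lambda s: (-s[0], s[1]))
        return [(self.snippets[i][0], self.snippets[i][1], round(score, 3)) for score, i in scored[:k]]


def build_prompt(question, hits):
    """Grounded prompt: only retrieved snippets reach the model, each labelled with
    its source so the answer can cite where it came from (compliance traceability)."""
    context = "\n".join(f"[{i + 1}] ({source}) {text}" for i, (source, text, _) in enumerate(hits))
    return ("Answer the security questionnaire item using only the numbered sources.\n"
            "Cite sources as [n]. If the sources do not cover the question, say so.\n\n"
            f"Sources:\n{context}\n\nQuestion: {question}\nAnswer:")


# Constructed document repository (sample policy text and prior answers, not real).
SNIPPETS = [
    ("policy/encryption.md", "All customer data is encrypted at rest using AES-256 with keys managed in AWS KMS and rotated annually."),
    ("policy/access-control.md", "Access to production requires SSO with MFA; privileged access is reviewed quarterly."),
    ("prior/acme-2024.csv", "Q: Is data encrypted in transit? A: Yes, TLS 1.2 or higher is enforced for all endpoints."),
    ("policy/incident-response.md", "Security incidents are triaged within 1 hour and customers notified within 72 hours."),
    ("prior/globex-2023.csv", "Q: Do you encrypt backups? A: Backups are encrypted at rest with the same KMS keys as primary storage."),
]

QUESTION = "Is customer data encrypted at rest, and how are keys managed?"


def retrieve_for(question, k=3):
    return SnippetIndex(SNIPPETS).search(question, k)


if __name__ == "__main__":
    hits = retrieve_for(QUESTION)
    print(build_prompt(QUESTION, hits))
```

The prompt instructs the model to refuse rather than guess when the sources do not cover the item; that refusal, combined with the source labels, is what makes the auto-filled answer auditable later.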
[0022] The GRC Copilot is a multi-agent expert system designed to handle complex compliance and audit queries with human-like reasoning. It decomposes user queries into subproblems and routes them to specialized agents, such as a Policy Agent, Test Agent, Risk Agent, and Evidence Agent, under the coordination of a Supervisor Agent. The agents are Large Language Models (LLMs), each specifically configured (i.e., trained) to evaluate the subproblems in distinct ways. Responses are then synthesized and verified by a Reflection Agent to ensure accuracy and contextual relevance.
[0023] As used herein, an AI engine is the underlying system that processes data and makes predictions, while an AI agent is a more complete, autonomous system that uses an AI engine to make decisions and take actions to achieve a goal. AI engines are reactive, requiring user input to perform tasks, while AI agents are proactive, capable of interacting with environments, learning, and performing tasks independently, like a virtual assistant scheduling meetings. However, as used herein, "engines", "agents", and "algorithms" may be used interchangeably to describe the AI algorithms.
[0024] The Reflection Agent (also an LLM) can verify accuracy and relevance by cross-checking answers against the customer's structured context (controls, risks, assets, evidence, cloud tests), and by using specialized training data created from many (e.g., tens of thousands of) expert-labeled signals. These signals encode what correct mappings and valid remediation steps look like in previous GRC workflows. The Reflection Agent also applies rule-based checks to detect inconsistencies or hallucinations, and regenerates answers if they don't meet these domain-specific criteria.
[0025] This architecture allows the system to analyze multiple data types (text, documents, system diagrams, evidence artifacts) and correlate them to regulatory frameworks, cloud configurations, and audit requirements. The system dynamically decides the order and depth of analysis across agents, effectively mimicking the reasoning of a human expert in GRC management. Collectively, these innovations create a scalable AI platform that intelligently automates end-to-end compliance, risk assessment, and audit processes in enterprise environments.
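The rule-based part of the Reflection Agent in [0024], as an added example that is not code from the application or the applicant's product. It assumes a customer context of controls, control-to-framework mappings and cloud test results (constructed sample data), and three assumed claim phrasings in the draft answer ("AC-2 maps to SOC2-CC6.1", "test 'name' passed"). Each rule flags a claim the structured context does not support, and the generate-check-regenerate loop feeds the violations back to the answering model (here a fake generator) before retrying.

```python
import re
from dataclasses import dataclass, field

# Constructed customer context (sample data, not real posture data): the
# structured facts a Reflection Agent cross-checks a draft answer against.
CUSTOMER_CONTEXT = {
    "controls": {
        "AC-2": {"frameworks": {"SOC2-CC6.1", "ISO27001-A.9.2"}, "assets": {"okta"}},
        "CM-6": {"frameworks": {"SOC2-CC7.1"}, "assets": {"aws-prod"}},
    },
    "cloud_tests": {
        "s3-public-access-block": {"asset": "aws-prod", "status": "fail"},
        "mfa-enforced": {"asset": "okta", "status": "pass"},
    },
}

# Claim patterns the rule layer understands (assumed answer phrasing).
CONTROL_ID = re.compile(r"\b[A-Z]{2}-\d+\b")
MAPPING = re.compile(r"\b([A-Z]{2}-\d+) maps to ([A-Za-z0-9-]+(?:\.[A-Za-z0-9]+)*)")
TEST_CLAIM = re.compile(r"test '([a-z0-9-]+)' (passed|failed)")


@dataclass
class Verdict:
    accepted: bool
    violations: list = field(default_factory=list)


def reflect(draft, ctx):
    """Rule-based grounding check. Each violation is a claim the structured
    context does not support; any violation means the draft is rejected."""
    violations = []
    # Rule 1: every control the draft names must exist for this customer.
    for cid in sorted(set(CONTROL_ID.findall(draft))):
        if cid not in ctx["controls"]:
            violations.append(f"unknown control {cid}")
    # Rule 2: a claimed control-to-framework mapping must be a recorded edge.
    for cid, framework in MAPPING.findall(draft):
        known = ctx["controls"].get(cid, {}).get("frameworks", set())
        if framework not in known:
            violations.append(f"unsupported mapping {cid} -> {framework}")
    # Rule 3: a claimed test outcome must match the recorded test status.
    for name, claim in TEST_CLAIM.findall(draft):
        record = ctx["cloud_tests"].get(name)
        if record is None:
            violations.append(f"unknown test {name}")
        elif claim != {"pass": "passed", "fail": "failed"}[record["status"]]:
            violations.append(f"test {name} is recorded as {record['status']}, draft says {claim}")
    return Verdict(accepted=not violations, violations=violations)


def answer_with_reflection(generate, ctx, max_attempts=3):
    """Generate-check-regenerate loop. `generate(feedback)` stands in for the
    answering LLM; it receives the previous attempt's violations (empty on the
    first call). Returns (accepted_draft_or_None, last_verdict)."""
    feedback, verdict = [], Verdict(False, ["no attempt made"])
    for _ in range(max_attempts):
        draft = generate(feedback)
        verdict = reflect(draft, ctx)
        if verdict.accepted:
            return draft, verdict
        feedback = verdict.violations
    return None, verdict


# Constructed drafts standing in for two successive LLM outputs.
BAD_DRAFT = ("Control AC-2 maps to SOC2-CC6.1 and test 's3-public-access-block' passed. "
             "Control XY-9 maps to SOC2-CC1.1.")
GOOD_DRAFT = "Control AC-2 maps to SOC2-CC6.1 and test 'mfa-enforced' passed."


def demo():
    """Run the loop with a fake generator that first hallucinates, then corrects."""
    drafts = iter([BAD_DRAFT, GOOD_DRAFT])
    return answer_with_reflection(lambda feedback: next(drafts), CUSTOMER_CONTEXT)


if __name__ == "__main__":
    print(reflect(BAD_DRAFT, CUSTOMER_CONTEXT))
    print(demo())
```

The bad draft trips all three rules (a control that does not exist, a mapping the graph never recorded, and a test reported as passing that actually fails), which is exactly the class of confident-but-wrong output a compliance answer cannot afford; the loop returns None rather than a draft when the attempt budget is exhausted, so the caller never receives an unverified answer.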
[0026] Returning to the TPRM, the system can automate the process of assessing risks associated with third-party vendors by utilizing an AI-driven risk assessment engine. In addition, the system can generate tailored / customized questionnaires based on each vendor's profile. To do so, the system can include the following unique features:
[0027] (A) AI-Powered Risk Inference Engine (also an LLM): The TPRM system can analyze vendor-specific data to generate dynamic risk profiles of the vendors. The system can consider the following information to provide an initial risk assessment of high, medium, or low risk: Data Accessed by the Vendor (e.g., the entity data being accessed by the vendor); Vendor Type (e.g., User Interface (UI) / reporting, Application Programming Interface (API), Application, Software Development Kit (SDK) / package, services); Hosting Details (e.g., on premises, single or multi-tenant); Business Scope; and / or Reason for Engagement.
[0028] (B) Intelligent Vendor Portal with Response Validation Algorithms: The system can have a portal which integrates real-time validation of the questionnaires completed by the vendors using Large Language Models (LLMs). More specifically, upon receiving the completed questionnaires, the system can (using the LLMs) assess the vendor responses for completeness, accuracy, and consistency against predefined criteria, ensuring each answer directly addresses the question posed. Such LLMs can be operated by the system, or the system can transmit the query to a third-party LLM and receive responses to the query. This approach mitigates the risk of misinterpreted or incomplete responses in risk assessments, thereby reducing subjectivity while ensuring compliance with the questionnaire process.
[0029] (C) AI-Based Risk and Mitigation Task Identification: The system can include an intelligent task automation feature powered by decision-making algorithms, which automatically extracts tasks related to risk mitigation. For example, upon detecting an answer to a question using the Intelligent Vendor Portal discussed above, the system may identify a task to reduce risk to the entity based on the vendor's answer. As a non-limiting example, an answer may indicate a range of experience levels among employees at the vendor, and the system may automatically generate a task to ensure that more experienced employees of the vendor work on the entity's jobs. Such automation reduces the manual workload for risk managers, enabling the risk managers to prioritize and address potential vulnerabilities more efficiently.
[0030] The AI-Powered Risk Inference Engine, the Intelligent Vendor Portal with Response Validation Algorithms, and the AI-Based Risk and Mitigation Task Identification are different engines carrying out different tasks. For example, the risk inference engine is trained to extract risk out of vendor documents, whereas the mitigation task identification engine can then interpret the risk and determine how the user should mitigate this risk. However, they are all powered by similar reference data (e.g., the same underlying documents).
[0031] For each of these unique features (i.e., the AI-Powered Risk Inference Engine, the Intelligent Vendor Portal with Response Validation Algorithms, and the AI-Based Risk and Mitigation Task Identification), the system can use synthetic data to train with, thereby ensuring quality responses. Synthetic data can be useful because it allows for scenarios that may not have occurred yet in actual customer environments but are entirely plausible and important for the system to handle. Whereas real data only reflects the past, synthetic data can prepare the system for future edge cases, emerging risks, and variations expected to appear over time. It also allows training to systematically cover the full range of conditions (common, rare, and extreme) in a balanced way, which improves generalization and reduces blind spots within the resulting system. Additionally, synthetic data avoids the need to use customer information, which is critical for privacy, isolation, and compliance.
[0032] To support the development and scaling of the AI-driven TPRM system, the system uses a rigorous synthetic data generation process that simulates real-world vendor interactions and responses. This dataset is used to train and validate the TPRM system's algorithms for risk assessment, response validation, and task automation.
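The initial risk assessment and questionnaire tailoring of feature (A) in [0027] and [0026], as an added example that is not code from the application or the applicant's product. The weights, tier thresholds and question bank are assumptions chosen to illustrate the shape of the logic: the most sensitive data class the vendor touches dominates, integration depth (an SDK running inside the entity's environment counts for more than a reporting UI), tenancy and business scope add to it, and the resulting tier plus the profile attributes select which questions the vendor is asked. The vendor profiles are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    """The five inputs [0027] lists for the initial assessment."""
    data_classes: frozenset   # classes of entity data the vendor accesses
    vendor_type: str          # "ui", "api", "application", "sdk", "services"
    hosting: str              # "on_prem", "single_tenant", "multi_tenant"
    business_scope: str       # "peripheral", "supporting", "core"
    reason: str               # reason for engagement (free text, kept for the record)


# Assumed weights (not from the application).
DATA_WEIGHT = {"public": 0, "internal": 1, "pii": 3, "financial": 3, "health": 4, "credentials": 5}
TYPE_WEIGHT = {"ui": 1, "api": 2, "application": 2, "sdk": 3, "services": 2}
HOSTING_WEIGHT = {"on_prem": 0, "single_tenant": 1, "multi_tenant": 2}
SCOPE_WEIGHT = {"peripheral": 0, "supporting": 1, "core": 2}


def risk_score(p):
    """Most sensitive data class dominates; the other attributes add to it."""
    data = max((DATA_WEIGHT[c] for c in p.data_classes), default=0)
    return data + TYPE_WEIGHT[p.vendor_type] + HOSTING_WEIGHT[p.hosting] + SCOPE_WEIGHT[p.business_scope]


def risk_tier(score):
    """Assumed thresholds for the high / medium / low initial assessment."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Question bank: (id, question text, applicability predicate over the profile).
QUESTION_BANK = [
    ("Q-PENTEST", "When was your last third-party penetration test and what was its scope?", lambda p: True),
    ("Q-ENC-REST", "Is our data encrypted at rest, with which algorithm, and who manages the keys?",
     lambda p: bool(p.data_classes - {"public"})),
    ("Q-SUBPROC", "Which sub-processors or hosting providers handle our data?", lambda p: p.hosting != "on_prem"),
    ("Q-TENANT-ISO", "How is tenant isolation enforced in your multi-tenant environment?",
     lambda p: p.hosting == "multi_tenant"),
    ("Q-API-AUTH", "How are API credentials issued, scoped, and rotated?", lambda p: p.vendor_type in {"api", "sdk"}),
    ("Q-SBOM", "Do you publish an SBOM and sign released packages?", lambda p: p.vendor_type == "sdk"),
    ("Q-BCP", "What recovery time objective has your continuity plan been tested against?",
     lambda p: p.business_scope == "core"),
    ("Q-REGULATED", "Which regulatory regimes (e.g. HIPAA, PCI DSS) cover your handling of this data?",
     lambda p: bool(p.data_classes & {"health", "financial"})),
]


def tailor_questionnaire(p, tier):
    questions = [(qid, text) for qid, text, applies in QUESTION_BANK if applies(p)]
    if tier == "high":
        questions.append(("Q-EVIDENCE", "Attach your current SOC 2 Type II report or ISO 27001 "
                                        "certificate and the latest pentest report."))
    return questions


def assess(p):
    """Initial risk profile plus the questionnaire tailored to it."""
    score = risk_score(p)
    tier = risk_tier(score)
    return {"score": score, "tier": tier, "questionnaire": tailor_questionnaire(p, tier)}


# Constructed vendor profiles (sample data, not real vendors).
ANALYTICS_SDK = VendorProfile(frozenset({"pii"}), "sdk", "multi_tenant", "supporting", "product analytics")
ONPREM_REPORTING = VendorProfile(frozenset({"internal"}), "ui", "on_prem", "peripheral", "quarterly reporting")
MANAGED_SERVICE = VendorProfile(frozenset({"internal"}), "services", "multi_tenant", "supporting", "helpdesk outsourcing")

if __name__ == "__main__":
    for vendor in (ANALYTICS_SDK, ONPREM_REPORTING, MANAGED_SERVICE):
        result = assess(vendor)
        print(vendor.reason, result["score"], result["tier"], [qid for qid, _ in result["questionnaire"]])
```

The point of the predicates is that the questionnaire length tracks exposure: the on-premises reporting tool gets two questions, the multi-tenant SDK that sees PII gets the tenant-isolation, supply-chain and evidence questions as well, which is what keeps vendor effort proportionate while still capturing the risk-relevant answers.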
[0033] The process for generating this synthetic data and training the system includes the following steps. Note that in some configurations, certain steps may be added or removed as required for a particular scenario. In addition, the order of the steps may vary as needed, and in some instances may be able to be executed simultaneously.
[0034] (1) Data Generation Process: Synthetic data is created to represent a broad spectrum of vendor types, industries, data sensitivity levels, and compliance requirements. Each dataset includes vendor profiles with unique characteristics, as well as simulated responses to tailored questionnaires. This process ensures coverage of various scenarios, providing a robust dataset to train the AI algorithms (i.e., the engines or agents disclosed herein) for accurately evaluating vendor risks.
[0035] (2) Expert Review for Consistency and Accuracy: To ensure the synthetic data reflects real-world accuracy, security and compliance experts can manually review and validate the responses. Experts can scrutinize each synthetic response for adherence to predefined criteria, such as relevance, completeness, and compliance accuracy. This step can provide a high-quality foundation, ensuring that the data is consistent and free from inaccuracies before scaling.
[0036] Note that the manual review process is used to ensure the quality of the data meets desired standards. As the system scales, Large Language Models (LLMs) can be used to review the responses, with expert agents (in the form of human beings or algorithms) reviewing the data and ensuring that the data is clean.
[0037] (3) Metric Development and Scaling Algorithms: After expert validation, metrics can be developed to quantify response quality across various dimensions. Key metrics can include:
- Completeness: Checking whether vendor responses fully addressed all aspects of a given question.
- Accuracy: Ensuring the information was precise, correct, and contextually relevant.
- Consistency: Verifying that responses align with previously provided information and maintain continuity across related answers.
[0038] These metrics can be integrated into algorithms that apply the same rigorous standards at scale, enabling efficient validation of responses across large datasets. The system's LLM- powered algorithms can then use these metrics to perform real-time assessments of vendor responses.
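The completeness and consistency metrics of [0037], applied in code the way the response validation of feature (B) in [0028] applies them, as an added example that is not code from the application or the applicant's product. It assumes each question is annotated with the aspects a complete answer must cover (here as regular expressions), and that consistency is checked by comparing the stance of the new answer with the vendor's earlier answer to the same question. Accuracy, which needs evidence or an LLM judgement, is deliberately left out. The questions, answers and prior submission are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class Question:
    qid: str
    text: str
    aspects: dict   # aspect name -> regex that signals the aspect was addressed


@dataclass
class Finding:
    qid: str
    metric: str     # "completeness" or "consistency"
    detail: str


NEGATION = re.compile(r"\b(no|not|never|none|don't|cannot|disabled)\b", re.I)
AFFIRMATION = re.compile(r"\b(yes|enabled|enforced|encrypted|required|we do)\b", re.I)


def polarity(answer):
    """Crude stance detection: -1 if the answer negates, +1 if it affirms, 0 if unclear.
    Negation is checked first so 'is not encrypted' is not read as an affirmation."""
    if NEGATION.search(answer):
        return -1
    if AFFIRMATION.search(answer):
        return 1
    return 0


def check_completeness(question, answer):
    """One finding per aspect of the question the answer does not address."""
    missing = [name for name, pattern in question.aspects.items()
               if not re.search(pattern, answer, re.I)]
    return [Finding(question.qid, "completeness", f"does not address: {name}") for name in missing]


def check_consistency(question, answer, prior_answers):
    """Flag a stance reversal versus the vendor's earlier answer to the same question."""
    previous = prior_answers.get(question.qid)
    if previous is None:
        return []
    now, before = polarity(answer), polarity(previous)
    if now and before and now != before:
        label = lambda s: "affirmative" if s > 0 else "negative"
        return [Finding(question.qid, "consistency",
                        f"stance changed from {label(before)} to {label(now)} versus prior submission")]
    return []


def validate(questions, answers, prior_answers):
    """Run the metric checks over a completed questionnaire; an empty list means it passes."""
    findings = []
    for q in questions:
        answer = answers.get(q.qid, "")
        if not answer.strip():
            findings.append(Finding(q.qid, "completeness", "no answer given"))
            continue
        findings += check_completeness(q, answer)
        findings += check_consistency(q, answer, prior_answers)
    return findings


# Constructed questionnaire, vendor answers and prior submission (sample data).
QUESTIONS = [
    Question("Q1", "Is our data encrypted at rest? State the algorithm and how keys are managed.",
             {"encryption at rest": r"at rest", "algorithm": r"aes|chacha|algorithm",
              "key management": r"\bkms\b|\bhsm\b|key management|keys are"}),
    Question("Q2", "Do you run annual third-party penetration tests? Give the date of the last one.",
             {"cadence": r"annual|yearly|quarterly|every year", "date of last test": r"\b20\d{2}\b"}),
]
ANSWERS = {
    "Q1": "Yes, all customer data is encrypted at rest with AES-256.",
    "Q2": "Yes, we run annual pentests; the last one was completed in March 2024.",
}
PRIOR_ANSWERS = {"Q1": "No, data at rest is not encrypted today."}

if __name__ == "__main__":
    for f in validate(QUESTIONS, ANSWERS, PRIOR_ANSWERS):
        print(f"{f.qid} [{f.metric}] {f.detail}")
```

On the sample input Q1 is flagged twice: it never says who holds the keys, and it now affirms encryption at rest that the vendor denied in the previous submission. Both are exactly the cases a human reviewer tends to wave through when reading a long questionnaire, and both are the signal the LLM-based review should be asked to confirm rather than discover.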
[0039] (4) Automated Risk Inference and Task Generation: The synthetic dataset can simulate risk scenarios to train the TPRM system's risk inference engine. This includes generating vendor-specific risk profiles and associated mitigation tasks based on response analysis. By training the Al to recognize patterns of risk across varying vendor types, the system can become proficient at automating risk identification and task extraction.
[0040] The AI can be trained by leveraging a pre-trained large language model (LLM) and fine-tuning the LLM for Third-Party Risk Management (TPRM) using few-shot prompting and synthetic data. Few-shot prompting is a technique for guiding a large language model (LLM) by including a small number of examples in the prompt itself, which helps the model understand the desired task and output format. There is no fixed numerical limit for what counts as few-shot prompting. In practice, it refers to providing just enough examples for the model to infer a pattern without becoming a full training dataset. Typically, this is anywhere from 1 to about 10 examples. Few-shot prompting can include presenting the LLM with carefully crafted examples that simulate real-world TPRM scenarios, such as vendor responses and risk assessments.
[0041] When there is sufficient time / data, the system can progress to fine-tuning and in-context training. To enhance accuracy and diversity, synthetic datasets (e.g., 100k+ points) can be generated representing different types of vendors and risk cases, with these synthetic datasets being manually validated by security experts. The LLM's performance can be evaluated against metrics like precision, recall, and completeness, ensuring the LLM identifies risks and provides actionable insights correctly. A feedback loop can provide iterative refinement of the prompts while also improving the LLM's contextual understanding. Real-world interactions provide additional data for continuous learning, while expert validation ensures the system aligns with compliance and risk management best practices.
[0042] A non-limiting example of a feedback loop review can include: (1) Collection of interaction data (questions, responses, thumbs-down / negative feedback, and cases of customer dissatisfaction); (2) Review of low-quality or low-satisfaction cases to identify patterns: missing context, wrong assumptions, hallucinations, or unclear wording; (3) Updating prompts, system instructions, and routing / decision logic to better guide the LLM; (4) Redeploying the systems with these updated prompts; and (5) Monitoring subsequent interactions to verify that the changes improved quality. In some configurations this feedback loop can include manual interaction, whereas in other cases the feedback loop can be automated. For example, the system can use machine learning to identify the patterns of errors, then deploy updates to the prompts / instructions based on the detected patterns.
[0043] (5) Continuous Dataset Expansion and Improvement: To adapt to new compliance requirements, industry changes, and emerging risk factors, the synthetic dataset can be continuously expanded and refined. Real-world feedback and new compliance standards can be incorporated to enhance the dataset's relevance.
[0044] Retraining the TPRM system allows it to improve continuously from each piece of feedback. This feedback from users can be immediately fed into a refinement loop using Reinforcement Learning with Human Feedback (RLHF), where the system rewards behavior that leads to good feedback and tends to answer in the direction that the user encourages. High-quality corrections can be incorporated into prompt designs through advanced augmentation techniques like context layering and adaptive scaffolding, ensuring the model understands and applies these refinements in future responses. This iterative approach allows the TPRM system to remain current and responsive to evolving risk landscapes.
[0045] Regarding the system's AI-powered security questionnaire handling, the system can have one or more algorithms designed to streamline the process of filling out security questionnaires by auto-filling responses based on policy review and analysis of previously completed questionnaires. The security questionnaire handling leverages AI models to interpret regulatory standards and policy nuances, synthesizing responses to questionnaires with a high degree of accuracy and consistency. In addition, the security questionnaire handling enables the system to understand complex compliance requirements and tailor responses (with or without the use of LLMs) based on specific standards. By analyzing past responses, the security questionnaire handling can maintain response consistency across multiple questionnaires, thereby reducing the risk of discrepancies and improving compliance accuracy for organizations handling security questionnaires.
[0046] Regarding the GRC Copilot, the system can provide an AI-powered assistant that provides expert-level answers to queries related to risk management, audit processes, and compliance standards. The core features of the GRC Copilot can include:
[0047] (A) An Adaptive Agent Routing Algorithm: This routing algorithm can intelligently decompose complex, multi-part questions, assigning each part of the question to a relevant expert agent (expert agents being specific algorithms designed to handle a given type of task). To perform question decomposition and context analysis, the system uses an LLM trained to understand the query and identify the best way to respond. Identification of the best way to respond is performed by "talking" (i.e., digitally communicating) with other LLMs involved in the architecture. This is a "Supervisor" agent, the supervisor being trained to understand the queries that come in, including decomposition and context analysis. The system can consolidate the sub-responses generated by the respective expert agents into a cohesive answer, thereby ensuring high accuracy across diverse topics, such as audit procedures, risk management strategies, and compliance queries.
[0048] (B) Cross-Referencing Capability: The system can reference and identify insights across multiple documents, such as risk assessment reports, compliance frameworks, and technical configurations. More specifically, the system can identify the content in each document and, where there are contextual similarities, the system can identify and highlight those contextual similarities. In some configurations, the system can highlight or otherwise link (e.g., a hyperlink) data across multiple sources. This multi-document, multi-data approach ensures that answers are grounded in comprehensive context rather than being isolated to a single document.
[0049] (C) Expert Conversational Flow: The system can utilize a conversational AI system (e.g., an LLM or other generative AI system) which is adaptive, adjusting in real time based on user feedback and clarification requests. The conversational AI system allows users to engage in detailed discussions on specific risk and compliance topics, promoting an expert-level exchange that caters to specialized needs.
[0050] (D) Integrated Task Automation: The system can leverage AI-based decision-making, allowing the GRC Copilot to assess the context of discussions and automatically create tasks based on user interactions. More specifically, the Supervisor discussed above can determine, for example, that the user is instructing the system to perform a given task. The Supervisor can then instruct a separate LLM, called the "Task Handler", that is trained to generate pieces of code to carry out these tasks. If, for example, the given task is to send an email, the Task Handler may be instructed by the Supervisor to carry out this action. When the Supervisor delegates a task, the Task Handler can generate the specific code required to execute that operation (e.g., sending an email, creating a task, updating a record), based on the patterns it learned during training. Likewise, the system can generate action items for risk mitigation or compliance follow-ups, streamlining operational processes for GRC managers.
[0051] FIG. 1 illustrates an example of an agent-based architecture which can be used by the Adaptive Agent Routing Algorithm to route questions to an appropriate expert agent. The illustrated architecture coordinates various specialized / expert agents 110, each responsible for specific GRC-related tasks, under the direction of a Supervisor Agent 104. This allows for precise, efficient query handling, leveraging specialized agents that process specific types of information, execute targeted actions, and generate accurate answers across multiple GRC domains. While FIG. 1 illustrates a number of different expert agents 110, in other configurations there may be additional expert agents or fewer expert agents. In addition, in some configurations the illustrated expert agents may be combined or otherwise consolidated as needed for a particular use.
[0052] Each of the expert agents 110 can be separate Al algorithms, and may be executed on a single computing device or distinct computing devices, and such execution can occur in parallel or in serial, per the instructions of the Supervisor Agent 104. The expert agents 110 can, in some configurations, be updated periodically based on feedback to the answers 108 generated. Such updates or modifications can include deleting, updating, and / or replacing portions of code associated with the algorithms of each agent 110. In some configurations, such as neural networks, updating the code of any given agent may require retraining all or a portion of the agent 110 using updated training data which is distinct from the past training data.
[0053] Supervisor Agent 104: The Supervisor Agent 104 is responsible for analyzing incoming queries and routing them to the appropriate specialized agents. This routing decision is made based on the nature of the query and the expertise required to address it. For example, first, the Supervisor Agent 104 classifies the user request into a predefined set of intent categories using rules and keywords. Then the Supervisor Agent 104 computes semantic similarity between the request and each agent's domain (e.g., cloud, access, tasks, remediation) using embeddings. The Supervisor Agent 104 chooses the agent (from the agents 110) whose domain scores highest while also satisfying any rule-based constraints (e.g., "cloud-only questions must go to the Cloud Agent"). The Supervisor Agent 104 can send queries (which may be sub-queries) to one or multiple agents as needed to provide a comprehensive answer. As illustrated, the non-limiting examples of expert agents can include:
[0054] (1) Test Agent 112: The test agent 112 can retrieve information related to cloud and security tests. Using tools that pull specific test data, the test agent 112 can assess the compliance of various cloud assets and security controls, assisting in identifying potential vulnerabilities and non-compliance issues.
[0055] (2) Policy Agent 114: The policy agent 114 can gather policies relevant to the query at hand. By accessing and retrieving policy documents, the policy agent 114 can ensure that the provided response aligns with established organizational or regulatory policies.
[0056] (3) Control Agent 116: The control agent 116 can retrieve control mappings, connecting policy standards to operational controls. The control agent 116 can output insights into how various controls support compliance requirements and highlight gaps in compliance frameworks.
[0057] (4) Evidence Agent 118: The evidence agent 118 can pull relevant reports, such as vulnerability assessment and penetration testing (VAPT) reports. The evidence agent 118 can support evidence-based decision-making by providing documentation that substantiates compliance and security measures.
[0058] (5) Risk Agent 120: The risk agent 120 can evaluate potential risks based on retrieved data, policies, and controls. The risk agent 120 can synthesize information to identify, infer, and prioritize risks, playing a critical role in proactive risk management.
[0059] (6) Task Agent 122: Task derivation and automation are managed by the task agent 122. Using AI-driven decision-making capabilities, the task agent 122 can generate tasks related to identified risks or gaps in compliance, creating actionable items and enabling follow-through on identified issues.
[0060] (7) Follow-up Agent 124: The follow-up agent 124 can ensure continuous monitoring and follow-up on previously identified tasks, issues, or risks. The follow-up agent 124 enables a loop of constant engagement and reassessment, supporting ongoing compliance and risk mitigation.
[0061] (8) Simple Query Agent 126: The simple query agent 126 handles straightforward queries that require factual information retrieval or simple responses. The simple query agent 126 can use tools to identify product documentation, and can perform retrieval-augmented generation (RAG) to quickly answer basic questions without invoking more complex agents.
[0062] Upon receiving findings/answers from one or more of the expert agents 110 at the supervisor 104, the supervisor 104 sends the findings/answers to a reflection agent 106. The reflection agent 106 can consolidate and review the responses, using those responses to generate a final response/answer 108 to the query 102. In addition, the reflection agent 106 can ensure that the final answer 108 is coherent and accurately addresses the initial query 102. Moreover, the reflection agent 106 can enable refinement and, if necessary, prompt additional steps (i.e., tasking the supervisor 104, which can then send additional tasks back to the individual agents 110) to ensure completeness and relevance in the response/answer 108.
[0063] This modular, multi-agent architecture ensures efficient, contextually relevant responses by leveraging specific expertise across agents. Each agent's specialized functionality enables the system to address complex, multi-faceted queries in GRC domains effectively, providing a comprehensive and accurate response framework that meets the needs of compliance, audit, and risk management processes.
[0064] FIG. 2 illustrates an example of a query and a route through a multi-agent architecture. In this example, the system uses the same architecture described with respect to FIG. 1; however, only a few specific agents 122, 124 within the possible agents 110 are used. As illustrated, the system receives a query 102 “Can you make a task for this?” 202. The query 102, 202 is received by a supervisor 104 (aka a router), which decides which agent(s) 110 will receive one or more sub-queries. The supervisor 104 also uses previous conversation context in evaluating the query 102, 202. In evaluating the query 102, 202, the supervisor 104 seeks to determine if it has enough context 206 (based on the previous conversation context 204) to generate a task. To make that determination, the supervisor 104 sends a sub-query to the task agent 122 (described above) and the follow-up agent 124 (described above). These sub-queries may be sequential or conducted in parallel, depending on the results of each sub-query and/or configuration. Upon receiving the results from the expert agents 122, 124, the supervisor 104 forwards the answers to the reflection agent 106, which compiles the answers of the individual expert agents and generates an answer 108, which is provided to the user who generated the query 102, 202.
[0065] FIG. 3 illustrates an example method embodiment. As illustrated, a method can include: receiving, at a computer system, a query related to governance, regulation, and compliance 302; generating, via at least one processor of the computer system, one or more sub-queries based on the query 304; executing, via the at least one processor, one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers 306; and generating, via the at least one processor, a response to the query using the sub-answers 308.
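The supervisor routing of [0053], the reflection step of [0062] and the FIG. 2 walk-through, as an added illustration in Python. This is not the patent's or Scrut Automation's code. Everything it relies on is a constructed stand-in: a bag-of-words cosine similarity in place of learned embeddings, keyword predicates in place of the intent classifier, a mapping of the "cloud" rule to the test agent (the patent's example names a Cloud Agent), and a small set of control, asset and evidence identifiers serving as the structured context the reflection agent cross-checks against.

```python
"""Toy supervisor -> expert agents -> reflection pipeline.

Added illustration in plain Python; not the patent's or Scrut Automation's code.
Assumed stand-ins (none of them from the patent): bag-of-words cosine similarity
instead of learned embeddings, keyword predicates instead of an intent classifier,
and constructed structured context for the reflection agent's cross-check.
"""
import math
import re
from collections import Counter

# Constructed one-line domain descriptions for the expert agents of [0054]-[0061].
AGENT_DOMAINS = {
    "test": "cloud security test results compliance of cloud assets and controls",
    "policy": "policy documents organizational regulatory policies",
    "control": "control mappings standards operational controls gaps framework",
    "evidence": "evidence reports vapt vulnerability assessment penetration testing",
    "risk": "risk evaluation prioritize risks",
    "task": "create task actionable items follow through",
    "followup": "follow up monitoring previously identified tasks issues",
}

# Constructed rule-based constraints (predicate on the lower-cased query, agent).
# The patent's example rule names a "Cloud Agent"; here cloud questions are
# assumed to belong to the test agent, which handles cloud and security tests.
RULES = [
    (lambda q: "cloud" in q, "test"),
    (lambda q: "task" in q, "task"),
]

# Constructed structured context (controls, assets, evidence) for cross-checking.
CONTEXT = {
    "controls": {"AC-2", "CM-6"},
    "assets": {"prod-db-01"},
    "evidence": {"VAPT-2024-Q4"},
}
REF_PATTERN = re.compile(r"\b(?:[A-Z]{2}-\d+|VAPT-\d{4}-Q\d|prod-[a-z]+-\d+)\b")


def embed(text):
    """Bag-of-words vector; stands in for the embedding model of [0053]."""
    return Counter(re.findall(r"[a-z]+", text.lower()))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def route(query, top_k=2):
    """Supervisor step: rule constraints first, then similarity ranking."""
    q = query.lower()
    forced = sorted({agent for pred, agent in RULES if pred(q)})
    qv = embed(query)
    scores = {name: cosine(qv, embed(desc)) for name, desc in AGENT_DOMAINS.items()}
    ranked = sorted(scores, key=scores.get, reverse=True)
    chosen = forced + [a for a in ranked if a not in forced]
    return chosen[:max(top_k, len(forced))], scores


def reflect(query, sub_answers):
    """Reflection step: consolidate sub-answers and flag identifiers that do not
    exist in the structured context, so an agent's unsupported reference is
    routed back for another pass instead of reaching the user as verified."""
    known = set().union(*CONTEXT.values())
    unsupported = [(agent, ref)
                   for agent, text in sub_answers.items()
                   for ref in REF_PATTERN.findall(text)
                   if ref not in known]
    answer = f"Q: {query}\n" + "\n".join(f"[{a}] {t}" for a, t in sub_answers.items())
    return {"answer": answer, "needs_followup": bool(unsupported), "unsupported": unsupported}


def handle(query, agents, max_passes=2):
    """Full route: supervisor -> chosen expert agents -> reflection, with one
    additional pass (adding the follow-up agent) if references are unsupported."""
    chosen, _ = route(query)
    result = None
    for _ in range(max_passes):
        sub_answers = {name: agents[name](query) for name in chosen if name in agents}
        result = reflect(query, sub_answers)
        if not result["needs_followup"]:
            break
        chosen = sorted(set(chosen) | {"followup"})
    return result
```

The cross-check in `reflect` is the part worth keeping in any real deployment: an identifier that an expert agent cites but that is absent from the system's own controls, assets and evidence is the typical shape of a language-model fabrication, and treating it as a trigger for another supervisor pass (rather than as part of the final answer) is what [0062] and [0087] describe as refinement.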
[0066] With reference to FIG. 4, an exemplary system includes a computing device 400 (such as a general-purpose computing device), including a processing unit (CPU or processor) 420 and a system bus 410 that couples various system components including the system memory 430 such as read-only memory (ROM) 440 and random access memory (RAM) 450 to the processor 420. The computing device 400 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 420. The computing device 400 copies data from the system memory 430 and/or the storage device 460 to the cache for quick access by the processor 420. In this way, the cache provides a performance boost that avoids processor 420 delays while waiting for data. These and other modules can control or be configured to control the processor 420 to perform various actions. Other system memory 430 may be available for use as well. The system memory 430 can include multiple different types of memory with different performance characteristics. It can be appreciated that the disclosure may operate on a computing device 400 with more than one processor 420 or on a group or cluster of computing devices networked together to provide greater processing capability. The processor 420 can include any general-purpose processor and a hardware module or software module, such as module 1 462, module 2 464, and module 3 466 stored in storage device 460, configured to control the processor 420 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 420 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.
[0067] The system bus 410 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. A basic input/output (BIOS) stored in memory ROM 440 or the like, may provide the basic routine that helps to transfer information between elements within the computing device 400, such as during start-up. The computing device 400 further includes storage devices 460 such as a hard disk drive, a magnetic disk drive, an optical disk drive, tape drive or the like. The storage device 460 can include software modules 462, 464, 466 for controlling the processor 420. Other hardware or software modules are contemplated. The storage device 460 is connected to the system bus 410 by a drive interface. The drives and the associated computer-readable storage media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for the computing device 400. In one aspect, a hardware module that performs a particular function includes the software component stored in a tangible computer-readable storage medium in connection with the necessary hardware components, such as the processor 420, system bus 410, output device 470 (such as a display or speaker), and so forth, to carry out the function. In another aspect, the system can use a processor and computer-readable storage medium to store instructions which, when executed by a processor (e.g., one or more processors), cause the processor to perform a method or other specific actions. The basic components and appropriate variations are contemplated depending on the type of device, such as whether the computing device 400 is a small, handheld computing device, a desktop computer, or a computer server.
[0068] Although the exemplary embodiment described herein employs the storage device 460 (such as a hard disk), other types of computer-readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, digital versatile disks, cartridges, random access memories (RAMs) 450, and read-only memory (ROM) 440, may also be used in the exemplary operating environment. Tangible computer-readable storage media, computer-readable storage devices, or computer-readable memory devices, expressly exclude media such as transitory waves, energy, carrier signals, electromagnetic waves, and signals per se.
[0069] To enable user interaction with the computing device 400, an input device 490 represents any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 470 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems enable a user to provide multiple types of input to communicate with the computing device 400. The communications interface 480 generally governs and manages the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
[0070] The computing device 400 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. The computing device 400 may also be used in a distributed cloud computing environment (such as where the computing device 400 utilizes one or more servers), where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
[0071] The technology discussed herein refers to computer-based systems and actions taken by, and information sent to and from, computer-based systems. One of ordinary skill in the art will recognize that the inherent flexibility of computer-based systems allows for a great variety of possible configurations, combinations, and divisions of tasks and functionality between and among components. For instance, processes discussed herein can be implemented using a single computing device or multiple computing devices working in combination. Databases, memory, instructions, and applications can be implemented on a single system or distributed across multiple systems. Distributed components can operate sequentially or in parallel.
[0072] Neural networks, foundational to modern artificial intelligence, are computational systems designed to process data and generate predictions or classifications by emulating aspects of human brain function. A neural network is a framework of machine learning algorithms that work together to classify inputs based on a previous training process. They power applications like image recognition, natural language processing, and predictive analytics. At their core, neural networks consist of interconnected layers of mathematical units called neurons, organized into an input layer, one or more hidden layers, and an output layer. The input layer receives raw or preprocessed data, such as pixel values or text embeddings, represented as numerical vectors. Hidden layers transform this data into increasingly abstract representations through complex computations, while the output layer produces the result, such as a class probability or a numerical prediction. Each neuron connects to those in the next layer via weighted connections, where weights are numerical values that amplify or diminish the influence of one neuron’s output on another’s input. Additionally, biases (adjustable offsets) enhance the model’s flexibility in fitting data.
[0073] The operation of a neural network begins with a forward pass, where data flows from the input layer through the hidden layers to the output. Each neuron computes a weighted sum of its inputs, adds its bias, and applies a nonlinear activation function, such as a sigmoid, rectified linear unit (ReLU), or hyperbolic tangent (tanh), to produce an output. This process repeats across layers, with each layer extracting more complex features, such as edges in images or semantic patterns in text. The final layer’s output depends on the task: classification tasks yield probabilities (e.g., “90%”), while regression tasks produce continuous values (e.g., a predicted temperature). Crucially, the forward pass does not alter the model’s stored parameters (weights and biases), which represent the network’s learned knowledge. These parameters are stored in digital memory, typically as 32-bit or 16-bit floating-point arrays. Weights form matrices, with rows and columns corresponding to neurons in adjacent layers, while biases are stored as one-dimensional arrays. Meta-information, such as layer counts and activation function types, is also stored to define the network’s structure.
[0074] Training a neural network involves adjusting its parameters to minimize prediction errors. During training, a forward pass generates predictions, which are compared to correct outputs using a loss function, such as mean squared error or cross-entropy, to quantify errors. Backpropagation then computes gradients, indicating how much each parameter contributed to the error, by applying the chain rule to propagate errors backward from the output to the input layer. Optimization algorithms, like stochastic gradient descent, adjust weights and biases in directions that reduce the loss. This process iterates over multiple epochs, with parameters gradually converging to values that improve accuracy. Memory usage during training is dynamic: weights and biases are updated incrementally for each data batch, and intermediate results, like neuron activations and gradients, are temporarily stored in buffers to facilitate backpropagation. To ensure progress is saved, parameters are periodically checkpointed to persistent storage, allowing training to resume later. Efficiency techniques, such as reducing parameter precision to 16-bit formats, further optimize memory and computation.
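A minimal worked version of the forward pass, backpropagation and stochastic-gradient update described in [0073] and [0074], added here as an illustration; it is not code from the patent. The two-input, two-hidden-unit tanh network, its initial weights and biases, and the single training sample are all constructed. The weight matrices follow the layout the text describes (rows for the receiving layer's neurons, columns for the sending layer's), biases are one-dimensional lists, and a central finite-difference check confirms that the chain-rule gradients agree with numerical ones before a descent step is taken.

```python
"""Two-layer network: forward pass, backpropagation, gradient check, SGD step.

Added illustration in plain Python (no NumPy); not the patent's code.
The architecture, initial parameters and sample below are constructed.
"""
import math

# Constructed parameters: 2 inputs -> 2 hidden units (tanh) -> 1 linear output.
# W1[i][j] connects input j to hidden neuron i; W2[0][i] connects hidden i to output.
PARAMS = {
    "W1": [[0.5, -0.3], [0.8, 0.2]],
    "b1": [0.1, -0.1],
    "W2": [[0.7, -0.6]],
    "b2": [0.05],
}


def forward(p, x):
    """Forward pass: weighted sum + bias + activation per layer.
    Returns (prediction, cached activations needed by backward); p is not modified."""
    z1 = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(p["W1"], p["b1"])]
    h = [math.tanh(z) for z in z1]
    y = sum(w * hi for w, hi in zip(p["W2"][0], h)) + p["b2"][0]
    return y, (x, h)


def loss(p, x, t):
    """Squared-error loss for one sample; the 0.5 factor keeps the derivative clean."""
    y, _ = forward(p, x)
    return 0.5 * (y - t) ** 2


def backward(p, x, t):
    """Backpropagation: chain rule from output back to input layer.
    Returns gradients with the same shapes as PARAMS."""
    y, (x, h) = forward(p, x)
    dy = y - t                                              # dL/dy
    dW2 = [[dy * hi for hi in h]]                           # dL/dW2 = dy * h
    db2 = [dy]
    dh = [dy * w for w in p["W2"][0]]                       # dL/dh = dy * W2
    dz1 = [dhi * (1 - hi * hi) for dhi, hi in zip(dh, h)]   # tanh'(z) = 1 - tanh(z)^2
    dW1 = [[dz * xi for xi in x] for dz in dz1]             # dL/dW1 = dz1 (outer) x
    db1 = dz1
    return {"W1": dW1, "b1": db1, "W2": dW2, "b2": db2}


def _as_rows(value):
    """View a matrix as its rows, and a bias vector as a single row (same list objects)."""
    return value if isinstance(value[0], list) else [value]


def numeric_grad_check(p, x, t, eps=1e-6):
    """Compare analytic gradients against central finite differences.
    Perturbs each parameter in place and restores it; returns the largest abs difference."""
    grads = backward(p, x, t)
    worst = 0.0
    for name, value in p.items():
        for row, grow in zip(_as_rows(value), _as_rows(grads[name])):
            for j in range(len(row)):
                old = row[j]
                row[j] = old + eps
                lp = loss(p, x, t)
                row[j] = old - eps
                lm = loss(p, x, t)
                row[j] = old
                worst = max(worst, abs((lp - lm) / (2 * eps) - grow[j]))
    return worst


def sgd_step(p, x, t, lr=0.1):
    """One stochastic-gradient-descent update of all weights and biases in place.
    Returns (loss before, loss after) so the decrease can be observed."""
    before = loss(p, x, t)
    grads = backward(p, x, t)
    for name, value in p.items():
        for row, grow in zip(_as_rows(value), _as_rows(grads[name])):
            for j in range(len(row)):
                row[j] -= lr * grow[j]
    return before, loss(p, x, t)


if __name__ == "__main__":
    sample_x, sample_t = [1.0, -2.0], 0.5   # constructed training sample
    print("prediction:", forward(PARAMS, sample_x)[0])
    print("max |numeric - analytic| gradient:", numeric_grad_check(PARAMS, sample_x, sample_t))
    print("loss before/after one step:", sgd_step(PARAMS, sample_x, sample_t))
```

The gradient check is the step worth copying into any hand-written training code: a backpropagation bug usually still produces a loss that drifts downward, so comparing the analytic gradient against a finite difference on a tiny network is the only cheap way to know the chain-rule code is right.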
[0075] Once trained, the network enters inference mode, where parameters are fixed, and only forward passes are executed to generate predictions. This mode minimizes memory writes, making it ideal for deployment on resource-constrained devices like mobile phones. Neural networks can reduce memory usage, use unique parameter update mechanisms to enhance training efficiency, use hybrid memory systems combining volatile and non-volatile storage, and/or perform dynamic precision adjustments during training or inference.
[0076] Use of language such as “at least one of X, Y, and Z,” “at least one of X, Y, or Z,” “at least one or more of X, Y, and Z,” “at least one or more of X, Y, or Z,” “at least one or more of X, Y, and/or Z,” or “at least one of X, Y, and/or Z,” are intended to be inclusive of both a single item (e.g., just X, or just Y, or just Z) and multiple items (e.g., {X and Y}, {X and Z}, {Y and Z}, or {X, Y, and Z}). The phrase “at least one of” and similar phrases are not intended to convey a requirement that each possible item must be present, although each possible item may be present.
[0077] The various embodiments described above are provided by way of illustration only and should not be construed to limit the scope of the disclosure. Various modifications and changes may be made to the principles described herein without following the example embodiments and applications illustrated and described herein, and without departing from the spirit and scope of the disclosure. For example, unless otherwise explicitly indicated, the steps of a process or method may be performed in an order other than the example embodiments discussed above. Likewise, unless otherwise indicated, various components may be omitted, substituted, or arranged in a configuration other than the example embodiments discussed above.
[0078] Further aspects of the present disclosure are provided by the subject matter of the following clauses.
[0079] A method comprising: receiving, at a computer system, a query related to governance, regulation, and compliance; generating, via at least one processor of the computer system, one or more sub-queries based on the query; executing, via the at least one processor, one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating, via at least one processor, a response to the query using the sub-answers.
[0080] The method of any prior clause, further comprising: executing, via the at least one processor, at least one action as part of the response to the query.
[0081] The method of any prior clause, wherein generating the one or more sub-queries comprises using a supervisor agent algorithm to decompose the query into multiple components.
[0082] The method of any prior clause, wherein the supervisor agent algorithm analyzes the query using semantic similarity and rule-based constraints, resulting in routing decisions, wherein routing decisions determine which of the one or more expert agent algorithms receive the one or more sub-queries.
[0083] The method of any prior clause, wherein each of the one or more expert agent algorithms comprise a distinct large language model.
[0084] The method of any prior clause, further comprising: generating a plurality of agent training data sets, each agent training data set within the plurality of agent training data sets having a distinct context from other agent training data sets within the plurality of agent training data sets; and training, via the at least one processor, the one or more expert agent algorithms using the plurality of agent training data sets, wherein each training data set within the plurality of agent training data sets is used to train a single expert agent algorithm within the one or more expert agent algorithms.
[0085] The method of any prior clause, wherein at least a portion of the plurality of agent training data sets comprise a mixture of synthetic data and real data.
[0086] The method of any prior clause, further comprising: consolidating the sub-answers using a reflection agent algorithm to generate the response to the query.
[0087] The method of any prior clause, wherein the reflection agent algorithm cross-checks the sub-answers against structured context data to verify accuracy and relevance of the response to the query, the comprising controls comprising risks, assets, and evidence.
[0088] A system comprising: at least one processor; and a non-transitory computer readable storage medium having instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
[0089] The system of any prior clause, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: executing at least one action as part of the response to the query.
[0090] The system of any prior clause, wherein generating the one or more sub-queries comprises using a supervisor agent algorithm to decompose the query into multiple components.
[0091] The system of any prior clause, wherein the supervisor agent algorithm analyzes the query using semantic similarity and rule-based constraints, resulting in routing decisions, wherein routing decisions determine which of the one or more expert agent algorithms receive the one or more sub-queries.
[0092] The system of any prior clause, wherein each of the one or more expert agent algorithms comprise a distinct large language model.
[0093] The system of any prior clause, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: generating a plurality of agent training data sets, each agent training data set within the plurality of agent training data sets having a distinct context from other agent training data sets within the plurality of agent training data sets; and training the one or more expert agent algorithms using the plurality of agent training data sets, wherein each training data set within the plurality of agent training data sets is used to train a single expert agent algorithm within the one or more expert agent algorithms.
[0094] The system of any prior clause, wherein at least a portion of the plurality of agent training data sets comprise a mixture of synthetic data and real data.
[0095] The system of any prior clause, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: consolidating the sub-answers using a reflection agent algorithm to generate the response to the query.
[0096] The system of any prior clause, wherein the reflection agent algorithm cross-checks the sub-answers against structured context data to verify accuracy and relevance of the response to the query, the comprising controls comprising risks, assets, and evidence.
[0097] A non-transitory computer readable storage medium having instructions stored which, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
[0098] The non-transitory computer readable storage medium of any prior clause, having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: executing at least one action as part of the response to the query.
Claims
We claim:
1. A method comprising: receiving, at a computer system, a query related to governance, regulation, and compliance; generating, via at least one processor of the computer system, one or more sub-queries based on the query; executing, via the at least one processor, one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating, via at least one processor, a response to the query using the sub-answers.
2. The method of claim 1, further comprising: executing, via the at least one processor, at least one action as part of the response to the query.
3. The method of claim 1, wherein generating the one or more sub-queries comprises using a supervisor agent algorithm to decompose the query into multiple components.
4. The method of claim 3, wherein the supervisor agent algorithm analyzes the query using semantic similarity and rule-based constraints, resulting in routing decisions, wherein routing decisions determine which of the one or more expert agent algorithms receive the one or more sub-queries.
5. The method of claim 1, wherein each of the one or more expert agent algorithms comprise a distinct large language model.
6. The method of claim 5, further comprising: generating a plurality of agent training data sets, each agent training data set within the plurality of agent training data sets having a distinct context from other agent training data sets within the plurality of agent training data sets; and training, via the at least one processor, the one or more expert agent algorithms using the plurality of agent training data sets, wherein each training data set within the plurality of agent training data sets is used to train a single expert agent algorithm within the one or more expert agent algorithms.
7. The method of claim 6, wherein at least a portion of the plurality of agent training data sets comprise a mixture of synthetic data and real data.
8. The method of claim 1, further comprising: consolidating the sub-answers using a reflection agent algorithm to generate the response to the query.
9. The method of claim 8, wherein the reflection agent algorithm cross-checks the sub-answers against structured context data to verify accuracy and relevance of the response to the query, the comprising controls comprising risks, assets, and evidence.
10. A system comprising: at least one processor; and a non-transitory computer readable storage medium having instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
11. The system of claim 10, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: executing at least one action as part of the response to the query.
12. The system of claim 10, wherein generating the one or more sub-queries comprises using a supervisor agent algorithm to decompose the query into multiple components.
13. The system of claim 12, wherein the supervisor agent algorithm analyzes the query using semantic similarity and rule-based constraints, resulting in routing decisions, wherein routing decisions determine which of the one or more expert agent algorithms receive the one or more sub-queries.
14. The system of claim 10, wherein each of the one or more expert agent algorithms comprise a distinct large language model.
15. The system of claim 14, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: generating a plurality of agent training data sets, each agent training data set within the plurality of agent training data sets having a distinct context from other agent training data sets within the plurality of agent training data sets; and training the one or more expert agent algorithms using the plurality of agent training data sets, wherein each training data set within the plurality of agent training data sets is used to train a single expert agent algorithm within the one or more expert agent algorithms.
16. The system of claim 15, wherein at least a portion of the plurality of agent training data sets comprise a mixture of synthetic data and real data.
17. The system of claim 10, the non-transitory computer readable storage medium having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: consolidating the sub-answers using a reflection agent algorithm to generate the response to the query.
18. The system of claim 17, wherein the reflection agent algorithm cross-checks the sub-answers against structured context data to verify accuracy and relevance of the response to the query, the comprising controls comprising risks, assets, and evidence.
19. A non-transitory computer readable storage medium having instructions stored which, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving a query related to governance, regulation, and compliance; generating one or more sub-queries based on the query; executing one or more expert agent algorithms, each of the one or more expert agent algorithms being used to answer at least one of the one or more sub-queries, resulting in sub-answers; and generating a response to the query using the sub-answers.
20. The non-transitory computer readable storage medium of claim 19, having additional instructions stored which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: executing at least one action as part of the response to the query.