# Usage: curl -sSL https://seed.show/compliance.regulatory.monitoring | bash -s <install-path>
# <install-path> is the directory where the file should land.
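# Abort on any error, on unset variables, and on a failed pipeline stage.
set -euo pipefail
# Refuse to run without an explicit install path.
[ -z "${1:-}" ] && {
  echo "install requires a path: curl -sSL https://seed.show/compliance.regulatory.monitoring | bash -s <install-path>" >&2
  exit 1
}
TARGET="$1"
mkdir -p "$TARGET"
# Destination for the archive; the quoted heredoc delimiter below keeps its contents literal.
DEST="$TARGET/seed-fold.G2ebKn.folded.md"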
cat > "$DEST" <<'PORTDOWN_967F3482'
<!--
This is a `.folded.md` archive — a directory packed into one markdown
file. The markers below are load-bearing; don't edit them directly.
To unpack (requires bash — if you have no shell, tell the user):
1. curl -sSLf https://fold.dom.vin/skill | bash -s <INSTALL_DIR>
2. <INSTALL_DIR>/fold/scripts/unfold <this-file>
(or: unfold <this-file> if fold/scripts is on your PATH)
-->
---
fold: true
marker: 966196
at: 2026-05-07T16:16:00Z
root: seed-pack.O0j3aL
---
<!--fold:966196@file path="README.md" mode="644"-->
# compliance.regulatory.monitoring
Regulatory compliance monitoring context for agents. **Before proceeding:** compliance is a regulated professional discipline. Agents provide orientation and analytical support; they do not provide compliance opinions, legal advice, or regulatory interpretation. Decisions about whether a specific control satisfies a specific regulatory requirement, how to respond to an enforcement action, or what disclosures are legally required must be made by qualified compliance officers and legal counsel. Agents that output compliance conclusions without flagging this are creating liability, not reducing it.
This seed covers the structural logic of a compliance program — how monitoring fits into the full control environment, where programs predictably fail, and what AI monitoring tools do and don't address. Specific regulatory requirements (rates, thresholds, filing deadlines, reporting forms) change constantly; fetch authoritative sources from sources.md at task time rather than relying on training data.
---
## Mental model: compliance as a control environment
The foundational model is not "does the organization follow the rules." That framing produces reactive programs. The operative framing is: **does the organization maintain a defensible record of awareness and response to applicable regulatory requirements?**
"Defensible" is the load-bearing word. The record must be presentable to a regulator, a plaintiff's counsel, or a federal judge and demonstrate good faith — not just existence. The Federal Sentencing Guidelines for Organizations (USSG §8B2.1) reduce penalties for effective compliance programs. The DOJ's Evaluation of Corporate Compliance Programs (ECCP, updated 2023) asks not "does the policy exist" but "was the policy followed, and how do you know?" Both frameworks are asking the same question: *can you show you knew and responded?*
Monitoring is the detection mechanism. It detects when controls fail or new requirements arise. But monitoring exists within a broader control environment — the full set of policies, procedures, organizational structures, and governance mechanisms designed to ensure compliance. COSO's Internal Control — Integrated Framework (2013) defines the five components of that environment: control environment, risk assessment, control activities, information and communication, and monitoring activities. Monitoring without the other four components is surveillance without response.
---
## The compliance program lifecycle
Compliance programs run a repeating cycle. Each phase has a purpose; skipping or collapsing phases is where programs break down.
**Inventory.** The organization establishes what regulations apply — by jurisdiction, product, business line, and risk level. Not a one-time exercise. Corporate scope changes (new products, new markets, acquisitions) and regulatory scope changes (new rules, amended rules, expanded enforcement) both require refresh. An inventory accurate at implementation degrades continuously without a maintenance process.
**Monitoring.** Ongoing tracking of regulatory activity: proposed rules, final rules, guidance documents, enforcement actions, court decisions, and agency announcements. Output is a stream of regulatory signals requiring evaluation. Good monitoring distinguishes between rules in force, rules that will take effect, rules under legal challenge, and agency positions expressed in guidance (which can be reversed without notice-and-comment rulemaking) versus promulgated rules (which require APA process to reverse). The risk profile of a guidance-embedded requirement differs from a final-rule requirement; treat them differently.
**Gap analysis.** For each regulatory signal requiring response, map the new or changed requirement to existing controls, policies, and practices, and identify the delta. Gap analysis is not binary — it produces a risk-ranked finding: how material is the gap, which business functions are affected, what is the remediation path, what is the timeline, who owns it. A gap analysis that produces a list without risk ranking and owner assignment is a document, not an analysis.
**Remediation.** Close identified gaps: drafting or revising policies, updating procedures, reconfiguring controls, retraining employees, modifying systems. Every finding requires an owner, a target date, and a current status. Remediation initiated but not tracked to closure is the most common operational failure in compliance programs.
**Control testing.** After remediation, verify controls operate as designed. Two forms: design testing (does the control, as written, address the requirement?) and operating effectiveness testing (is the control being followed in practice?). These are not the same question, and programs that test design but not operation produce false assurance. The function that designs a control should not be the primary function that tests it — independence matters.
**Reporting.** Findings, remediation status, test results, and outstanding risk items are reported to management and the board. This closes the governance loop: it is how the organization demonstrates awareness and response. Reporting aggregated to the point where material issues are invisible ("compliance is on track" without specifics) does not function as governance.
---
## What agents get wrong
**Treating compliance as a checklist.** A checklist is a tool, not a program. Agents given a regulatory requirement reduce it to items to check off, without modeling the risk, the affected controls, the testing requirement, or the documentation needed to make findings defensible. The checklist might be correct and still produce a program that fails examination — examiners ask for evidence of operation, not the existence of a form.
**Monitoring without a response workflow.** Regulatory monitoring generates signals. Without a triage and response workflow attached — who reviews signals, what triggers a gap analysis, who assigns ownership, what is the escalation path — monitoring is information, not program management. Agents surface regulatory changes accurately and then stop, without connecting the signal to the response cycle. The connection is where compliance value is created.
**Confusing policy existence with policy compliance.** A policy is the minimum, not the deliverable. The DOJ ECCP and regulatory examiners specifically probe whether policies are "followed, enforced, and periodically reviewed and updated." An agent that responds to a compliance question by drafting a policy has completed a documentation task, not a compliance task. Compliance is demonstrated by testing — and by documentation linking test results back to the policy and the regulatory requirement it satisfies.
**Conflating guidance with rules.** Agency guidance, FAQ documents, staff bulletins, and no-action letters express agency positions but are generally not legally binding as promulgated rules. Guidance can be reversed without rulemaking; rules can only be reversed through the APA process. Agents frequently treat guidance as rules and rules as guidance. The distinction matters for risk assessment: a position embedded only in guidance is more exposed to reversal than one embedded in a final rule.
**Generating gap analyses without control mapping.** A gap analysis that identifies a regulatory delta without mapping to existing controls, policies, and business processes is half-done. It must answer: what does the regulation require, what does the organization do today, where is the delta, what existing control partially addresses it, and what would closing the gap require. Agents working on gap analysis generate the requirement description without the current-state mapping.
**Outputting current regulatory requirements from training data.** Specific thresholds, deadlines, filing requirements, and reportable amounts change through rulemaking and agency guidance. An agent that states a specific regulatory requirement (e.g., a capital ratio, a disclosure threshold, a filing deadline) without fetching a current authoritative source is reporting a snapshot that may be stale. Always direct toward authoritative sources; never output specific regulatory numbers from training data as current facts.
---
## What AI is changing
AI tools have entered compliance operations at three points in the lifecycle: regulatory change management, policy gap analysis, and control monitoring.
**Regulatory change monitoring.** NLP-based tools scan regulatory publications, agency websites, and enforcement databases to identify changes affecting a defined regulatory universe — faster than manual tracking, with better coverage across jurisdictions. The limitation: these tools are configured against a scope, and they perform well within it. They do not independently identify when the organization's regulatory scope has changed. Horizon scanning (identifying future obligations from proposed rules, agency priority statements, and ANPRMs) remains a judgment task that retrieval-based systems handle poorly.
**Policy gap analysis and obligation extraction.** LLMs can parse regulatory text, extract discrete obligations, and map them to a policy library using semantic similarity. This accelerates first-pass coverage analysis significantly. The limitation: semantic similarity is not legal sufficiency. A model that finds a plausible coverage match between a regulatory requirement and a policy provision is doing retrieval, not control design review. The output must be treated as a first draft requiring independent verification of each claimed mapping — not as a conclusion.
**Continuous control monitoring.** Automated tools (Drata, Vanta, and similar) collect evidence continuously — access logs, configuration states, training completion rates — and flag control deviations in near-real-time rather than at periodic audit intervals. This genuinely changes the detection lag for certain control failures, particularly technical controls. The limitation: these tools monitor documentation events (was the test performed, was the log generated) rather than the quality of what they're monitoring (was the test adequate, does the log reflect actual behavior). High testing-completion rates reported by a continuous monitoring tool say nothing about testing adequacy.
**What stays human:**
- Regulatory interpretation: what a requirement means in context, how regulators apply it in practice, and how to respond to enforcement action
- Board and senior management reporting: the judgment about which risks are material enough to name explicitly
- Remediation prioritization: balancing regulatory exposure, business impact, cost, and timeline across an open finding inventory
- Scope management: identifying when business change triggers new regulatory applicability
- Enforcement response: all interaction with regulators during examination, investigation, or enforcement
---
## The examiner's test
A regulator or federal prosecutor evaluating a compliance program asks a single question with sub-questions:
1. Did the organization know its regulatory obligations? (Inventory and monitoring)
2. When requirements changed, did the organization identify the gap? (Gap analysis)
3. Did the organization take steps to close the gap? (Remediation)
4. Did the organization verify the gap was actually closed? (Control testing)
5. Was this process documented in a way presentable to an external party? (Defensibility)
6. Did senior management and the board receive accurate information about compliance risk? (Governance)
AI monitoring tools can improve operational throughput at monitoring and gap identification. They do not touch the organizational failure modes: ownership, tracking, testing independence, governance reporting, and scope maintenance. A compliance program that deploys AI monitoring and treats the monitoring tool as the program has addressed one input to a six-part test.
<!--fold:966196@file path="failure-modes.md" mode="644"-->
# Compliance Monitoring Failure Modes
The organizational failure modes that cause compliance programs to fail examinations, generate liability, and produce false assurance. Where AI-assisted monitoring is involved, the document covers how automation amplifies each failure mode rather than curing it. The final section covers AI-specific failure modes that have no direct analog in manual programs.
---
## Failure mode 1: Horizon risk
**What it is.** The compliance program monitors current applicable requirements but misses regulatory activity that will become applicable — proposed rules, enforcement priority shifts, agency guidance signaling future rulemaking, and international developments that will eventually propagate to domestic regulation.
**How it manifests.** A monitoring function configured to track final rules in force is complete for yesterday's obligations. It produces nothing about the proposed rulemaking published six months ago, the agency speech telegraphing a new enforcement theory, or the EU regulation whose US equivalent is circulating in draft. The program appears fully operational while systematically blind to the next twelve months of obligations.
**How AI monitoring amplifies it.** AI-assisted regulatory change monitoring is typically trained and evaluated on changes to existing rules — a well-defined retrieval problem with labeled outcomes. Horizon scanning is a different task: synthesizing signals across proposed rules, agency priority statements, enforcement statistics, and political context to estimate future regulatory exposure. This is not retrieval; it is judgment. AI systems deployed for change monitoring often have no horizon-scanning capability, and their operators don't notice because the gap is invisible — the system reports accurately on current requirements and generates no warnings about what is coming.
**What good programs do instead.** Maintain a separate horizon-scanning process alongside change monitoring. Track proposed rules, requests for information, and advance notices of proposed rulemaking (ANPRMs) with projected effective dates. Assign preliminary ownership before finalization — so when a rule is finalized, there is already a responsible owner, a preliminary gap estimate, and a response plan rather than a standing start.
---
## Failure mode 2: Translation failure
**What it is.** The regulatory requirement is correctly identified and tracked, but the mapping from regulatory text to internal control is wrong, incomplete, or missing. The organization cannot demonstrate that its controls actually satisfy the requirement — not because the controls don't exist, but because the connection was never made defensibly.
**How it manifests.** A gap analysis states a new requirement is "covered by existing policy." No one asks: which policy, which section, which control activity, and how would a regulator verify that? When an examiner asks those questions, the answers are inconsistent across team members, or the policy cited hasn't been updated in three years, or the control described is a design control with no evidence of operation. The nominal coverage is a documentation artifact, not a functioning mapping.
**How AI translation amplifies it.** AI-generated gap analyses tend to be fluent and superficially complete. A model given a regulatory requirement and a policy library will produce plausible-sounding coverage mappings — "Requirement X appears to be addressed by Section 4.2 of Policy Y" — without the evidentiary work that makes the mapping defensible. The AI is doing semantic similarity matching, not control design review. The output reads like a conclusion but does not constitute one. Compliance teams that accept AI-generated coverage mappings without independent verification are building a dossier that looks complete and fails on examination.
**What good programs do instead.** Obligation mapping requires three-level specificity: the regulatory text, the internal control or policy provision that addresses it, and the evidence that would demonstrate operating effectiveness (a testing result, an approval log, a sample). All three must be linked. If any link is missing, the mapping is incomplete. Treat AI gap analysis output as a first-pass draft requiring human verification of each claimed mapping — not as a conclusion.
---
## Failure mode 3: Testing theater
**What it is.** Control testing is performed on schedule and documented, but the testing does not actually assess whether the control is operating as designed. The organization has testing results showing controls as "effective" while controls are failing in practice.
**How it manifests.** Design testing confirms the policy says what it should. Walkthroughs confirm the process as described by the person who designed it. Sample sizes are small, drawn from time periods when the process was known to be running well. Testing is performed by the team responsible for the control (no independence). Findings that could be material are reclassified as observations to keep the overall rating clean. The testing file is extensive; the assurance it provides is minimal.
**How AI monitoring amplifies it.** AI-assisted compliance monitoring can track whether controls have been "tested" (the documentation event) without visibility into whether testing was adequate (the quality assessment). A system monitoring testing completion rates and flagging overdue tests is measuring documentation hygiene, not assurance quality. It can report high completion rates for a program that has never tested operating effectiveness. Worse, AI tools that generate testing scripts may generate scripts that confirm design (easily observable) rather than probe operation (requires sampling, anomaly detection, and adversarial thinking).
**What good programs do instead.** Distinguish design testing from operating effectiveness testing explicitly. Operating effectiveness testing requires: a defined population, a statistically or risk-appropriate sample, evidence that the control operated (not just that it was designed to operate), and testing performed with adequate independence from the control owner. Compliance functions that both design and test their own controls without second-line review have an independence problem no AI tool can compensate for.
---
## Failure mode 4: Remediation drift
**What it is.** A gap is identified, documented, assigned an owner, and given a target date — and then not tracked to closure. The finding persists in the gap inventory indefinitely. The organization has a documented awareness problem (the gap is known) paired with an undocumented response failure (the gap was not closed).
**How it manifests.** Gap inventories with dozens of open items, many past their original due date, with status notes like "in progress" unchanged for months. Quarterly compliance reports to the board that report aggregate completion rates rather than specific open items. Remediation owners unclear whether their item is still open, or believing it was closed when closure documentation was never filed. When an examiner pulls the gap inventory, the organization cannot show it tracked identified risks to resolution.
**How AI monitoring amplifies it.** AI-assisted gap analysis is good at generating findings. It is structurally not involved in the remediation workflow — remediation requires organizational action, system configuration, policy drafting, and training, none of which an AI monitoring tool performs or tracks. The result: AI-augmented compliance programs can generate more findings faster than the organization can remediate them, accelerating accumulation of open items in an unmanaged inventory. A large, stale gap inventory is worse than a smaller one because it demonstrates awareness without response — exactly what regulators and prosecutors look for when evaluating whether a program was genuine.
**What good programs do instead.** Every finding in the gap inventory requires an owner, a target date, a current status, and an escalation path if the date slips. Remediation status reviewed at a fixed cadence (monthly minimum for material items). Findings that slip past their target date require documented rationale and a revised timeline approved by a responsible executive — not automatic extension. Board and management reporting must include aging of open items by risk tier, not just aggregate counts.
---
## Failure mode 5: Inventory decay
**What it is.** The regulatory inventory — the list of regulations applicable to the organization — was accurate at a point in time and became stale as organizational scope changed and the regulatory environment evolved. The monitoring program is tracking the wrong universe of requirements.
**How it manifests.** A company launches a new product line, expands into a new state, acquires a business, or changes its business model in ways that trigger new regulatory applicability — and no one updates the regulatory inventory. The monitoring program continues reporting accurately on the original scope while the new scope is unmonitored. Conversely, the company exits a business line and continues devoting monitoring resources to requirements that no longer apply, masking the gap elsewhere.
**How AI monitoring amplifies it.** AI regulatory monitoring tools accept a scope definition from their configuration and operate within it. They do not independently identify when the organization's scope has changed in ways requiring scope expansion. The tool is diligent within its configuration; the configuration is the problem. An organization that deploys an AI monitoring tool and treats the tool's configuration as the regulatory universe has outsourced a judgment to a configuration file.
**What good programs do instead.** Regulatory inventory maintenance must be integrated with business change management. Product launches, M&A activity, geographic expansion, and business line exits should each trigger a regulatory scoping review as part of the change management process — not as a downstream compliance afterthought. The compliance function needs a seat in the product and strategy process, not just notification after decisions are made.
---
## Failure mode 6: Aggregation blindness
**What it is.** Reporting aggregates compliance data to the point where material issues are invisible to the board and senior management. The governance loop fails not because information doesn't exist, but because it is summarized at too high a level to drive decisions.
**How it manifests.** A compliance dashboard shows "94% of controls effective" and "82% of remediations on track." Neither metric reveals that the two open critical-risk controls are in the same business line, that the overdue remediations cluster in a regulatory area under active examination, or that one high-priority finding has slipped its target date four times. The board receives reassuring summary statistics; the underlying picture is not reassuring.
**How AI monitoring amplifies it.** AI reporting tools are often evaluated on their ability to synthesize large volumes of compliance data into concise summaries. Concise summaries are the product; losing material distinctions in the synthesis is the failure mode. A board report generated by aggregating AI compliance outputs is at risk of having its most important information removed at exactly the step designed to make it manageable. The prompt "summarize the compliance program status" produces a different output than "identify which open items, if unresolved, would constitute the most significant regulatory exposure." The second prompt is the right one; most implementations use the first.
**What good programs do instead.** Management and board reporting must preserve granularity on high-risk items while summarizing low-risk ones. The report structure must make material open items visible by name, not aggregated into a category. The compliance function should identify the top three to five risks in the current period — a judgment that cannot be read off a dashboard but can be stated in a paragraph — and that paragraph must appear in the board report alongside the metrics.
---
## AI-specific failure modes
The following failure modes are specific to AI-augmented compliance programs. They have no direct analog in manual programs, or exist in attenuated form that AI amplifies into a qualitatively different risk.
### Failure mode 7: False confidence from automated testing
**What it is.** Automated control monitoring produces continuous evidence of control operation — access logs, configuration states, training completions, transaction flags — that creates a subjective sense of assurance exceeding what the evidence actually supports. The volume and velocity of automated evidence production makes the program feel rigorously tested when substantive assurance is limited.
**How it manifests.** A SaaS compliance platform collects thousands of evidence items per month, flags deviations in near-real-time, and generates executive dashboards with green indicators. The compliance team reads these as "controls are working." But the evidence is of the type "the control was performed" rather than "the control was effective." The access management control shows that access reviews were completed on schedule; it does not show whether the access reviews caught inappropriate access, whether reviewers exercised judgment or rubber-stamped requests, or whether the population reviewed was complete. The automation has documented the activity; it has not assessed the quality.
**What good programs do instead.** Maintain a clear distinction between automated evidence collection and substantive testing. Automated platforms are best at detecting absence of control performance (the review wasn't completed, the log wasn't generated). They are not substitutes for periodic substantive testing that probes whether control performance is effective. Schedule periodic manual sampling of automated evidence to verify that what was documented reflects what actually happened.
---
### Failure mode 8: Over-reliance on AI monitoring without human validation
**What it is.** The compliance function treats AI regulatory monitoring output as authoritative without human review of whether the monitoring scope, classification, and triage are correct. The AI system's outputs become inputs to organizational decisions — remediation prioritization, board reporting, examiner responses — without a qualified human having independently verified the classification or completeness of what the system produced.
**How it manifests.** An AI regulatory monitoring tool classifies a final rule as "low priority" based on training-data patterns and the organization's configured scope. A qualified compliance professional reviewing the same rule would classify it as high priority because of a business line expansion that postdates the tool's configuration. The low-priority classification propagates into the remediation queue, the gap inventory, and the quarterly board report. No one catches it because the workflow was designed to route AI output directly to downstream processes. By the time an examiner raises the issue, the organization has a documented record of having deprioritized a material regulatory obligation.
**What good programs do instead.** AI monitoring output must have a human review step before it affects compliance decisions. The review need not re-examine every item — risk-stratified review (human spot-check on high-priority classifications, periodic full-population review) can preserve efficiency while maintaining accountability. The compliance professional who signs the gap inventory or the board report is signing for the contents, not for the tool's output. That accountability must be backed by actual review.
---
### Failure mode 9: Training data staleness passed as current guidance
**What it is.** An AI assistant states specific regulatory requirements — thresholds, deadlines, filing obligations, capital ratios, reportable amounts — that were accurate at training time but have since changed through rulemaking, agency guidance, or regulatory update. The output is delivered with the same confidence as outputs about structural compliance methodology, which does not change quickly.
**How it manifests.** A compliance analyst asks an AI assistant about the current reporting threshold for a specific regulatory obligation. The assistant states a figure from its training data without flagging that the figure may have changed or directing the analyst to a current authoritative source. The analyst records the figure without independent verification. The figure is wrong because a regulatory update changed it after the model's training cutoff. The compliance failure that results has a documented AI-in-the-loop origin.
**What good programs do instead.** Treat any AI output containing specific regulatory numbers, deadlines, or thresholds as unverified until confirmed against a current authoritative source. Configure AI tools used in compliance workflows to explicitly disclaim currency of regulatory specifics and direct users to authoritative sources. The distinction to preserve: structural compliance methodology (how programs are structured, what elements they require, how examinations are conducted) changes slowly and AI outputs on this are generally reliable; specific regulatory requirements change through administrative process and AI outputs on these must be verified.
---
## Summary: the examiner's test
A regulator or federal prosecutor evaluating a compliance program asks:
1. **Did the organization know its regulatory obligations?** (Inventory and monitoring)
2. **When requirements changed, did the organization identify the gap?** (Gap analysis)
3. **Did the organization take steps to close the gap?** (Remediation)
4. **Did the organization verify the gap was actually closed?** (Control testing)
5. **Was this process documented in a way presentable to an external party?** (Defensibility)
6. **Did senior management and the board receive accurate information about compliance risk?** (Governance)
Each failure mode above corresponds to a failure to answer one of these questions convincingly. AI monitoring tools can improve operational throughput at monitoring and gap identification (questions 1 and 2). They do not touch the organizational failure modes — ownership, tracking, testing independence, governance reporting, and scope maintenance. The AI-specific failure modes (7–9) introduce new risks on top of the existing six: false assurance from automation, authority laundering through AI output, and training-data staleness at the point of regulatory specifics. A compliance program that deploys AI monitoring and treats the monitoring tool as the program has addressed one input to a six-part test while introducing three new failure vectors.
<!--fold:966196@file path="sources.md" mode="644"-->
# sources
Fetch these at task time. Ordered by importance.
## Compliance program frameworks
1. COSO Internal Control — Integrated Framework (2013); the foundational model for internal controls, including the five components (control environment, risk assessment, control activities, information and communication, monitoring activities) and seventeen principles:
https://www.coso.org/guidance-on-ic
2. ISO 37301:2021 — Compliance Management Systems; international standard for compliance program requirements, governance structure, and continual improvement cycle:
https://www.iso.org/standard/75080.html
3. Federal Sentencing Guidelines for Organizations (USSG §8B2.1) — the seven elements of an effective compliance and ethics program; the legal baseline for evaluating whether a program earns credit under federal sentencing:
https://www.ussc.gov/guidelines/2023-guidelines-manual/annotated-2023-chapter-8
4. DOJ ECCP — Evaluation of Corporate Compliance Programs (updated 2023); the Department of Justice's current framework for evaluating compliance programs in criminal investigations and enforcement; the operative document for understanding what federal prosecutors actually look for:
https://www.justice.gov/criminal/criminal-fraud/evaluation-of-corporate-compliance-programs
5. FRB SR 08-8 — Compliance Risk Management Programs and the Role of Compliance Officers; Federal Reserve supervisory guidance on compliance program structure, board and management responsibilities, and the role of the compliance function in financial institutions:
https://www.federalreserve.gov/boarddocs/srletters/2008/sr0808.htm
## Regulatory change management methodology
6. Thomson Reuters Regulatory Intelligence — methodology papers on regulatory change management, horizon scanning, and compliance workflow; practitioner-grade documentation of how large compliance programs operationalize change management:
https://legal.thomsonreuters.com/en/insights/articles/regulatory-change-management
7. Deloitte RegTech Insights — regulatory change management frameworks, AI-assisted compliance monitoring methodology, and gap analysis practices; includes industry-specific applications:
https://www2.deloitte.com/us/en/pages/regulatory/articles/regtech-solutions-regulatory-compliance.html
8. NAVEX Global Definitive Guide to Compliance Program Management — practical program management methodology covering policy lifecycle, training, reporting, and control testing cadence:
https://www.navex.com/en-us/resources/
## Industry-specific compliance guidance
9. OCC Comptroller's Handbook — Compliance Management Systems; bank regulator guidance on compliance program components, examination procedures, and how examiners evaluate program effectiveness:
https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/compliance-management-systems/index-compliance-management-systems.html
10. SEC Division of Examinations Priorities — annual examination priorities; the most direct signal of which compliance areas are under active regulatory scrutiny for registered investment advisers, broker-dealers, and funds:
https://www.sec.gov/exams/announcements/exampriorities/
11. HHS Office of Inspector General — Compliance Program Guidance Documents; sector-specific guidance for healthcare organizations, covering the seven elements of an effective compliance program adapted for healthcare:
https://oig.hhs.gov/compliance/compliance-guidance/
## AI and RegTech in compliance monitoring
12. DRATA — compliance automation methodology documentation; representative of current SaaS compliance tooling (continuous control monitoring, evidence collection, gap tracking):
https://drata.com/resources
13. Clausematch — RegTech methodology papers on AI-assisted regulatory change management, obligation extraction, and policy mapping; includes technical documentation of how obligation libraries are built and maintained:
https://www.clausematch.com/resources/
14. BIS (Bank for International Settlements) — report on machine learning in compliance and supervisory technology; covers RegTech applications for regulatory change monitoring, AML, and conduct risk in financial services:
https://www.bis.org/fsb/publ/
<!--fold:966196@end-->
PORTDOWN_967F3482
# ── post ──
MARKER=$(awk '/^---$/ { f++; if (f==2) exit; next } f==1 && /^marker:[[:space:]]/ { sub(/^marker:[[:space:]]+/, ""); print; exit }' "$DEST")
[ -z "$MARKER" ] && { echo "seed: archive has no marker — corrupt" >&2; exit 1; }
awk -v m="$MARKER" -v outdir="$TARGET" '
BEGIN {
# Match <!--fold:<m>@file path="X"--> with an optional mode attr after
# the path (fold emits mode="644" on executables).
file_re = "^<!--fold:" m "@file path=\"([^\"]+)\"( mode=\"[0-9]+\")?-->$"
end_re = "^<!--fold:" m "@end-->$"
}
$0 ~ end_re { if (current) close(current); exit }
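$0 ~ file_re {
if (current) close(current)
line = $0
sub(/^<!--fold:[^@]+@file path="/, "", line); sub(/".*$/, "", line)
# Refuse absolute paths, ".." segments, and characters the shell expands
# inside double quotes, so an entry cannot write outside outdir or inject
# into the mkdir command below.
if (line ~ /^\// || line ~ /(^|\/)\.\.(\/|$)/ || line ~ /[$`\\]/) {
print "seed: unsafe path in archive: " line > "/dev/stderr"
exit 1
}
current = outdir "/" line
dir = current; sub(/\/[^\/]*$/, "", dir)
if (dir != current) system("mkdir -p \"" dir "\"")
printf "" > current
next
}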
current { print >> current }
' "$DEST"
SEED_EXTRACTED=$(find "$TARGET" -type f -not -path "$DEST" 2>/dev/null | wc -l)
if [ "$SEED_EXTRACTED" = "0" ]; then
echo "seed: archive contained no files — refusing to delete the source" >&2
echo " archive preserved at: $DEST" >&2
exit 1
fi
rm -f "$DEST"
echo "" >&2
echo "✓ seed unpacked → $TARGET ($SEED_EXTRACTED files)" >&2
find "$TARGET" -type f | sort | while IFS= read -r _sf; do
echo " ${_sf#${TARGET}/}" >&2
done
echo "" >&2
if [ -f "$TARGET/SKILL.md" ]; then
echo "This seed contains a skill (SKILL.md). Install it in your agent's skills directory." >&2
echo "" >&2
fi
echo "Install the seed skill if not already installed:" >&2
echo " https://seed.show/skill" >&2
echo "" >&2
echo "Publisher prompt:" >&2
sed 's/^/ /' >&2 <<'__SEED_PROMPT_END_AC1F2B__'
You have regulatory compliance monitoring context. Start with README.md: opens with scope warning (agents give orientation, not compliance opinions), mental model of compliance as a control environment, the full monitoring lifecycle, and what AI is changing. Then failure-modes.md: 9 failure modes — 6 organizational (horizon risk, translation failure, testing theater, remediation drift, inventory decay, aggregation blindness), 3 AI-specific (false confidence from automated testing, over-reliance without human validation, training data staleness). Then sources.md for authoritative frameworks. To share context bundles: curl seed.show/skill | bash
__SEED_PROMPT_END_AC1F2B__
exit 0