Compliance Ontology

The compliance ontology is a directed graph encoding the relationships between regulatory frameworks, categories, articles, risk factors, mitigations, action types, data classifications, and resource types. It powers both the forward-chaining engine (rule-to-article mapping) and the Memgraph co-processor (graph traversal for RAG).

Graph Statistics

| Metric | Value |
|---|---|
| Total nodes | 1,948 |
| Total edges | 1,075 |
| Frameworks | 7 |
| Categories | 43 |
| Articles | 259 |
| Risk Factors | 12 |
| Mitigations | 1,068 |
| Action Types | 34 |
| Data Classifications | 6 |
| Resource Types | 6 |

Node Types

| Node Type | Description | Properties |
|---|---|---|
| Framework | Top-level regulatory frameworks. Supported: GDPR, HIPAA, SOC2, PCI-DSS, PII (general), OWASP (including LLM Top 10), ISO27001 | id, label, jurisdiction |
| Category | Groupings within frameworks. E.g., gdpr:consent_management, hipaa:phi_safeguards | id, label, framework, pagerank, community_id |
| Article | Specific regulation text. E.g., GDPR Art. 5(1)(c), HIPAA §164.312(a)(1) | id, label, description, text (full regulatory text), pagerank, betweenness, community_id |
| RiskFactor | Abstract risk concepts that link actions to articles. E.g., rf:data_exfiltration, rf:gdpr_consent_violation | id, label, description, severity_weight, pagerank |
| Mitigation | Recommended controls and remediation steps | id, text, effectiveness_score, community_id |
| ActionType | Action taxonomy entries. E.g., at:email_send, at:database_query | id, label, risk_weight |
| DataClass | Data sensitivity classifications: public, internal, pii, pii_sensitive, financial, health, auth, legal | id, label, sensitivity_level |
| ResourceType | Resource categories for target classification | id, label |

Edge Types

| Edge Type | Source → Target | Description |
|---|---|---|
| has_category | Framework → Category | Framework contains this category |
| governed_by | Category → Article | Category governed by this article |
| triggers | RiskFactor → Article | Risk factor triggers this article's applicability |
| mitigated_by | RiskFactor → Mitigation | Risk factor addressed by this mitigation |
| implies_risk | ActionType → RiskFactor | Action type implies this risk |
| accesses | ActionType → DataClass | Action type accesses this data class |
| has_policy | Framework → Policy | Framework defines this policy |
| subscribes_to | Tenant → Framework | Tenant subscribes to this framework |

Graph Traversal Patterns

Article Discovery for Risk Factors

```cypher
MATCH (at:ActionType {id: $action_type})-[:IMPLIES_RISK]->(rf:RiskFactor)
MATCH (rf)-[:TRIGGERS]->(article:Article)
MATCH (cat:Category)-[:GOVERNED_BY]->(article)
MATCH (fw:Framework)-[:HAS_CATEGORY]->(cat)
WHERE fw.id IN $tenant_frameworks
RETURN fw.id AS framework, article.id, article.pagerank
ORDER BY article.pagerank DESC
```

Mitigation Coverage

```cypher
MATCH (rf:RiskFactor)-[:MITIGATED_BY]->(mit:Mitigation)
WHERE rf.id IN $risk_factor_ids
WITH mit, COUNT(DISTINCT rf) AS covers
RETURN mit.text, covers
ORDER BY covers DESC
```

Cross-Framework Impact

```cypher
MATCH (rf:RiskFactor {id: $rf_id})-[:TRIGGERS]->(article:Article)
MATCH (cat:Category)-[:GOVERNED_BY]->(article)
MATCH (fw:Framework)-[:HAS_CATEGORY]->(cat)
RETURN DISTINCT fw.id AS framework, COUNT(article) AS violations
```
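The Article Discovery and Mitigation Coverage patterns above, re-expressed in plain Python over a small in-memory graph so the traversal (and the tenant-framework filter that keeps unsubscribed frameworks out of the results) can be read and run without Memgraph. This is an added example, not code from quint_graph; the node ids, edges and pagerank values are a constructed sample, and stdlib dicts stand in for the networkx.DiGraph the real loader builds.

```python
from collections import defaultdict

# Constructed sample of the ontology; ids and pagerank values are illustrative only.
PAGERANK = {"gdpr:art5_1_c": 0.031, "gdpr:art32": 0.048, "hipaa:164_312_a_1": 0.027}
MIT_TEXT = {"mit:encrypt_in_transit": "Encrypt data in transit",
            "mit:consent_check": "Verify consent before processing"}
EDGES = [  # (source, edge_type, target), following the Edge Types table
    ("gdpr", "has_category", "gdpr:consent_management"),
    ("hipaa", "has_category", "hipaa:phi_safeguards"),
    ("gdpr:consent_management", "governed_by", "gdpr:art5_1_c"),
    ("gdpr:consent_management", "governed_by", "gdpr:art32"),
    ("hipaa:phi_safeguards", "governed_by", "hipaa:164_312_a_1"),
    ("rf:data_exfiltration", "triggers", "gdpr:art32"),
    ("rf:data_exfiltration", "triggers", "hipaa:164_312_a_1"),
    ("rf:gdpr_consent_violation", "triggers", "gdpr:art5_1_c"),
    ("rf:data_exfiltration", "mitigated_by", "mit:encrypt_in_transit"),
    ("rf:data_exfiltration", "mitigated_by", "mit:consent_check"),
    ("rf:gdpr_consent_violation", "mitigated_by", "mit:consent_check"),
    ("at:email_send", "implies_risk", "rf:data_exfiltration"),
    ("at:email_send", "implies_risk", "rf:gdpr_consent_violation"),
]
OUT, IN = defaultdict(list), defaultdict(list)  # typed adjacency, both directions
for src, etype, dst in EDGES:
    OUT[(src, etype)].append(dst)
    IN[(dst, etype)].append(src)

def frameworks_of(article):
    """Walk Article <-governed_by- Category <-has_category- Framework."""
    return {fw for cat in IN[(article, "governed_by")] for fw in IN[(cat, "has_category")]}

def articles_for_action(action_type, tenant_frameworks):
    """Article Discovery: ActionType -> RiskFactor -> Article, kept only when the
    owning framework is one the tenant subscribes to; highest pagerank first."""
    hits = set()
    for rf in OUT[(action_type, "implies_risk")]:
        for art in OUT[(rf, "triggers")]:
            for fw in frameworks_of(art) & set(tenant_frameworks):
                hits.add((fw, art, PAGERANK[art]))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def mitigation_coverage(risk_factor_ids):
    """Mitigation Coverage: rank mitigations by distinct risk factors addressed."""
    covers = defaultdict(set)
    for rf in risk_factor_ids:
        for mit in OUT[(rf, "mitigated_by")]:
            covers[mit].add(rf)
    return sorted(((MIT_TEXT[m], len(r)) for m, r in covers.items()), key=lambda c: -c[1])
```

A tenant subscribed only to GDPR never sees the HIPAA article even though the same risk factor triggers it, which is exactly what the `WHERE fw.id IN $tenant_frameworks` clause enforces in the Cypher version.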

Storage

The ontology is stored as a JSON file at graph/src/quint_graph/data/compliance_ontology.json (~558 KB) and loaded as a networkx.DiGraph at startup:

```python
from quint_graph.graph import load_ontology

ontology = load_ontology()  # Cached singleton
articles = ontology.get_nodes_by_type("article")
mitigations = ontology.get_mitigations_for_risk("rf:data_exfiltration")
```

When Memgraph is enabled, the ontology is loaded into Memgraph via scripts/load_ontology_memgraph.py for graph-native queries.