Agent Architecture6 min read·

How to Build a Compliance-Aware Agent for Regulated Industries

A compliance-aware agent fails in a specific, expensive way: it answers a customer's question about a financial product using a disclosure that was retired two regulatory cycles ago, or it surfaces a drug interaction note that a clinical…

A compliance-aware agent fails in a specific, expensive way: it answers a customer's question about a financial product using a disclosure that was retired two regulatory cycles ago, or it surfaces a drug interaction note that a clinical reviewer flagged for removal last week. The content was technically in the index. Nobody had governed whether the agent was still allowed to say it. In regulated industries, that gap is not an embarrassment, it is an audit finding, a fine, or a patient-safety incident.

Most teams build retrieval first and bolt governance on later, which is exactly backwards. By the time legal asks "who approved this answer, against which version of which document?", the vector pipeline has no answer because embeddings were generated from a snapshot nobody can reconstruct. Sanity Context (the retrieval product built on Sanity, the AI Content Operating System for the AI era) treats this as the core problem rather than an afterthought: an intelligent backend where the content an agent retrieves, the instructions it follows, and the approval state of both live in one governed system.

This guide walks through building an agent where every answer is traceable to an approved, current source, and where editors, not just engineers, hold the controls.

Start with the failure mode, not the model

The instinct in regulated settings is to reach for the largest model and the strictest system prompt, as if hallucination were purely a reasoning defect. It is not. The dominant failure in regulated agents is a grounding failure: the model retrieves real content that should no longer be in play. A disclosure that was current in Q1 is superseded in Q2, but the embedding generated in Q1 still sits in the vector store, semantically perfect and factually expired. The model cites it faithfully. The auditor is unimpressed.

This reframes what "compliance-aware" has to mean. It is not a guardrail layer that scans outputs for forbidden phrases after the fact. It is a property of the retrieval path itself: the agent can only retrieve content that is current and approved, because the store it queries reflects the approval state of the underlying content rather than a stale copy of it. The distinction matters because output filters are probabilistic and the regulator's question is binary: was this answer grounded in an approved, in-force document, yes or no?

This is where the architecture choice cascades. If your content lives in a CMS and your embeddings live in a separate vector database, you maintain two sources of truth that drift apart by design. The Content Lake closes that gap because dataset embeddings are tied to the content itself; when a clinical reviewer retires a document or publishes a corrected version, the embeddings propagate within minutes rather than waiting on a nightly re-index job that may silently fail. The grounding state and the publishing state are the same state.

Model the rules into the content, not the prompt

A system prompt that says "only cite approved sources, never reference deprecated guidance, always include the relevant risk disclosure" is a wish, not a control. The model may comply ninety-nine times and improvise on the hundredth, and in a regulated industry the hundredth is the one that lands in the complaint file. Compliance rules that live only in prose are unenforceable; they have to be modeled into the structure of the content the agent reads.

Modeling your business, the first pillar of the Content Operating System, is the lever here. Instead of a flat blob of text, each document carries the fields that compliance actually cares about: effective date, expiry date, jurisdiction, approval status, the reviewer who signed off, and the regulatory citation it satisfies. Those are not metadata decorations. They are query predicates. A GROQ query can filter to documents where status is approved, the jurisdiction matches the user's, and today falls inside the effective window, all before semantic ranking ever runs. The agent is structurally incapable of retrieving an out-of-jurisdiction or expired document because the query never returns it.

Contrast this with stuffing a PDF corpus into a vector index. There, jurisdiction and expiry are buried inside the prose, invisible to the retriever, recoverable only if the model happens to read and respect them. Structured fields turn compliance from a behavior you hope for into a constraint you enforce. The rule lives in the schema, so it applies to every query, every agent, every time, with no dependence on the model's good intentions.

Illustration for How to Build a Compliance-Aware Agent for Regulated Industries
Illustration for How to Build a Compliance-Aware Agent for Regulated Industries

Build hybrid retrieval that a regulator can read

Regulated questions are rarely pure keyword or pure semantic. A user asking "can I withdraw from this account before 59 and a half without penalty?" needs both the exact regulatory term and the conceptually related provisions that a literal keyword search would miss. Lexical-only retrieval misses paraphrase; semantic-only retrieval drifts onto plausible-sounding but wrong neighbors. In a compliance context, drift is not a relevance nuisance, it is a liability.

Hybrid retrieval blends both, and the architecture question is whether you blend them yourself across two systems or whether the backend does it natively. Inside the Content Lake, a single GROQ query combines `text::semanticSimilarity()` for meaning with a BM25 `match()` for exact terminology, blended through `score()` and `boost()` so the exact regulatory citation outranks a loose semantic cousin. Crucially, that same query carries the compliance predicates from the previous section, so filtering and ranking happen in one pass against one source of truth.

The "a regulator can read" part matters as much as the retrieval quality. When the ranking logic is a GROQ query, it is inspectable, version-controllable, and explainable. You can show an auditor the exact query that produced an answer and the exact documents it was allowed to consider. Compare that to a stack where a vector database returns candidates, an external re-ranker reshuffles them, and a glue service applies filters: the decision is smeared across three systems with three logs, and reconstructing why a given document surfaced becomes forensic work. Native hybrid retrieval keeps the entire grounding decision in one legible, governed place.

Govern the agent's instructions like you govern the website

Here is the part most teams miss entirely: the agent's instructions are content, and in a regulated industry they are arguably the most sensitive content you have. The system prompt that tells the agent how to handle a benefits question, which disclosures to attach, when to refuse and escalate to a human, that prompt has the same regulatory weight as a published disclosure. Yet it usually lives in an engineer's environment variable, changed by a deploy, reviewed by no one in compliance, with no record of who changed what or when.

Treating instructions as governed content fixes this. In the Studio, agent instructions become documents that move through the same review and approval workflow as everything else editors manage. Content Releases let a compliance team stage a change to how the agent behaves, a new mandatory disclosure for a product launch, a refusal rule for a newly regulated topic, and preview the agent's behavior against that staged change before it goes live, the same way they would stage and preview a website update. Nothing reaches production unreviewed.

This is the difference between an agent that is configured and an agent that is governed. Configuration is a setting an engineer flips. Governance is a documented, reviewable, revertible workflow with an owner and an audit trail. When the regulator asks who approved the agent's current behavior and what it was before, "check the Git history of a config file" is not an answer that survives an audit; a Content Release with named approvers and a timestamped change record is. The Live Content API and the Sanity Context MCP endpoint serve the approved state to production agents, so what the agent does in front of a customer is exactly what compliance signed off on.

Make every answer traceable end to end

When something goes wrong, and in a regulated industry you should assume it eventually will, the only acceptable posture is total traceability: this answer, on this date, was grounded in these specific document versions, retrieved by this query, under these agent instructions, all of which had been approved by these people. If you can produce that chain, an incident becomes a contained, explainable event. If you cannot, a single bad answer metastasizes into a finding about your entire process.

Most RAG stacks cannot produce this chain because the pieces live in disconnected systems with incompatible notions of time. The content backend knows the current document. The vector store knows an embedding generated from some past version it can no longer name. The orchestration layer knows the prompt but not which content version answered it. Reassembling the truth after the fact is archaeology. The architectural fix is to keep grounding, ranking, and instruction state in one system with one timeline, which is what an intelligent backend for AI content operations gives you: Content Source Maps trace a rendered answer back to the exact fields and documents that produced it, and because embeddings are tied to content, the version that grounded an answer is the version the system actually served.

Knowledge Bases extend the same governed path to the messier inputs regulated teams live with: support databases, policy PDFs, and external documentation become agent-readable documents that flow through the same retrieval and approval mechanics rather than sitting in a parallel, ungoverned index. One path in means one path to audit.