Termboard

Appearance

Creating a Policy Graph with Termboard

Transform complex regulations, policies, and compliance frameworks into navigable, visual knowledge graphs. This guide shows you how to turn dense regulatory documents into interactive policy maps.

What is a Policy Graph?

A Policy Graph represents regulatory content—articles, requirements, roles, and obligations—as an interconnected network of Terms and Relations. Instead of reading 144 pages of regulation, stakeholders can visually explore compliance paths and understand how different elements relate.

Why Policy as Graph?

Traditional approaches like "Policy as Code" focus on automated enforcement. Policy as Graph focuses on understanding and communication—making complex regulations accessible to non-experts while providing a structured foundation for AI-powered Q&A.

Benefits of Policy Graphs

ChallengePolicy Graph Solution
Dense Legal TextVisual navigation of concepts and relationships
Cross-ReferencesClickable links between related articles and requirements
Stakeholder CommunicationShare with non-experts without requiring full document reading
AI GroundingExport and feed to LLMs for accurate, context-aware Q&A
Compliance Path TracingFollow chains from requirements to roles to obligations

The Policy Metamodel

The Policy Modeling profile provides specialized Term and Relation types for regulatory analysis:

Term Types

TypeIconPurpose
Policy🛡️ mdi-shield-checkA regulation, law, or policy document
Data Subject👤 mdi-accountA natural person whose data is processed
Data Category🗄️ mdi-databaseA category of personal data (e.g., "Health Data")
Purpose🎯 mdi-targetThe declared purpose for processing data
Legal Basis⚖️ mdi-gavelThe legal ground for data processing (e.g., GDPR Art. 6)
Data Controller🏢 mdi-domainThe entity determining the purposes and means of processing
Data Processor⚙️ mdi-cogsThe entity processing data on behalf of a controller
GroupA logical grouping of policy elements
TermGeneric fallback for other policy concepts

Relation Types

RelationDescription
ProcessesIndicates a controller/processor handles specific data
Has Legal BasisLinks processing to its legal justification
For PurposeSpecifies the objective of the processing
Requires ConsentIndicates mandatory agreement from the data subject
Transfers ToData shared with another entity (e.g., third-party processor)
Retained ForSpecifies the data retention period

Building a Policy Graph

Step 1: Select and Scope Your Policy

Before starting, define the boundaries of your policy graph:

  1. Choose your regulatory framework: GDPR, EU AI Act, HIPAA, SOC 2, CCPA, or internal policies
  2. Define scope: Full regulation or specific sections (e.g., "EU AI Act Risk Categories")
  3. Identify your audience: Compliance officers, developers, executives

Domain Profile

Use the Policy Modeling domain profile in the top bar for pre-configured term types (Law, Regulation, Article, Requirement, Role) and relation types designed for policy modeling.

Step 2: Extract Key Terms with AI

Use an LLM to identify the core concepts from your regulatory document:

  1. Use below prompt to extract the key terms and their relationships from your regulatory document:
  2. Open File > Import > Compact Format and paste results of the prompt

Example prompt for the EU AI Act:

Extract the key terms and their relationships from the EU AI Act,
focusing on: AI system risk levels (prohibited, high-risk, limited,
minimal), key roles (providers, deployers, importers), and main
obligations for each.

Deliver the terms and relationsoutput in the following format:

# Model: My Domain Model

## Terms

# name | description  | type | xfield:status
# ------
Customer | A person who purchases goods  | concept | Active
Order | A request for products | concept | Pending
## Relations

# source | relationName | target | description | cardinality | cardinalitySource | xfield:priority
# ------
Customer | places | Order | Customer places an order | * | 1 | High

See for more fields you can specify here

Iterative Extraction

Don't try to extract everything at once. Start with high-level concepts (e.g., risk categories, key roles, main obligations), then drill down into specific articles.

Step 3: Organize by Risk Level or Category

For regulatory frameworks, organize Terms by their classification:

EU AI Act Example:

  • 🔴 Prohibited — Social scoring, predictive policing, emotion recognition in workplaces
  • 🟠 High-Risk — Biometrics, hiring AI, credit scoring, critical infrastructure
  • 🟡 Limited — Chatbots, deepfakes (disclosure requirements)
  • 🟢 Minimal — Spam filters, AI in games (voluntary compliance)

DORA Example (Audience-Based):

  • 🔵 IT — ICT Systems, Threat Intelligence, Legacy Systems, TLPT
  • 🟠 Risk — Major Incidents, Impact Tolerance, Vulnerability
  • 🟢 Compliance — Proportionality, Simplified Frameworks, Reporting
  • 🟣 Board — Governance, Strategy, Ultimate Responsibility
  • Third-Party — Critical Providers (CTPPs), Oversight Framework, Concentration Risk

Color-coding in Termboard:

  1. Add an Extra Field called "Risk Level" or "Audience" with list values
  2. Configure automatic coloring based on the field value
  3. View risk distribution or audience ownership at a glance

Step 4: Add Article Text and Details

Each Term in your policy graph should contain the relevant regulatory content:

  1. Select a Term on the canvas
  2. In the Term Sidebar, expand the Additional Information section
  3. Paste or summarize the article text, including:
    • Direct quotes from the regulation
    • Cross-references to other articles
    • Implementation deadlines
    • Penalties for non-compliance

Rich Content

You can also use a bulk update by requesting the LLM to add the additional information in this format and update it similar to step 2

## terms
# name | additionalInformation
# ------
Customer | A person who purchases goods
Order | A request for products

Step 5: Create Compliance Relations

Connect Terms to show regulatory relationships:

Common Policy Relation Types:

  • requires — Article requires certain actions
  • applies to — Regulation applies to certain AI systems
  • defined in — Term defined in specific article
  • enforced by — Authority responsible for enforcement
  • exempts — Exception or exemption relationship
  • supervises — Oversight relationship

Example Relations:

  • High-Risk AI Systems require Conformity Assessment
  • Provider must comply with Article 16
  • National Authority enforces Regulation
  • GPAI Models defined in Article 3

Step 6: Add Cross-References

Regulations frequently reference other articles, directives, or frameworks:

  1. Create Terms for referenced documents (e.g., "GDPR", "Product Liability Directive")
  2. Add Relations showing dependencies:
    • EU AI Act references GDPR (for personal data processing)
    • Article 13 clarifies Article 9

Use the Find Path feature to trace compliance paths between any two concepts.

Example Policy Graphs

RegulationApproachFocusLink
EU AI ActRisk-basedAI risk categories, provider obligationsView Demo
BCBS 239HierarchicalPrinciples, sub-principles, requirementsView Demo
DORAAudience-basedICT risk, third-party oversight, incident reportingView Demo

Explore all available policy graphs: Policy Demos

Leveraging Your Policy Graph

1. Visual Compliance Navigation

  • Click any Term to view the full article text
  • Follow Relations to understand compliance requirements
  • Use Interactive Graph for exploration mode

2. Stakeholder Communication

  • Export to PDF/HTML for sharing with non-technical stakeholders
  • Generate presentations via PowerPoint export
  • Use the graph as a training tool for new employees

3. AI-Powered Q&A

Export your policy graph as JSON and provide it as context to an LLM:

  1. Export via File > Export > Compact Format
  2. Feed the File to your LLM with a prompt like:
    Based on the following policy graph, answer questions about
compliance requirements
  3. The structured graph provides grounded answers, reducing hallucinations

See Chat with Model for built-in LLM integration.

4. Compliance Path Analysis

Use Find Path to answer questions like:

  • "What connects High-Risk AI to Provider obligations?"
  • "How does the EU AI Act relate to GDPR requirements?"

Best Practices

  1. Start with the table of contents — Use the regulation's structure as your initial hierarchy
  2. Focus on actionable items — Prioritize requirements and obligations over preambles
  3. Include cross-references — Regulations rarely stand alone
  4. Add deadlines — Use Extra Fields to track implementation dates
  5. Version your model — Save versions as regulations are updated (e.g., v1 → v2 → v3)
  6. Use incremental updates — For large regulations, add sections with update files rather than rewriting everything
  7. Validate with experts — Review with legal/compliance teams
  8. Quality check before publishing:
    • All chapters/articles present
    • Articles connected to chapters via contains
    • No orphan terms (every term has at least one relation)
    • No empty relation names
    • Consistent audience/category tags