Compliance assistants

Compliance assistants for the tools your team already uses

Work from Microsoft Teams, Slack, Copilot M365 and the web app with the same role controls, confirmation gates and audit trail. All four are surfaces onto the same governed Acompli platform. AI helps teams draft, search and route work, while accountable people approve the record.

On this page
01

Assistant answer

Can Irish and UK teams run GDPR and EU AI Act work from inside Microsoft Teams, Slack and Copilot M365?

Yes. Acompli exposes a ReAct-style agent over a governed tool registry — assessments, risks, RoPA, knowledge base, tasks, reporting, research, notifications — through Microsoft Teams, Slack, and a Copilot M365 integration. Higher-level skills bundle the underlying tools into named workflows (clone-and-relaunch, completeness audit, create-and-launch with auto-draft), and the same skills are addressable from web chat, Teams, and Slack. The assistant is a thin facade onto the governed platform — not an independent AI.

Key takeaways

  • Every surface runs identical, audited logic. A chat request in Microsoft Teams, Slack or Microsoft 365 Copilot and a button click in the web app call the same governed tool registry — assessments, risks, RoPA (Article 30), knowledge base, tasks, reporting — under one role-based access control and one immutable audit log.
  • The assistant cannot make the legal call. AI drafts, extracts and surfaces; mutating actions require the same minimum role and the same explicit confirmation gate as the UI, and heavy generation pauses at a human-review gate. This is what keeps GDPR accountability (Article 5(2)) and EU AI Act human-oversight expectations demonstrable to the DPC (Ireland) and the ICO (UK).
  • It is grounded, not generative-only. Unlike a generic chatbot, every drafted claim is grounded in your own knowledge base and carries a grounding score and a review-priority flag, so a reviewer sees what to check first.
  • Honest scope. Browser dictation transcription and meeting-minutes extraction are live today; realtime conversational voice is intentionally disabled and treated as roadmap, not a shipping feature.
02

Where it lives

Four surfaces. One tool registry. Same audit trail.

Each conversational and agentic surface is a transport over the same underlying tool registry. The agent's tools call the same service singletons and the same drafting-and-grounding pipeline as the UI; they read and write the same records and knowledge base; they enforce the same role hierarchy and confirmation gates; and they emit to the same audit and observability layer. In Acompli, the surface is only the transport — the governance lives in the tool registry underneath.

See Code Scan · See DSAR · See EU AI Act

In-app agent (web)

ReAct-style agent in the Acompli web app, working over the governed tool registry (assessments, risks, RoPA, and more). Skills bundle these into named workflows.

Microsoft Teams + Slack

Channel gateway exposes the same skills inside Teams and Slack. Commands and notifications route through the shared orchestrator and inherit identical role gates.

Microsoft 365 Copilot

Copilot API plus an MCP server re-expose an RBAC-filtered slice of the tool registry to Microsoft 365 Copilot and compatible agent runtimes. Thin facade over existing service singletons.

Browser dictation

Live dictation transcription across the platform. Meeting minutes surface extracts AI-suggested action items from transcribed meetings for human review.

03
How it's governed

A chat request runs identical, audited logic to a button click

Every assistant action passes through the same five-layer spine that governs every other module — same knowledge base, same identity / legal-entity / business-unit RBAC, same AI pipeline, same immutable audit log, same reporting rollup. This is what keeps GDPR accountability under Article 5(2) and EU AI Act human-oversight expectations demonstrable to the DPC (Ireland) and the ICO (UK), whichever surface the work started from. Here is what that spine enforces on every run.

Last reviewed: 10 June 2026. See how the platform works · EU AI Act governance.

  1. Role-gated tool registry

    Each tool carries a minimum role from the 8-level role hierarchy. Acompli's agent cannot call a tool a user's role does not allow; the role check happens at the same layer as the web app's role check.

  2. Confirmation gates on mutations

    Many tools require explicit confirmation before they mutate anything. The confirmation is rendered to the user in their surface (Teams card, Slack message, web chat) and the action only proceeds on a positive response.

  3. Legal-entity + BU scoping

    Every query Acompli's agent makes is filtered by the user's effective legal-entity and business-unit scope — the same scoping predicate enforced everywhere. The agent cannot see or act on records outside that scope.

  4. Grounded in your knowledge base

    Drafted answers, extracted risks, generated RoPA records, and report narratives are grounded in the organisation's own KB (real systems, third parties, locations, prior approved precedents) — not generic boilerplate. Each claim carries a grounding score and a review-priority flag.

  5. Immutable audit log

    Every agent run writes a durable provenance record (agent steps, token usage, grounding summary) to the same immutable audit log that captures every UI action. An admin can review what the assistant did, by whom, with the same trail as any other operator.

  6. Human-review gates on the heavy generation

    Stage-chains (draft → enhancement → risk extraction → RoPA generation) pause at human-review gates. A reviewer's approval is the only thing that unblocks privileged downstream generation — whether the chain was kicked off from Teams, Slack, the web app, or Copilot. Acompli records that approval on the chain itself, so the audit trail shows who unblocked each step, and from which surface.

04

Difference

Acompli compliance assistant vs a generic GDPR chatbot

A generic chatbot answers from a model and a knowledge file. The Acompli assistant is a governed surface onto the platform — the same RBAC, immutable audit log and human-review gates that the DPC or ICO would expect to see behind any compliance action.

Acompli compliance assistant
Generic GDPR chatbot
Access control: every tool carries a minimum role; legal-entity and business-unit scope enforced by the same RBAC as the web app.
No role model — anyone in the chat can ask anything.
Grounding: grounded in your own knowledge base (real systems, third parties, approved precedents); each claim has a grounding score and review-priority flag.
Answers from a foundation model and an uploaded file; no provenance per claim.
Mutating actions: require explicit confirmation; heavy generation pauses at a human-review gate before anything is recorded.
Cannot write to governed records, or does so with no review gate.
Audit trail: every run writes a durable provenance record to the same immutable audit log as a UI action, reviewable by an admin.
Chat transcript at best; no link to the compliance record.
Who decides: AI drafts, extracts and surfaces; a human approves. The assistant never makes the final legal determination unattended.
Presents model output as the answer.

Evaluation checklist

What to look for in a compliance assistant

  • Same access control as the system of record. Every action the assistant takes should inherit the role, legal-entity and business-unit scope a user already has — not a separate, looser permission model bolted onto a chat window.
  • A confirmation gate before it changes anything. Mutating actions should pause for explicit human confirmation in the surface you are working from (Microsoft Teams card, Slack message, web chat), so the assistant never writes to a governed record unattended.
  • Grounded answers with provenance per claim. Each drafted answer should be grounded in your own knowledge base and carry a grounding score and a review-priority flag, so a reviewer can see what to check first — not free-text from a foundation model alone.
  • One immutable audit trail across every surface. A request from Teams, Slack or Microsoft 365 Copilot should land in the same audit log as a click in the web app, so you can show the DPC or ICO who did what, on which record.
  • A human approves the legal call. The assistant should draft, extract and surface; a named, accountable person approves the final determination, which is what keeps GDPR accountability (Article 5(2)) and EU AI Act human oversight (Article 14) demonstrable.

For the GDPR / EU AI Act seam — how completed assessments feed an Article 30 RoPA, and how data processing flags AI systems for Annex III review — see Assessments, EU AI Act, and when the EU AI Act applies in Ireland.

The Acompli assistant operates over the same registers as the rest of the platform — explore the category pillars for DPIA software, DSAR software, and vendor risk management software.

Acompli compliance assistants are included with the Acompli platform. See Acompli pricing.

Regulatory signals

What the newsroom is tracking

Selected GDPR and EU AI Act news from acompli.ie — implementation timelines, regulator guidance, enforcement, and cross-border effects.

Assistant FAQ

Compliance assistant questions answered

Practical questions about Teams, Slack, Copilot M365, MCP, dictation, RBAC, and audit controls.

Can DPOs work with compliance platforms from inside Microsoft Teams?

Yes. Acompli exposes a ReAct-style agent over a governed tool registry — assessments, risks, RoPA, knowledge base, tasks, reporting, research, notifications — through Microsoft Teams, Slack, and a Copilot M365 integration. A user asking the assistant a question and a user clicking a button in the web app run identical, audited logic. Mutating actions require the same role and the same explicit confirmation regardless of which surface the request came from.

How does an AI assistant for compliance work safely under RBAC?

Every tool in the Acompli assistant registry carries a minimum-role requirement enforced by the same role-based access control that gates the web app. The agent cannot bypass legal-entity or business-unit scope, cannot escalate privileges, and cannot complete a mutating action without the explicit confirmation gates configured per tool. Every agent run emits to the same immutable audit log as a UI action — so an admin can review what the assistant did, by whom, with the same trail as any other operator.

Does Acompli have a Microsoft 365 Copilot integration for GDPR work?

Yes. The same tool registry the in-app agent uses is re-exposed to Microsoft 365 Copilot, and an MCP server is provided for compatible Copilot and agent runtimes. The integration is a thin facade over existing platform services — Copilot queries and writes resolve through the same scoping, the same human-review gates, and the same audit spine that govern every other surface.

Can compliance teams capture dictation and meeting minutes inside the platform?

Yes. Browser-based dictation transcription is live across the platform, and a meeting-minutes surface extracts action items from a transcribed meeting. Realtime conversational voice (a back-and-forth voice agent) is intentionally disabled today and treated as roadmap — dictation transcription is the live capability; conversational voice is not.

What can a compliance bot in Slack actually do?

Higher-level skills bundle the underlying tool registry into named workflows — clone-and-relaunch an assessment, run a completeness audit, create-and-launch with auto-draft, request indexing of a register entry. The same skills are addressable from web chat, Teams, and Slack. Skills inherit the role gate of every tool they wrap, so the Slack surface cannot do more than the user could do in the web app.

How is an AI compliance assistant different from a generic chatbot?

A generic chatbot answers from a model and a knowledge file. The Acompli assistant runs on the same drafting and grounding pipeline as the rest of the platform — every claim is grounded in the organisation's own knowledge base (real systems, third parties, prior approved precedents), every drafted answer carries a grounding score and a review-priority flag, and every mutating action passes through the same RBAC and human-review gates as a UI action. The assistant is a surface onto the governed platform, not an independent AI.

How does a compliance assistant support EU AI Act human oversight (Article 14)?

EU AI Act Article 14 requires that high-risk AI systems can be effectively overseen by a natural person while in use. The Acompli assistant is built to make that oversight demonstrable rather than theoretical: AI drafts, extracts and surfaces, but mutating actions stop at an explicit confirmation gate and heavy generation (draft to enhancement to risk extraction to RoPA generation) pauses at a human-review gate, so an accountable person approves the record before it is written. Every run is logged to the same immutable audit trail as a web-app action, which is the evidence an Irish or UK organisation can show the DPC or ICO that a human — not the model — made the final call.

Bring your team's collaboration tools into compliance work

Teams, Slack, Copilot M365, MCP, and dictation — all on the same governed platform, with the same human-review gates. Talk to us about deployment for your organisation.