TL;DR: Forseti is not an autonomous AI agent pretending to be legal counsel. It is an auditable AI advisor built into AesirX ComplianceOne for compliance, privacy, risk, audit, and legal operations. It grounds answers in the customer's installed regulatory packs and their own records, automates the deterministic and citation-bound slice of work across 20 workflows, remembers prior organisational decisions through an org-scoped memory model, extends into the customer's external tools through MCP, and records every meaningful interaction in a chain of custody. In compliance, AI is only useful if it can be inspected. Forseti is built on that premise.
This article is written for DPOs, compliance managers, legal counsel, CISOs, internal audit leads, vendor risk leaders, contract counsel, and digital transformation leaders who are evaluating where an AI advisor fits inside a regulated compliance product. It is especially relevant for organisations operating under the Vietnamese personal data protection regime, the Cybersecurity Law, sector-specific governance instruments such as the new banking internal-control circular, and parallel international frameworks like ISO 27001, SOC 2, GDPR, NIS2, ePrivacy Directive, and DORA.
What Forseti is, named for the Norse god of justice
The name Forseti derives from the Norse god of justice and reconciliation, who hears every party’s case and settles disputes with reasoned judgment.
Forseti is a chat-first AI advisor wired into every record-bearing surface in AesirX ComplianceOne. It grounds every answer in two sources of truth: the customer's own data (DPIAs, vendor records, contracts, rights-request cases, breach notifications, governance documents, controls, audit findings) and the regulatory frameworks installed in their organisation (Vietnamese PDPL, EU GDPR, ePrivacy, DORA, NIS2, ISO 27001, SOC 2, the Vietnamese Cybersecurity Law, the Banking Circular 83 sector overlay, the AI Law, and the per-country ePrivacy national overlays). The full 14-locale fan-out is on the roadmap.
“Autonomous AI optimises for speed. Auditable AI optimises for survival under inspection.”
That is the load-bearing distinction. Everything else in this article is a consequence of it.
Six personas serve every customer:
→ Forseti Generalist: the entry-point persona. Knows every framework, can answer cross-module questions, hands off to a specialist when the question warrants it.
→ Compliance Specialist: the framework-fluent persona for the compliance officer's day-to-day. Owns the framework cross-walk, gap analyses, control mappings.
→ Legal Counsel: the contract-fluent persona for legal review. Owns clause libraries, redline review, jurisdiction-aware risk language.
→ DPO Advisor: the privacy-fluent persona for the data protection officer. Owns DPIAs, RoPA, transfers, breach notifications, rights requests.
→ Risk Analyst: the risk-fluent persona for the second line. Owns risk acceptances, vendor risk, sub-processor change impact.
→ Auditor's Eye: the auditor-fluent persona for the third line. Owns walkthroughs, control evidence sufficiency, privilege creep detection.
Personas are runtime artefacts, not training. Each includes a system prompt template, an off-topic refusal block, a citation-discipline block, persona-specific tool affinities, and an example greeting. Customers on the Enterprise tier can override the system prompt at the tenant level (with a legal-review attestation). The prompt for each persona is reviewable on request. Customers can inspect it directly, read it, and audit the voice.
What Forseti can do: the 14 production tools
Forseti's tool surface is the operational core. Every capability operates as a registered tool with a Tool Policy Manifest that declares the cost class, whether the tool is destructive, whether it requires human confirmation, and what audit event it emits. The current production set:
Read tools (6, MCP-exposed): search_regulatory (the regulatory index, returns matches with inline citations naming the framework and requirement), search_documents (org governance documents), read_document (retrieve a specific document), search_module (cross-module record search across DPIAs, RoPA, contracts, vendors, etc.), detect_framework_conflicts (cross-framework requirement conflict surfacing), search_workflows (saved AI workflows by name + status).
Memory tools (2, MCP-exposed): get_org_memory_by_anchor (look up Forseti memories by anchor), search_org_memories (free-text search across the org's memories). Both are read-only; memory writes happen automatically at workflow accept-time.
Sub-agent tool (1, MCP-exposed): suggest_persona_handoff (advisory; recommends a Forseti specialist persona for a question excerpt; does NOT mutate the chat session).
Write tools (5, gated by approval flows): propose_edit (proposes a partial record edit; operator accepts the patch atomically), attach_evidence (links existing evidence to a parent record), generate_docx (renders a DOCX deliverable through the platform's unified export pipeline; the customer downloads), create_task (creates a task in the org task list; the operator picks the assignee), bulk_create_tasks (creates up to 50 tasks in one call).
MCP-exposed write tools: the same write tools, plus convert_chat_to_workflow_run, also exposed via the MCP connector. External Claude clients can propose writes; every proposal lands in an in-product approval queue and executes only after admin sign-off. There is no bypass for trusted keys.
Tools that do NOT exist matter as much as the inventory above. Forseti has no delete tool of any kind. It has no submit_to_regulator tool. It has no approve_evidence tool (the customer's evidence approval workflow remains the customer's). It has no assign_user_to_task tool: it can create the task and propose an assignee, but the operator has to confirm. Every refusal is a deliberate constraint, because an AI advisor with the power to fabricate a citation, autonomously file with a regulator, or auto-approve evidence cannot be inspected back into safety once the bar moves down.
What Forseti can automate: the 20 cross-module workflows
Forseti includes 20 cross-module workflows that follow a single locked pattern. Each workflow takes a parent record and one or more context records, prefetches what it needs deterministically (no tool-loop dance), composes a single LLM call, returns a structured draft, lets the user accept-or-reject per field, and emits three audit events joined by a shared draft id.
Privacy + Compliance lane (10 workflows): DPIA auto-completion (extends the framework-aware DPIA registry), DSR batch processing (CSV intake → per-row resolution drafts), RoPA hygiene auto-fix (per-gap suggestion against the 4-framework completeness registry), cross-border TIA auto-draft (with the Singapore + EU + UK + US adequacy table), consent gap analysis (4-framework × 7-attribute matrix), breach notification timeline (8-rule jurisdiction matrix), authority-request response drafting (per-question synthesis with counsel-review flag), privacy-scanner anomaly explanation (4-bucket categoriser with deterministic severity), cookie/ePrivacy AI insight (per-cookie classification + national overlay citations + banner copy), dossier-filing pre-flight (per-pack assembly readiness + ZIP packaging through the platform's unified export pipeline).
Risk + Operations lane (10 workflows): vendor onboarding evidence collector (filename classifier + tier-driven artefact list), sub-processor change impact assessment (Art.28(4) customer notification template + SLA-aware deadline), contract obligation extraction (6-class pattern library + due-date math + auto-task creation), contract redline assistant (clause library + jurisdiction-aware), risk acceptance reasoning generator, maturity assessment AI gap walkthrough (improvement-roadmap DOCX), governance document policy gap detection (8-policy-type required-clause registry), remediation plan generator (4-phase deterministic timeline + DOCX deliverable + auto-task creation), compliance rule auto-mapping (regulatory pack → control library), audit walkthrough generator + privilege creep detection (per-control walkthrough script + role-assignment scan).
Every workflow comes with the same audit lineage shape: a "workflow started" event, an "assisted draft produced" event, and a terminal "draft accepted, rejected, or partially accepted" event, all stitched together by a shared draft identifier. Every accepted field carries a back-reference to the workflow run that produced it, so the audit trail can trace any record change back to its originating workflow.
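The locked workflow pattern above, as an added illustration that is not ComplianceOne's own code: a stub stands in for the single LLM call, the record store and draft are constructed, and the event names, field names and the `_provenance` back-reference are assumptions. It also applies the citation rule described later, dropping any drafted field that arrives without a citation before the operator sees it.

```python
import uuid
from dataclasses import dataclass, field

# Constructed sample store: a DPIA parent record and a RoPA context record.
RECORDS = {
    "dpia-17": {"title": "HR biometric attendance", "lawful_basis": "", "retention": ""},
    "ropa-4": {"retention": "24 months"},
}

def prefetch(parent_id, context_ids):
    """Deterministic prefetch: only the records the workflow declares, no tool loop."""
    return {"parent": RECORDS[parent_id], "context": [RECORDS[c] for c in context_ids]}

def call_llm_once(bundle):
    """Stand-in for the single grounded LLM call (assumed to return one structured
    draft with a citation per field). Constructed output; one field lacks grounding."""
    retention = bundle["context"][0]["retention"]
    return {
        "lawful_basis": {"value": "Explicit consent", "citation": "PDPL Art.19"},
        "retention": {"value": retention, "citation": "RoPA entry ropa-4"},
        "title": {"value": "Biometric attendance DPIA", "citation": ""},
    }

@dataclass
class WorkflowRun:
    workflow: str
    parent_id: str
    context_ids: list
    run_id: str = field(default_factory=lambda: uuid.uuid4().hex[:8])
    draft_id: str = field(default_factory=lambda: uuid.uuid4().hex[:8])
    events: list = field(default_factory=list)

    def _emit(self, kind, **data):
        # every event carries the shared draft id and the run id
        self.events.append({"event": kind, "draft_id": self.draft_id,
                            "run_id": self.run_id, **data})

    def produce_draft(self):
        self._emit("workflow.started")
        raw = call_llm_once(prefetch(self.parent_id, self.context_ids))
        # citation discipline: an ungrounded field never reaches the operator
        draft = {f: v for f, v in raw.items() if v["citation"]}
        self._emit("draft.produced", fields=sorted(draft), dropped=sorted(set(raw) - set(draft)))
        return draft

    def resolve(self, draft, decisions):
        """decisions maps field -> True (accept) / False (reject); per-field, not all-or-nothing."""
        accepted = {f for f in draft if decisions.get(f)}
        rejected = set(draft) - accepted
        rec = RECORDS[self.parent_id]
        for f in accepted:                   # accepted fields carry a back-reference
            rec[f] = draft[f]["value"]
            rec.setdefault("_provenance", {})[f] = {
                "run_id": self.run_id, "draft_id": self.draft_id, "citation": draft[f]["citation"]}
        outcome = ("accepted" if not rejected else "rejected" if not accepted
                   else "partially_accepted")
        self._emit("draft." + outcome, accepted=sorted(accepted), rejected=sorted(rejected))
        return outcome
```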
The headline insight is the cost compression. The DPO's two-day legal-counsel turnaround on a DPIA question becomes a two-minute grounded answer with citations. The Country Manager's monthly framework-conflict triage becomes a single page with severity-sorted conflicts. The Compliance Specialist's annual ISO 27001 control coverage exercise becomes a workflow run with a structured task list. The Auditor's quarterly access review becomes a privilege-creep scan with severity-tagged findings + suggested remediation. None of this is the AI doing the work autonomously; it is the AI doing the deterministic + grounded slice of the work and handing the operator a structured draft.

What Forseti remembers: the org-scoped memory model
Forseti ships an org-scoped semantic memory model. The underlying insight: a Forseti chat that opens fresh every time forces the operator to re-explain the org's context. A chat that pre-loads the org's previously-decided framework interpretations, process preferences, and risk acceptances skips that re-litigation.
Memories are typed:
- framework_interpretation: how the org reads a regulation. "We treat PDPL Art.19 biometric processing as requiring a separate DPIA." Persisted when the operator accepts a workflow draft that documents the interpretation.
- process_preference: the org's documented workflow choices. "We do not use auto-task assignment; the team lead assigns manually." Persisted when the operator dismisses a Forseti suggestion with a note.
- risk_appetite: recorded acceptance positions. "Vendor risk above 8/10 must escalate to the CRO." Persisted when the operator approves a Risk Acceptance with reasoning.
- known_gaps: flagged but unresolved findings. "The retention period table is missing from the data retention policy." Persisted when the operator rejects a policy-gap auto-fix suggestion as "track for later."
Three guarantees:
- Org-scoped. Every read is filtered to the customer organisation. Cross-org leakage is impossible by construction. The MCP memory tools enforce the same scoping.
- Read-only externally. The MCP connector exposes only the two memory-read tools, both read-only. Memory writes happen at workflow accept-time only; no integration can write a memory directly.
- Curatable. An in-product memory curation view lets operators browse, edit, soft-delete, and promote memories. A retention sweep clears stale entries nightly.
The country manager benefit: Forseti's answers grow more org-specific over time without retraining and without hand-curated prompts. By month three, Forseti opens DPIA chats with "your org has previously ruled that PDPL Art.19 requires a separate DPIA for biometric data; do you want to apply the same reasoning here?"
Where Forseti goes: the MCP Connector
Adopting MCP (Anthropic's Model Context Protocol) lets Forseti meet customers where they already work. Three integration patterns are live:
Anthropic Console as a regulatory-research surface. Issue a key with search_regulatory + read_document only. An analyst opens Claude in the Console, asks "What does GDPR Art.30 require?", and Claude calls search_regulatory(query='GDPR Art 30') against your org's installed pack set. The answer is grounded in the org's installed regulatory text, not in the model's training data.
Claude Code as a DPIA-drafting assistant. Issue a key with search_regulatory + search_module + read_document + create_task + propose_edit. The privacy engineer runs Claude Code in their IDE; Claude reads existing DPIAs via search_module, drafts a new one, and proposes a create_task for follow-up review. Each proposed task lands in the in-product approval queue; the DPO approves the legitimate ones.
Custom Slack bot for compliance Q&A. Issue a key with get_org_memory_by_anchor + search_org_memories + suggest_persona_handoff. The bot listens to #compliance-questions; for each message it surfaces relevant org context from memory and recommends the right Forseti specialist persona.
The approval queue is the load-bearing piece. External Claude clients propose writes; the proposal lands in the in-product approval queue with a 24-hour expiry; the admin reviews the preview, the arguments, and the requesting key's prefix; approve executes the tool with the API-key holder's resolved permissions; decline marks the proposal declined and the tool never runs; an hourly sweep clears unaddressed proposals older than 24 hours. Five audit events fire across the lifecycle (proposed, approved, executed, declined, expired), all stitched together by a shared proposal identifier.
The constraint to internalise is that the queue has no bypass for trusted keys. Every write is human-gated. The argument for this constraint is the same as the argument against autonomous filing: granting autonomous write authority turns safety from something verifiable into something assumed.
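An added sketch, not the product's implementation, of how the Tool Policy Manifest described under the 14 production tools and this approval queue fit together: read tools run immediately, write tools become proposals that move through the five-event lifecycle with a 24-hour expiry, a tool absent from the manifest cannot be invoked at all, and the trusted-key flag is accepted and ignored. Manifest field names, event names and the registry contents are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from itertools import count
from types import SimpleNamespace

# Hypothetical manifest record with the fields the article says a Tool Policy
# Manifest declares (field names are assumed, not the product's own).
@dataclass(frozen=True)
class ToolPolicy:
    name: str
    cost_class: str
    destructive: bool
    requires_confirmation: bool
    audit_event: str

# Constructed registry of three tools named in the article. What is absent
# matters: there is no delete, submit_to_regulator or approve_evidence entry.
REGISTRY = {p.name: p for p in (
    ToolPolicy("search_regulatory", "read", False, False, "tool.read"),
    ToolPolicy("propose_edit", "write", False, True, "write.proposed"),
    ToolPolicy("create_task", "write", False, True, "write.proposed"),
)}
PROPOSAL_TTL = timedelta(hours=24)

class ApprovalQueue:
    """proposed -> approved+executed | declined | expired. No trusted-key bypass."""
    def __init__(self):
        self._ids, self.proposals, self.audit_log = count(1), {}, []
    def _emit(self, p, event):        # one proposal id stitches all its events
        p.state = event
        self.audit_log.append((p.id, event))
    def dispatch(self, tool, key_prefix, now, trusted_key=False):
        policy = REGISTRY.get(tool)
        if policy is None:                    # e.g. a delete tool: not in the manifest
            raise LookupError(f"no such tool: {tool}")
        if not policy.requires_confirmation:  # read tools run immediately
            return ("executed", tool)
        # trusted_key is deliberately unused: every write waits for a human.
        p = SimpleNamespace(id=next(self._ids), tool=tool, key_prefix=key_prefix,
                            created=now, state="proposed")
        self.proposals[p.id] = p
        self._emit(p, "proposed")
        return ("queued", p.id)
    def approve(self, pid, now):
        p = self.proposals[pid]
        if p.state != "proposed" or now - p.created > PROPOSAL_TTL:
            return None                       # stale or already decided
        self._emit(p, "approved")
        self._emit(p, "executed")             # runs with the key holder's permissions
        return p.tool
    def decline(self, pid):
        p = self.proposals[pid]
        if p.state == "proposed":
            self._emit(p, "declined")
    def sweep(self, now):                     # hourly sweep for unaddressed proposals
        stale = [p for p in self.proposals.values()
                 if p.state == "proposed" and now - p.created > PROPOSAL_TTL]
        for p in stale:
            self._emit(p, "expired")
        return len(stale)
```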
What Forseti will refuse to do: the guardrails
The constraints from the foundation article still hold, restated for the post-launch surface:
- Off-topic refusal: each persona includes an explicit "off-topic handling" block. When a user asks about astrophysics or restaurant reviews, Forseti politely refuses and redirects.
- Citation grounding: no legal conclusion without an inline citation naming the regulatory framework and the specific requirement. When grounding is unavailable Forseti says so explicitly: "I cannot conclude on this without grounding."
- Human-gated writes everywhere: Forseti drafts; humans accept. Record edits, task creation, evidence attachments, and dossier filing all wait on operator confirmation. External proposals through MCP land in the same approval queue. There is no "trusted key" bypass.
- No deletion, no autonomous filing, no AI-side evidence approval: the tool surface offers none of these by construction. Forseti can read, summarise, draft, and propose. It cannot remove a row, file with a regulator, or sign off on its own output.
- No legal conclusion fabrication: citation grounding plus the installed-pack-only source of truth close the fabrication loop. Forseti does not synthesise an answer from training data when the regulatory search returns nothing.
- Memory privacy: every memory read is scoped to the customer organisation. The MCP memory tools are read-only.
What Forseti costs: the per-tier per-feature per-workflow visibility
Forseti is included in every ComplianceOne tier. The differentiator is the monthly token bucket:
→ Light tier: modest monthly token allowance suitable for individual practitioners and small teams running a single regulatory framework.
→ Standard tier: larger allowance suitable for organisations running 2–4 frameworks across a small compliance team.
→ Enterprise tier: the largest allowance, plus the org-wide admin view of usage, plus the ability to override persona system prompts at the tenant level (with a legal-review attestation).
Customers buy supplementary token bundles through the Usage Dashboard when they exhaust the monthly allowance. There is no "AI add-on" SKU; AI is part of every tier.
The Usage Dashboard breaks consumption down by:
- User: the top consumers in the period.
- Persona: which specialist personas the team is reaching for.
- Feature: chat / workflow / tabular review / document redline.
- Workflow: which of the 20 cross-module workflows is firing most often (the dashboard joins ledger rows by the workflow run identifier).
- MCP key: for orgs running the MCP connector, which external integration is consuming the most tokens.
The Reconciliation page lets the country manager match the platform's bucket draw against the upstream provider's invoice. Bucket exhaustion surfaces as an in-product affordance ("monthly bucket exhausted, buy a top-up bundle?") and as an HTTP 402 to the underlying tool-runner; workflows do not silently fail.
What Forseti's audit lineage proves: chain of custody
Forseti's audit events are integrated into the IAT (Immutable Audit Trail) pipeline. The same chain-of-custody anchor that protects every other audit event in ComplianceOne now protects every Forseti event: chats, tool calls, workflow runs, evidence drafts, redline reviews, memory curation, MCP calls, and write approvals all flow through IAT.
When a regulatory inspector asks "what did the AI say about this?", the customer points to:
- The Audit Trail page: the canonical org-wide audit log, with a Source filter that isolates Forseti or MCP traffic.
- The Forseti Audit Lineage page: the per-chat and per-workflow lineage view, with the contributing tool calls and resulting record changes inline.
- The IAT proof tap: the tamper-evident hash chain emitted nightly. Auditors can verify the chain end-to-end.
The point is not that Forseti is always right. The point is that every claim is cited, every artifact is reviewable, every interaction is in the chain of custody. The customer can hand over a defensible answer.
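An added example of the end-to-end check an auditor can run against the nightly IAT proof, using constructed Forseti and MCP events; it is not the IAT implementation, and the proof shape, event fields and hash construction are assumptions. The point it makes beyond the text: per-link verification catches an edited event, but only the out-of-band head value catches a chain that was edited and then fully re-linked or truncated.

```python
import hashlib
import json

GENESIS = "0" * 64

def canonical(event):
    """Stable serialisation so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain, event):
    """Link an event to its predecessor; chain is a list of {"event", "prev", "hash"}."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    chain.append({"event": event, "prev": prev, "hash": h})
    return h

def verify_chain(chain, expected_head=None):
    """Recompute every link from genesis. Returns (ok, index of first bad link or None).
    expected_head is the out-of-band proof value; without it a fully re-linked chain passes."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev:
            return False, i
        if hashlib.sha256(prev.encode() + canonical(link["event"])).hexdigest() != link["hash"]:
            return False, i
        prev = link["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)          # valid links, but not the chain the proof attests
    return True, None

def nightly_proof(chain):
    """The value an auditor keeps out-of-band (assumed shape, not the product's own)."""
    return {"length": len(chain), "head": chain[-1]["hash"] if chain else GENESIS}

def build_chain(events):
    chain = []
    for e in events:
        append_event(chain, e)
    return chain

# Constructed sample: one Forseti workflow run and one MCP proposal lifecycle.
SAMPLE_EVENTS = [
    {"source": "forseti", "event": "workflow.started", "draft_id": "d-01", "actor": "dpo@example.test"},
    {"source": "forseti", "event": "draft.produced", "draft_id": "d-01", "tool_calls": ["search_regulatory"]},
    {"source": "forseti", "event": "draft.partially_accepted", "draft_id": "d-01", "accepted": ["lawful_basis"]},
    {"source": "mcp", "event": "proposal.proposed", "proposal_id": "p-07", "tool": "create_task"},
    {"source": "mcp", "event": "proposal.declined", "proposal_id": "p-07"},
]
```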
Closing
If you are a DPO, compliance manager, legal counsel, CISO, internal audit lead, vendor risk leader, or contract counsel, the next step is to ask your ComplianceOne contact for a pilot organisation with the MCP connector enabled. Issue a key. Open Claude in the Console. Ask it about your installed regulatory packs. Read the citations. Look at the audit lineage. Decide whether Forseti is the AI advisor your inspection-hardened compliance posture needs.
The persona prompts, the audit event taxonomy, and the architectural decisions behind Forseti are all reviewable on request. Nothing about Forseti is hidden. That is by design.
Where Forseti goes next
The deliberate decision is to stop adding features and start operating. Six personas, 14 production tools, 20 workflows, the memory model, the MCP connector, the audit lineage, the cost dashboard: that is the surface. The near-term roadmap is short: complete the 14-locale fan-out, and let the Usage Dashboard surface patterns that earn first-class features later. Cross-org learnings and federated MCP remain out of scope until customer demand justifies them. Anything new has to earn its place against the same constraints set out at the foundation.
You can follow the rest of the Forseti rollout at https://aesirx.io/compliance-one. We would also be happy to walk through the engineering contract, the Tool Policy Manifest pattern, and the regulatory pack model with your DPO, your CISO, or your head of internal audit.
Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io
Laws and instruments referenced
- Luật Bảo vệ dữ liệu cá nhân (PDPL): Vietnam Personal Data Protection Law
- Luật An ninh mạng: Vietnam Cybersecurity Law
- Thông tư 83 (Banking Circular 83): Vietnam banking internal control sector overlay
- Luật Trí tuệ nhân tạo: Vietnam AI Law
- General Data Protection Regulation (EU) 2016/679 (GDPR)
- Directive on Privacy and Electronic Communications (ePrivacy Directive)
- Digital Operational Resilience Act (EU) 2022/2554 (DORA)
- Directive on Security of Network and Information Systems (EU) 2022/2555 (NIS2)
- ISO/IEC 27001:2022: Information security management systems
- AICPA Trust Services Criteria (SOC 2)
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Forseti is an AI assistant for compliance work. It does not replace qualified legal counsel and is not a substitute for human review and approval of compliance evidence and filings.
