
Using AI to check whether a new internal policy conflicts with higher-level policies or laws

We compared a newly revised information security management policy against higher-level basic policies, work rules, and APPI requirements, then had AI identify conflicting clauses with evidence.

INDX Editorial Team, Product Team | 8 min read

"We revised the policy, but are we sure it aligns with higher-level policies and laws?" Many compliance teams share this concern, so we used INDX Compliance to solve it in practice. This article walks through the real product screens.

Background

Why policy consistency checks are so hard

An information systems department at one company revised its Information Security Management Policy to v2.1. It was an ordinary update to reflect remote work and cloud usage, but Legal and Compliance stopped it before enforcement.

The reason was that no one had confirmed whether it conflicted with the higher-level Information Management Policy, work rules, or APPI. Internal policies do not stand alone; they always sit within higher-level policies and laws. Changing one clause can easily break consistency with another policy.

Challenges encountered

  • Reviewers lined up multiple policies and laws and manually compared clauses, taking two full weeks
  • Identifying which clause conflicted with which policy depended on reviewer memory and experience
  • Review viewpoints varied each time, creating risk that omissions would be found after enforcement
  • Returns and revisions were buried in email, making later decision history hard to trace
01 What we tried

Just describe what you want checked in plain language

First, we did not configure anything difficult. "Check whether this policy conflicts with higher-level policies or laws." We entered that in the same language someone would use with a manager. The AI then automatically assembled the procedure to check, that is, the review viewpoints.

app.indx-compliance.com/start/draft

Your instruction, in plain language

"Check whether the revised Information Security Management Policy v2.1 conflicts with the higher-level Information Management Policy, work rules, or APPI. Review each clause with supporting evidence."

AI generated the review workflow (draft · 4 steps)
  1. Search relevant internal policies and laws

    Ingest the information-management policy, work rules, APPI, and ISO 27001

  2. Evaluate conformity clause by clause

    Judge whether each clause in this policy satisfies higher-level policy and legal requirements

  3. Verify citation validity and confidence

    Confirm that cited clauses exist and score reliability

  4. Final human review

    Route only needs-review and non-compliant items to reviewers and record approvals or returns

Screen 1: From a natural-language instruction, AI generated a four-step workflow: search relevant policies, judge conformity by clause, verify citations, and route final review to humans. Just review the contents and save.

No programming knowledge or complex rule setup is required. You can inspect and edit the generated workflow, then reuse the same review viewpoints as often as needed.

02 What we tried

Run it to see pass/fail results for each clause, with evidence

After saving and running the workflow, the AI checks whether each policy clause satisfies higher-level policy and legal requirements one by one. The results are consolidated on this screen. The key point is that every decision always includes which policy and which clause support it. The AI is not taken on trust; humans can verify the source text.

app.indx-compliance.com/runs/run_kitei-v21
Internal policy review: Information Security Management Policy v2.1

Compared against Information Management Policy / work rules / APPI / ISO 27001

Internal Policy Conformity Check

Run on 2026-05-20 | 10 review points

Evidence included

Pass: 6 | Needs review: 3 | Non-compliant: 1 | Pass 60%
  • Evidence for the decision: Information Management Policy p.4

    Article 8 states that when resignation or transfer is announced, the person's access privileges must be revoked by the end of the announcement date. The department manager is responsible for revocation.

    Checked higher-level policy or law: Information Management Policy
    Source-text match: Potential conflict with higher-level policy
    AI confidence: 88%

    The higher-level policy requires revocation on the same day. Policy v2.1 does not define timing or responsibility, creating a potential conflict.

Screen 2: A list of 6 pass / 3 needs review / 1 non-compliant items. Click any row to open the highlighted higher-level policy or legal source text behind the decision, along with the conflict reason.

This time, the AI found that "the access privilege revocation deadline was not written in this policy." This was the one non-compliant item: the higher-level policy requires revocation by the end of the announcement date, but the revised policy omitted it. It is a typical gap that manual review can miss.

03 What we tried

Humans review only needs-review and non-compliant items, then finalize

The 6 items the AI marked as pass can be cleared quickly because evidence is attached. Humans spend judgment on only the 4 items that need attention: 3 needs-review and 1 non-compliant item. The reviewer returned the non-compliant clause to the drafting department, reran the amended policy, and finally approved and finalized it.

app.indx-compliance.com/runs/run_kitei-v21/review

Final review (human approval)

Non-compliant: Procedures for granting and revoking access privileges

The higher-level policy requires revocation by the end of the same day. Because this policy does not define a revocation deadline, return it to the drafting department.

Humans review only the 4 needs-review and non-compliant items. The 6 passed items can be cleared with evidence, so reviewers can focus on judgment.

Tamper-resistant audit log

  1. 14:02 AI

    Assessed 10 review points (6 pass / 3 needs review / 1 non-compliant)

    hash a1f9…3c

  2. 14:18 Compliance reviewer - Sato

    Returned access privilege revocation for an added clause

    hash b7c2…0e

  3. 15:40 Policy drafter - Tanaka

    Added the revocation deadline to Article 9 and reran -> pass

    hash d3e8…91

  4. 15:41 Compliance reviewer - Sato

    Approved and finalized all items

    hash f0a4…22

Screen 3: Left: humans review only items requiring action. Right: every operation, from AI decisions through human approval and returns, is automatically saved in a tamper-resistant log.

All operations and decisions are recorded in a tamper-resistant audit log. You can fully trace who decided what, when, and based on which evidence, so it can be used directly in internal audits and external reviews.

Outcome

Result: two-week policy review reduced to half a day

A consistency check that had taken two full weeks manually was completed from viewpoint preparation to final approval in half a day. Most importantly, it caught a missing revocation deadline before enforcement that manual review had missed, which gave the reviewer the most reassurance.

  • Policy review time: 2 weeks -> half day (from setup to approval)
  • Decisions backed by evidence: 100% (source text is immediately checkable)
  • Items requiring human review: 4 / 10 (6 passed items cleared quickly)

Key points from this case

  • Review setup uses plain-language instructions only. No specialist setup knowledge or programming is required.
  • Every pass/fail decision includes source evidence from higher-level policies and laws, so humans can verify it instead of trusting AI blindly.
  • Humans review only needs-review and non-compliant items. They can focus on judgment and reduce missed issues.
  • Operations and decisions remain in tamper-resistant logs and can be used directly in internal audits and external reviews.
Summary

Policies, contracts, applications: rule matching follows the same pattern

This example used an internal policy, but INDX Compliance works the same way across use cases. Provide the benchmark documents, such as higher-level policies, laws, and internal standards, together with the document you want checked, then compare them with evidence. Contract reviews, application-deficiency checks, ISO audit preparation, and any other work that involves matching against rules can use the same workflow.

Try it in your workflow, starting with one document.

Bring a policy, contract, or application document, and we will demo the actual judgment screen. Closed-network and on-premise deployments are supported.
