Today — February 14th 2026 · Your RSS feeds

I’m building a graph-based compliance risk engine, looking for honest feedback

I’m building an early proof-of-concept for an AI-assisted compliance risk engine and I’m trying to validate whether this direction makes sense in real security environments.

Instead of treating compliance as checklists and PDFs, I’m modeling the environment as a Neo4j graph:

• assets
• controls
• policies
• findings
• risk relationships
• remediation paths

The engine scores compliance state over time and keeps a structured audit timeline. Every issue is attached to a remediation playbook, and the system generates explainable reasoning instead of opaque alerts.

Right now it can:

• score a clinic environment repeatedly and track risk history
• snapshot decision states for audit trails
• attach remediation guidance to each issue
• show how risk propagates across the graph
• provide explainable analysis instead of black-box output

This is not a product launch. It’s a working prototype.

My question is:

Would a graph-native compliance/risk model actually be useful in production environments, or does this solve a problem nobody cares about?

Where would something like this realistically fit?

GRC teams? Security ops? MSSPs? Healthcare compliance?

Or is the industry already saturated with better tooling?

I’d genuinely appreciate blunt feedback from people who work in security/compliance.

If this is naive, overengineered, or missing the real pain, I want to know now.

submitted by /u/Queasy_Hamster_6040
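To make the model in the post concrete for anyone evaluating it, here is an added example (not the poster's code, and not a Neo4j query) that stands in for the graph with plain Python dictionaries: findings WEAKEN controls, controls PROTECT assets and SATISFY policies, and risk from an open finding propagates along those edges to the assets and policies it touches. Every node name, edge type, severity, criticality and playbook below is a constructed assumption; the propagation rule (noisy-OR combination weighted by asset criticality) is likewise an illustrative choice, not the post's scoring formula. The snapshot records the reasoning path for each contribution and the remediation attached to each finding, and a small timeline re-scores the same environment as findings are closed.

```python
"""Toy graph-native compliance risk scoring with explainable propagation.

Added example: an in-memory stand-in for the Neo4j model described in the post.
All node names, edge types, severities, criticalities and playbooks are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample graph. Severity and criticality are in [0, 1].
NODES = {
    "asset:ehr-db":            {"type": "asset", "criticality": 1.0},
    "asset:front-desk-pc":     {"type": "asset", "criticality": 0.4},
    "control:disk-encryption": {"type": "control"},
    "control:mfa":             {"type": "control"},
    "policy:hipaa-encryption": {"type": "policy"},
    "policy:hipaa-access":     {"type": "policy"},
    "finding:F-1": {"type": "finding", "severity": 0.8, "open": True},
    "finding:F-2": {"type": "finding", "severity": 0.5, "open": True},
}
EDGES = [  # (source, relationship, target), constructed
    ("finding:F-1", "WEAKENS", "control:disk-encryption"),
    ("finding:F-2", "WEAKENS", "control:mfa"),
    ("control:disk-encryption", "PROTECTS", "asset:ehr-db"),
    ("control:mfa", "PROTECTS", "asset:ehr-db"),
    ("control:mfa", "PROTECTS", "asset:front-desk-pc"),
    ("control:disk-encryption", "SATISFIES", "policy:hipaa-encryption"),
    ("control:mfa", "SATISFIES", "policy:hipaa-access"),
]
PLAYBOOKS = {"finding:F-1": "enable-disk-encryption", "finding:F-2": "enforce-mfa"}


def adjacency(edges):
    """Index edges by (source, relationship) so propagation is a dict lookup."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[(src, rel)].append(dst)
    return adj


@dataclass
class Snapshot:
    score: float             # 0.0 = fully compliant, 1.0 = maximal weighted risk
    asset_risk: dict         # asset id -> propagated risk in [0, 1]
    policies_at_risk: list   # policies whose satisfying control is weakened
    explanations: list = field(default_factory=list)  # one line per propagation step
    remediation: list = field(default_factory=list)   # (finding, playbook) pairs


def score_environment(nodes, edges, playbooks):
    """Propagate each open finding through WEAKENS -> PROTECTS/SATISFIES edges."""
    adj = adjacency(edges)
    asset_risk = defaultdict(float)
    policies, explanations, remediation = set(), [], []
    for fid, finding in nodes.items():
        if finding["type"] != "finding" or not finding["open"]:
            continue
        for ctrl in adj[(fid, "WEAKENS")]:
            for pol in adj[(ctrl, "SATISFIES")]:
                policies.add(pol)
                explanations.append(f"{fid} weakens {ctrl}, which satisfies {pol}")
            for asset in adj[(ctrl, "PROTECTS")]:
                contribution = finding["severity"] * nodes[asset]["criticality"]
                # Noisy-OR: independent contributions combine without exceeding 1.
                asset_risk[asset] = 1 - (1 - asset_risk[asset]) * (1 - contribution)
                explanations.append(
                    f"{fid} (sev {finding['severity']}) -> {ctrl} -> {asset}: +{contribution:.2f}")
        remediation.append((fid, playbooks.get(fid, "no playbook attached")))
    assets = [a for a, n in nodes.items() if n["type"] == "asset"]
    total_crit = sum(nodes[a]["criticality"] for a in assets)
    score = sum(asset_risk[a] * nodes[a]["criticality"] for a in assets) / total_crit
    return Snapshot(round(score, 3), dict(asset_risk), sorted(policies), explanations, remediation)


def remediate(nodes, fid):
    """Return a copy of the graph with one finding closed (the original is untouched)."""
    updated = dict(nodes)
    updated[fid] = {**nodes[fid], "open": False}
    return updated


@dataclass
class Timeline:
    entries: list = field(default_factory=list)  # (label, Snapshot), oldest first

    def record(self, label, snapshot):
        self.entries.append((label, snapshot))

    def history(self):
        return [(label, snap.score) for label, snap in self.entries]


def run_timeline():
    """Score the constructed environment, then re-score after each remediation."""
    timeline, nodes = Timeline(), NODES
    timeline.record("baseline", score_environment(nodes, EDGES, PLAYBOOKS))
    for fid in ("finding:F-1", "finding:F-2"):
        nodes = remediate(nodes, fid)
        timeline.record(f"after {PLAYBOOKS[fid]}", score_environment(nodes, EDGES, PLAYBOOKS))
    return timeline


if __name__ == "__main__":
    for label, snap in run_timeline().entries:
        print(f"{label}: score={snap.score} policies_at_risk={snap.policies_at_risk}")
        for line in snap.explanations:
            print("   ", line)
```

Running it prints the score history (0.7, then 0.414 after the first playbook, then 0.0) with the path that produced each contribution, which is the explainable trail the post describes. Two design points worth noting: the score is a weighted aggregate, so a low-criticality asset cannot mask risk on the EHR database, and closing a finding never mutates the earlier snapshot, so the timeline remains a faithful audit record.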