Completions

For chief compliance officers + GRC leadership + audit-readiness leads

Vanta and Drata ship the SOC 2 checklist. The per-vertical templates for HIPAA Privacy Rule + cannabis California + FDA wellness substantiation + FINRA disclosure + FTC Franchise Rule are operator-side architecture.

Building per-vertical compliance templates from scratch for a multi-vertical operator takes 6-12 months and ongoing maintenance against quarterly regulatory updates. Pre-built per-vertical overlay templates accelerate onboarding from months to weeks. The same maintained template substrate that ships pre-built feeds the runtime compliance gates across the AI-agent fleet under the broader compliance-overlay-manager 6-axis pipeline.

By Jay Christopher · 11 min read

What this gets you

  • Pre-built per-vertical overlay templates across every operator regulatory regime — HIPAA Privacy + Security + Breach Notification Rules; FDA Title 21 cosmetics + wellness + supplements + OTC + medical devices + food; FINRA broker-dealer + SEC investment-adviser; cannabis-per-state (38 states); state-by-state alcohol + insurance; GDPR + UK GDPR + Brazil LGPD + India DPDP; CCPA + CPRA + state-by-state US privacy laws; ADA Title III digital + WCAG 2.2 Level AA; FTC Franchise Rule + 14 registration states; SOC 2 Type II + ISO 27001 + PCI-DSS + NIST CSF.
  • Multi-vertical operator onboarding accelerated from months to weeks — new operators load the relevant per-vertical templates as a starting point + customize on top with operator-specific overlays rather than building from scratch.
  • Maintained template substrate with regulatory-update refresh — the Monitor axis tracks upstream regulatory publication sources; the Extract axis parses source documents into structured rules; the Library axis refreshes templates as regulations update. Operators do not maintain the template substrate themselves.
  • Integration with the runtime compliance gates across the AI-agent fleet — the same template substrate feeds the per-vertical-schema-validation gate on master-record + the per-vertical-overlay gate across the AI-agent fleet + the catalog-side product-compliance gate + the customer-side DSAR retention rules + the franchise-disclosure pre-sign gate. One substrate, many runtime consumers.
  • Operator-specific customization layer on top of the templates — per-banner brand-voice rules + per-franchisee customization + per-banner regulated-claim allowlists + operator-specific exception tracking sit on top of the maintained substrate without forking the substrate.

Six to twelve months of per-vertical compliance work before the new vertical even launches

A multi-vertical operator running cannabis dispensaries + retail beauty across California decides to expand into wellness centers offering FDA-regulated supplement sales plus financial-services cross-sell through a partner broker-dealer. The legal team scopes the compliance work for the wellness-plus-financial-services expansion. The scope includes FDA Title 21 Subchapter B Part 101 labeling requirements + Part 111 Current Good Manufacturing Practice for supplements + Part 117 FSMA + FTC marketing-claim substantiation requirements + FTC Made in USA + per-state insurance regulation + FINRA broker-dealer disclosure rules + SEC investment-adviser Form ADV requirements + state-by-state cross-sell licensing.

The legal team estimates 6-12 months of preparation before the new wellness-plus-financial-services vertical can launch compliantly. Outside counsel quotes $200,000-400,000 for the per-vertical playbook build. The general counsel approves the scope and the budget. The work begins. Outside counsel reviews FDA + FTC + FINRA + state regulations + drafts the per-vertical playbooks + maps the playbooks to the operator catalog + customer + marketing surfaces. The work runs 9 months. The wellness-plus-financial-services vertical launches Q3.

Three months later FDA tightens substantiation requirements on a specific wellness-claim category. The playbook is now outdated. Outside counsel updates the playbook. The operator catalog team updates the affected SKU descriptions. The marketing team updates the affected campaign copy. Six months after that FINRA updates disclosure requirements on a specific cross-sell scenario. The playbook updates again. Maintenance fees run $40,000-80,000 per quarter.

Pre-built per-vertical overlay templates compress the initial onboarding from 9 months to 4-6 weeks. The HIPAA + FDA Title 21 + FINRA + cannabis-per-state + GDPR + CCPA + ADA + franchise-disclosure templates load as starting points. The operator legal team customizes the loaded templates with operator-specific overlays. The maintenance pipeline tracks the regulatory-update source documents and refreshes the template substrate as regulations update. The operator team customizes on top of the refreshed substrate without rebuilding the substrate themselves. The 9-month launch shrinks to 4-6 weeks. The quarterly maintenance cost drops by 70-80 percent.

What is in market — and what each category leaves to you

The audit-readiness primitive is mature for security and audit frameworks. The per-vertical operator-specific overlay templates are architecture.

Audit-readiness primary — Vanta, Drata, SecureFrame, Sprinto, Hyperproof, Onspring, LogicGate, OneTrust GRC

Excellent at the audit-readiness primitive for SOC 2 Type II + ISO 27001 + HIPAA Security Rule + PCI-DSS + GDPR + CCPA general frameworks. The per-vertical operator-specific overlay templates going deeper than framework-level into HIPAA Privacy Rule + FDA Title 21 + FINRA broker-dealer + cannabis-per-state product-claim rules + FTC Franchise Rule pre-sale plus the maintenance pipeline tracking regulatory updates are operator-side architecture above the primitive.

HIPAA-specific — Compliancy Group, HIPAA Vault, Atlantic.Net, Accountable HQ

Strong at HIPAA-specific compliance workflow with deep coverage of HIPAA Privacy + Security + Breach Notification Rules. The integration with multi-vertical operator templates spanning HIPAA-plus-cannabis-plus-financial-plus-franchise-disclosure at the same operator is operator-side build.

FDA-specific — Veeva Vault, MasterControl, ComplianceQuest

Strong at FDA-regulated industry compliance with Veeva Vault dominant in pharmaceuticals + life sciences and MasterControl in medical devices. The multi-vertical operator running FDA wellness plus HIPAA plus cannabis plus FINRA faces multiple vertical platforms and needs the cross-vertical template substrate above them.

Generic compliance frameworks — Tugboat Logic (now OneTrust), AuditBoard, MetricStream, Diligent ACL

Strong at enterprise GRC framework management with customizable rule engines. Per-vertical operator-specific template content plus the maintenance pipeline keeping templates current are professional-services engagements above the framework primitive.

The outside-counsel quote for the per-vertical playbook build

The status quo at most multi-vertical operators expanding into a new regulatory regime. Outside counsel quotes $200,000-400,000 for the per-vertical playbook build over 6-12 months. The operator pays. The playbook ships. The next regulatory update arrives. The maintenance fees start. Pre-built per-vertical overlay templates compress the onboarding cost by 70-80 percent and the maintenance cost similarly.

The pipeline, end to end

  1. Position in the 6-axis compliance-overlay-manager pipeline. Monitor (regulatory-change-monitoring) + Extract (rule-extraction-from-source-docs) + Pre-filter (pre-filter-deterministic-gates) + Score (llm-semantic-compliance-scoring) + Route (borderline-routing) + Library (this skill). 6-skill same-agent bundle on compliance-overlay-manager — the densest agent in the arc.
  2. Per-vertical template structure. One template per regulatory regime — HIPAA Privacy + Security + Breach Notification Rules separately, FDA Title 21 by Subchapter, FINRA by rule number, cannabis-per-state by state, GDPR plus UK GDPR plus Brazil LGPD plus India DPDP separately, CCPA plus CPRA plus state-by-state US privacy laws, ADA Title III digital plus WCAG 2.2 Level AA, FTC Franchise Rule plus per-registration-state, SOC 2 plus ISO 27001 plus PCI-DSS plus NIST CSF.
  3. Per-template metadata structure. Each template encodes structured rules with severity classification (hard regulatory vs soft policy), source-citation reference (CFR section, USC section, state statute citation, regulator guidance citation), version history with effective dates, per-jurisdiction variant set (federal baseline plus state-by-state), related-template cross-references, and consumption-metadata identifying which runtime gates consume the template.
  4. Operator vertical-classification at onboarding. A new operator onboarding classifies its vertical mix + jurisdiction footprint + customer-data profile. The classification drives which templates load as starting points. Multi-vertical operators load multiple templates and configure the cross-vertical conflict- resolution policies.
  5. Operator-specific customization overlay. Operator teams customize the loaded templates with operator-specific overlays — per-banner brand-voice rules, per-franchisee customization, per-banner regulated-claim allowlists, operator-specific exception tracking. The customization sits on top of the maintained substrate without forking it. Substrate refreshes propagate through the customization layer.
  6. Substrate refresh through the Monitor + Extract axes. The Monitor axis tracks upstream regulatory publication sources (FDA + FTC + FINRA + SEC + state regulators + EU regulators + NASAA EFD + state franchise portals). The Extract axis parses published source documents into structured rules. Detected updates ingest to the relevant per-vertical template with the version bump.
  7. Runtime-gate consumption. The runtime compliance gates across the broader Completions agent fleet consume from the template substrate. The per-vertical-schema-validation gate on master-record reads the per-vertical templates. The catalog-per-vertical-schema-validation on product- catalog-canonicalization reads the same. The marketing-compliance overlay across the AI-agent fleet reads the same. The DSAR retention rules read the same. The franchise-disclosure pre-sign gate reads the same. One substrate, many runtime consumers.
  8. Multi-vertical conflict-resolution policies. Multi-vertical operators face conflicting rules across templates (a claim allowed under FDA wellness but disallowed under a specific cannabis state). Per-operator conflict-resolution policies tune the merge priority. The policies sit in the customization layer and propagate through the runtime consumers.
  9. Exception tracking + audit trail. Operators track exceptions to template rules (compensating control accepted by audit + risk-accepted decision + temporary exception with sunset date). Exception tracking integrates with the per-template metadata so the runtime gates surface the exception status when relevant. Audit trail captures every exception decision with actor + business justification + sunset.
  10. Template versioning + rollback. Template versions follow semver-style numbering with effective dates. Minor and patch refreshes flow to the runtime gates as published; major version bumps require operator acknowledgement before the runtime gates pick up the new version, and the previously acknowledged version keeps serving until that acknowledgement lands, so a tightening regulation is not enforced until the operator signs off. Rollback to a prior version is available inside the retention window for emergency response.
  11. Coverage measurement. Per-vertical coverage percentage (operator regulatory-regime requirements covered by loaded templates vs total requirements). Per-jurisdiction coverage. Per-customer-data-category coverage. Coverage gaps surface as alerts to the compliance team for template-customization or attorney-review.
  12. Template marketplace for emerging regulatory regimes. Emerging regulatory regimes (state-specific AI governance + emerging biometric privacy laws + new cannabis-state launches + international expansion jurisdictions) ship as new templates that operators opt into. The template marketplace surfaces upcoming-effective-date regulations so operators prepare ahead of enforcement.
  13. ROI measurement. Per-vertical onboarding time pre vs post deployment (target 6-12 months pre / 4-6 weeks post). Per-vertical onboarding cost pre vs post (target $200-400k pre / 70-80 percent reduction post). Quarterly maintenance cost pre vs post (target $40-80k pre / 70-80 percent reduction post). Coverage percentage per operator. External audit findings on operator-coverage gaps. The signal feeds template-prioritization tuning and customization-pattern refinement per cycle.
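The mechanics of steps 3, 5, 8, 9 and 10 (structured rules with severity and jurisdiction variants, an operator overlay that does not fork the substrate, per-operator conflict-resolution policy, exceptions with a sunset date, and a major-version acknowledgement gate) as an added Python illustration. This is not code from the page or from the compliance-overlay-manager product: every template name, rule id, claim category and citation string is constructed, the policy names "most_restrictive" and "priority:<template>" are assumed, and the allow / deny / review verdict model is a simplification.

```python
# Added illustration, not code from the page or from the product it describes.
# Every template name, rule id, citation string and claim category is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # semver-style (major, minor, patch)

@dataclass(frozen=True)
class Rule:
    rule_id: str       # constructed id, not a real rule number
    severity: str      # "hard" = regulatory requirement, "soft" = operator policy
    citation: str      # source citation carried into the audit trail
    jurisdiction: str  # "federal" or a state code (the per-jurisdiction variant set)
    claim: str         # marketing-claim category the rule governs
    verdict: str       # "allow" or "deny"

@dataclass
class Template:
    name: str
    version: Version
    effective: date
    rules: List[Rule]

@dataclass
class RuleException:
    rule_id: str
    actor: str
    justification: str
    sunset: date       # temporary exception lapses after this date

    def active(self, today: date) -> bool:
        return today <= self.sunset

class Library:
    """Versioned substrate: minor/patch refreshes serve at once; a new major
    version is withheld from runtime gates until the operator acknowledges it."""
    def __init__(self) -> None:
        self._versions: Dict[str, List[Template]] = {}
        self._acked: Dict[str, int] = {}

    def publish(self, t: Template) -> None:
        self._versions.setdefault(t.name, []).append(t)
        self._versions[t.name].sort(key=lambda x: x.version)
        self._acked.setdefault(t.name, t.version[0])  # first load counts as acknowledged

    def acknowledge(self, name: str, major: int) -> None:
        self._acked[name] = major

    def active(self, name: str) -> Template:
        return [t for t in self._versions[name] if t.version[0] <= self._acked[name]][-1]

def evaluate(lib: Library, loaded: List[str], overlay: List[Rule], policy: str,
             exceptions: List[RuleException], jurisdiction: str, claim: str,
             today: date) -> Tuple[str, List[str]]:
    """Merge loaded templates plus the operator overlay for one claim in one
    jurisdiction; cross-template conflicts resolve by policy. Returns
    (verdict, audit trail). Unknown policies fail closed to "deny"."""
    excepted = {e.rule_id for e in exceptions if e.active(today)}
    scope = ("federal", jurisdiction)
    hits = [(n, r) for n in loaded for r in lib.active(n).rules
            if r.claim == claim and r.jurisdiction in scope]
    hits += [("operator-overlay", r) for r in overlay  # layered on top; substrate untouched
             if r.claim == claim and r.jurisdiction in scope]
    trail = [f"{n}:{r.rule_id}:{r.verdict}" + (" (excepted)" if r.rule_id in excepted else "")
             for n, r in hits]
    live = [(n, r) for n, r in hits if r.rule_id not in excepted]
    if not live:
        return "review", trail  # coverage gap: nothing governs this claim here
    if all(r.verdict == "allow" for _, r in live):
        return "allow", trail
    if not any(r.verdict == "deny" and r.severity == "hard" for _, r in live):
        return "deny", trail    # only the operator's own soft policy objects
    if policy == "most_restrictive":
        return "deny", trail
    if policy.startswith("priority:"):  # e.g. "priority:fda-wellness"
        ranked = [r for n, r in live if n == policy[9:] and r.severity == "hard"]
        if ranked:
            return ranked[-1].verdict, trail
    return "deny", trail

def build_fixture() -> Tuple[Library, List[str], List[Rule]]:
    """Two constructed substrate templates plus one operator overlay rule."""
    lib = Library()
    lib.publish(Template("fda-wellness", (1, 0, 0), date(2025, 1, 1), [Rule(
        "FW-1", "hard", "constructed placeholder citation", "federal", "supports-sleep", "allow")]))
    lib.publish(Template("cannabis-ca", (1, 0, 0), date(2025, 1, 1), [Rule(
        "CA-1", "hard", "constructed placeholder citation", "CA", "supports-sleep", "deny")]))
    overlay = [Rule("OP-1", "soft", "operator brand policy (constructed)",
                    "federal", "clinically-proven", "deny")]
    return lib, ["fda-wellness", "cannabis-ca"], overlay

if __name__ == "__main__":
    lib, loaded, overlay = build_fixture()
    print(evaluate(lib, loaded, overlay, "most_restrictive", [], "CA", "supports-sleep", date(2025, 6, 1)))
```

Three design choices worth noting. An overlay rule can only add restrictions: a hard substrate deny is never overridden by the operator layer, only by a tracked exception, and that exception stops counting the day after its sunset without anyone editing the rule. A claim that no loaded rule governs returns "review" rather than "allow", which is the point at which the coverage alert of step 11 belongs. And a major version published into the library is invisible to evaluate() until acknowledge() is called, so the audit trail can show exactly which version decided each verdict.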

Frequently asked

What is a compliance checklist?

A compliance checklist is a structured list of regulatory and policy requirements the operator must satisfy to operate compliantly. The category includes framework-specific checklists (SOC 2 Type II for service organizations, ISO 27001 for information security, HIPAA Security Rule for healthcare, PCI-DSS for payment) and operator-specific checklists derived from the operator vertical mix and jurisdiction footprint. Audit-readiness platforms (Vanta, Drata, SecureFrame, Sprinto, Hyperproof, Onspring, LogicGate, OneTrust GRC) ship pre-built checklists for the security and audit frameworks they cover. The per-vertical operator-specific overlay templates that span HIPAA medical plus FDA wellness plus FINRA financial plus cannabis state-by-state plus GDPR plus CCPA plus ADA plus WCAG plus franchise-disclosure for multi-vertical operators are operator-side architecture.

Why do generic compliance checklists fail multi-vertical operators?

A multi-vertical operator running locations across healthcare plus wellness plus cannabis plus financial services faces overlapping regulatory regimes. Vanta + Drata + SecureFrame + Sprinto ship excellent SOC 2 plus ISO 27001 plus HIPAA Security Rule checklists. They do not ship cannabis state-by-state product-claim checklists. They do not ship FDA wellness-claim substantiation checklists. They do not ship FINRA broker-dealer disclosure checklists. They do not ship franchise-disclosure pre-sale checklists. Building these from scratch per vertical takes 6-12 months and ongoing maintenance against regulatory updates. Pre-built per-vertical overlay templates accelerate the operator onboarding from months to weeks.

How is this different from Vanta, Drata, SecureFrame, Sprinto, Hyperproof, Onspring, LogicGate, or OneTrust GRC?

Those platforms ship the audit-readiness primitive for security and audit frameworks (SOC 2 Type II, ISO 27001, HIPAA Security Rule, PCI-DSS, GDPR, CCPA general framework). They are excellent at the framework-readiness layer for the frameworks they cover. The per-vertical operator-specific overlay templates that go deeper than framework-level into specific operator-vertical rule libraries (HIPAA Privacy Rule plus FDA wellness-claim substantiation plus FINRA broker-dealer disclosure plus cannabis-California product-claim rules plus cannabis-New York labeling plus ADA Title III digital plus WCAG 2.2 Level AA plus FTC Franchise Rule), the maintenance pipeline that ingests regulatory updates and propagates them across the templates, the integration with the runtime compliance gates across the AI-agent fleet, and the operator-specific customization on top of the templates are architecture above the audit-readiness primitive.

How does the 6-axis compliance-overlay-manager pipeline work?

The compliance-overlay-manager agent is the densest agent in the broader Completions arc at six skills. Monitor (regulatory-change-monitoring tracks upstream regulatory publication sources). Extract (rule-extraction-from-source-docs parses source regulatory documents into structured rules). Pre-filter (pre-filter-deterministic-gates runs cheap regex checks first to filter obvious violations). Score (llm-semantic-compliance-scoring runs expensive LLM evaluation on outputs that pass pre-filter). Route (borderline-routing handles gray-zone outputs that score borderline). Library (this skill — pre-built per-vertical overlay templates that operators can drop in vs build from scratch). The Library axis sits alongside the runtime pipeline as the packaged-knowledge layer that accelerates operator onboarding for new verticals and new jurisdictions.

What per-vertical overlay templates ship pre-built?

HIPAA Privacy Rule plus Security Rule plus Breach Notification Rule. FDA Title 21 covering cosmetics + wellness + supplements + OTC + medical devices + food. FINRA broker-dealer disclosure plus SEC investment-adviser. Cannabis state-by-state (currently 38 states with cannabis-legal regulatory regimes spanning recreational + medical + hemp). State-by-state alcohol regulation. State-by-state insurance regulation. GDPR + UK GDPR + Brazil LGPD + India DPDP. CCPA + CPRA + state-by-state US privacy laws. ADA Title III digital plus WCAG 2.2 Level AA. FTC Franchise Rule plus the 14 franchise-registration states. SOC 2 Type II + ISO 27001 + PCI-DSS + NIST CSF as security baseline. Each template is structured rules with severity classification + source citation + version history + per-jurisdiction variant set.

How do you handle multi-vertical operator onboarding using the templates?

A new multi-vertical operator onboarding (cannabis + healthcare + financial services + retail) loads the relevant per-vertical templates as a starting point. The HIPAA templates load for the healthcare locations. The cannabis-per-state templates load for the cannabis dispensaries operating in their target states. The FINRA templates load for the financial-services cross-sell. The CCPA + GDPR templates load for the customer-data side. The franchise-disclosure templates load for the franchise-development side. The operator team customizes the loaded templates with operator-specific overlays (per-banner brand-voice rules, per-franchisee customization, per-banner regulated-claim allowlists). The customization sits on top of the maintained template substrate; the substrate refreshes through the maintenance pipeline as regulations update.

Hire the agent that owns the rule-library substrate

The compliance-overlay-manager agent is the densest agent in the broader Completions architecture — 6-skill same-agent bundle on Monitor + Extract + Pre-filter + Score + Route + Library — sitting on top of whichever audit-readiness platform (Vanta, Drata, SecureFrame, Sprinto, Hyperproof, Onspring, LogicGate, OneTrust GRC), vertical-specific platform (Compliancy Group, Accountable HQ, Veeva Vault, MasterControl, ComplianceQuest), or enterprise GRC (Tugboat Logic, AuditBoard, MetricStream, Diligent ACL) you license downstream. Pre-built per-vertical overlay templates for HIPAA + FDA + FINRA + cannabis-state + GDPR + CCPA + ADA + FTC Franchise Rule + SOC 2 + ISO 27001 + PCI-DSS, maintenance pipeline through the Monitor + Extract axes, runtime-gate consumption across the broader agent fleet, operator-specific customization layer, exception tracking, regulator-grade audit trail.

We scope on the call and send a private checkout link after.

Related reading: Cross-agent compliance overlay · Per-vertical data validation · Product compliance (catalog)