Policy Query Language for AI-First Governance
WYCIWYGβ’ - What You Compile Is What You Governβ’
Founded in June 2025, OpenPQL is building the world's first governance compiler. This repository contains PQL code examples and language documentation - the compiler is proprietary technology protected by 57 USPTO filings.
OpenPQL embodies a new paradigm for building AI-powered systems. These principles guided our architecture:
Express what you want, not how to build it.
Traditional Approach:
# Imperative: Tell the system HOW to do it
if customer.tier == "enterprise" and risk_score > 0.8:
provider = AnthropicProvider()
response = provider.complete(model="claude-sonnet-4", temp=0.3)
log_decision(response)
return responseAI-First (PQL):
# Declarative: Tell the system WHAT you want
WHEN customer.tier == "enterprise" AND risk_score > 0.8 THEN {
provider: "anthropic",
model: "claude-sonnet-4",
explainability: "required",
compliance_mode: "strict"
}
The runtime handles HOW. You specify WHAT.
Orchestrate AI providers, models, and workflows through declarations, not code.
INTENT fraud_detection {
triggers: ["transaction_analysis"],
context: [transactions, customer_profiles, fraud_patterns],
conditions: {
# Ensemble for high-risk
WHEN amount > 10000 AND location != customer.home THEN
provider: "ensemble"
models: ["claude-sonnet-4", "gpt-4-turbo"]
consensus_required: true
# Fast path for normal transactions
DEFAULT
provider: "anthropic"
model: "claude-haiku"
}
}
No SDK calls. No API wrappers. Pure business logic.
The system adapts to changing conditions without code changes.
INTENT adaptive_routing {
triggers: ["ai_request"],
context: [provider_metrics, cost_tracking, audit_status],
conditions: {
# Fallback when provider is slow
WHEN provider_latency > 2000ms THEN {
action: "fallback",
target_model: "faster_model",
reason: "latency_threshold_exceeded"
}
# Cost optimization
WHEN cost_per_request > 0.05 THEN {
optimization_mode: "cost_over_speed",
budget_alert: true
}
# Audit mode activation
WHEN compliance_audit_active == true THEN {
logging: "comprehensive",
explainability: "mandatory",
retention: "extended"
}
}
}
Conditions trigger adaptations. The runtime synchronizes state automatically.
Reuse governance patterns across use cases by composing INTENT logic.
# Base pattern for high-risk assessments
INTENT high_risk_assessment {
triggers: ["risk_evaluation"],
context: [risk_score, assessment_type],
conditions: {
WHEN risk_score > 0.7 THEN {
provider: "anthropic",
model: "claude-sonnet-4",
explainability: "detailed",
audit_level: "comprehensive"
}
}
}
# Compose for specific domains
INTENT credit_risk_assessment {
triggers: ["credit_decision"],
context: [credit_score, loan_amount, applicant_history],
conditions: {
# High-stakes decisions use premium models
WHEN credit_score < 650 AND loan_amount > 100000 THEN {
provider: "openai",
model: "gpt-4-turbo",
explainability: "required",
compliance_framework: "fair_lending"
}
# Standard decisions use efficient models
DEFAULT {
provider: "anthropic",
model: "claude-haiku"
}
}
}
Patterns adapt across domains. No code duplication.
Route requests based on context, not hardcoded logic.
INTENT customer_service {
context: [customer_profile, ticket_history, product_usage],
conditions: {
# VIP customers β premium model
WHEN customer.lifetime_value > 100000 THEN
provider: "anthropic"
model: "claude-opus"
sla: "1_minute"
# Technical issues β specialized model
WHEN ticket.category == "technical" THEN
provider: "openai"
model: "gpt-4-turbo"
knowledge_base: "technical_docs"
DEFAULT
provider: "anthropic"
model: "claude-haiku"
}
}
Context drives decisions. No if/else pyramids.
Every AI decision is traceable, auditable, and explainable.
MONITOR ai_operations {
metrics: [
"response_time",
"accuracy_score",
"cost_per_request",
"compliance_violations"
],
alerts: {
accuracy_score < 0.95: escalate("ai_team"),
compliance_violations > 0: escalate("legal_team")
},
audit_trail: {
every_request: true,
retention: "7_years",
immutable: "blockchain_anchored"
}
}
Observability is declarative, not bolted on.
Start simple. Add sophistication as needed.
# V1: Basic routing
INTENT analyze_contract {
DEFAULT
provider: "anthropic"
model: "claude-haiku"
}
# V2: Add risk-based routing
INTENT analyze_contract {
WHEN contract_value > 1000000 THEN
provider: "anthropic"
model: "claude-sonnet-4"
DEFAULT
provider: "anthropic"
model: "claude-haiku"
}
# V3: Add ensemble for critical decisions
INTENT analyze_contract {
WHEN contract_value > 1000000 THEN
provider: "ensemble"
models: ["claude-sonnet-4", "gpt-4-turbo"]
consensus_required: true
DEFAULT
provider: "anthropic"
model: "claude-haiku"
}
Each version is production-ready. No rewrites.
Traditional governance tools make unrealistic promises.
Many GRC vendors advertise "3-click compliance" and "configuration-based governance." But effective governance requires precision: mathematical correctness, cryptographic proof, and regulatory auditability.
OpenPQL takes a different approachβgovernance is compiled, not configured. We treat compliance as code, bringing the rigor of software engineering to regulatory requirements.
TypeScript published their language specification publicly while keeping the compiler proprietary initially. This strategy:
- β Built massive developer adoption
- β Established the language standard
- β Protected core IP (compiler implementation)
- β Enabled ecosystem growth
We're following the same playbook. PQL syntax is open. The 5-stage compilation pipeline (Lexer β Parser β Semantic β ExecIR β Artifacts) and Ξ©-SGK routing algorithms remain our moat.
- π Quick Start Guide - Get started in 5 minutes
- π Complete Language Reference - Enterprise user's guide (50+ pages)
- π PQL Syntax Guide - Essential syntax patterns
- π€ Contributing - Add your regulation examples
EU AI Act - Articles 5-85
- β Prohibited Practices Detection (Article 6)
- β Risk Management Systems (Article 9)
- β Data Governance (Article 10)
- β Transparency Requirements (Article 13)
- β Human Oversight (Article 14)
- β Robustness & Accuracy (Article 15)
GDPR - All 99 Articles
- β Consent Management (Article 6)
- β Right to Erasure (Article 17)
- β Data Portability (Article 20)
- β Privacy by Design (Article 25)
HIPAA - Privacy & Security Rules
- β PHI Access Controls
- β Minimum Necessary Rule
- β Breach Notification Requirements
Basel III / AML - Financial Compliance
- β Customer Risk Assessment (CDD/KYC)
- β Transaction Monitoring (AML-396)
- β Sanctions Screening (OFAC)
# Detect manipulation techniques in AI systems
INTENT detect_prohibited_practices {
triggers: ["ai_system_execution"],
context: [ai_output, user_profile],
conditions: {
# Article 6(1)(a) - Subliminal manipulation
WHEN manipulation_score > 0.7 THEN {
prohibited_practice_type: "subliminal_manipulation",
article_reference: "6_1_a",
risk_level: "critical",
compliance_action: "block_immediately"
}
# Article 6(1)(b) - Exploitation of vulnerabilities
WHEN user.age < 18 AND psychological_pressure_detected == true THEN {
prohibited_practice_type: "child_exploitation",
article_reference: "6_1_b",
risk_level: "critical",
compliance_action: "block_and_report"
}
}
}
This PQL compiles to:
- FastAPI governance microservice
- PostgreSQL audit schema
- Cryptographic evidence chains
- Real-time compliance dashboards
WHEN customer.country IN sanctions_list THEN
deny: "Sanctioned jurisdiction" WITH {
regulation: "OFAC",
severity: "blocking"
}
context: [customer_data, transaction_history, watchlist_screening]
requires: [gdpr_consent_check, hipaa_authorization, sox_audit_trail]
WHEN risk_detected THEN {
risk_type: "high_value_transfer",
risk_score: 0.85,
mitigation_required: true
}
- PQL Syntax Guide - Complete language reference
- PQL Best Practices - Production patterns
- Regulation Mapping - Law β PQL examples
These examples compile via the OpenPQL GovernFourβ’ Platform:
- β¨ / β© GovernOrβ’ - Policy compilation engine (PQL β ExecIR)
- β¨β‘β© GovernOpsβ’ - Runtime execution with Ξ©-SGK routing
- β¨πβ© GovernEyeβ’ - Audit evidence generation (AEaaS)
- β¨π¦β© GovernSHARKβ’ - Shift-left compliance validation
Compilation Performance:
- 0.6 seconds (PQL β production artifacts)
- ~80 artifacts generated per framework
- O(1) shard routing for million-transaction scale
Read the examples to understand how to express compliance policies as code.
The OpenPQL compiler is in private beta. Contact us for access:
- π Website
- π€ NISHKA AI Beta (AI-powered PQL generator)
- π§ Contact
For regulated enterprises (FinTech, HealthTech, AI platforms):
- Custom regulation libraries
- Dedicated compliance engineering
- On-premise deployment
- 24/7 support with SLAs
These examples are provided for educational purposes to demonstrate:
- How compliance policies can be expressed as compilable code
- The declarative nature of governance logic
- Multi-regulation orchestration patterns
They are NOT:
- A substitute for legal advice
- Complete compliance implementations
- Ready for production without review
Always consult qualified legal counsel for compliance decisions.
We welcome contributions of PQL examples for additional regulations:
- Fork this repository
- Add examples following our structure (see CONTRIBUTING.md)
- Submit a pull request
Note: This repo contains examples only. The OpenPQL compiler is closed-source.
Apache 2.0 License - See LICENSE
PQL Syntax: Open specification
OpenPQL Compiler: Proprietary (57 USPTO filings)
- π OpenPQL Website
- π€ NISHKA AI - AI-powered compliance code generation
- πΌ LinkedIn
- π¦ Twitter
- π§ Contact
If you find these examples useful, please star the repo to help others discover policy-as-code!
Built with precision. Compiled with confidence. Governed with cryptographic proof.
Β© 2025-2026 OpenPQL, Inc. Protected by 57 USPTO filings. Cincinnati, Ohio.