Monthly compliance digest from your AI pipeline

Most compliance work isn't a fire — it's a recurring obligation. Run the checks, format the result, send it to the people who need to see it, keep the record. The cost of doing it by hand isn't doing it; it's remembering to do it, and proving later that it was done.

A routine handles the recurring part and provides the audit trail by construction.

The setup

  • Skill. A Markdown skill that runs your standard compliance checks — PII scans across logs, access-review summaries, third-party-processor changes, AI-policy violations, retention-policy adherence. Outputs HTML with the checks, the findings, and a tidy summary at the top.
  • Report. A long-running Comma report — Monthly compliance digest — with role-based access so legal, security, and the board can read it but the wider company can't.
  • Cadence. Monthly on the first of the month (Free is enough for this cadence). Pro or Team if you want weekly previews.
  • Reviewers. Compliance lead, head of security, legal, board observer.

The shape, month by month

First of the month, 06:00 UTC. Routine fires. The compliance check runs. HTML revision lands on the digest report. Reviewers get notified.

First, 10:00. Security lead opens the link, selects the "third-party processors" section, and pins a comment: "new processor was added last week — has the DPA gone through legal review?"

Third. Legal replies inline, marks the thread resolved, attaches a reference to the signed DPA.

End of month. The board observer opens the report before the board meeting. The full history of comments, resolutions, and revisions is one URL — not a folder of PDFs.

First of next month, 06:00 UTC. New revision lands. Resolved comments stay attached to the previous revision in history. Open items carry forward. The audit trail compounds.

Why a routine + Comma report is the right shape

Compliance is one of the places where the artifact and the conversation about the artifact need to live together. A PDF attached to an email gives you the artifact but loses the conversation. A Slack thread gives you the conversation but loses the artifact. A wiki page gives you both — until someone edits the page and the snapshot of "what we believed in March" is gone.

A Comma routine produces a new revision per run; revisions are immutable in revision history. Comments attach to specific text or table cells inside the revision. The artifact and the discussion are both preserved, both linked, both replayable later.

Audit trail by construction

  • Per-routine run history. Every run logs success, failure, cost, and output diff.
  • Per-report revision history. Every revision is immutable; you can open any previous month.
  • Anchored comments. Tied to a specific revision and a specific text selection. Resolution state is preserved.
  • Scoped credential. The routine runs under a comma_sk_… token you control; revocation is one motion.
  • Role-based access. Compliance reports stay scoped to the people who should see them.

When a regulator or an auditor asks "show me your access reviews for Q1," the answer is a URL plus a date range, not a Slack archive search.

Cadence and cost

Monthly cadence fits the Free plan's floor — meaning the compliance digest can run forever at no charge against the Comma rail, as long as the underlying Bedrock cost stays under the $0.50 monthly cap.

Most monthly compliance digests cost cents per run unless they're doing heavy log analysis, in which case Pro or Team gives you the headroom (and BYO Bedrock keys on Team ships the cost directly to your AWS account where your tagging and budgets already apply).

Honest scope

This is the right shape for recurring compliance digests, monthly access reviews, AI-policy summaries, processor-change tracking, and retention audits.

It is not the right shape for:

  • Incident response. A real incident wants a real incident tool, not a monthly digest.
  • Continuous monitoring. A routine fires on a cadence; for always-on monitoring use a real monitoring system and let the routine summarize.
  • Document generation under regulatory deadlines. A routine is a fine draft tool; the final document still wants human sign-off.

Routines are for the obligation that recurs reliably and deserves an immutable audit trail without manual labor.

Setup

  1. Wrap the checks as a skill. Comma doesn't dictate the inside of the skill. It can call your existing compliance scripts, pull from your SIEM, summarize from your wiki, hit your processor list — whatever your stack does.
  2. Create the compliance report with the right access. Role-based access means viewers can't accidentally share outside the scope.
  3. Wire the routine. Monthly cadence. Cap defaults to plan.
  4. Subscribe the reviewers. They get one link, one place to comment, one place to look during board prep.
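Step 1 leaves the inside of the skill to you. As an added illustration (not Comma's code or API), here is a minimal Python skill body that runs two of the checks named above, a PII scan over constructed log lines and a retention check against a constructed policy, and emits the HTML the report expects with the summary first. The sample logs, policy, regex patterns and function names are all assumptions made for this example.

```python
import html
import re
from datetime import date

# Constructed sample log lines standing in for the logs a real skill would pull.
SAMPLE_LOGS = [
    "2024-03-02 INFO user login ok uid=4821",
    "2024-03-02 WARN support export sent to jane.doe@example.com",
    "2024-03-03 ERROR payment retry card=4111 1111 1111 1111",
]
# Constructed retention policy (days) and a snapshot of the oldest record per dataset.
RETENTION_POLICY = {"auth_logs": 365, "support_tickets": 730}
OLDEST_RECORD_DAYS = {"auth_logs": 120, "support_tickets": 800}
# Two illustrative PII patterns; a real scan would carry a fuller, tuned list.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def pii_scan(lines):
    """One finding per pattern hit. The match is masked to its first and last two
    characters so the digest itself never re-leaks the PII it found."""
    return [{"check": "pii_scan", "kind": kind, "where": f"line {n}",
             "value": m.group()[:2] + "..." + m.group()[-2:]}
            for n, line in enumerate(lines, 1)
            for kind, pat in PII_PATTERNS.items()
            for m in pat.finditer(line)]

def retention_check(policy, oldest):
    """Flag datasets whose oldest record outlives the retention limit."""
    return [{"check": "retention", "kind": "exceeds_policy", "where": d,
             "value": f"{oldest[d]}d > {limit}d"}
            for d, limit in policy.items() if oldest.get(d, 0) > limit]

def render_digest(findings, run_date):
    """Summary first, then one row per finding. Every cell is HTML-escaped because
    finding values come from logs, which anyone who can write a log line controls."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    summary = ", ".join(f"{c}: {n}" for c, n in sorted(counts.items())) or "no findings"
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(f[k]))}</td>"
                   for k in ("check", "kind", "where", "value")) + "</tr>" for f in findings)
    return (f"<h1>Compliance digest {html.escape(run_date)}</h1><p>{html.escape(summary)}</p>"
            "<table><tr><th>check</th><th>kind</th><th>where</th><th>value</th></tr>"
            f"{rows}</table>")

def run_skill(lines=SAMPLE_LOGS, run_date=date(2024, 4, 1)):
    """Entry point a routine would call: returns the findings and the HTML revision."""
    findings = pii_scan(lines) + retention_check(RETENTION_POLICY, OLDEST_RECORD_DAYS)
    return findings, render_digest(findings, run_date.isoformat())
```

The escaping in render_digest is the part worth keeping when you swap in your own checks: the digest is read by legal and the board, so log content must never reach that HTML unescaped.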

Try it

Create your first routine →