Entitlement Management

Regulatory compliance consistently enforced across multiple platforms

Compliance management is an unwelcome but unavoidable burden for many IT and business managers. The number of laws, regulations, standards and policies that organizations have to conform to is constantly growing, and the usual response, adding more reactive compliance auditing, does not offer a sustainable solution. Axiomatics products instead address the root cause: the inability of IT infrastructures to support a consistent implementation of policy-based authorization.

In many organizations the gap between actual compliance management capabilities and the requirements from jurisdictions affecting operations seems impossible to bridge.

However, rather than trying to balance an exploding overhead in governance, risk and compliance management (GRC), some organizations are addressing the source of the problem. To become compliant in a sustainable fashion, their IT infrastructures must support adaptive, real-time enforcement of policies derived from regulatory requirements.

The Swedish National Health Service's use of XACML and entitlement management in its systems to meet the Swedish Patient Data Act is a case in point.

This Act mandates a number of complex and detailed regulations, such as:

  • only personal data needed for the given purpose may be processed
  • staff members may only gain access to patient data if they participate in the care of the patient or need this information for other explicit purposes in their work within the medical care service
  • individuals are given the opportunity to block the dissemination of data about them within the health care services
  • in certain circumstances processing of personal data may occur even if the individual opposes it
  • processing of personal data beyond what is allowed by the Patient Data Act may be conducted, provided the individual has explicitly consented
  • sensitive personal data may not be used as search terms
  • etc.

These regulations need to be implemented consistently across all private and public organizations that process patient data within the jurisdiction of the legislation. To make this possible, a number of centralized base services have been deployed which in turn enable local XACML-based policy enforcement in all of the various IT systems that need to interoperate.

The mandates of this legislation have thus been "translated" into policies enabling policy enforcement within individual patient data processing applications.
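To show what such a "translation" looks like in practice, here is an added example of a small attribute-based policy decision point (PDP) that encodes several of the rules listed above as machine-evaluable policy. It is illustrative code written for this page, not the Swedish health service's implementation or any Axiomatics product; the attribute names (`role`, `care_team_of`, `opt_out`, `consented_purposes`, `emergency`), the purpose-to-field mapping and the sample requests are all assumptions. It mirrors the XACML model: independent rules each yield Permit, Deny or NotApplicable, a deny-overrides combining algorithm merges them, and a Permit carries an obligation (the field set the enforcement point must restrict the response to) implementing the "only data needed for the purpose" rule.

```python
"""Toy ABAC policy decision point (PDP) encoding Patient Data Act style rules.
Constructed example: attribute names, rules and sample data are assumptions,
not the Swedish implementation or any Axiomatics product code."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Tuple

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

@dataclass(frozen=True)
class Request:
    role: str                            # subject: "physician", "nurse", "researcher", ...
    care_team_of: FrozenSet[str]         # subject: patients this person helps care for
    unit: str                            # subject: care unit the person works in
    patient_id: str                      # resource
    record_unit: str                     # resource: care unit holding the record
    opt_out: bool                        # resource: patient blocked dissemination
    consented_purposes: FrozenSet[str]   # resource: purposes the patient explicitly consented to
    action: str                          # "read" or "search"
    purpose: str                         # "treatment", "billing", "research", ...
    search_terms: FrozenSet[str] = frozenset()
    emergency: bool = False              # environment: emergency care situation

CLINICAL_ROLES = frozenset({"physician", "nurse"})
STAFF_ROLES = CLINICAL_ROLES | {"billing_clerk", "medical_secretary"}
SENSITIVE_ATTRS = frozenset({"diagnosis", "hiv_status", "psychiatric_history"})
# Data minimisation: the fields each purpose may receive (assumed mapping).
FIELDS_FOR_PURPOSE: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"name", "personal_number", "diagnosis", "medication"}),
    "quality_assurance": frozenset({"diagnosis", "medication"}),
    "billing": frozenset({"name", "personal_number", "invoice_items"}),
    "research": frozenset({"diagnosis", "medication"}),
}
NA = Decision.NOT_APPLICABLE

def no_sensitive_search(r: Request) -> Decision:
    # Sensitive personal data may not be used as search terms.
    return Decision.DENY if r.action == "search" and r.search_terms & SENSITIVE_ATTRS else NA

def patient_blocked_dissemination(r: Request) -> Decision:
    # Patient blocked access from other units; consent or an emergency lifts the block.
    blocked = (r.opt_out and r.unit != r.record_unit and not r.emergency
               and r.purpose not in r.consented_purposes)
    return Decision.DENY if blocked else NA

def participates_in_care(r: Request) -> Decision:
    ok = r.role in CLINICAL_ROLES and r.patient_id in r.care_team_of and r.purpose == "treatment"
    return Decision.PERMIT if ok else NA

def explicit_work_purpose(r: Request) -> Decision:
    # Other explicit purposes in the staff member's work (assumed: QA and billing).
    ok = r.role in STAFF_ROLES and r.purpose in {"quality_assurance", "billing"}
    return Decision.PERMIT if ok else NA

def explicit_consent(r: Request) -> Decision:
    # Processing beyond the Act (e.g. research) is allowed with explicit consent.
    return Decision.PERMIT if r.purpose in r.consented_purposes else NA

def emergency_override(r: Request) -> Decision:
    # "In certain circumstances" processing may occur even if the patient opposes it.
    ok = r.emergency and r.role in CLINICAL_ROLES and r.purpose == "treatment"
    return Decision.PERMIT if ok else NA

POLICY: List[Callable[[Request], Decision]] = [no_sensitive_search, patient_blocked_dissemination,
    participates_in_care, explicit_work_purpose, explicit_consent, emergency_override]

def decide(r: Request) -> Tuple[Decision, FrozenSet[str]]:
    """Deny-overrides combining as in XACML: any Deny wins, then any Permit, else NotApplicable
    (which a fail-closed PEP treats as Deny). A Permit carries the permitted field set as an obligation."""
    results = {rule(r) for rule in POLICY}
    if Decision.DENY in results:
        return Decision.DENY, frozenset()
    if Decision.PERMIT in results:
        return Decision.PERMIT, FIELDS_FOR_PURPOSE.get(r.purpose, frozenset())
    return NA, frozenset()

def sample_decisions() -> Dict[str, Tuple[Decision, FrozenSet[str]]]:
    """Constructed requests about patient p1: record held by cardiology, patient
    has blocked dissemination but consented to research use of the record."""
    def req(role, unit, purpose, team=(), action="read", terms=(), emergency=False):
        return Request(role, frozenset(team), unit, "p1", "cardiology", True,
                       frozenset({"research"}), action, purpose, frozenset(terms), emergency)
    cases = {
        "care_team_treatment": req("physician", "cardiology", "treatment", team={"p1"}),
        "other_unit_blocked": req("physician", "oncology", "treatment"),
        "other_unit_emergency": req("physician", "oncology", "treatment", emergency=True),
        "research_with_consent": req("researcher", "university", "research"),
        "sensitive_search": req("nurse", "cardiology", "treatment", team={"p1"},
                                action="search", terms={"hiv_status"}),
        "no_matching_rule": req("physician", "cardiology", "curiosity", team={"p1"}),
    }
    return {name: decide(r) for name, r in cases.items()}

if __name__ == "__main__":
    for name, (decision, fields) in sample_decisions().items():
        print(f"{name:22s} {decision.value:14s} {sorted(fields)}")
```

Two design points matter more than the individual rules. First, the enforcement point must fail closed: a request that no rule covers (the "curiosity" case) comes back NotApplicable and must be refused, otherwise a gap in the policy becomes a gap in compliance. Second, the rules are independent and the combining algorithm resolves conflicts, so the nurse who is entitled to the record under the care-participation rule is still refused when the request uses a sensitive attribute as a search term; this is how the same policy text can be enforced identically in every application without each one re-implementing the legal reasoning.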

In a similar way, many other compliance regimes require a consistent translation of high-level directives into "machine-readable" language. Entitlement management solutions based on Attribute-Based Access Control (ABAC) and the XACML standard offer an efficient way to embed adaptive and proactive "policy-awareness" within IT systems: because XACML separates policy decision from policy enforcement, the same centrally managed policy can be enforced identically in every application, rather than each application re-implementing the rules and an ever-growing compliance auditing control framework being wrapped around them.

Health care is one example of a highly regulated market. However, the situation is similar in many other industries, including telecom, financial services and pharmaceuticals. A common problem in heavily regulated organizations is the inability of the organization's IT systems to "understand" the policy requirements. As a result, mitigating controls need to be implemented with costly manual procedures and a constant growth of the governance, risk and compliance management (GRC) overhead. For instance, in the aftermath of the Sarbanes-Oxley Act (SOX) a whole new industry of service and solution providers has emerged, and affected organizations have paid a substantial toll to achieve compliance. Yet, so far, the primary advances seem to have been in the field of surveillance, monitoring and auditing.

Axiomatics offers a new approach by embedding more "risk-intelligence" and proactive policy enforcement within the information systems where companies need to prove compliance.