Top-Level Mental Model for Regulated Knowledge Base
For HIPAA/SEC-type environments, the UI must surface access control, classification, retention, and auditability as first-class citizens - not hidden settings.
Primary Objects
Knowledge Items (Markdown Docs)
Each document has:
- Type - Policy, procedure, guideline, form, record
- Classification - Security/sensitivity level
- Lifecycle state - Draft, review, approved, obsolete
- Owner - Responsible party
- Retention - How long to keep and why
Collections/Spaces
Collections map to business domains, for example:
- "Clinical Protocols"
- "Policies"
- "Product Knowledge"
- "Risk Procedures"
- "KYC Playbooks"
Workflows
Structured processes for:
- Review and approval
- Periodic re-certification
- Legal hold management
- Attestation
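The document metadata above and the review/approval and legal-hold workflows can be enforced in code rather than left to convention. The following is an added example, not part of the original page: it models a knowledge item with the page's five fields, allows only the stated lifecycle transitions, requires a reviewer other than the owner to approve, records every transition in an audit trail, and refuses disposal while a legal hold is set. The retention clock starting on the obsolete date and the "PHI" classification label are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Lifecycle states from the page, and the transitions each state may take.
TRANSITIONS = {
    "draft": {"review"},
    "review": {"approved", "draft"},  # a reviewer can send it back
    "approved": {"obsolete"},
    "obsolete": set(),
}
# Minimum retention per regulation, in years, as given in the page's table.
RETENTION_YEARS = {"HIPAA": 6, "SEC 17a-4": 7}

@dataclass
class KnowledgeItem:
    path: str            # the Markdown file this metadata describes
    doc_type: str        # policy, procedure, guideline, form, record
    classification: str  # sensitivity label, e.g. "PHI" (assumed value)
    owner: str           # responsible party
    regulation: str      # which retention row applies
    state: str = "draft"
    obsoleted_on: Optional[date] = None
    legal_hold: bool = False
    audit: list = field(default_factory=list)  # append-only trail of changes

    def transition(self, new_state: str, actor: str, role: str, when: date) -> None:
        # Only the lifecycle edges listed above are permitted.
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not allowed")
        # Separation of duties: approval needs a reviewer who is not the owner.
        if new_state == "approved" and (role != "reviewer" or actor == self.owner):
            raise PermissionError("approval requires a reviewer other than the owner")
        self.audit.append((when.isoformat(), actor, role, self.state, new_state))
        if new_state == "obsolete":
            self.obsoleted_on = when  # assumption: retention clock starts here
        self.state = new_state

    def retain_until(self) -> Optional[date]:
        # Earliest date the record may be disposed of; None while still active.
        if self.obsoleted_on is None:
            return None
        target = self.obsoleted_on.year + RETENTION_YEARS[self.regulation]
        try:
            return self.obsoleted_on.replace(year=target)
        except ValueError:  # 29 Feb with no leap day in the target year
            return date(target, 3, 1)

    def disposable(self, today: date) -> bool:
        # A legal hold always overrides an expired retention period.
        until = self.retain_until()
        return not self.legal_hold and until is not None and today >= until
```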
Primary Views
My Work
Personal dashboard showing:
- Assigned tasks
- Reviews to complete
- Documents requiring attention
- Upcoming deadlines
Knowledge Explorer
Main content area:
- Search with filters
- Browse by hierarchy
- Smart folders
- Recent activity
Compliance & Governance
For compliance officers:
- Retention schedules
- Legal holds
- Audit trails
- Exception reports
Admin
System administration:
- Policies
- Roles and permissions
- Regulatory mappings
- Tenant configuration
Design Philosophy
Think of this as an enterprise knowledge console for regulated content: everything is Markdown under the hood, but users experience compliant search, review, and governance workflows tailored to healthcare/finance.
Regulatory Considerations
| Regulation | Key Requirements |
|---|---|
| HIPAA | PHI protection, access logging, 6-year retention |
| GDPR | Data subject rights, consent tracking, DPO access |
| SEC 17a-4 | WORM storage, 7-year retention, audit trails |
| FINRA 4511 | Books and records, supervisory procedures |