
2026-02-09
David Baus

Rethinking Corporate Management: CISPA-Funded Startup Makes Processes Visible and Controllable

From Digital Twins to AI-Driven Risk Forecasting: Xpect Integrates Transparency, Efficiency, and Compliance in a Single System

How can companies keep track of their processes, risks, and compliance all at once? How can they simulate changes early, instead of reacting only when problems arise? And how can AI help make decisions understandable and secure? Sophia Eastman, Chief Product Officer (CPO) of the CISPA-funded startup Xpect, explains in the interview how their platform provides companies with a digital operating system that maps processes, roles, risks, resources, and regulatory requirements in a connected digital twin. Unlike traditional providers, Xpect does not analyze processes in isolation but systematically links them with goals, controls, and compliance requirements. This creates not only a clear picture of how a company operates but also the ability to actively manage workflows, identify risks early, and simulate changes safely.

What is your vision at Xpect, and how do you differ from other providers in the field of process intelligence?

Our vision at Xpect is to create the operating system for corporate management. We want to enable organizations to understand their structures, processes, risks, resources, and regulatory requirements holistically, continuously monitor them, and manage them in a targeted way. To achieve this, we represent companies as a semantic digital twin that not only documents how processes are designed but also how they are actually executed.

The main difference from traditional process intelligence or process mining providers is that we do not view processes in isolation. Instead of relying solely on event logs or operational metrics, we systematically link processes with goals, roles, qualifications, risks, controls, and regulatory requirements. This results in a consistent overall picture that supports both operational management and governance, risk, and compliance (GRC) matters.

While many solutions create transparency, Xpect goes one step further: we allow the impact of changes—such as new regulations, organizational adjustments, or resource constraints—to be simulated and evaluated in advance. Compliance thus becomes a continuous, integrated part of corporate management rather than a reactive audit process.

Which technologies and AI methods do you use to align process models with real-world operations?

Xpect uses a hybrid AI approach that combines the strengths of modern generative AI with symbolic AI, formal logic, and knowledge graphs. At the core is a proprietary ontology that formally describes and relates key business concepts such as processes, roles, resources, risks, controls, and regulatory requirements.

On this basis, we use generative AI to extract knowledge from a wide range of sources—process documentation, internal documents, audit records, or even videos and interviews. Crucially, this extraction is always guided by the ontology, so the AI knows what to look for and integrates new information directly into existing structures.

The alignment of modeled processes with regulations is then performed using logic-based inference methods, allowing us to identify rule violations or missing information. This combination keeps AI usage explainable, transparent, and suitable for sensitive applications such as audits or GRC.
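As an added illustration of the pattern described in this answer (an ontology that constrains what may be stored, a knowledge graph holding the extracted facts, and logic rules that flag violations and missing information while recording which rule and which facts produced each result), here is a small self-contained example. It is example code written for this page, not Xpect's software or ontology; the class names, predicates, the three rules and the vendor-payment sample data are all constructed assumptions.

```python
"""Added example (not Xpect's code): an ontology-guided knowledge graph with
rule-based inference over it. Every finding carries the rule that fired and the
triples it was derived from, so results stay traceable rather than a black box."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed mini-ontology (an assumption, not Xpect's): for each class, the
# predicates it may carry and the class the object must have. Extraction that
# respects this is "ontology-guided": an unknown predicate or a class mismatch
# is rejected and logged instead of silently entering the graph.
ONTOLOGY = {
    "Process": {"executedBy": "Role", "approvedBy": "Role", "hasRisk": "Risk"},
    "Risk": {"mitigatedBy": "Control"},
    "Control": {"ownedBy": "Role", "requiresQualification": "Qualification"},
    "Role": {"hasQualification": "Qualification"},
    "Qualification": {},
}


@dataclass(frozen=True)
class Finding:
    rule: str          # identifier of the rule that fired
    subject: str       # entity the finding is about
    message: str
    evidence: tuple    # the (s, p, o) triples the finding was derived from


class KnowledgeGraph:
    def __init__(self, ontology=ONTOLOGY):
        self.ontology = ontology
        self.types = {}                  # entity -> class
        self.out = defaultdict(set)      # (subject, predicate) -> objects
        self.rejected = []               # (triple, reason) for audit of the extraction step

    def declare(self, entity, cls):
        if cls not in self.ontology:
            raise ValueError(f"unknown class {cls}")
        self.types[entity] = cls

    def add(self, s, p, o):
        """Store (s, p, o) only if the ontology permits it; otherwise record why not."""
        allowed = self.ontology.get(self.types.get(s), {})
        if p not in allowed:
            self.rejected.append(((s, p, o), f"{p} is not defined for {self.types.get(s)}"))
            return False
        if self.types.get(o) != allowed[p]:
            self.rejected.append(((s, p, o), f"object of {p} must be a {allowed[p]}"))
            return False
        self.out[(s, p)].add(o)
        return True

    def objects(self, s, p):
        return self.out.get((s, p), set())

    def of_type(self, cls):
        return sorted(e for e, c in self.types.items() if c == cls)


def rule_risk_mitigated(kg):
    """R1: every risk attached to a process needs at least one mitigating control."""
    return [Finding("R1-risk-without-control", risk,
                    f"{risk} (from {proc}) has no mitigating control",
                    ((proc, "hasRisk", risk),))
            for proc in kg.of_type("Process")
            for risk in sorted(kg.objects(proc, "hasRisk"))
            if not kg.objects(risk, "mitigatedBy")]


def rule_control_owner_qualified(kg):
    """R2: a control's owner must hold every qualification the control requires.
    A control with no owner at all is reported as missing information."""
    findings = []
    for ctrl in kg.of_type("Control"):
        owners = kg.objects(ctrl, "ownedBy")
        if not owners:
            findings.append(Finding("R2-control-without-owner", ctrl, f"{ctrl} has no owner", ()))
            continue
        for owner in sorted(owners):
            for q in sorted(kg.objects(ctrl, "requiresQualification")):
                if q not in kg.objects(owner, "hasQualification"):
                    findings.append(Finding("R2-unqualified-owner", ctrl,
                                            f"{owner} owns {ctrl} but lacks {q}",
                                            ((ctrl, "ownedBy", owner), (ctrl, "requiresQualification", q))))
    return findings


def rule_segregation_of_duties(kg):
    """R3: the role that executes a process must not also approve it."""
    return [Finding("R3-segregation-of-duties", proc,
                    f"{role} both executes and approves {proc}",
                    ((proc, "executedBy", role), (proc, "approvedBy", role)))
            for proc in kg.of_type("Process")
            for role in sorted(kg.objects(proc, "executedBy") & kg.objects(proc, "approvedBy"))]


RULES = (rule_risk_mitigated, rule_control_owner_qualified, rule_segregation_of_duties)


def check(kg):
    """Run every rule over the graph and return all findings."""
    return [f for rule in RULES for f in rule(kg)]


def build_sample_graph():
    """Constructed sample data for a vendor-payment process; not from any real company."""
    kg = KnowledgeGraph()
    for entity, cls in [("VendorPayment", "Process"), ("Clerk", "Role"), ("Controller", "Role"),
                        ("DuplicatePayment", "Risk"), ("Fraud", "Risk"),
                        ("FourEyesApproval", "Control"), ("AuditTraining", "Qualification")]:
        kg.declare(entity, cls)
    kg.add("VendorPayment", "executedBy", "Clerk")
    kg.add("VendorPayment", "approvedBy", "Clerk")                 # same role approves: R3
    kg.add("VendorPayment", "hasRisk", "DuplicatePayment")
    kg.add("VendorPayment", "hasRisk", "Fraud")                    # never mitigated: R1
    kg.add("DuplicatePayment", "mitigatedBy", "FourEyesApproval")
    kg.add("FourEyesApproval", "ownedBy", "Controller")
    kg.add("FourEyesApproval", "requiresQualification", "AuditTraining")  # owner lacks it: R2
    kg.add("Clerk", "mitigatedBy", "FourEyesApproval")             # not in ontology: rejected
    return kg


if __name__ == "__main__":
    graph = build_sample_graph()
    for finding in check(graph):
        print(finding.rule, "|", finding.message, "| evidence:", finding.evidence)
    for triple, reason in graph.rejected:
        print("rejected during extraction:", triple, "|", reason)
```

Running the sample yields three findings (one per rule), each pointing at the exact triples behind it, plus one triple the ontology refused to store. That rejection log is what makes extraction auditable, and the evidence tuples are what let a reviewer walk from a reported violation back to the underlying facts.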

Can you give an example of how companies have achieved tangible improvements like efficiency gains or cost savings through your approach?

A concrete example is XactAudit, a solution based on Xpect technology for risk-oriented financial statement audits, used among others by the auditing firm Dornbach. There, XactAudit improves audit planning and execution efficiency by up to 30%.

The added value comes from systematically linking processes, risks, controls, and audit procedures. XactAudit automates complex dependencies arising from ISA [DE] 315 and ensures a continuous, traceable “red thread” throughout the audit strategy. Auditors can focus more on key risks and audit areas while reducing unnecessary or redundant tasks.

In addition to time savings, users benefit from significantly improved documentation quality and transparency. Risks, controls, and decisions are always traceable, which enhances not only efficiency but also overall audit quality.

What obstacles do you encounter when implementing your solution in companies, whether technical, organizational, or cultural?

Technically, we often encounter heterogeneous and incomplete data landscapes as well as historically grown, inconsistent process documentation. Organizationally, knowledge and responsibilities are often siloed across departments, compliance, IT, and management.

Culturally, there is some skepticism toward AI, especially in GRC and audit contexts, when decisions are not easily explainable. Our approach addresses this by enabling incremental adoption with template-based data collection, providing measurable benefits early on. At the same time, human oversight remains in place, as all results are explainable and verifiable.

How do you ensure sensitive corporate data remains protected while maintaining the traceability of your results?

Protecting sensitive corporate data is a core requirement for us, especially in highly regulated areas like compliance, audit, and risk management. Therefore, Xpect is designed as a fully on-premise solution. The software can be operated entirely on the customer’s infrastructure—on their hardware or in a private cloud. Data never leaves the company or is shared with external parties.

This architecture ensures that all compliance-relevant information remains where it belongs: with the company. In regulated environments, this is a decisive advantage over many cloud-based AI solutions, where data is at least temporarily processed externally. Customers thus retain maximum control, data sovereignty, and adherence to internal and regulatory data protection requirements.

At the same time, we place great emphasis on the explainability and traceability of our results. AI is not used as a black box but is always embedded in a structured knowledge graph and formal logic. Analyses, risk assessments, and recommendations can be traced back to specific rules, process relationships, and underlying information at any time—building trust and acceptance in sensitive corporate environments.

How flexible is your solution for different company sizes and industries, and how easily can it be adapted?

The Xpect platform is deliberately scalable and industry-agnostic. Small and medium-sized companies can start with simple process models or preconfigured templates to quickly gain transparency. Larger organizations can gradually build the knowledge graph into a full digital twin, mapping complex structures and international requirements.

Industry-specific nuances can be integrated via domain-specific ontology extensions, process and risk templates, and configurable rules. This keeps the core platform stable while remaining adaptable to different contexts.

How does your collaboration with the CISPA Helmholtz Center for Information Security benefit you, for example through research, methods, or networks?

The collaboration is primarily strategic and network-based. It strengthens our position in trustworthy, explainable, and secure AI, enabling exchange with leading players from research, deep tech, and the public sector.

For applications where security, reliability, and governance are critical, this environment is invaluable. It supports our goal of deploying AI not only powerfully but responsibly and practically.

What are your next steps, in product development, features, or market expansion?

In product development, we are focused on improving the extraction and structuring of knowledge in the knowledge graph. The goal is to make onboarding into Xpect easier and lower the adoption barrier for new customers. The faster relevant knowledge is structured, the sooner value is realized.

At the same time, we are strengthening sales this year with a newly established team, proactively promoting Xpect and solutions like XactAudit. This lays the foundation for further growth and the exploration of additional application areas.

More information about Xpect: xpect.ai