Enterprise-as-Code: Why a lawyer found what engineers missed
April 21, 2026
The enterprise AI stack was built by engineers, so it observes behaviour upward when the missing layer is normative and the instinct to compile rules before acting is legal, not engineering. This paper explains why no amount of observation will turn a context graph into the operome.
Several jurisdictions have experimented with automated legal decision-making: Brazil with rule-based judicial assistance for remote areas, Estonia with small-claims algorithms, China with smart courts. The backlash, where it occurred, was immediate and justified. A computer cannot weigh a single mother's circumstances against a landlord's contract rights. A computer cannot look at a defendant and decide that the letter of the law would produce an unjust result. Courts exist because human judgment has to operate on top of rules, and people understood this in their bones.
But the backlash conflated two things. Automating judgment is dangerous. Compiling the rules that judgment operates on is a different act. A judge opens the Penal Code before hearing the case. The code does not replace the judge. It tells the judge what the law says, so the judge can decide how to apply it. Without the code, the judge is guessing from memory and custom. With it, the judge has a foundation for reasoning.
I spent the last several years building a system that compiles the operational rules of entire organizations into structured, machine-enforceable models. Contracts, regulations, policies, procedures, compliance manuals. The complete logic of how a business operates, extracted from documentation and made executable. We call the output the operome.
The question I keep getting asked is: how did you see this? The honest answer is that I am a lawyer, and the entire AI infrastructure community is built by engineers. Engineers and lawyers think about rules in opposite directions.
The empirical ceiling
The AI infrastructure stack works in one direction: observe what systems do, capture the traces, find patterns, build models from the data. This is the engineering instinct and it runs through the entire field.
Process mining (for example what Celonis does1) watches enterprise workflows and maps what happened. Context graphs (Foundation Capital's thesis, now generating 50+ industry responses)2 capture agent decision traces to record why a decision was made and what precedent exists. Agent evals (the work Fabian Williams at Microsoft is doing with OpenClaw3) grade whether an agent's actions produced the intended result. Jack Dorsey, CEO of Block and Founder of Twitter, and Roelof Botha of Sequoia published "From Hierarchy to Intelligence",4 arguing that Block is replacing hierarchical coordination with a "company world model" built from observed artifacts: decisions, discussions, code, transactions. Their intelligence layer composes financial capabilities into customer solutions based on what the world model sees.
All of these are valuable. All of them share the same assumption: you start with behavior and work upward toward understanding. Dorsey and Botha describe four building blocks (capabilities, world model, intelligence layer, interfaces) and not one of them addresses where the rules come from. Their intelligence layer composes a loan. Who tells it the lending criteria? The rules governing that loan exist in regulation and policy documents and, most importantly, in the loan agreement itself. The world model cannot observe them into existence.
That assumption hits a ceiling when you meet an auditor.
I have been through regulatory examinations. SOC 2, ISO 27001, CSSF supervision. An auditor does not ask what your systems did last quarter. They ask: show me your controls. Show me the rules your systems are required to follow. Show me evidence that those rules are enforced. The distinction between "we tend to do it this way" and "here is the rule, here is the enforcement mechanism, here is the evidence" is the distinction between failing and passing. You cannot certify an observation. You certify a control.
The US Treasury published an AI risk framework earlier this year with 230 control objectives.5 97% of them require detection and response mechanisms that presuppose reproducible outputs. Only recently, US banking regulators issued SR 26-02, the revised guidance on model risk management that supersedes fifteen years of precedent under SR 11-7.6 Footnote 3 of the new guidance explicitly excludes generative and agentic AI from its scope, conceding that the framework which has governed model validation in regulated banking for fifteen years does not cover the systems enterprises are now deploying. Nonetheless, a banking organization’s risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered by SR 26-02. The EU AI Act requires explainability for high-risk decisions by August 2026.7 All three frameworks assume the same thing: that the same inputs produce the same decisions. Observed behavior cannot guarantee that. Encoded, enforced rules can.
Richard Tynan, who leads our commercial strategy, put it in one sentence: context graphs would not pass a SOC 2 audit, because they are observations, not controls.
The entire infrastructure ecosystem is building the richest possible record of what agents did. That record is useful. But no auditor in history has certified an organization based on it.
McKinsey's senior partners released their "AI transformation manifesto,"8 twelve themes they say separate companies successfully transforming with AI from those that are not. Theme 10, stated without qualification: "No trust, no right to deploy AI." That is the concession the establishment consulting view has now made. Trust is not a feature of AI systems. It is the precondition for deploying them at all.
What the manifesto does not answer is where trust comes from. McKinsey describes agentic engineering as the next capability to master and lists the work required: ingesting unstructured data, extending AI platforms with agentic capabilities, automating guardrails and controls. Each item is the description of a problem. None is a substrate. A substrate that reads the policy documents, compiles the rules into executable form, and enforces them before an agent acts is the architecture that produces the trust McKinsey names as the permission to deploy. Everything else is description.
The normative gap
Lawrence Lessig saw the principle two decades ago. His 1999 book "Code and Other Laws of Cyberspace"9 proposed that software architecture constrains behavior the same way legal systems do. Code determines what is permitted, what is blocked, what requires authorization. Lessig identified four regulators of human behavior: law, social norms, markets, and architecture. In cyberspace, architecture means code. And code, unlike law, does not punish violations after the fact. It prevents them before they happen. A door that requires a keycard does not fine you for entering without one. It stops you from entering.
That distinction is the one the AI infrastructure community has failed to implement. Lessig wrote that traditional law sets rules for behavior and punishes violations after the fact, but code can determine what people can or cannot do in the first place. The context graphs movement, the agent eval frameworks, the process mining platforms, all of them are building the after-the-fact layer. They record what happened and grade it afterward. Lessig's deeper insight, that code can enforce rules before execution, remains unbuilt in enterprise AI.
The operome is that missing implementation. It compiles the rules from source documentation and enforces them before an agent acts. Not after.
In 2025, researchers at the Institute for Law & AI published "Law-Following AI,"10 a paper that builds on Lessig's framework to argue that AI agents should be designed to follow applicable laws by architecture, not by instruction. Their argument: since AI agents are human-designed artifacts, we should design them to refuse to violate certain laws in the first place, rather than relying on post-hoc penalties. John Nay at Stanford has extended this into "Law Informs Code,"11 the project of using human law as the target for AI alignment. These scholars are building the theoretical bridge between Lessig's 1999 thesis and the operational reality of AI governance. SynapseLayer is building the infrastructure that makes their theory executable.
The gap between Lessig's principle and its implementation has persisted for 27 years because the people building AI infrastructure are engineers, not lawyers. Engineers read "code is law" and built systems that derive rules from observed behavior. They built the empirical version of Lessig's thesis. The normative version, compiling the actual written rules into executable code, requires a different instinct.
Engineers think in data. They observe, measure, and infer. Give an engineer a complex system and they will instrument it, capture data, and build a model of how it behaves. That model gets better as more data flows through it. This is how the field trains language models, builds recommendation engines, and designs agent evaluation frameworks. Observation is the foundational method.
A lawyer trained in the Austrian analytical tradition thinks in the opposite direction.
Hans Kelsen, working in Vienna in the early 20th century, proposed the Pure Theory of Law: a legal system is a hierarchical structure of norms where every lower rule derives its validity from a higher one.12 The constitution authorizes the legislature. The legislature passes statutes. Statutes authorize regulations. Regulations govern contracts. Contracts define obligations. Each layer derives its authority from the layer above it.
You do not learn the law by watching what people do in courtrooms. You read the statute. The statute is the source of truth. Court decisions are interpretive and secondary. Precedent matters, but it operates within a normative framework that exists before any case is heard.
The operome applies this structure to business. Operational rules derive from policies. Policies derive from contracts. Contracts derive from regulations. The hierarchy is normative. It flows downward from source documentation to executable logic. When SynapseLayer reads an organization's documents, it builds this hierarchy: every rule traced to its source paragraph, every variable mapped to its document of origin, every constraint auditable against the regulation or contract that created it.
An engineer would not build this system because the engineering instinct is to observe and infer. A lawyer sees the structure because that is how legal systems have worked since Empress Maria Theresia ordered Austria's civil code in 1753 (Codex Theresianus). Law is normative. It tells you what is permitted before you act. The AI infrastructure stack is empirical. It tells you what happened after the fact. The normative layer comes first, because you need the rules before you can evaluate whether anyone followed them. A context graph cannot implement business logic by design. It is a descriptive artefact, built from observed behaviour, and it answers one question: what happened here, and how did similar cases turn out. That is a useful question. It is not the question an auditor asks. A context graph that has observed a thousand renewals where the discount cap was bypassed will infer that the cap is fifteen percent when the documented cap is ten. The rule lives in the policy document. The graph lives in the exhaust of past decisions. The two are not the same artefact, and no amount of observation turns one into the other. The standard defence is that both are needed, the normative for the rules and the empirical for the reality. This is not quite right. Once the operome compiles the rules from the source documentation and the operational data maps against it, the operome is the single source of truth for how the business runs. The context graph becomes optional observation on top of the real structure, useful for analytics, not required for execution. It is not the complement of the operome. It is a partial, empirical version of what the operome does completely.
The diffusion bottleneck
Steven Sinofsky, who led Microsoft Office and Windows for two decades, made an observation in April 202613 that explains why the current wave of enterprise AI adoption is failing in a way that no engineering improvement can fix. He pointed out that algorithmic thinking is hard for the vast majority of people who hold jobs. If you ask someone to draw a flow chart for the work they do every day, they will fail. Within any organization, exactly one person typically understands a given process well enough to document it, and that person is rare. When you put an agent or a coworking tool in front of normal employees, they cannot tell it what to do because they cannot articulate what they themselves do. Sinofsky concluded that the AI revolution depends on a small number of highly skilled individuals who can stitch the toollets together, and the supply of such people is the binding constraint on enterprise adoption.
His diagnosis is exactly right. His implicit assumption is wrong, and the assumption is the same one that produces the empirical ceiling described above. He assumes that the rules governing operational work live in employees' heads and have to be extracted from there. The interview is the tool. The flow chart is the artifact. The skilled employee is the only viable source.
The rules are not in employees' heads. The rules are in the documents that already govern the employees' work. Insurance has policy wordings, underwriting guidelines, claims manuals, and regulatory filings. Banking has credit policies, KYC procedures, AML rules, and treasury operating manuals. Healthcare has clinical protocols, prior authorization criteria, billing guidelines, and formulary rules. Real estate has lease agreements, property management contracts, and jurisdictional regulations. These documents exist because regulators, auditors, lawyers, and senior management require them to exist. They are dense, structured, and often complete. The marketing manager who cannot draw a flow chart of her own process can still point at the brand guidelines, the campaign approval policy, the legal review requirements, and the budget authorization matrix. Those documents are her flow chart. She has never seen them compiled because nobody has ever compiled them.
The empirical approach to enterprise AI fails twice. It fails on the auditor side because observations cannot be certified. It fails on the deployment side because employees cannot describe what they do. Both failures share a single cause: the normative source is being ignored. The documents are the source of truth, both for what the rules are and for what the employees are supposed to be doing. Compile the documents and both failures dissolve. The auditor gets controls instead of observations. The employee gets tools that already know the rules instead of being asked to teach them.
Palantir's Forward Deployed Engineer model is the engineering response to Sinofsky's bottleneck. Palantir hires extremely smart people to sit inside customer organizations and translate operational knowledge into ontology structures. The model works for Palantir because they charge enough to support a large FDE workforce. It does not generalize because it depends on a human doing the translation, and the supply of FDE-quality humans is exactly the constraint Sinofsky identifies. SynapseLayer eliminates the FDE step by extracting from the documents directly. The documents already contain the structure. The human who would have done the translation is replaced by a compiler that reads the source.
This is the deepest reason the operome matters. It is not merely better infrastructure. It is the answer to a structural problem in enterprise AI that nobody else is addressing because everyone else has accepted the assumption that rules come from people.
Two Austrians
Peter Steinberger built PSPDFKit, a document SDK used across the industry. After selling it, he built OpenClaw, the open-source AI agent framework that became the fastest-growing repository in GitHub history: 196,000+ stars, Sam Altman's attention, and a role leading personal AI agents at OpenAI.
Steinberger built the hands. The framework that lets agents act in the world: call APIs, send messages, manage files, execute tasks.
I built fDesk, a regulated European debt capital markets platform that processed €600M+ in bond transactions. The platform runs on an operational model I compiled from capital markets documentation: ~7,000 variables, ~35,000 business rules across 10 functional domains, 99.98% accuracy across 100,068 validations, zero compliance violations.16
Steinberger comes from documents. I come from regulated operations. We arrived at the same boundary from opposite sides. Agents need to act, and agents need to know what is permitted. He built the acting. I built the knowing.
The Austrian connection is not incidental. Austria began compiling its civil code in 1753 under Empress Maria Theresia, half a century before Napoleon. The Josephinisches Gesetzbuch of 1787 was, as legal historian Wilhelm Brauneder put it, Europe's first codification of private law,14 enacted seventeen years before the Code Civil. Napoleon got the complete version done first because revolution gave him the political urgency that the Habsburgs lacked. But the instinct to compile scattered rules into unified, enforceable systems is Austrian before it is French.
The same culture formalized the Grundbuch, the property register. Austrian sovereigns documented property rights on lists from the 13th century. Maria Theresia created the first land registers in book form in 1770.15 The modern Grundbuch made land ownership authoritative and verifiable across the empire: who owns what, encumbered by which obligations, traceable to which transactions. The Grundbuch did for property what the ABGB (General civil code (German: Allgemeines bürgerliches Gesetzbuch or ABGB) is the Civil Code of Austria, which after about 40 years of preparatory work was published on 1 June 1811 and came into force on 1 January 1812) did for civil law: it took something complex, fragmented, and contested and made it structured, auditable, and enforceable. That same structural instinct, the conviction that you can formalize complex systems without destroying their purpose, produced Kelsen's Pure Theory, Lessig's "code is law," Steinberger's agent framework, and the operome.
Compiling rules empowers the people who use them
The Brazil objection matters and I respect it. People resist automated rules because they fear losing the human judgment that makes systems fair. A computer that sentences a defendant without considering circumstances is an injustice machine. Every critic who raised this alarm was correct.
But compiling rules is not automating judgment. The judge reads the Penal Code and then decides. The operome gives the decision-maker the complete rule set. The COO can look at it and say: "The rule requires board approval for this deal, but given these circumstances, I am making an exception, and here is my documented reasoning." That exception is now visible, auditable, and traceable. Without the operome, the exception is invisible because nobody knew the rule existed.
Napoleon's judges did not lose discretion when the Code Civil was published. They gained clarity about what they were exercising discretion over. A judge applying an unwritten custom is guessing. A judge interpreting a codified article is reasoning. The Code Civil made French judges more powerful, not less, because it gave them a shared foundation for their judgment.
India's codification tells the same story. Between 1860 and 1882, four Law Commissions compiled contract law, evidence law, commercial law, and civil procedure into a unified framework that connected India to the global English common law network. Independent India kept the entire codified structure because Indian legislators recognized that compilation served their purposes and connected them to the world. They modified the content over 160 years. They preserved the architecture. The structure empowered Indian governance and global commerce long after the political context of its creation had been rejected.
The executive who holds the operome gains the same advantage. The Chief Compliance Officer who can prove to a regulator that every AI decision is verified against the organization's complete rule set is the one who made the organization certifiable. The CIO who deployed agents with a deterministic control plane solved the trust problem that keeps every other CIO awake. The COO who answers "can we do this deal?" in seconds instead of days, traced to the exact governing clause, stops bringing opinions to meetings and starts bringing answers.
None of these people are replaced. Each one becomes the person who gave the organization something it never had: complete visibility into how it operates. That is a career-defining move, and the person who makes it will be the most valuable executive in any company that runs on AI agents.
The law before the log
The AI infrastructure community is building rich, sophisticated systems for recording what agents do. Context graphs capture decision traces. Agent evals grade action correctness. Process mining maps workflows. Whether any of this is sufficient on its own is the question the empirical stack has not answered.
But all of it is empirical. It works upward from observation. It answers "what happened?" and "did the agent do the right thing?" Those are important questions. They are also secondary.
The primary question is: what are the rules? Where do they come from? Are they enforced? Can you prove it? What is the right thing in the first place?
Lessig wrote in 1999 that code can determine what people can or cannot do in the first place. Twenty-seven years later, the enterprise AI stack still has not built that layer. The operome is the law the audit trail references. The law comes first, because you cannot evaluate whether someone followed the rules if the rules have never been compiled.
Maria Theresia understood this in 1753 when she ordered Austria's civil code. Napoleon understood it in 1804 when he compiled the Code Civil. Kelsen formalized the theory in Vienna a century later. Lessig translated the principle into the language of software architecture in 1999. The scholars at Stanford and the Institute for Law & AI are building the theoretical bridge to AI agents right now.
SynapseLayer is the implementation. The compiler that turns documented rules into executable operational logic. Built by a lawyer, because the normative instinct is a legal instinct. Validated in production, because theory without proof is philosophy.
Every company runs on rules. Some are statutes. Most are contracts, policies, procedures, and the commitments made to customers and counterparties. If an agent is going to act on the company’s behalf, it has to know the rules. That is not a compliance requirement. That is what acting on behalf of someone means.
Notes
1. Celonis Process Intelligence Platform. Celonis pioneered process mining and built it into the reference category for empirical workflow observation.
2. Jaya Gupta and Ashu Garg, “AI’s trillion-dollar opportunity: Context graphs,” Foundation Capital, December 2025. The thesis has generated extensive industry response throughout late 2025 and 2026.
3. Fabian Williams, Principal Product Manager at Microsoft (M365 DevX, Copilot) and OpenClaw maintainer. Active work on agent evaluation for Microsoft 365 and OpenClaw integration patterns.
4. Jack Dorsey and Roelof Botha, “From Hierarchy to Intelligence,” Sequoia Capital and Block, March 31, 2026.
5. Financial Services AI Risk Management Framework (FS AI RMF), Cyber Risk Institute with the U.S. Department of the Treasury and the Financial Services Sector Coordinating Council, February 19, 2026. The Risk and Control Matrix contains 230 control objectives mapped across the AI lifecycle.
6. Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation, Revised Guidance on Model Risk Management, SR 26-02, April 17, 2026, superseding SR 11-7 (April 4, 2011). Footnote 3 of the revised guidance expressly excludes generative AI and agentic AI models from its scope, noting that their novelty and rapid evolution place them outside the traditional model risk framework.
7. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act), Articles 13 (transparency and provision of information to deployers) and 86 (right to explanation of individual decision-making). High-risk obligations apply from 2 August 2026.
8. McKinsey & Company, “The AI transformation manifesto,” April 2026.
9. Lawrence Lessig, Code and Other Laws of Cyberspace (New York: Basic Books, 1999); revised as Code: Version 2.0 (New York: Basic Books, 2006). The four-modalities framework is also developed in Lawrence Lessig, “The New Chicago School,” 27 Journal of Legal Studies 661 (1998).
10. Cullen O’Keefe, Ketan Ramakrishnan, Janna Tay, and Christoph Winter, “Law-Following AI: Designing AI Agents to Obey Human Laws,” 94 Fordham Law Review 57 (2025).
11. John J. Nay, “Law Informs Code: A Legal Informatics Approach to Aligning Artificial Intelligence with Humans,” Northwestern Journal of Technology and Intellectual Property, vol. 20, 2023; preprint at arXiv:2209.13020 (December 2022).
12. Hans Kelsen, Reine Rechtslehre (Vienna: Franz Deuticke, 1934); 2nd ed. 1960. English translation by Max Knight, Pure Theory of Law (Berkeley: University of California Press, 1967). See also the Hans Kelsen Institut, Vienna.
13. Steven Sinofsky, in conversation with Aaron Levie and others, a16z podcast on AI agents, orchestration, and enterprise adoption, April 2026.
14. Wilhelm Brauneder, Österreichische Verfassungsgeschichte (Vienna: Manz), characterising the Josephinisches Gesetzbuch of 1787 as “Europas erste Privatrechtskodifikation.” The codification process began in 1753 under Maria Theresia with the Codex Theresianus and culminated in the Allgemeines bürgerliches Gesetzbuch (ABGB) of 1811.
15. On the history of the Austrian Grundbuch: medieval Austrian sovereigns documented property rights on Urbare from the 13th century. The first land registers in book form were created under Maria Theresia in 1770. The cadastral system for the Austrian crown lands was completed in 1861 and linked systematically to the Grundbuch from 1883. See Allgemeines Grundbuchsgesetz 1871, RGBl. 1871/95.
16. fDesk production data, NowCM Luxembourg S.A., CSSF-regulated platform, cumulative through April 2026. Author’s own data, available on request under appropriate confidentiality protections.
For a European critical reception of Lessig’s “code is law” thesis, see Markus Fallenböck and Johann Weitzer, “Digital Rights Management: Recent Legal and Technological Developments in the United States and Europe and Their Impact on Society,” International Journal of Communications Law and Policy, Issue 7 (Winter 2002/2003).
Robert Koller, CAIA, is the Founder and CEO of SynapseLayer, which builds automated ontology infrastructure that compiles operational rules from enterprise documentation. He is a securities lawyer qualified in three jurisdictions with 20+ years in capital markets, including a landmark European Court of Justice case (C-118/09 Koller). He built and operated a Luxembourg-regulated capital markets platform processing €600M+ in debt instruments.
rk@synapselayer.ai | synapselayer.ai