If you want an AI assistant to answer regulatory questions accurately, you have to solve one problem: the model has to reason over real, current data instead of its own memory. There are three ways teams try to do this. Understanding the difference between them, especially between RAG and MCP, is the difference between an assistant that guesses and one you can trust.

This article walks through the three approaches, then focuses on why the Model Context Protocol (MCP) plus a maintained regulatory data layer is the right fit for live regulatory work.

Approach 1: the model on its own

The baseline is to just ask the model. It answers from its training data. As covered in why AI hallucinates on regulatory questions, this fails for compliance: the data is frozen at the training cut-off, citations can be fabricated, and the model cannot tell a draft from a rule in force. No amount of prompting closes that gap, because the facts simply are not in reach. This approach is fine for general reasoning and unacceptable as a source of regulatory truth.

Approach 2: RAG (retrieval-augmented generation)

RAG was the first serious fix. Instead of relying on the model's memory, you retrieve relevant documents at question time and put them into the model's context, so it answers from those documents rather than from training data.

In practice, a RAG system: chunks a set of documents, turns them into vector embeddings, stores them in a vector database, finds the chunks most similar to the user's question, and feeds those chunks to the model. The model then composes an answer grounded in the retrieved text.

Strengths: answers are grounded in real documents, you can cite what was retrieved, and you control the corpus.

Limits for regulation:

  • It is only as good as your corpus. RAG retrieves from whatever you loaded. If your document set is incomplete, stale, or missing a jurisdiction, the answer inherits those gaps.
  • Freshness is your problem. Someone has to keep ingesting new regulatory publications, re-embedding them, and pruning outdated ones. For a fast-moving, multi-jurisdiction space, that is a continuous data-engineering job.
  • Status and structure are lost. Plain chunks of text rarely carry clean metadata for source, date, jurisdiction, and in-force status, the fields that make a regulatory answer defensible.
  • It is a build, not a connection. You are standing up and maintaining a pipeline before you get value.

RAG is a powerful pattern. The catch is that for regulation, doing it well means becoming a regulatory data company on the side.
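The "status and structure are lost" limit, as an added example that is not from the original article: a toy retriever over a constructed corpus, where ranking on text alone returns a superseded rule and ranking with a status filter returns the rule in force. The bag-of-words similarity stands in for a real embedding model, and every publisher, date and rule text is invented.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    text: str
    source: str
    published: str      # ISO date
    jurisdiction: str
    status: str         # "in_force", "draft" or "superseded"

# Constructed corpus: publishers, dates and rules are invented for illustration.
CORPUS = [
    Chunk("Firms must report incidents to the authority within 72 hours.",
          "Example Authority Notice 1", "2021-03-01", "EU", "superseded"),
    Chunk("Firms must report major incidents to the authority within 24 hours.",
          "Example Authority Notice 7", "2024-06-15", "EU", "in_force"),
    Chunk("Draft: firms must report incidents to the authority within 4 hours.",
          "Example Consultation Paper 3", "2025-01-10", "EU", "draft"),
]
QUESTION = "Within how many hours must firms report incidents to the authority?"

def vectorize(text):
    """Bag-of-words term counts, standing in for a real embedding model."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def retrieve(question, corpus, k=1, jurisdiction=None, status=None):
    """Rank chunks by similarity; the optional filters need metadata on every chunk."""
    q = vectorize(question)
    pool = [c for c in corpus
            if jurisdiction in (None, c.jurisdiction) and status in (None, c.status)]
    return sorted(pool, key=lambda c: cosine(q, vectorize(c.text)), reverse=True)[:k]

if __name__ == "__main__":
    text_only = retrieve(QUESTION, CORPUS)[0]
    filtered = retrieve(QUESTION, CORPUS, jurisdiction="EU", status="in_force")[0]
    print("text only  :", text_only.status, "|", text_only.text)
    print("with status:", filtered.status, "|", filtered.text)
```

The filter only works because each chunk was ingested with its status attached; a corpus of bare text chunks cannot be filtered this way after the fact.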

Approach 3: MCP (Model Context Protocol)

MCP is an open standard, originally from Anthropic, that lets an AI model connect to live external tools and data sources at the moment of the question. Instead of you pre-loading documents, the assistant calls a connected server, asks it for exactly what it needs, and gets back structured, current results.

The shift is subtle but important. With RAG, you build and maintain the retrieval layer. With MCP, you connect to one that is already maintained, and the agent itself decides when and how to query it. We cover the protocol in more depth in Model Context Protocol for regulatory intelligence.
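What a live query looks like on the wire, as an added example that is not from the original article or from any provider's code: the client sends a JSON-RPC 2.0 `tools/call` request and treats the server's reply as untrusted input, keeping only records that carry source, date, jurisdiction and an in-force status. The tool name `search_regulations`, its arguments and the record schema are hypothetical; the request and response are constructed.

```python
import json
from datetime import date

REQUIRED = ("source", "date", "jurisdiction", "status")

def build_tool_call(request_id, tool, arguments):
    """JSON-RPC 2.0 request for MCP's tools/call method."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}

def usable_records(request, response):
    """Return only records that carry full provenance and are in force."""
    if response.get("jsonrpc") != "2.0" or response.get("id") != request["id"]:
        raise ValueError("response does not match the request")
    if "error" in response:
        raise ValueError("protocol error: %s" % response["error"].get("message"))
    result = response["result"]
    if result.get("isError"):
        raise ValueError("tool execution failed")
    kept = []
    for item in result.get("content", []):
        if item.get("type") != "text":
            continue
        for rec in json.loads(item["text"]):  # assumed payload: JSON list of records
            if not all(isinstance(rec.get(f), str) and rec[f] for f in REQUIRED):
                continue                      # missing provenance: not citable
            try:
                date.fromisoformat(rec["date"])
            except ValueError:
                continue                      # unparseable date
            if rec["status"] == "in_force":
                kept.append(rec)
    return kept

# Constructed exchange: tool name, arguments and record schema are hypothetical.
REQUEST = build_tool_call(1, "search_regulations",
                          {"query": "incident reporting deadline", "jurisdiction": "EU"})
RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": {"isError": False, "content": [
    {"type": "text", "text": json.dumps([
        {"source": "Example Authority Notice 7", "date": "2024-06-15",
         "jurisdiction": "EU", "status": "in_force"},
        {"source": "Example Consultation Paper 3", "date": "2025-01-10",
         "jurisdiction": "EU", "status": "draft"},
        {"date": "2024-02-02", "jurisdiction": "EU", "status": "in_force"},
    ])}]}}

if __name__ == "__main__":
    print(json.dumps(REQUEST))
    print(usable_records(REQUEST, RESPONSE))
```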

RAG vs MCP for regulatory AI

| Dimension | RAG (build your own) | MCP (connect to a maintained layer) |
|---|---|---|
| Data freshness | Your job to keep ingesting and re-embedding | Maintained upstream, queried live |
| Coverage | Limited to the corpus you loaded | The full coverage of the connected source |
| Structure and status | Often lost in text chunks | Returned as structured fields (source, date, status) |
| Setup | Build and run a pipeline | Paste one configuration block |
| Who maintains it | You | The data provider |
| Best for | Your private internal documents | Live, authoritative external data like regulation |

The two are not mutually exclusive. RAG is excellent for your own internal documents, the policies and filings only you hold. MCP is the right tool for live, authoritative external data that you should not be re-hosting and re-validating yourself. Regulation is squarely the second case.

Why MCP plus a maintained layer wins for regulation

Building a regulatory RAG system means continuously sourcing hundreds of official publishers, normalizing wildly different formats, deduplicating, dating, version-tracking, and validating, before a single answer is better than a guess. That is the work, and it never stops. Connecting over MCP to a layer that already does all of it means your assistant gets current, structured, tier-0 data on day one, and stays current without you touching a pipeline.

You keep your assistant, you keep your workflow, and you add a single connection. That is the practical shape of agentic regulatory intelligence.

The takeaway

Training data alone cannot be trusted on regulation. RAG can, if you are willing to build and run the data layer yourself. MCP lets you connect to one that is already built and maintained, which for live regulatory data is almost always the better trade. The model stays the same. What changes is the quality and freshness of what it can reach.