COMPASS: A Framework for Evaluating Organization-Specific Policy Alignment in LLMs
Dasol Choi, DongGeon Lee, Brigitta Jesica Kartono, Helena Berndt, Taeyoun Kwon, Joonwon Jang, Haon Park, Hwanjo Yu, Minsuk Kahng
TL;DR
COMPASS presents a scalable framework for evaluating organization-specific policy alignment in LLMs by automatically generating policy-aligned queries (base and edge) from allowlists and denylists and judging responses with an LLM. Across eight industry domains and 5,920 verified queries, the study reveals a pronounced asymmetry: models consistently comply with allowed content but struggle to refuse denylisted content, especially under adversarial edge cases. Mitigation strategies such as explicit refusal prompts, few-shot demonstrations, and pre-filtering offer conditional improvements, with pre-filtering delivering the strongest yet imperfect gains (significant denylist accuracy but notable over-refusal of allowed queries). The results highlight a fundamental limitation in current LLM policy reasoning for enterprise safety, while also showing that policy alignment can be learned and generalized through targeted fine-tuning, suggesting a path forward for robust organization-specific safety in production systems.
Abstract
As large language models are deployed in high-stakes enterprise applications, from healthcare to finance, ensuring adherence to organization-specific policies has become essential. Yet existing safety evaluations focus exclusively on universal harms. We present COMPASS (Company/Organization Policy Alignment Assessment), the first systematic framework for evaluating whether LLMs comply with organizational allowlist and denylist policies. We apply COMPASS to eight diverse industry scenarios, generating and validating 5,920 queries that test both routine compliance and adversarial robustness through strategically designed edge cases. Evaluating seven state-of-the-art models, we uncover a fundamental asymmetry: models reliably handle legitimate requests (>95% accuracy) but catastrophically fail at enforcing prohibitions, refusing only 13-40% of adversarial denylist violations. These results demonstrate that current LLMs lack the robustness required for policy-critical deployments, establishing COMPASS as an essential evaluation framework for organizational AI safety.
