[{"data":1,"prerenderedAt":147},["ShallowReactive",2],{"changelog-2026-06-09-agent-first-rewrite":3,"changelog-2026-06-09-agent-first-rewrite-surround":136},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":73,"date":74,"description":75,"extension":76,"features":77,"fixes":6,"highlight":100,"image":109,"improvements":111,"meta":130,"navigation":131,"path":132,"seo":133,"stem":134,"__hash__":135},"posts\u002F3.blog\u002F2026-06-09-agent-first-rewrite.md","episki, rebuilt around agents",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":69},"minimark",[16,20,23,42,61],[17,18,19],"p",{},"This is the largest release in episki's history: a ground-up rewrite around a single idea — the platform should run the compliance lifecycle, and humans should gate the decisions that matter.",[17,21,22],{},"Every workflow now runs on an agent runtime. Ask an agent to do something and it proposes a plan, executes it as discrete, observable step-runs, and stops for your approval on anything sensitive. Evidence pulls run as deterministic recipes — plain, inspectable code, not model output — so auditors can read exactly how each artifact was gathered. Bring your own tools over MCP, and set runtime safety floors that the agent cannot exceed.",[17,24,25,26,30,31,30,34,37,38,41],{},"On top of that runtime, the Compliance Platform unifies frameworks, controls, evidence, policies, programs, assessments, and reporting in one workspace — and four modules extend it: ",[27,28,29],"strong",{},"Risk",", ",[27,32,33],{},"Third-Party Risk",[27,35,36],{},"Trust",", and ",[27,39,40],{},"AI Governance",".",[43,44,45,49,52,55,58],"ul",{},[46,47,48],"li",{},"Agents plan, run step-runs, and request approval — with deterministic recipes, MCP support, and safety floors",[46,50,51],{},"SCF framework import, evidence lineage, versioned policies, scopes, obligations, and live auditor-ready reports",[46,53,54],{},"Full risk register with qualitative and quantitative scoring, acceptance decisions, threats, and treatments",[46,56,57],{},"Unlimited-vendor TPRM, a branded Trust Center on your domain, and AI Governance for the AI your org uses",[46,59,60],{},"Native AWS \u002F Google \u002F Microsoft \u002F Jira \u002F Slack integrations, semantic search, a unified inbox, and an immutable audit trail",[17,62,63,64,41],{},"For the thinking behind the rewrite, read ",[65,66,68],"a",{"href":67},"\u002Fblog\u002Fautonomous-grc","Autonomous GRC and the new shape of the compliance program",{"title":70,"searchDepth":71,"depth":71,"links":72},"",2,[],"changelog","2026-06-09","The biggest release in episki's history — a ground-up, agent-first rewrite. Agents plan, execute, and surface work for approval across a unified compliance platform, with new Risk, TPRM, Trust, and AI Governance modules.","md",[78,81,84,87,89,92,94,97],{"label":79,"text":80},"AI Orchestration","Agents draft plans, run them as observable step-runs, and route sensitive actions through human approval — with agent chat, deterministic recipes, MCP servers, and runtime safety floors.",{"label":82,"text":83},"Compliance Platform","One-click SCF framework import, controls, an evidence store with full lineage, rich-text policies with versioning, programs, assessments, scopes, obligations, and testing procedures.",{"label":85,"text":86},"Risk Management","A risk register with qualitative (5×5) and quantitative (PERT\u002FALE) scoring, risk-to-control traceability, time-bound acceptance decisions with expiry, the SCF threat catalog, and treatment planning.",{"label":33,"text":88},"Unlimited vendors with risk profiles, outbound questionnaires (CAIQ, SIG, custom), vendor evidence and reviews, and a subprocessor registry that feeds the Trust Center.",{"label":90,"text":91},"Trust Center","A branded public trust portal on your own domain with questionnaire intake, selective control and framework publishing, and subscribers notified automatically when your posture changes.",{"label":40,"text":93},"An approval queue with routing rules, per-workspace safety floors that constrain agent behavior, and immutable run logs capturing every agent decision.",{"label":95,"text":96},"Integrations","Native connectors for AWS, Google Workspace, Microsoft 365, Jira, and Slack — plus inbound email and full MCP support so agents can use the tools you already run.",{"label":98,"text":99},"Audit trail","An immutable activity log attributing every change to a principal — human or agent — with per-entity history and a decision log auditors can read directly.",{"title":101,"description":102,"icon":103,"items":104},"GRC that runs on agents","Every workflow now runs on an agent runtime — agents draft a plan, execute it as observable step-runs, and pause for human approval on anything sensitive. Evidence pulls run as deterministic recipes (not model output), bring-your-own tools connect over MCP, and runtime safety floors hard-limit what agents can do.","i-lucide-sparkles",[105,106,107,108],"Plans, step-runs, and approvals for every agent action","Deterministic recipes for auditable evidence collection","MCP support for any tool you allowlist","Per-workspace safety floors enforced at the runtime",{"src":110},"\u002Fimages\u002Fchangelog\u002Fagent-first-rewrite.webp",[112,115,118,121,124,127],{"label":113,"text":114},"Foundation","Rebuilt on Supabase with row-level security isolating every workspace's data, and role-based access for admins, editors, viewers, and auditor guests.",{"label":116,"text":117},"Auth & SSO","Passwordless sign-in with SAML SSO and SCIM, plus a split OAuth model — lightweight scopes at login, scoped admin grants only when connecting an integration.",{"label":119,"text":120},"Search","Full-text and semantic (embedding) search across every entity, with an ontology browser to traverse control → framework → assessment → evidence.",{"label":122,"text":123},"Inbox & notifications","A unified inbox for tasks, approvals, evidence requests, and risk alerts, routed to email and Slack with per-channel opt-out.",{"label":125,"text":126},"Reporting","Configurable report templates exported straight from workspace data — auditor-ready, with no copy-paste reconciliation.",{"label":128,"text":129},"Modular billing","The base Compliance Platform plus paid add-on modules (Risk, TPRM, Trust, AI Governance), managed in-app.",{},true,"\u002Fblog\u002F2026-06-09-agent-first-rewrite",{"title":5,"description":75},"3.blog\u002F2026-06-09-agent-first-rewrite","fMV6nQuZLn4tE8JVrEXVPqQvnQNfau1KMhMJo7YgiIA",[137,142],{"title":138,"path":139,"stem":140,"description":141,"children":-1},"When Is It Time for a GRC Tool?","\u002Fblog\u002F2026-06-01-grc-tool","3.blog\u002F2026-06-01-GRC Tool","Spreadsheets can only take your compliance program so far. Here's how to know when manual processes are holding you back — and what to look for when you're ready to make the move.",{"title":143,"path":144,"stem":145,"description":146,"children":-1},"Agent-first GRC: what changes when AI runs the program","\u002Fblog\u002Fagent-first-grc","3.blog\u002Fagent-first-grc","Most GRC tools added AI as a feature. Agent-first GRC treats agents as the operator — drafting policies, answering questionnaires, and running the program with humans approving the work that matters.",1781032774329]