[{"data":1,"prerenderedAt":165},["ShallowReactive",2],{"changelog-2026-07-16-open-signup-pci-vendor-agent":3,"changelog-2026-07-16-open-signup-pci-vendor-agent-surround":154},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":57,"date":58,"description":59,"extension":60,"faq":6,"features":61,"fixes":92,"highlight":110,"image":119,"improvements":121,"meta":148,"navigation":149,"path":150,"seo":151,"stem":152,"__hash__":153},"posts\u002F3.blog\u002F2026-07-16-open-signup-pci-vendor-agent.md","Open Signup, PCI DSS, and Agent-Run Vendor Reviews",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":53},"minimark",[16,28,31,34],[17,18,19,20,27],"p",{},"The waitlist is gone. Anyone can ",[21,22,26],"a",{"href":23,"rel":24},"https:\u002F\u002Fapp.episki.com",[25],"nofollow","sign up"," and start a workspace — no invite, no waiting.",[17,29,30],{},"This release also puts the agent runtime from June to work on the most tedious loop in GRC: vendor reviews. Every workspace gets its own agent email address. Send a questionnaire or evidence request from a vendor's Communications tab, and when the vendor replies, the agent triages the attachment, links it to the vendor with recorded provenance, and threads a conversational response. Accept the evidence and the review cadence advances on its own. CAIQ v4.1 and CCM Lite questionnaires join the catalog, alongside ISO 27001 and pen-test evidence playbooks.",[17,32,33],{},"PCI DSS lands as a first-class framework: full-fidelity ROC and SAQ assessments with an in-app report, a summary matrix, and export. And the dashboard now shows evidence-backed assurance — scores derived from the actual evidence behind each control, with drill-downs and an attention card for what needs action.",[35,36,37,41,44,47,50],"ul",{},[38,39,40],"li",{},"Trust centers serve at your own domain root — trust.acme.com, clean URLs, no redirect — with versioned resources and expiry reminders",[38,42,43],{},"Integrations map evidence to control coverage, with scoping, one-click AWS connect, and per-assertion sync outcomes",[38,45,46],{},"Crosswalk any two frameworks through the SCF hub, with a controlled mapping vocabulary and provenance",[38,48,49],{},"Global command palette, unified activity-and-comments feed, rich-text descriptions, and tabbed list views",[38,51,52],{},"Workspace scoping enforced at the database layer, plus a security and reliability hardening pass from a full codebase review",{"title":54,"searchDepth":55,"depth":55,"links":56},"",2,[],"changelog","2026-07-16","The waitlist is gone — anyone can sign up. Plus full-fidelity PCI DSS ROC & SAQ assessments, an agent that runs the vendor evidence lifecycle over email, trust centers served at your own domain root, and an evidence-backed assurance dashboard.","md",[62,65,68,71,74,77,80,83,86,89],{"label":63,"text":64},"Open Signup","The pre-launch waitlist is gone — create a workspace and start immediately, no invite required.",{"label":66,"text":67},"PCI","Full-fidelity PCI DSS ROC and SAQ assessments with an in-app report, summary matrix, and export.",{"label":69,"text":70},"Third-Party Risk","Agent-driven vendor evidence lifecycle — inbound email triage with provenance, ISO 27001 and pen-test playbooks, vendor owners, a Communications tab, escalation tasks, and review cadences that advance when evidence is accepted.",{"label":72,"text":73},"Trust Center","Custom-domain trust portals now serve at the domain root (trust.acme.com, no redirect), and resources can be versioned in place with expiry reminders sent to admins.",{"label":75,"text":76},"Dashboard","Evidence-backed assurance scoring with drill-downs into the controls behind each number, plus an attention card for what needs action now.",{"label":78,"text":79},"Integrations","Evidence-to-control coverage mapping, integration scoping, one-click AWS connect, and per-assertion outcomes in sync run history.",{"label":81,"text":82},"AI Governance","An AI asset registry with confidence scoring and automated registry upkeep.",{"label":84,"text":85},"Frameworks","Crosswalk derivation through the SCF hub — map controls between any two frameworks with a controlled relationship vocabulary and recorded provenance.",{"label":87,"text":88},"Search","A global command palette to jump anywhere, plus labels with groups across entities.",{"label":90,"text":91},"Billing","Live Stripe entitlements with per-workspace module overrides.",[93,96,99,102,104,107],{"label":94,"text":95},"Security","Current-workspace scoping is now enforced at the database layer, alongside a hardening pass on security, reliability, and performance from a full codebase review.",{"label":97,"text":98},"Sync","The local cache can no longer hang or wedge app boot.",{"label":100,"text":101},"Auth","Invited users are asked for their name during setup, and onboarding flow-order and race issues are resolved.",{"label":78,"text":103},"AWS external ID persistence, principal foreign keys, and sync history display.",{"label":105,"text":106},"Settings","Team roster is scoped to the current workspace, and new avatar uploads show immediately.",{"label":108,"text":109},"Email","Fixed the outer background seam in branded emails and a broken DPA consent link.",{"title":111,"description":112,"icon":113,"items":114},"Vendor reviews that run themselves","Every workspace now has its own agent email address. Send a vendor a questionnaire or evidence request, and when they reply the agent triages the attachment, links it to the vendor with full provenance, threads a conversational response, and advances the review cadence once you accept the evidence. You approve; it does the rest.","i-lucide-mail-check",[115,116,117,118],"Per-workspace agent email for outbound requests and inbound triage","Evidence linked to vendors with recorded provenance","Review cadence advances automatically on accepted evidence","CAIQ v4.1 and CCM Lite questionnaires in the catalog",{"src":120},"\u002Fimages\u002Fchangelog\u002Fopen-signup-pci-vendor-agent.webp",[122,125,128,131,134,137,140,142,145],{"label":123,"text":124},"Assessment","Evidence, tasks, and issues tabs on assessments, agent-authored assessment drafts, and noticeably faster chat.",{"label":126,"text":127},"Workflow","Redesigned approval review, observable plan-step execution, and conversational replies to inbound email.",{"label":129,"text":130},"Activity","Entity activity and comments unified into a single feed.",{"label":132,"text":133},"Editor","Rich-text descriptions across entities, standardized list views, and a streamlined new-framework wizard with a much faster SCF picker.",{"label":135,"text":136},"Navigation","Tabbed list views for assessments, programs, and goals, with list and detail polish throughout.",{"label":138,"text":139},"Automation","Mode badges and an explainer make it legible what runs autonomously versus what waits for approval.",{"label":100,"text":141},"Branded auth emails, and OTP confirmation now requires an explicit click so inbox link-scanners can't consume your sign-in link.",{"label":143,"text":144},"Recipes","Recipe library cleanup — an active tab, view source, and draft\u002Farchived statuses.",{"label":146,"text":147},"Demo","New demo scenarios for AI governance and integration coverage, seeded through the production sync path.",{},true,"\u002Fblog\u002F2026-07-16-open-signup-pci-vendor-agent",{"title":5,"description":59},"3.blog\u002F2026-07-16-open-signup-pci-vendor-agent","WlTl5hKKVO6P1suqbY9LGJyyvYI_UyPawm6ADjViei0",[155,160],{"title":156,"path":157,"stem":158,"description":159,"children":-1},"episki, rebuilt around agents","\u002Fblog\u002F2026-06-09-agent-first-rewrite","3.blog\u002F2026-06-09-agent-first-rewrite","The biggest release in episki's history — a ground-up, agent-first rewrite. Agents plan, execute, and surface work for approval across a unified compliance platform, with new Risk, TPRM, Trust, and AI Governance modules.",{"title":161,"path":162,"stem":163,"description":164,"children":-1},"Agent-first GRC: what changes when AI runs the program","\u002Fblog\u002Fagent-first-grc","3.blog\u002Fagent-first-grc","Most GRC tools added AI as a feature. Agent-first GRC treats agents as the operator — drafting policies, answering questionnaires, and running the program with humans approving the work that matters.",1784234553359]