AI Orchestration

GRC that runs on agents, not on you

Vanta and Drata automate evidence collection. episki automates the whole program — agents draft policies, answer questionnaires, manage vendors, and keep your trust center current, with humans approving the work that matters.
Start free trialBook a demo
Watch an agent work
GRC that
pulls evidence
app.episki.com
Evidence run · CC6.1 · 2026-05-23
AWS · IAM policies
142 artifacts
Okta · MFA enrollment
87 artifacts
GitHub · branch protection
36 artifacts
GCP · encryption at rest
24 artifacts
Evidence freshness: 100% · Next sweep in 4h
Anatomy

How an episki agent does work

Agents don't ship work directly. They propose plans, run discrete steps, and surface approvals — every action observable and reversible.
Step 1
Request

You ask the agent to do something — in chat, in a workflow trigger, or via webhook.

Step 2
Plan

The agent proposes a plan: a sequence of step-runs with the tools and data it will use.

Step 3
Step-runs

Each step is a discrete, observable unit of work. Logged, replayable, debuggable.

Step 4
Tools + MCP

Steps call native integrations or your MCP servers. Allowlisted per workspace.

Step 5
Approvals

Sensitive actions wait on human approval. Routed by policy, captured in audit log.

Step 6
Safety floors

Hard limits the agent cannot exceed at the runtime level — not the prompt level.

Recipes

Evidence pulls are deterministic, not AI-generated

The hardest objection to AI in compliance: 'I can't audit a model's output.' We agree. So evidence pulls don't run on AI.
Step 1
AI writes the recipe

A human asks for evidence (e.g., "MFA enforcement across all admin accounts"). The agent inspects your environment, drafts a deterministic recipe, and proposes it for approval.

Step 2
Recipe runs deterministically

Once approved, the recipe is plain, inspectable code. It runs on a schedule. No model in the loop. Same input → same output. Auditors can read the recipe and the run history end-to-end.

Step 3
AI jumps in to fix breakage

When an upstream API changes or a recipe fails, an agent investigates, proposes a fix, and waits for human approval. Operations don't drift — and you have a paper trail.

Why this matters: compliance evidence has to be reliable and auditable. An LLM is neither — same prompt, different outputs, no guarantees. By using AI to author recipes and not to execute them, episki gets the speed of AI authoring with the reliability of deterministic code. Your auditor reviews recipes, not model outputs.
Skills catalog

Agents with skills, not generic chatbots

Each skill is a tuned, tested unit of work — wired to your frameworks, evidence, and integrations.
Draft policy
Author or revise policies aligned to your frameworks and existing library.
Answer questionnaire
Draft answers to security questionnaires using your evidence store.
Map controls
Crosswalk controls across frameworks; surface unmapped or duplicate controls.
Collect evidence
Author deterministic recipes that pull evidence on a schedule — agents fix recipes when they break.
Review vendor
Read incoming SOC 2 reports and CAIQ responses; score posture against your bar.
Assess risk
Draft risk descriptions, score consistently, propose treatments and acceptance language.
MCP support

Bring your own tools via Model Context Protocol

MCP is the open standard for letting AI safely use external tools. episki agents can call any MCP server you allowlist — your internal docs, your ticketing system, your bespoke compliance tooling.
Any tool
If it speaks MCP, episki agents can use it.
Allowlisted
Per workspace, per agent, per skill. Governed by AI Governance.
Logged
Every tool call captured for audit and incident review.
Safety floors & approvals

Hard limits the agent cannot exceed

Safety happens at the runtime, not the prompt. Floors and approvals are configured at the workspace level — agents inherit them.
  • Allowlist exactly which MCP servers each agent can call
  • Block destructive actions at the runtime, not the prompt
  • Route every external-facing action through human approval
  • Log every prompt, every tool call, every output — searchable + exportable
  • Set workspace-wide ceilings on what data agents can leave the workspace with
  • Pause agents instantly from a single workspace switch
Plans & step-runs

Every agent action is auditable

Step-runs are the unit of agent work. They're persisted, replayable, and visible in the audit log. If a step fails or surfaces something surprising, you can rerun it — or roll it back.
plan #4f2a · vendor.renewal_review · approved by sarah@
step-run 1 · fetch CAIQ response from Northwind (MCP: northwind-tprm)
step-run 2 · diff against previous response · 3 control answers regressed
step-run 3 · open risk register entry · tier: critical (data processor)
step-run 4 · request approval from CISO before notifying Northwind

Token economics

Agent work uses tokens from your workspace's shared pool. The Compliance Platform includes 2M tokens/month; each module adds 1M. Year 1 gets a 5× onboarding boost.
See token details

More on AI in GRC

GRC engineering: treating compliance as software

The compliance team used to live in spreadsheets. GRC engineering treats programs like software — APIs, deterministic recipes, version-controlled policies, agent-authored automation, and audit trails as a side effect.

Autonomous GRC and the new shape of the compliance program

Autonomous GRC isn't AI doing your job. It's a program structure where the platform operates the lifecycle and humans gate the decisions. Here's what that means in practice — and what it doesn't.

Agent-first GRC: what changes when AI runs the program

Most GRC tools added AI as a feature. Agent-first GRC treats agents as the operator — drafting policies, answering questionnaires, and running the program with humans approving the work that matters.

AI Governance and Compliance: What Every SaaS Company Needs to Know

A practical guide to AI governance for SaaS companies – covering regulatory requirements, model documentation...

GRC that runs itself

Start a free trial and let an agent draft your first policy in under five minutes.
Start free trialBook a demo