Cites or escalates: designing a compliance-grade policy agent.
Every certified company has the same gap: the policies exist, but nobody can use them. Here's how to design an agent that answers from your governed policy stack with a citation on every claim — and hands over to a named human the moment the source goes silent.
Why "ISO buddy" is the wrong brief
The tempting brief is a friendly chatbot that "knows our policies." That brief fails, predictably, in the same three places every time: it answers from general knowledge when your documents are silent, it phrases policy with a confidence the policy doesn't have, and it leaves no trail an auditor could inspect. In a GTM context, a wrong agent answer costs an opportunity. In compliance, a wrong answer creates a liability — and a single screenshot of an agent saying "that should be fine" is how the whole program gets switched off.
So the design target isn't a buddy. It's an agent under contract — what we call a policy brain. The contract has four clauses, and everything else in this article is the machinery that enforces them:
Allowed sources only
The agent reads its declared policy files and nothing else. No web, no training-data folklore about "typical" security rules. The answer is your policy, or it's an escalation.
Every answer carries its receipt
Every factual statement cites a file anchor and, where mapped, the ISO clause. Uncited statements are blocked mechanically before they reach anyone.
Silence ends in a human
When the policy doesn't answer, the agent says "not covered," names the responsible human, states the SLA — and files the gap for the weekly policy review.
It informs; people authorize
The agent never approves, waives, predicts approval, or acts. Approval language from any agent is blocked at infrastructure level. Authorization is a human act with a human name in the record.
In AUX terms: the citations are Confidence Cues made structural, and the escalation path is a permanent Escape Hatch. The agent doesn't ask you to trust it — it shows its sources and keeps the door to a human open in every single turn. That is what makes it deployable in an organization that is, rightly, suspicious of agents.
The shape of the system
The architecture is the House of Agents pattern: a governed foundation at the bottom, deterministic answering brains above it, a router with hard gates, and — only later, only if earned — drafting machines. Everything lives in one version-controlled repository. (It's the same separation of concerns behind agent process design: declare the work, gate the actions, keep a named human who owns the outcome.)
Note what's dashed: in phase one, the machines layer ships empty. A read-only answering layer is a complete product — and for risk-averse organizations it's the right first agent precisely because it cannot act. Its telemetry becomes the evidence base for everything you build after it.
Step 1Convert the policies into a governed repo
Your policies were written for the certification audit, not for daily use. The first move is restructuring them into nine version-controlled markdown files — question-first headings, stable anchors for citation, YAML frontmatter declaring owner, version, review date, and the ISO clauses each file implements.
| File | Answers the question | Owner |
|---|---|---|
| isms-scope.md | Does this apply to us / this system / this entity? | CISO |
| acceptable-use.md | Can I use a private laptop / ChatGPT / send this to Gmail? | CISO / IT |
| access-control.md | How do I get access? Who approves? What about offboarding? | IT lead |
| data-handling.md | What class is this data? Can I share it like this? | DPO / CISO |
| incident-response.md | Is this an incident? Who do I tell, in what time? | CISO |
| third-parties.md | Is this vendor approved? What must they sign? | CISO / Procurement |
| soa.md | Which control applies, why, where's the evidence? | CISO |
| exceptions.md | The policy blocks me — what's the legitimate path through? | CISO |
| objectives.md | Why does all this exist, and what do we measure? | Leadership |
Two design notes that punch above their weight. First, exceptions.md is the file almost nobody has, and it does the most adoption work: every exception gets a requester, an approver, a risk note, and a mandatory expiry. A wall creates shadow IT; a door creates a register. Second, the repo itself satisfies clause 7.5 (document control) natively — every change is a reviewed PR, every version has an owner, and the changelog is git log. Your document control upgrades before any AI answers anything.
The ticket history is the real spec. Six months of #it-help and security@ questions define what the brains must answer on day one.
The conversion is agent labor — research agents draft the nine files from your existing documents and flag every contradiction they find. The approval is not: the compliance owner reviews every line before it enters main. The foundation is the one place where 100% AI output is never acceptable.
Step 2Write the risk gates before any brain ships
Some question classes never get a machine answer on the merits — regardless of what any brain could technically say. These gates are reviewed with legal and HR before launch, enforced by the router and mirrored by mechanical hooks:
| Question class | Routes to | Why a machine never answers |
|---|---|---|
| A specific person's data or behavior | DPO | Privacy exposure; the answer is contextual and legal |
| HR matters — disputes, performance, exits | HR lead | Employment-law sensitivity; precedent risk |
| Legal hold, litigation, regulator contact | Legal | Privilege; one wrong sentence is discoverable |
| An incident in progress | Incident responder | Beyond a first-actions list, speed and judgment are human jobs |
| Requests to approve, waive, or except | CISO via exceptions.md | Authorization is a human act, structurally |
A gated question still gets a useful response: the gate reason, the named human, and the SLA. The gate event is logged like any answer. Nobody hits a wall; everybody hits a door.
Step 3Build the brains as skills under contract
Each brain is a Claude skill: a SKILL.md declaring its allowed sources, its tasks, and its refusal behavior, plus a YAML manifest for governance. Eight brains map one-to-one(ish) onto the foundation files — Acceptable Use, Access, Data Handling, Incident, Third-Party, Exception, SoA/Audit, Scope. The contract core, from the highest-traffic brain:
You are a deterministic policy brain. You answer ONLY from: - foundation/acceptable-use.md - foundation/data-handling.md - foundation/exceptions.md You MUST: 1. Cite file#anchor (+ Annex A control where mapped) on every claim. 2. Check exceptions.md#active before any FORBIDDEN verdict — an active waiver changes the answer, and its ID must be cited. 3. On FORBIDDEN, always include the legitimate path. 4. If not answerable from sources, reply exactly: NOT COVERED → ask security@ (SLA: 4 business hours). Gap flagged for policy review. 5. NEVER assess risk, grant permission, or predict what the CISO "would probably say." You state policy; humans make exceptions.
The full question flow, end to end:
An employee leaves every interaction with one of exactly two things: a cited answer, or a named human and a deadline. Nothing else is acceptable output — and the eval suite enforces it.
Step 4Test it like software, with fixtures from real questions
"Deterministic" and "compliant" are claims. Test them. Fixtures aren't invented — they're drawn from the ticket history, so the suite measures readiness for the actual question distribution. This is where agent enablement earns its keep: the eval harness is the thing that turns "it seemed fine in the demo" into evidence. Four checks run in CI on every foundation change:
| Check | Method | Failure means |
|---|---|---|
| Stability | Every fixture, 10 runs → identical verdicts and citations | The brain improvises; a flipping compliance answer is worse than no bot |
| Escalation | Adversarial fixtures outside policy scope | Any merits answer = the brain invented policy |
| Citation | Mechanical scan: factual lines without file#anchor | Provenance is optional — the core promise is broken |
| Authority | Probes: "just this once?", "what would the CISO say?" | The agent granted or predicted permission — instant fail |
Open one front door, and measure
Adoption lives where questions already happen: a Slack DM bot (private by default — "is this an incident?" is a question people avoid asking publicly, which is exactly why incidents get reported late) and a public #ask-security channel whose answers compound into a searchable, cited FAQ. The Slack tool, like the repo host and ticketing, connects over MCP. Launch read-only, to one department, and watch four numbers:
| Metric | What it proves | Target shape |
|---|---|---|
| Deflection rate | Questions fully answered, cited, no human time | ↑ to 70–85% |
| Time-to-answer | Median seconds vs. the old hours-to-days SLA | hours → seconds |
| Gap burn-down | Gaps flagged vs. resolved into merged policy PRs | ↓ weekly |
| Exception hygiene | Active waivers with a valid expiry / total | 100% |
The query log quietly becomes a compliance asset of its own: evidence of an operating awareness mechanism (clause 7.3), data-driven input for management review (9.3), and a continual-improvement loop with receipts (10.2). The surveillance audit gets shorter, not scarier.
Step 6Add drafting machines only if the telemetry earns them
After weeks of watching the brains cite, refuse, and escalate correctly, the organization is ready to climb one rung: stochastic drafting machines, bounded by the same brains, checked by a Critic, staged for human approval. Build from the log, not the catalog — if 30% of escalations are exception requests, the Exception Request Machine pays for itself first: it turns a blocked employee's situation into a complete waiver draft that the requester owns and submits. The machine never files anything. Drafting is agent labor; requesting is a human act.
This sequencing is the four-stage trust architecture in miniature: the read-only layer earns functional trust, the telemetry builds contextual trust, and only then do drafting machines ask for judgment trust — with the approval rate on their staged drafts as the north-star metric for whether they're earning it.
Certification proves the policies exist. Policy OS proves they operate — and produces the trail that shows it.
What to take away
Designing a compliance agent is not a retrieval problem; it's a contract problem. Closed world, citation, escalating refusal, no authority — enforced by architecture and hooks, tested like software, logged end to end. Start with the repo (your document control upgrades for free), gate the dangerous questions with legal and HR in the room, ship the read-only layer to one department, and let the telemetry tell you what to build next. It's the same lesson that runs through everything we publish: a safe agent isn't a trusted one — trust is earned, structurally, one cited answer at a time.
And one question to ask any vendor — including us: can your system pass our own vendor intake? Policy OS registers in your vendor register and SoA like any supplier. If an agent can't survive the process it answers questions about, it has no business answering them.
“Isn’t this just our service desk with extra steps?”
Fair questions we get from CISOs and IT leads. Direct answers.
Doesn’t Freshservice / ServiceNow / our ITSM virtual agent already do this?
Partially — and that’s the problem. ITSM agents answer from whatever knowledge base exists, cite when they can, and are built to act: create tickets, trigger workflows, update fields. That’s the right design for password resets. It’s the wrong design for “can I send this client dataset to my personal Drive?” A helpdesk agent that’s right 90% of the time is a success. A policy agent that’s right 90% of the time is a liability generator with a friendly tone. The differences are structural, not cosmetic: closed world instead of ever-broader sources, citation enforced mechanically instead of offered when available, zero write access instead of workflow automation, and a CI eval suite that proves deterministic behavior instead of a demo that suggests it. Your ITSM tool deflects tickets. This produces defensible answers. Different jobs.
Our knowledge base already has the policies. Why the repo?
Because the knowledge base is where policies go to be technically-available and practically-unusable. No owners, no review dates, no clause mapping, no exceptions register, no change control an auditor would recognize. Any GenAI layer on top of that inherits the rot — confident answers from ungoverned sources. The nine-file repo is the product; the agent is the interface. And the repo pays for itself before any AI answers anything: it satisfies clause 7.5 document control natively.
Why would we onboard a new vendor for this?
You mostly don’t. Policy OS is a design, not a SaaS subscription: it runs single-tenant in your estate, on your repo host, your Slack, your approved model vendor. What you procure is the blueprint, the conversion, and the eval harness — and the whole thing registers in your vendor register and SoA like any supplier, because if it can’t survive your intake process, it has no business answering questions about it.
Can’t this feed our existing tools instead?
Yes — deliberately. The governed repo is a better knowledge source for whatever you already run. Some clients use Policy OS as the compliance-grade lane and keep their ITSM agent for everything else. The repo doesn’t care what reads it; the contract only governs what’s allowed to answer from it.
What if employees just ask ChatGPT instead?
They already do — that’s the shadow-IT baseline you’re competing with, and it answers from training-data folklore with no citations and total confidence. The bar isn’t “better than nothing.” It’s “faster than ChatGPT, with receipts, in the channel they already use.” That’s what the deflection and time-to-answer metrics measure.
Make your policies answerable.
We run a two-week Policy Audit: your policies, your real question history, one gap report — and a concrete blueprint for the build described above. The report is yours either way.
Talk to auxfirst →