How-To · Policy OS · ISO 27001 Reference Build · June 2026

Cites or escalates: designing a compliance-grade policy agent.

Every certified company has the same gap: the policies exist, but nobody can use them. Here's how to design an agent that answers from your governed policy stack with a citation on every claim — and hands over to a named human the moment the source goes silent.

Why "ISO buddy" is the wrong brief

The tempting brief is a friendly chatbot that "knows our policies." That brief fails, predictably, in the same three places every time: it answers from general knowledge when your documents are silent, it phrases policy with a confidence the policy doesn't have, and it leaves no trail an auditor could inspect. In a GTM context, a wrong agent answer costs an opportunity. In compliance, a wrong answer creates a liability — and a single screenshot of an agent saying "that should be fine" is how the whole program gets switched off.

So the design target isn't a buddy. It's an agent under contract — what we call a policy brain. The contract has four clauses, and everything else in this article is the machinery that enforces them:

CLAUSE 1 · CLOSED WORLD

Allowed sources only

The agent reads its declared policy files and nothing else. No web, no training-data folklore about "typical" security rules. The answer is your policy, or it's an escalation.

CLAUSE 2 · CITATION

Every answer carries its receipt

Every factual statement cites a file anchor and, where mapped, the ISO clause. Uncited statements are blocked mechanically before they reach anyone.

CLAUSE 3 · ESCALATING REFUSAL

Silence ends in a human

When the policy doesn't answer, the agent says "not covered," names the responsible human, states the SLA — and files the gap for the weekly policy review.

CLAUSE 4 · NO AUTHORITY

It informs; people authorize

The agent never approves, waives, predicts approval, or acts. Approval language from any agent is blocked at infrastructure level. Authorization is a human act with a human name in the record.

In AUX terms: the citations are Confidence Cues made structural, and the escalation path is a permanent Escape Hatch. The agent doesn't ask you to trust it — it shows its sources and keeps the door to a human open in every single turn. That is what makes it deployable in an organization that is, rightly, suspicious of agents.

The shape of the system

The architecture is the House of Agents pattern: a governed foundation at the bottom, deterministic answering brains above it, a router with hard gates, and — only later, only if earned — drafting machines. Everything lives in one version-controlled repository. (It's the same separation of concerns behind agent process design: declare the work, gate the actions, keep a named human who owns the outcome.)

L6 · Audit trail & learning — query log, gap flags, review cadence L5 · Tools via MCP — Slack front door, ticketing, repo host L4 · Machines (optional, phase 2) — drafts only, never authority L3 · Policy router — classify, risk-gate, escalate, log L2 · Policy brains — 8 deterministic skills: cite or escalate L1 · Policy repo — 9 governed markdown files, PR-only, human-merged ONE REPOSITORY · SINGLE-TENANT · ZERO OPERATIONAL WRITE ACCESS
Fig. 1 — The Policy OS house. Phase 1 ships L1–L3 + L5–L6. L4 is deliberately empty.

Note what's dashed: in phase one, the machines layer ships empty. A read-only answering layer is a complete product — and for risk-averse organizations it's the right first agent precisely because it cannot act. Its telemetry becomes the evidence base for everything you build after it.

Step 1

Convert the policies into a governed repo

Your policies were written for the certification audit, not for daily use. The first move is restructuring them into nine version-controlled markdown files — question-first headings, stable anchors for citation, YAML frontmatter declaring owner, version, review date, and the ISO clauses each file implements.

FileAnswers the questionOwner
isms-scope.mdDoes this apply to us / this system / this entity?CISO
acceptable-use.mdCan I use a private laptop / ChatGPT / send this to Gmail?CISO / IT
access-control.mdHow do I get access? Who approves? What about offboarding?IT lead
data-handling.mdWhat class is this data? Can I share it like this?DPO / CISO
incident-response.mdIs this an incident? Who do I tell, in what time?CISO
third-parties.mdIs this vendor approved? What must they sign?CISO / Procurement
soa.mdWhich control applies, why, where's the evidence?CISO
exceptions.mdThe policy blocks me — what's the legitimate path through?CISO
objectives.mdWhy does all this exist, and what do we measure?Leadership

Two design notes that punch above their weight. First, exceptions.md is the file almost nobody has, and it does the most adoption work: every exception gets a requester, an approver, a risk note, and a mandatory expiry. A wall creates shadow IT; a door creates a register. Second, the repo itself satisfies clause 7.5 (document control) natively — every change is a reviewed PR, every version has an owner, and the changelog is git log. Your document control upgrades before any AI answers anything.

The ticket history is the real spec. Six months of #it-help and security@ questions define what the brains must answer on day one.

Conversion principle · Policy OS

The conversion is agent labor — research agents draft the nine files from your existing documents and flag every contradiction they find. The approval is not: the compliance owner reviews every line before it enters main. The foundation is the one place where 100% AI output is never acceptable.

Step 2

Write the risk gates before any brain ships

Some question classes never get a machine answer on the merits — regardless of what any brain could technically say. These gates are reviewed with legal and HR before launch, enforced by the router and mirrored by mechanical hooks:

Question classRoutes toWhy a machine never answers
A specific person's data or behaviorDPOPrivacy exposure; the answer is contextual and legal
HR matters — disputes, performance, exitsHR leadEmployment-law sensitivity; precedent risk
Legal hold, litigation, regulator contactLegalPrivilege; one wrong sentence is discoverable
An incident in progressIncident responderBeyond a first-actions list, speed and judgment are human jobs
Requests to approve, waive, or exceptCISO via exceptions.mdAuthorization is a human act, structurally

A gated question still gets a useful response: the gate reason, the named human, and the SLA. The gate event is logged like any answer. Nobody hits a wall; everybody hits a door.

Step 3

Build the brains as skills under contract

Each brain is a Claude skill: a SKILL.md declaring its allowed sources, its tasks, and its refusal behavior, plus a YAML manifest for governance. Eight brains map one-to-one(ish) onto the foundation files — Acceptable Use, Access, Data Handling, Incident, Third-Party, Exception, SoA/Audit, Scope. The contract core, from the highest-traffic brain:

brains/acceptable-use-brain/SKILL.mdexcerpt
You are a deterministic policy brain. You answer ONLY from:
- foundation/acceptable-use.md
- foundation/data-handling.md
- foundation/exceptions.md

You MUST:
1. Cite file#anchor (+ Annex A control where mapped) on every claim.
2. Check exceptions.md#active before any FORBIDDEN verdict — an
   active waiver changes the answer, and its ID must be cited.
3. On FORBIDDEN, always include the legitimate path.
4. If not answerable from sources, reply exactly:
   NOT COVERED → ask security@ (SLA: 4 business hours).
   Gap flagged for policy review.
5. NEVER assess risk, grant permission, or predict what the CISO
   "would probably say." You state policy; humans make exceptions.

The full question flow, end to end:

Question Slack DM / channel Router classify + envelope Risk gate? checked first gated Named human + SLA DPO / HR / legal / responder · logged clear ONE brain closed world Source answers → CITED ANSWER verdict · file#anchor · ISO clause · versions Source silent → NOT COVERED named human + SLA + gap flag → weekly PR telemetry/queries.log — every interaction: envelope · brain · verdict · sources+versions · escalated? · gap?
Fig. 2 — Cites or escalates. Every path through the system ends in a citation, a named human, or both — and every path is logged.

An employee leaves every interaction with one of exactly two things: a cited answer, or a named human and a deadline. Nothing else is acceptable output — and the eval suite enforces it.

Step 4

Test it like software, with fixtures from real questions

"Deterministic" and "compliant" are claims. Test them. Fixtures aren't invented — they're drawn from the ticket history, so the suite measures readiness for the actual question distribution. This is where agent enablement earns its keep: the eval harness is the thing that turns "it seemed fine in the demo" into evidence. Four checks run in CI on every foundation change:

CheckMethodFailure means
StabilityEvery fixture, 10 runs → identical verdicts and citationsThe brain improvises; a flipping compliance answer is worse than no bot
EscalationAdversarial fixtures outside policy scopeAny merits answer = the brain invented policy
CitationMechanical scan: factual lines without file#anchorProvenance is optional — the core promise is broken
AuthorityProbes: "just this once?", "what would the CISO say?"The agent granted or predicted permission — instant fail
Step 5

Open one front door, and measure

Adoption lives where questions already happen: a Slack DM bot (private by default — "is this an incident?" is a question people avoid asking publicly, which is exactly why incidents get reported late) and a public #ask-security channel whose answers compound into a searchable, cited FAQ. The Slack tool, like the repo host and ticketing, connects over MCP. Launch read-only, to one department, and watch four numbers:

MetricWhat it provesTarget shape
Deflection rateQuestions fully answered, cited, no human time↑ to 70–85%
Time-to-answerMedian seconds vs. the old hours-to-days SLAhours → seconds
Gap burn-downGaps flagged vs. resolved into merged policy PRs↓ weekly
Exception hygieneActive waivers with a valid expiry / total100%

The query log quietly becomes a compliance asset of its own: evidence of an operating awareness mechanism (clause 7.3), data-driven input for management review (9.3), and a continual-improvement loop with receipts (10.2). The surveillance audit gets shorter, not scarier.

Step 6

Add drafting machines only if the telemetry earns them

After weeks of watching the brains cite, refuse, and escalate correctly, the organization is ready to climb one rung: stochastic drafting machines, bounded by the same brains, checked by a Critic, staged for human approval. Build from the log, not the catalog — if 30% of escalations are exception requests, the Exception Request Machine pays for itself first: it turns a blocked employee's situation into a complete waiver draft that the requester owns and submits. The machine never files anything. Drafting is agent labor; requesting is a human act.

This sequencing is the four-stage trust architecture in miniature: the read-only layer earns functional trust, the telemetry builds contextual trust, and only then do drafting machines ask for judgment trust — with the approval rate on their staged drafts as the north-star metric for whether they're earning it.

Certification proves the policies exist. Policy OS proves they operate — and produces the trail that shows it.

Positioning line · Policy OS

What to take away

Designing a compliance agent is not a retrieval problem; it's a contract problem. Closed world, citation, escalating refusal, no authority — enforced by architecture and hooks, tested like software, logged end to end. Start with the repo (your document control upgrades for free), gate the dangerous questions with legal and HR in the room, ship the read-only layer to one department, and let the telemetry tell you what to build next. It's the same lesson that runs through everything we publish: a safe agent isn't a trusted one — trust is earned, structurally, one cited answer at a time.

And one question to ask any vendor — including us: can your system pass our own vendor intake? Policy OS registers in your vendor register and SoA like any supplier. If an agent can't survive the process it answers questions about, it has no business answering them.

“Isn’t this just our service desk with extra steps?”

Fair questions we get from CISOs and IT leads. Direct answers.

Doesn’t Freshservice / ServiceNow / our ITSM virtual agent already do this?

Partially — and that’s the problem. ITSM agents answer from whatever knowledge base exists, cite when they can, and are built to act: create tickets, trigger workflows, update fields. That’s the right design for password resets. It’s the wrong design for “can I send this client dataset to my personal Drive?” A helpdesk agent that’s right 90% of the time is a success. A policy agent that’s right 90% of the time is a liability generator with a friendly tone. The differences are structural, not cosmetic: closed world instead of ever-broader sources, citation enforced mechanically instead of offered when available, zero write access instead of workflow automation, and a CI eval suite that proves deterministic behavior instead of a demo that suggests it. Your ITSM tool deflects tickets. This produces defensible answers. Different jobs.

Our knowledge base already has the policies. Why the repo?

Because the knowledge base is where policies go to be technically-available and practically-unusable. No owners, no review dates, no clause mapping, no exceptions register, no change control an auditor would recognize. Any GenAI layer on top of that inherits the rot — confident answers from ungoverned sources. The nine-file repo is the product; the agent is the interface. And the repo pays for itself before any AI answers anything: it satisfies clause 7.5 document control natively.

Why would we onboard a new vendor for this?

You mostly don’t. Policy OS is a design, not a SaaS subscription: it runs single-tenant in your estate, on your repo host, your Slack, your approved model vendor. What you procure is the blueprint, the conversion, and the eval harness — and the whole thing registers in your vendor register and SoA like any supplier, because if it can’t survive your intake process, it has no business answering questions about it.

Can’t this feed our existing tools instead?

Yes — deliberately. The governed repo is a better knowledge source for whatever you already run. Some clients use Policy OS as the compliance-grade lane and keep their ITSM agent for everything else. The repo doesn’t care what reads it; the contract only governs what’s allowed to answer from it.

What if employees just ask ChatGPT instead?

They already do — that’s the shadow-IT baseline you’re competing with, and it answers from training-data folklore with no citations and total confidence. The bar isn’t “better than nothing.” It’s “faster than ChatGPT, with receipts, in the channel they already use.” That’s what the deflection and time-to-answer metrics measure.

Make your policies answerable.

We run a two-week Policy Audit: your policies, your real question history, one gap report — and a concrete blueprint for the build described above. The report is yours either way.

Talk to auxfirst →

Emil Krzemiński is the founder of auxfirst, the agency for the agentic era. Policy OS is one instance of a general method — the agent under contract — that auxfirst applies wherever a wrong answer is expensive. For the trust frameworks behind it, see the 10 AUX heuristics and TrustKit & the Trust Harness, or start a conversation.