18. Jul 2025
Greater security, less effort: the compliance agent for IT

Clearly structured compliance processes enable IT teams to quickly deploy new services and reliably meet regulatory requirements. In their day-to-day work, they encounter numerous standards, guidelines, and technical specifications that must remain consistent at all times.
Even small changes to a specification or law can have a major impact – often resulting in gaps that are difficult to identify. These checks are repetitive and undemanding, as they follow fixed patterns and rules. This is exactly where my current favorite AI agent comes into play: The compliance agent takes on these tasks, checks compliance with all specifications, and thus reliably ensures security and transparency.
The compliance dilemma
Anyone who has ever dealt with topics such as ISO 27001, the Digital Operational Resilience Act (DORA), catalogs of measures, or the basic protection measures of the Federal Office for Information Security (BSI) is familiar with the problem: compliance is multi-layered. And I mean really multi-layered.
It often starts innocently enough with a standard document. This is followed by implementation instructions, internal interpretations, concepts, implementations – and the end result is a productive server that hopefully correctly reflects all these requirements.
A typical process looks like this:
- The standard says: Protect your network communication with encryption.
- An in-depth document specifies: This is how you handle TLS certificates.
- There are also other specific standards and laws such as DORA, TISAX, NIS2, or CRA that may impose additional requirements.
- The company's own policy may narrow this further: We now prefer only encryption methods that do not rely on integer factorization.
- An internal technical concept describes: This is how we implement this in AWS.
- Terraform code configures: This is our infrastructure.
- The load balancer is running: Certificates have been rolled out – hopefully correctly.
The challenge here is: How do you keep everything consistent? How do you recognize when a policy has been adjusted but the concept or implementation has not been updated? The compliance agent helps.
The compliance agent – a look inside
My compliance agent connects information from various sources: It reads standards, processes internal guidelines, and compares them with the current cloud configurations. For example, it recognizes when a guideline requires a specific encryption method and checks whether the configuration already implements this. Using a Python script, it monitors the production environment and reports deviations.
Why I like this agent:
- The compliance agent does not merely assist; it also understands the cross-references between the various, sometimes hierarchical requirements.
- It helps me master one of the biggest challenges in IT: making the path from requirement to implementation traceable, consistent, and verifiable.
An AI agent significantly reduces the effort required for compliance documentation and audits – and increases security.
An example of the use of the compliance agent
In AWS (Amazon Web Services), load balancers can be rolled out with profiles that specify which protocols (e.g., TLS) are offered with which cryptographic methods. The task usually consists of selecting a suitable profile in accordance with the applicable guidelines and standards. It is not possible to simply select the strictest profile, as a compromise between compatibility and security often has to be found.
In the case of the compliance agent, the recommendations of the BSI (BSI TR-02102-2) are evaluated first, then compared with the Accso guidelines, and a suitable profile is selected based on the AWS documentation.
In a further step, code is generated to check the selected profile in the production environments in accordance with this recommendation.
At the end, I can then ask the agent: Are the load balancer settings for TLS in our production environment compliant with Accso and the BSI specifications?
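The audit script that the post describes generating in this step is not shown. The following is an added example, not the agent's output or Accso's code, of what such a check looks like: it walks load balancer listeners in the shape returned by the AWS `elbv2` `describe_listeners` API and reports any listener that is unencrypted or uses a TLS security policy outside an allowlist. The allowlist (two real AWS policy names offering only TLS 1.2 and 1.3) stands in for whatever profile the BSI and Accso evaluation actually selected, and the listener records are constructed sample data; both are assumptions, not values from the post. An HTTP listener whose only default action redirects to HTTPS is treated as acceptable, since that is the usual pattern and flagging it would produce noise.

```python
"""Added example (not Accso's agent code): audit AWS load balancer listeners
against an allowlisted set of TLS security policies.

Assumptions: ALLOWED_SSL_POLICIES is a stand-in for the profile chosen from
BSI TR-02102-2 and the company guideline; SAMPLE_LISTENERS is constructed in
the shape of elbv2.describe_listeners()["Listeners"]. fetch_listeners() is an
optional live path and needs boto3 plus AWS credentials.
"""
from dataclasses import dataclass

# Assumed allowlist: AWS predefined policies that offer only TLS 1.2 and 1.3.
ALLOWED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
}
# Listener protocols that carry traffic in clear text.
UNENCRYPTED_PROTOCOLS = {"HTTP", "TCP", "UDP"}


@dataclass
class Finding:
    listener_arn: str
    port: int
    reason: str


def redirects_to_https(listener):
    """True if every default action is a redirect to HTTPS (no clear-text forwarding)."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )


def evaluate_listeners(listeners, allowed=ALLOWED_SSL_POLICIES):
    """Return a list of Findings; an empty list means every listener is compliant."""
    findings = []
    for lst in listeners:
        arn, proto, port = lst["ListenerArn"], lst["Protocol"], lst["Port"]
        if proto in UNENCRYPTED_PROTOCOLS:
            if not redirects_to_https(lst):
                findings.append(Finding(arn, port, f"unencrypted {proto} listener"))
            continue
        policy = lst.get("SslPolicy")
        if policy is None:
            findings.append(Finding(arn, port, "TLS listener has no SslPolicy"))
        elif policy not in allowed:
            findings.append(Finding(arn, port, f"SslPolicy {policy} not allowlisted"))
    return findings


def fetch_listeners(region):
    """Optional live path: collect all listeners in a region via boto3."""
    import boto3  # imported lazily so the offline check needs no AWS SDK
    client = boto3.client("elbv2", region_name=region)
    listeners = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            for lpage in client.get_paginator("describe_listeners").paginate(
                LoadBalancerArn=lb["LoadBalancerArn"]
            ):
                listeners.extend(lpage["Listeners"])
    return listeners


# Constructed sample data; ARNs are placeholders, not real resources.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-central-1:111111111111:listener/app/web/abc/1",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-central-1:111111111111:listener/app/web/abc/2",
     "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-central-1:111111111111:listener/app/legacy/def/1",
     "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-central-1:111111111111:listener/app/legacy/def/2",
     "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward"}]},
]


def format_report(findings):
    """Human-readable summary for the agent's answer or an audit log."""
    if not findings:
        return "COMPLIANT: all listeners use an allowlisted TLS policy"
    lines = [f"NON-COMPLIANT: {len(findings)} finding(s)"]
    lines += [f"  port {f.port}: {f.reason} ({f.listener_arn})" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate_listeners(SAMPLE_LISTENERS)))
```

Running the script against the constructed data reports two findings: the legacy HTTPS listener on port 8443 with the older `ELBSecurityPolicy-2016-08` policy, and the clear-text HTTP listener on port 8080 that forwards rather than redirects. Swapping `SAMPLE_LISTENERS` for `fetch_listeners("eu-central-1")` turns it into the production check the post describes, and the allowlist is the single place to update when the guideline or the BSI recommendation changes.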
For the nerds among us
We use Langdock internally as one of our AI platforms. This tool allows you to create assistants that can evaluate a knowledge base according to the RAG pattern using documents. These assistants are comparable to CustomGPTs, as known from ChatGPT. Several subject matter experts are now stored as assistants for the compliance agent: the BSI assistant, the ISO 27001 assistant, and others. The assistants are queried via API for their recommendations and compare the requirements with an assistant for the Accso guidelines. Other assistants provide support in configuring the systems we use, for example with AWS system documentation. Once you have received a recommendation for technical implementation, you can generate the code for audit scripts. Alternatively, you could set up an MCP server with access to the AWS infrastructure and integrate it – there are plenty of ideas.
AI-native compliance: The next level
With agents like these, compliance becomes an integral part of IT, for example when you build infrastructure code with the help of the compliance agent. Routine checks, documentation requirements, and updates can also run largely automatically in the background.
My conclusion on the compliance agent
The compliance agent now enables me to regularly update standards and further develop our guidelines and technical concepts. The automation of compliance checks creates transparency, reduces workload, and allows us to focus clearly on the further development of the IT landscape.
How do you automate compliance tasks? Who else regularly struggles with compliance cascades? Do you already use automation or even AI to make this easier?
I look forward to the exchange – and to more agents that help us crack the really tough nuts.
Shape your future with Accso AI-Native: For us, this means integrating artificial intelligence into every aspect of the software lifecycle. From initial conception to continuous optimization, we combine state-of-the-art AI technologies with decades of development expertise to help you achieve your business goals faster, more efficiently, and more sustainably. With an experienced team of AI specialists and software architects, we develop customized solutions that are perfectly tailored to your business requirements.
Learn more about AI-Native at Accso or contact us directly.