AI agents · Evidence · ISO 27001

AI agents for ISO 27001, with least privilege and human review.

Agents help keep ISO 27001 alive when they have a clear job: collect proof, classify context and send evidence to a platform that enforces isolation and approval.

01 Search intent

The agent does not need to understand the whole company.

The right architecture is scoped: a project agent sends what it knows about that project; an infrastructure agent sends technical checks; the platform consolidates and requires approval for critical decisions.

  • Dedicated credential per agent, without global admin access.
  • Organization resolved server-side, not trusted from agent text.
  • Evidence linked to reviewable controls and events.
  • Prompt injection treated as operational risk, not a UX detail.

02 What we deliver

Technical collection

Versions, headers, dependencies, logs and configurations become evidence when collected with date, origin and clear scope.

Assisted triage

AI suggests links to controls, risks and treatments. The auditor or owner approves what enters the ISMS.

Continuous operation

Certification stops depending on evidence sprints. Each run feeds a timeline of evidence and pending work.

03 Workflow

From intent to evidence.

  1. 01

    Define agent roles

    Separate agents by context: npm project, infrastructure, email, runtime, asset catalog or security monitoring.

  2. 02

    Issue limited credentials

    Each agent has its own token and write permission only for the corresponding organization.

  3. 03

    Send structured evidence

    The platform receives event, risk or evidence with origin, date, summary and suggested control.

  4. 04

    Approve and export

    Owners review, approve and export evidence, risks and SoA when the audit asks.

04 Practical proof

The first public skill solves a concrete control.

Exponencial started with A.8.8 because technical vulnerabilities are recurring, verifiable and easy to demonstrate in a real repository.

  • The skill runs inside the client's project.
  • The credential is not super-admin.
  • The panel shows what was opened, closed and evidenced.

05 FAQ

Direct answers before the conversation.

Can I use it with Claude Code, Cursor or CI?

Yes. The skill is a Node script and can also be installed as an agent skill. The channel matters less than scope and audit trail.

Do AI agents increase security risk?

They can if they have excessive privilege. Exponencial's design uses least privilege, token-resolved organization and human review.

Does this replace traditional GRC?

Not necessarily. It creates an operational layer for technical evidence and risk. It can coexist with existing GRC or operate as Exponencial's compliance platform.