Skip to content
GRC ToolingField guide

Not a Point Solution, Not General AI: Where Compass Fits

Point solutions collect evidence but rarely produce output. General AI lacks workspace awareness. Compass fills the gap: grounded, cited, human-approved.

TT
Truvara Team
July 11, 2026
7 min read

If you evaluate tools for trust work today, you are choosing between two kinds of software. One collects evidence; the other talks fast. Neither was built for what trust work actually requires.

What Point Solutions Do Well — And Miss

Point solutions — cloud GRC platforms, compliance automation tools, vendor risk dashboards — have a genuine strength. They connect to your infrastructure (AWS, Azure, GCP, your log stream) and check whether controls are in place. If you need to know whether encryption-at-rest is enabled across thirty services, a point solution tells you within the hour.

That capability serves the check phase of the operating loop well.

What these tools rarely do is produce the output that trust work ultimately demands. An audit memo gets written outside the tool. A security questionnaire answer gets drafted in a document editor, not inside the compliance dashboard. A risk-treatment recommendation for leadership turns into a slide deck — separate from the risk register that feeds it.

Evidence collection is strong. The output that actually matters during an audit, a board update, or a customer review is someone else's problem.

What General AI Does Well — And Miss

General AI chatbots (ChatGPT, Claude, Gemini) solve the output problem differently. Ask about SOC 2 control requirements or GDPR data-processing obligations and you get a coherent, well-structured answer in seconds. No setup, no connectors, no learning curve.

For trust work, fluency is not the scarce resource. Accuracy and provenance are.

A general chatbot does not know your workspace. It has not read your policies, evidence files, risk register, or framework-in-use. Every conversation starts in isolation. And when it does not have the answer — when a control ID does not match your actual environment or a regulatory clause has been updated — it does not tell you. It invents.

This is not a failure of the technology. General chatbots are optimised for plausible conversation, not for defensible trust work. The risk is structural: a confident wrong answer that lands in an audit memo or a customer questionnaire is more dangerous than an honest gap, because it looks correct and stops the search.

The Overlap: Grounded · Cited · Human-Approved

Neither category provides a workspace that produces verified output. That opens a gap that purpose-built tooling can fill.

Compliance Point SolutionsGeneral AICompass
Evidence collectionStrongNo workspaceWorks with your own workspace
Produces the output (policies, answers, packets)RarelyFluent but genericCore — cited output
Knows your workspacePartiallyNoYes — reads your files
Admits when it is guessingn/aNoYes — marks "Not Provided"
Review and approval gateOutside the toolNoneBuilt in (pending changes)
Data locationCloud / SaaSVendor cloudLocal, BYOK

The overlap — the capability both categories leave unfilled — is three qualities together:

Grounded. Every answer connects to a source in your own workspace — a policy file, an evidence document, a control definition. The output is drawn from what you already keep, not from general knowledge.

Cited. Every claim carries a reference. Document ID, evidence ID, control number — the trail is visible to the reviewer and traceable when an auditor asks where it came from.

Human-approved. Nothing becomes official without someone deciding it should. The agent proposes; a human reviews and accepts or rejects. The tool does not silently turn a proposal into truth.

A Buyer's Checklist for Trust-Work Tooling

When evaluating any tool for trust work — whether it calls itself GRC, AI-powered compliance, or something else — ask these questions:

  • Does it work with my data? Can it read your policies, evidence, risk register, and past frameworks, or does it start from scratch every time?
  • Does it cite its sources? Or does it produce claims with no visible provenance?
  • Can it say "I do not know"? When there is no source for an answer, does it mark the gap or fabricate a plausible-looking response?
  • Is there a human step? Can output become official only after review and approval, or does the tool act autonomously?
  • Where does my data live? On your machine or in a vendor's cloud?

These questions separate a trust-work tool from a chatbot with a compliance prompt or a point solution with an AI add-on.

FAQ

Why not just use a GRC platform that has added AI features?

Many GRC platforms have added AI copilots or summary features. The difference is structural: these AI layers sit on top of a SaaS data model where your evidence already lives on the vendor's infrastructure. They also typically lack grounding in your specific files — the AI reads the platform's schema, not your attachments, policies, and notes. The workspace and the AI remain in separate domains.

Is general AI ever useful for compliance work?

Yes — for first drafts, exploration, and understanding a framework's requirements. A general chatbot can explain what SOC 2 CC6 covers or summarise GDPR Article 30. The risk is treating the output as reviewed work. If the answer goes into a customer-facing questionnaire or an audit submission, it needs to cite your specific evidence, not general knowledge. That requires access to your workspace.

Does "Not Provided" help in a real audit?

An auditor cares about the chain from claim to source. A visible "Not Provided" label tells the reviewer that the gap was recognised and surfaced rather than hidden. An auditor who sees a gap you have acknowledged and addressed is better off than one who discovers an invented answer. Every major audit framework — SOC 2, ISO 27001, PCI DSS — requires evidence; none requires that the evidence be generated by a tool that never misses.

How do I evaluate whether a tool is "grounded" or just marketing?

Practical test: ask the tool to produce an answer about a control in your environment using a document you provide. If the tool cannot point to the line, paragraph, or clause in your document that supports the answer, it is not grounded — it is generating output from training data and calling it evidence.

Which teams benefit most from purpose-built trust-work tooling?

Teams running multiple frameworks simultaneously, fielding frequent customer questionnaires, or preparing for their first or next SOC 2 or ISO 27001 audit. The common thread is repeat cycles: the same controls get evidenced, mapped, and reported across frameworks and across quarters. A tool that reads your workspace, cites your evidence, and requires approval before output becomes official reduces the re-stitching labour each cycle.

Where Compass Fits

When the evaluation is done — when you have mapped what a point solution provides and what a general chatbot cannot — the shape of the missing category becomes clear. A tool that reads your workspace, produces cited output, marks unsupported claims as "Not Provided" instead of inventing them, and requires human approval before anything becomes official.

That is what Compass by Truvara builds. It is not an evidence-collection scanner and it is not a general chatbot. It is a compliance harness that works with the evidence you already keep — grounded, cited, and human-approved — so every cycle is not a blank page and every claim carries a source.

Watch Compass work.


TT

Truvara Team

Truvara