Skip to content
GRC ToolingField guide

How Compass Works: A Compliance Agent Run, Step by Step

Follow a Compass agent run start to finish: the four states, cited output, pending-change review, and an audit trail designed for skeptical practitioners.

TT
Truvara Team
July 11, 2026
5 min read

A Compass agent run moves through four explicit states — Reading workspace, Attaching citations, Waiting for review, and Accept proposal — each visible, every claim cited to its source, nothing final without a human decision.

The Four Run States

Every interaction with a Compass agent follows the same sequence inside a compliance harness — guardrails that catch hallucinations, block fabrication, and enforce grounding in the user's own documents.

StateWhat happensHuman role
Reading workspaceThe agent surveys documents, evidence files, grids (risk registers, evidence trackers, SoA), and pre-loaded framework knowledgeNone — automatic
Attaching citationsThe agent drafts the requested artifact and links every claim to its source — document title, evidence ID, or control numberNone — automatic
Waiting for reviewProposed changes appear as pending entries, each citation checkableReview, edit, or reject
Accept proposalApproved changes are written to the artifact and loggedAccept or reject per change

The sequence is not skippable. The agent never moves from drafting to approval without a human decision in between.

What a Citation Carries

When the agent proposes a policy, fills a questionnaire answer, or drafts a control narrative, every substantive claim carries a visible reference. A citation may point to:

  • A document in the workspace — a policy PDF, an evidence folder, a previous audit memo
  • An evidence ID linked to a specific control
  • A control number from a pre-loaded framework — SOC 2 CC6.1, ISO 27001 A.9, NIST CSF ID.AM

If the agent finds no source to support a required answer, it marks that answer as "Not Provided / no source found" rather than inventing a plausible-sounding one. The gap stays visible in the proposal. This is the most testable difference between a compliance harness and a general chatbot: a chatbot guesses; Compass shows you the hole.

What "Accept Proposal" Actually Commits

Accepting a proposal writes the change into the artifact — a control narrative enters the policy document, a questionnaire answer is recorded in the answer library grid, a risk treatment appears in the risk register.

What it does not do:

  • It does not deploy the change to any external system. Compass is local-first; there is no cloud endpoint that auto-syncs accepted changes to a shared dashboard, a ticketing system, or an auditor portal.
  • It does not send the output to anyone. Export is a separate, manual action — MD, HTML, CSV, DOCX, PDF, XLSX.
  • It does not bypass future review. Every new run starts fresh. Accepted changes become part of the workspace record, but the next proposal still goes through the same four-state sequence.

The Operation Log — What Is Left Behind

Every agent run produces an immutable operation log that records:

  • What the agent read: which documents, evidence IDs, and controls were consulted
  • What the agent wrote: the text of every proposed change
  • What the human decided: which proposals were accepted and which rejected
  • A timestamp and run ID for every event

The log is not editable by the user or the agent. It is the chain of custody from instruction to published artifact. An auditor can review it to see exactly what evidence was consulted, what was proposed, and what was accepted — no need to trust a claim that "the AI did it correctly."

Before and After: How the Review Changes

Before an agent run, reviewing a draft meant reading for plausibility — does this control sound right? Does this date match our records? The reviewer reconstructed the source behind every statement mentally.

After an agent run, the reviewer gets a proposal where every claim is already linked to its source. Review shifts from source archaeology to judgment: given this evidence, is this the right answer? Gaps surface as "Not Provided" markers instead of hiding behind fluent text.

The difference is small in a five-question review and significant in a two-hundred-question security questionnaire or a sixty-framework control mapping.

Compass by Truvara

Every Compass agent run produces a cited proposal, waits for human review, and leaves an uneditable log of what was read, written, and decided. The run does not act on accepted changes outside the workspace — your output is yours to export, share, and defend. The agent is not infallible; the design is that every mistake is catchable because every claim is traceable. Compass by Truvara is in preview — join the waitlist.

FAQ

What happens if the agent cannot find evidence for a control?

The agent answers "Not Provided / no source found" and moves on. The gap stays visible in the proposal. You can add your own evidence and re-run, or answer manually. The agent does not fill gaps with plausible text. See the section on citations for how this behavior differs from general chatbots.

Can I accept some changes and reject others in the same run?

Yes. Each pending change is reviewed individually. You can approve one questionnaire answer and reject another, or accept a policy change while sending a control narrative back for revision.

Does the operation log survive export?

The log stays with the workspace. Exported files (MD, HTML, DOCX, PDF) contain the artifact content plus citation references but are not themselves the chain-of-custody record. The full log — including rejected proposals and evidence-read events — lives in the workspace SQLite database and can be reviewed there.

Can the operation log be tampered with?

The log is stored in the local workspace database and is not editable through the Compass UI. Because Compass is local-first, physical access to the machine is the boundary condition. Truvara is building toward a signed artifact format that would make tampering detectable across transfers, but the current local log already prevents accidental or UI-based editing.


TT

Truvara Team

Truvara