Blog
Compliance, as it actually shows up in code.
Field notes on the ordinary pull requests that quietly break a control, and engineering notes on how we build a compliance reviewer worth trusting. Written for engineers, grounded in the exact clause, honest about where we are.
- Field notes
The one-line PR that quietly broke ISO 27001 A.8.15
Compliance does not fail in the audit. It fails in a five-line pull request that looked like a cleanup.
- Field notes
Your AI agent doesn't read your SOC 2 policy
Coding agents write code that compiles, passes tests, and quietly widens a control. The policy PDF is not in their context window.
- Engineering
False positives are the only metric that matters for a compliance bot
A reviewer that cries wolf gets muted, and a muted reviewer catches nothing. For a compliance tool, precision is the whole game.
- Field notes
The EU AI Act is a code review, whether you like it or not
For high-risk AI systems, the Act's obligations are not policy. They are properties of the running system, decided in a diff.