Platform · ISO 27001 · AI agents

ISO 27001 compliance, run by AI agents.

Your AI agents send evidence, logs, versions and catalog straight to the platform — and governance shows which agents, skills, MCPs and extensions are running in the company. Exponencial runs the ISO work; you follow risk, evidence and approval.

01 The platform

AI agents + ISO 27001 + security, in one place.

The same platform Exponencial uses for its own ISO 27001 certification now serves you — and starts with the question IT and security teams need to answer: which AI agent is running, with which skill, extension and privilege?

Your AI agents

Your company's AI agents talk to the platform: they send evidence, logs, versions and catalog automatically. Your compliance feeds itself — no manual spreadsheets.

Sec-AI — AI watch

Risk signals (vulnerabilities and alerts from monitored sources) arrive AI-triaged. One click turns them into a risk or evidence inside the standard.

ISO/IEC 27001, run for you

93 Annex A:2022 controls, risk register and internal audit in a single flow. Exponencial runs the certification; you follow along in real time.

02 Agent governance

The new pain: agent, skill and extension inventory.

AI agents entered development workflows before many companies had policy, inventory and controls. Our proposal connects this surface to ISO 27001, ISO 42001 and practical security: discover, classify, approve and evidence.

Agents and skills

Which agents, skills, MCPs and automations are running? Who installed them? In which project? From which origin and version?

VS Code extensions

Which extensions can read workspaces, execute commands, call networks or install tools in the team's environment?

Technical shadow AI

Unapproved use stops being an abstract conversation: it becomes inventory, risk, exception, approval and evidence.

03 AI agents

Compliance that feeds itself.

Instead of hunting for proof before the audit, your company's AI agents deliver the material continuously — each item already tied to the right ISO control.

Evidence

The agent collects the proof (configuration, scan, report) and publishes it already tied to the matching ISO control.

Logs

Audit trails and access records streamed continuously — monitoring evidence stays alive.

Versions & dependencies

Software and dependency inventory (with vulnerabilities) feeds control A.8.8 — no ticket needed.

Asset catalog

The agent keeps the information and asset inventory up to date — the basis of Annex A — straight from your infrastructure.

Each agent connects with its own credential and limited scope — it feeds your compliance and never sees another client's.

04 How it works

From connection to audit, in one flow.

  1. 01

    Connect your agents

    Each AI agent gets its own credential, scoped to exactly what it needs, to talk to the platform securely.

  2. 02

    Evidence comes in by itself

    Evidence, logs, versions and catalog arrive from your agents and from automatic collection (DMARC/SPF/MX, headers, runtime/KMS), already dated.

  3. 03

    AI prioritizes the risk

    Sec-AI triages the signals and proposes risks, events and evidence. You decide with one click — the standard stays current.

  4. 04

    Audit-ready, always

    Export the Statement of Applicability (SoA) and the evidence spreadsheet whenever the audit asks. No last-minute scramble.

05 Features

Everything the audit asks for — versioned and exportable.

Readiness dashboard

How far to certification, as a percentage, with open risks and pending items highlighted.

93 Annex A controls

Status, owner, justification and evidence per control. Applicability flagging for the SoA.

Risk register

Append-only: a risk from Sec-AI is never deleted — it only evolves from open to treated to closed.

Internal audit

Audits, management reviews, nonconformities and corrective actions, recorded and dated.

Evidence collection

Live technical checks of the environment, turned into dated evidence with one click.

SoA + CSV export

Statement of Applicability as a document and an evidence spreadsheet ready for the auditor.

06 Trust

Security isn't just the topic — it's how the platform is built.

  • Per-client data isolation — each company sees only its own compliance; access is verified server-side on every request.
  • Flexible, secure access — the team signs in with Google; clients get a single-use magic link by email.
  • Least-privilege agents — every AI agent has its own credential, scoped to what it needs to send.
  • Dedicated encryption — a dedicated key (KMS) for sensitive data.

07 ISO/IEC 27001:2022 (+ Amd 1:2024)

A real standard, run by a certified team.

Exponencial is certified to ISO 9001, ISO 14001 and ISO 27001. The platform loads the full Annex A:2022 catalogue — the same standard you'll present to your audit.