Skip to content
Draffin.ai
← All articles

May 10, 2026

Merge coding-agent inventories with policy

By Ben Draffin · Director of Security at Decagon

GRC AI Devsecops Controls

Enterprise buyers do not only ask what your policies say. They ask what your systems do — and whether you can show the connection. For most GRC programs, that question surfaces a gap: policies describe intent, while controls live in code, infrastructure, and release trains that change weekly.

Reconciling the two is one of the hardest and most underinvested problems in AI-native security. It sits at the intersection of engineering velocity, audit evidence, and customer trust. Manual control inventories are often obsolete the week they are finished. Coding agents and automated scanners can help, but only if GRC treats their output as a living inventory to merge with policy — not as a one-off audit artifact.

Why traditional control inventories break down

Classic GRC assumed humans implemented controls and humans updated policies on a recognizable cadence. In AI-native engineering organizations, that assumption no longer holds.

  1. Controls emerge in product first. AuthZ checks, retention configuration, and model routing rules land in PRs before policy language catches up.
  2. Policies still matter. Attestations, customer trust pages, and auditor interviews depend on accurate external claims.
  3. Manual inventories decay immediately. A spreadsheet completed in January does not describe March production.

A practical pattern is forming across teams running GRC at product speed: use coding agents, static analysis, and infrastructure scanning to maintain a living inventory of controls in production, then reconcile that inventory against policy statements continuously.

What to inventory (and where agents can help)

Start with artifacts tools can actually observe. The agent’s job is not to replace auditors. It is to answer: what controls exist in production right now, and where?

Source Examples of control evidence
Application code Authorization checks, PII redaction, rate limits, structured logging
Infrastructure Encryption at rest, network segmentation, key management
CI/CD Required reviews, secret scanning, deployment gates
Model / AI layer Retention configuration, fine-tuning flags, prompt filters, supervisor routing

It is worth noting that agent output requires human review and scope boundaries — the same way voice authentication requires validation before high-risk actions proceed. Automation accelerates discovery; ownership and judgment stay with the security and engineering leads.

Merging with policy: aligned, policy-only, implementation-only

For each policy statement — or mapped SOC / ISO control — run a simple reconciliation:

  1. Link to one or more technical evidences from the inventory.
  2. Flag policy-only claims with no technical anchor. These are audit risk until implemented or narrowed.
  3. Flag implementation-only controls with no policy or questionnaire coverage. These are operational surprises waiting for the next enterprise review.

The output is a reconciliation report in three buckets: aligned, policy-only, implementation-only. That is merge logic, not documentation theater.

Example outcomes

Bucket Meaning Typical action
Aligned Policy, evidence, and questionnaire answers match Maintain; automate evidence collection
Policy-only Claim exists; implementation unclear or missing Implement, narrow policy, or stop claiming
Implementation-only Control exists; not reflected externally Update policy and trust collateral

Why this matters in enterprise AI sales

Buyers now ask for controls that rarely appear in legacy policy libraries — training data boundaries, model input retention, human oversight for sensitive actions, subprocessors in the model stack. If the only source of truth is a PDF policy repository, gaps surface on the security review call.

If the source of truth includes inventories tied to policy clauses, the team can respond with evidence paths: here is the control, here is where it lives, here is when it last changed.

A practical starting sequence

Most teams do not need a platform overhaul to begin.

  1. Pick one high-risk domain — for example, customer data retention in the model pipeline.
  2. Run an agent-assisted or scanner-assisted inventory scoped to that domain.
  3. Map results to a single policy section and your standard questionnaire answers.
  4. Close the largest policy-only or implementation-only mismatch.
  5. Repeat on the release cadence — weekly or per train — not annually.

Frameworks speak in “control activities.” Engineering speaks in merged PRs. Until GRC adopts tooling that bridges those languages, AI-native companies will either look less compliant than they are, or more compliant on paper than they are in production. Merging inventories with policy is how those views get reconciled at the speed the product already ships.

Previous: Vendor contracts reveal your gaps · Next: Audit prep in the age of AI

Newsletter

Email when I publish.

You'll get a confirmation email first.

Pushback? LinkedIn is fine.