Use case

AI Workflows for Compliance Evidence

Audit season turns senior engineers into librarians: weeks assembling evidence packs — access review records, policy attestations, change-management samples — from documents that existed all along but were never collected. The work is miserable precisely because it is recurring, structured, and deadline-driven: the exact profile of work that should be a pipeline and is instead a fire drill.

Worse, evidence assembled by hand has provenance problems. 'Where did this number come from and is it the current version?' is a question auditors ask and spreadsheets can't answer.

How it works with an agent fleet

A scheduled Fleet workflow assembles the evidence summary from your policy and procedure corpus, a review step checks completeness against the control list, and the compliance owner signs off — with every artifact content-addressed and the approval recorded.

genflows:
  - name: quarterly-evidence
    schedule: "0 9 1 1,4,7,10 *"   # quarterly
    steps:
      - {name: assemble, prompt: "Assemble the quarterly evidence summary: map each control in controls.md to its current policy/procedure evidence in the corpus.", corpus: ["policies/**/*.md", "procedures/**/*.md", "controls.md"], kind: report, out: evidence-pack.md}
      - {name: completeness, prompt: "Check the pack against controls.md. Flag any control with missing, stale, or contradictory evidence.", depends_on: [assemble], kind: review, out: gaps.md}
      - {name: officer-signoff, depends_on: [assemble, completeness], kind: approval, out: decision.md}

The quarterly schedule means evidence is collected when it's cheap (continuously) instead of when it's urgent (audit week). The completeness review flags the gaps while there's still a quarter to fix them.

The fleet pattern

Schedule → assemble from policy corpus → completeness review against the control list → compliance officer approval. Audit week becomes 'export the last four approved packs' instead of a scramble.

Guardrails that matter here

  • Artifacts are content-addressed and versioned with lineage — each evidence pack is provably the pack that was approved, traceable to its source revisions
  • The approval record (who, when, which revision) is itself evidence of the review control operating
  • Runs execute on your own worker; policy documents never leave your infrastructure
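
To make the first two guardrails concrete, here is an added sketch (not Fleet's own code or record format) of an approval record bound to an evidence pack and its source documents by SHA-256 content address. The field names, file contents and approver address are constructed for illustration.

```python
import hashlib
import json


def content_address(data: bytes) -> str:
    """Content address: SHA-256 of the bytes, prefixed with the algorithm name."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes to the same id.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_approval(pack: bytes, sources: dict, approver: str, when: str) -> dict:
    """Approval record (who, when, which revision) with lineage to its sources."""
    record = {
        "approver": approver,
        "approved_at": when,
        "pack": content_address(pack),
        "sources": {p: content_address(b) for p, b in sorted(sources.items())},
    }
    return {**record, "record_id": content_address(_canonical(record))}


def verify(pack: bytes, sources: dict, approval: dict) -> list:
    """Return the problems found; an empty list means this is the approved pack."""
    problems = []
    body = {k: v for k, v in approval.items() if k != "record_id"}
    if content_address(_canonical(body)) != approval.get("record_id"):
        problems.append("approval record altered")
    if content_address(pack) != approval.get("pack"):
        problems.append("pack differs from approved revision")
    for path, digest in approval.get("sources", {}).items():
        if path not in sources:
            problems.append(f"source missing: {path}")
        elif content_address(sources[path]) != digest:
            problems.append(f"source changed since approval: {path}")
    return problems


# Constructed sample data, not taken from any real corpus.
SOURCES = {"policies/access.md": b"Access reviews run quarterly.\n",
           "controls.md": b"AC-1: access review\n"}
PACK = b"AC-1 -> policies/access.md\n"
APPROVAL = make_approval(PACK, SOURCES, "compliance-officer@example.com",
                         "2025-01-01T09:00:00Z")

if __name__ == "__main__":
    print(verify(PACK, SOURCES, APPROVAL))              # unchanged pack
    print(verify(PACK + b"edited", SOURCES, APPROVAL))  # pack edited after sign-off
```

A bare hash only detects change: anyone who can rewrite the record can also recompute its record_id, so the id has to be signed or stored somewhere the pack's editors cannot write.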

Who this is for

Compliance owners at companies doing SOC 2, ISO 27001, or similar recurring audits, where policies and procedures already live (or belong) in version control.

Frequently asked questions

Will auditors accept AI-assembled evidence?

The evidence is your documents — the workflow assembles and cross-references them. What auditors evaluate is whether controls operate: the recorded review step, the named approver, and the versioned artifacts demonstrate exactly that, more legibly than a folder of screenshots.

What happens when evidence is missing?

The completeness review flags the control with missing or stale evidence, and the run parks at the approval gate with those flags visible. The officer sees the gaps a quarter before the auditor would have.
