A pattern shows up in almost every conversation we have with teams shipping AI agents at any meaningful scale. It isn’t about a specific framework, and it isn’t about whether the agents are “production-ready.” It’s about something quieter — and harder to fix with another framework or another platform.
Two functions inside the same organization are working from different maps of the same agents.
The Map AI Engineering Holds
The AI engineering team is the closest to the agents. They wrote the system prompt. They picked the tools and decided how many to register. They know which agents talk to other agents, which call the production database, which run autonomously, and which require human approval before they act.
When an issue surfaces in their world, the language is concrete:
“Tool registration on the support agent is unbounded — it can call every Stripe API, not just the refund endpoint.”
“The orchestrator’s max-iterations limit is missing. We’ve seen it loop nine times before timing out.”
“Our agent has buffer memory with no summarization. The context grew past 100K tokens in production yesterday.”
The artifacts they work with are code, config, and CI checks. The fix for any given issue is a pull request.
The Map Security and GRC Holds
The security and GRC team is reading a different document. Their map is composed of articles, paragraphs, and clauses — written by regulators and auditors in a different vocabulary.
“Where are we on EU AI Act Article 14 — human oversight for high-risk AI systems?”
“NIST AI RMF MEASURE-2.7 asks for event logging and traceability. Can we produce that evidence?”
“ISO/IEC 42001 §8.5 requires human oversight processes. Is the agent’s design documented to satisfy this?”
“Auditor visits in six weeks. What’s our SOC 2 CC7.2 monitoring posture for the agent stack?”
The artifacts they work with are control catalogs, evidence binders, and quarterly audit prep cycles. The fix for any given gap is, eventually, a control improvement — but first, it’s an understanding of which agent corresponds to which control.
Both Teams Are Doing the Right Work
Neither of these maps is wrong. Each is correct for what its function is responsible for.
The friction shows up in three places that everyone who has lived through it will recognize:
Translation rounds. When the auditor or the board asks the GRC team a framework-specific question, they go to AI engineering and translate. “Can you tell me which agents have human-in-the-loop approval gates? It’s for Article 14.” The AI engineering team answers from their map. The translation back into the GRC team’s framework happens by hand, in a spreadsheet, every time.
Coverage doubt. When the answer comes back, it’s hard for the GRC team to be sure they got all the relevant evidence. The AI engineering team answered the question they were asked — but the team asking didn’t necessarily know all the questions they should have asked.
Audit-prep sprints. A few weeks before an audit, both functions stop their primary work and spend cycles assembling, by hand, the evidence the auditor will want. Spreadsheets, screenshots, exports. The week of the audit, the AI engineering team is doing GRC’s job because the only place the underlying truth lives is in the code.
None of these are signs that anyone is doing a bad job. They’re signs that the same agent is a different object in each function’s view, and the work of translating between the two views is being done by hand, repeatedly, by both sides.
What Closing the Gap Looks Like
The shape of the fix isn’t another map. It’s a single source of truth that projects through whichever lens the reader needs.
Today we’re shipping Compliance Posture in ARIAS. It takes the agent inventory and findings that ARIAS already maintains for every customer, and projects them through the framework lens an auditor uses.
For AI engineering, nothing changes about how they see their work. The findings, the rules, the remediation — same dashboard, same workflow.
For security and GRC, the same evidence is reorganized by framework. EU AI Act, NIST AI RMF, ISO/IEC 42001, SOC 2, GDPR, OWASP LLM Top 10, OWASP Agentic AI Top 10, and MAESTRO. For every control in every framework, the dashboard shows whether the agents in scope are aligned, partially aligned, or have a gap — and which specific findings produced that status.
For the GRC platform that the security team is already using, the evidence flows in automatically. ARIAS exports OSCAL-format assessment results and posts webhook events whenever a control’s status changes. The evidence that used to require a translation round now arrives in the GRC tool’s data layer the same day a scan completes.
Coverage That Stays Honest
The principle Compliance Posture is built on is one we feel strongly about, because it’s the principle that makes the difference between a credible feature and a marketing surface.
ARIAS does not claim to cover every control in every framework. Every framework card shows the percentage of that framework assessed: the controls for which ARIAS provides direct evidence through the rules in its knowledge base, anchored on the Secure Controls Framework. For each framework, the unassessed controls are visible, named, and grouped with the assessed ones.
This matters because the audience that cares most about compliance posture also cares most about whether the posture is real. A dashboard that says “100% of EU AI Act covered” and walks an auditor into a meeting where five articles can’t be evidenced is worse than one that honestly says “8 of 22 EU AI Act controls assessed; here’s what we evidence, here’s what we don’t.”
Compliance Posture takes the second path, always.
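To make the projection concrete, here is a small worked example of the roll-up described above: the per-agent findings from the engineering view (the unbounded tool scope, missing iteration limit, and unsummarized buffer memory quoted earlier) become a per-control status of aligned, partial, or gap, and each framework reports the fraction of its controls that any rule actually evidences. This is illustrative code added to this page, not ARIAS's implementation. The agent configurations, the rule IDs, and the mapping from rules to controls are constructed assumptions; only the control identifiers themselves come from the frameworks the article names, and which rules evidence which control is an editorial guess, not a published mapping.

```python
"""Added example: per-agent findings projected onto framework controls.
Not ARIAS code. Agents, rule IDs and the rule-to-control mapping are
constructed assumptions; control IDs name clauses of the cited frameworks."""
from __future__ import annotations

# Constructed agent inventory (hypothetical agents, not real deployments).
# Shapes mirror the findings quoted in the article: wildcard tool scope,
# missing loop bound, buffer memory without summarization, no approval gate.
AGENTS: dict[str, dict] = {
    "support-agent": {
        "tools": ["stripe.*"],        # wildcard: every Stripe API, not just refunds
        "max_iterations": None,       # orchestrator has no loop bound
        "memory": {"type": "buffer", "summarize": False},
        "human_approval": False,
        "audit_log": True,
    },
    "refund-agent": {
        "tools": ["stripe.refunds.create"],
        "max_iterations": 8,
        "memory": {"type": "buffer", "summarize": True},
        "human_approval": True,
        "audit_log": True,
    },
}

# Hypothetical rule IDs. Each predicate returns True when the agent PASSES.
RULES = {
    "TOOL-SCOPE": lambda c: not any(t.endswith("*") for t in c["tools"]),
    "LOOP-BOUND": lambda c: c.get("max_iterations") is not None,
    "MEM-SUMMARY": lambda c: c["memory"]["type"] != "buffer"
    or bool(c["memory"].get("summarize")),
    "HITL-GATE": lambda c: bool(c.get("human_approval")),
    "EVENT-LOG": lambda c: bool(c.get("audit_log")),
}

# Frameworks as control lists. The rule assignments are an assumption for
# illustration; a control mapped to no rule stays visible as "unassessed",
# which is what keeps the coverage percentage honest.
FRAMEWORKS: dict[str, dict[str, list[str]]] = {
    "EU AI Act": {
        "Art. 9": [], "Art. 10": [], "Art. 12": ["EVENT-LOG"], "Art. 13": [],
        "Art. 14": ["HITL-GATE", "TOOL-SCOPE"],
        "Art. 15": ["LOOP-BOUND", "MEM-SUMMARY"],
    },
    "NIST AI RMF": {"MEASURE-2.7": ["EVENT-LOG"], "GOVERN-1.1": []},
    "ISO/IEC 42001": {"8.5": ["HITL-GATE"], "6.1": [], "9.1": []},
    "SOC 2": {"CC7.2": ["EVENT-LOG"], "CC6.1": []},
}


def findings(agents: dict[str, dict]) -> dict[str, set[str]]:
    """Engineering view: agent name -> set of rule IDs that agent fails."""
    return {name: {rid for rid, check in RULES.items() if not check(cfg)}
            for name, cfg in agents.items()}


def control_status(rules: list[str], fails: dict[str, set[str]]) -> str:
    """Roll (agent, rule) results up to one control status.

    Assumed policy: 'aligned' if no in-scope agent fails a mapped rule, 'gap'
    if every (agent, rule) pair fails, 'partial' otherwise. A control with no
    mapped rule is 'unassessed' rather than silently counted as aligned.
    """
    if not rules:
        return "unassessed"
    failed = [rid in agent_fails for agent_fails in fails.values() for rid in rules]
    if not any(failed):
        return "aligned"
    if all(failed):
        return "gap"
    return "partial"


def posture(agents: dict[str, dict] = AGENTS,
            frameworks: dict[str, dict[str, list[str]]] = FRAMEWORKS) -> dict:
    """GRC view: the same findings projected through each framework."""
    fails = findings(agents)
    report = {}
    for fw, controls in frameworks.items():
        statuses = {cid: control_status(rules, fails) for cid, rules in controls.items()}
        assessed = sum(1 for s in statuses.values() if s != "unassessed")
        report[fw] = {
            "controls": statuses,
            "assessed": assessed,
            "total": len(controls),
            "percent_assessed": round(100 * assessed / len(controls)) if controls else 0,
        }
    return report


def status_change_events(before: dict, after: dict) -> list[dict]:
    """One event per control whose status changed between two scans: the
    payload a status-change webhook to the GRC platform would carry."""
    events = []
    for fw, data in after.items():
        prev = before.get(fw, {}).get("controls", {})
        for cid, status in data["controls"].items():
            if prev.get(cid) != status:
                events.append({"framework": fw, "control": cid,
                               "from": prev.get(cid), "to": status})
    return events


if __name__ == "__main__":
    for fw, data in posture().items():
        print(f"{fw}: {data['assessed']} of {data['total']} controls assessed "
              f"({data['percent_assessed']}%)")
        for cid, status in data["controls"].items():
            print(f"  {cid:<12} {status}")
```

Two details carry the article's point. First, a control with no mapped rule reports "unassessed" and is excluded from the numerator but not the denominator, so the card reads "3 of 6 assessed" rather than implying the other three passed. Second, because status is derived from the same findings the engineering team already sees, fixing the loop bound and memory summarization on the support agent flips Art. 15 from partial to aligned in the next scan, and that transition is exactly the event the GRC tool receives; nothing has to be re-entered by hand.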
What Changes When Both Teams Read the Same Picture
The friction this closes isn’t between the two teams. It’s the friction caused by both teams doing high-quality work against artifacts that don’t natively talk to each other.
When both functions can read the same picture in the language they each need:
- AI engineering ships agents knowing whether the design change they just made affects a regulatory commitment, before the regulatory commitment becomes an audit finding.
- Security and GRC enter the audit cycle with continuously refreshed evidence, not a four-week assembly sprint.
- Leadership reads a single compliance posture report that’s grounded in the same source data as the engineering view — there’s no mismatch to reconcile when the numbers reach the board.
The conversation between these two teams doesn’t go away. It changes character. Less translation, more shared decisions. Less audit-prep firefighting, more proactive control improvement.
Available Today
Compliance Posture is live for ARIAS customers today. Read the integration guide for how to connect your GRC tool to ARIAS in five minutes.
ARIAS is the pre-production control plane for AI agents. We read your agents, your tools, your prompts, and your orchestration patterns, and surface the issues before they ship — in the language each function in your organization actually uses. Start a free trial.