About

We're building the compliance copilot we wished we had.

isops.ai is an AI-native trust & compliance platform for AWS-first teams. We started it because preparing for SOC 2 and ISO 27001 still meant nine months of spreadsheets — and the existing tools just turned the spreadsheet into a dashboard. We think the compliance work itself can be done by a copilot, with the operator in the loop.

6 frameworks supported (ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, NIST 800-53)
10 integrations (AWS, GitHub, GitLab, Okta, M365 & more)
100% data stays in your environment (self-hostable, single-tenant by default)
Founded 2026 (private beta with design partners)
Story

How we got here.

We started as DevOps engineers with a security focus — the people who got pinged at 2am when something broke in production, and the people who had to defend that same production environment in front of an auditor a few months later.

Somewhere along the way we got pulled into ISO 27001 and SOC 2 work. At first it was a chore: spreadsheets, screenshots, control matrices that didn't quite match the cloud we were running. But the more time we spent inside it, the more we realised this is actually the same problem as infrastructure — graphs, evidence, drift, traceability. It just hadn't been treated like a software problem yet.

That's the itch that turned into isops.ai. We're building the compliance copilot we wanted on the operator side of the table — one that understands the AWS account, drafts the evidence, maps the controls, and keeps a human in the loop for every accepted change.

Principles

How we build.

Six ideas that drive every product decision.

01. Operator in the loop, not out of it

The copilot drafts; the operator approves. We never silently push evidence or auto-close a finding. Every AI action is logged with the prompt, the response, and the human who accepted it.

02. Compliance is a software problem

Frameworks are graphs. Evidence is data. Mappings are queries. We treat compliance like infrastructure — versioned, diffable, observable — not like a deliverable folder.

03. Single-tenant by default

Your evidence, your AWS findings, your AI prompts — they live in your environment, on your infrastructure. We don't pool customer data, and we won't.

04. Ship against real audits

Every feature graduates only after a design partner uses it to defend a real control with a real auditor. No vanity demos.

05. AI you can verify

You bring your own provider key (Anthropic, OpenAI, Bedrock). You see every call. You can turn it off. The product still works without AI — it's just slower.

06. Trust comes from posture, not promises

We publish our subprocessors, our security model, and our privacy boundaries. Read the security page, then ask anything our trust pages don't answer.

Team

A dynamic team.

Operators, engineers, and security folks who've lived inside the problem we're solving.

We're a small, dynamic team — DevOps and security engineers by background, compliance practitioners by experience. We work hands-on with our design partners, ship every week, and stay close to the auditor's side of the table so the product actually defends.

We're hiring slowly and intentionally. If you've felt the compliance pain firsthand and want to help fix the category, get in touch.

Want to help build this?

Whether you'd join as a design partner, an advisor, or want to work with us — we'd like to hear from you.