
Introducing Adaptive Compliance: Your controls stay current, automatically

Pedro Ventura

Iru AI watches how your organization changes. Your compliance program keeps up.

It's the end of the quarter. Someone on your compliance team opens your SOC 2 framework, starts reading through controls, and realizes half of them describe an integration you removed six months ago. A policy you retired last year is still referenced in three places. The audit is in eight weeks.

This is what happens when compliance frameworks are built once and maintained manually, when the controls that govern your program are only as current as the last person who thought to check them.

Every integration change, every policy update, every configuration shift is a signal that your controls might need to catch up. And right now, none of that signal reaches your compliance program automatically.

Not anymore. 

Meet Adaptive Compliance

Adaptive Compliance is Iru AI continuously watching your compliance program for drift and proposing concrete, scoped updates to your controls and actions. Every day, Iru AI checks what has changed in your integrations and policies, compares that against the controls inside each of your frameworks, and surfaces a recommendation when something needs updating.

You review the proposed changes side-by-side. You approve or reject. Iru AI never edits your controls on its own.

The result is a compliance program that stays aligned with how your organization actually operates, not how it operated the last time someone swept the framework manually.

Why control drift is a bigger problem than it looks

Compliance frameworks are descriptions of your security and privacy program. But those descriptions are only useful if they're accurate. A control that says "we review access via our Okta integration" is not evidence of anything if Okta was replaced by Entra six months ago. It is a liability.

Control drift happens because the tools that change your organization don't talk to the tools that describe your organization. Your integrations update. Your policies evolve. And your controls sit there, quietly becoming a less accurate picture of your program with every passing week.

Compliance teams compensate by scheduling manual reviews: quarterly sweeps, pre-audit sprints, spreadsheet comparisons. It works, mostly. But it means the highest-stakes review of your compliance program happens right before the audit that depends on it.

Adaptive Compliance shifts that review from a calendar event to a continuous signal. The controls reflect reality all the time, not just when someone carves out the time to check.

How it works

Adaptive Compliance runs daily in the background.

A new integration gets connected

Your team connects a new SIEM to Iru. Iru AI notices the change. It looks at your SOC 2 framework and identifies that two controls reference your old SIEM by name, and one action describes a log review process that has changed. By the next morning, a Control Update recommendation is waiting in your Insights feed. You open the side-by-side diff, confirm the proposed language, and approve. Three controls updated. Five minutes.

A policy gets retired

Your security team retires your legacy remote access policy and publishes an updated one. Iru AI picks up the change. Three controls in your ISO 27001 framework reference the old policy name. Iru AI drafts updated language that references the current policy and reflects the new scope. You review the diff the next day, uncheck one proposed change you want to handle manually, and approve the rest. Done.

Nothing happened (and that's fine too)

Adaptive Compliance only surfaces a recommendation when there is a signal to react to. If your integrations and policies have been stable, there is nothing to review. The next daily cycle will pick up whatever changes when they land.

Review-first, by design

Fair question: what if Iru AI proposes a change that is not quite right?

Every proposed update surfaces as a diff. Current text on the left, proposed changes highlighted on the right. Every change has a checkbox. You decide what to include before anything is applied. Iru AI proposes. Nothing changes in your controls until you click Approve.

If a proposed change is close but needs a tweak, uncheck it, approve the rest, and edit the control directly. You always have the last word. Iru AI never modifies your policies, your framework configuration, your audit periods, or your uploaded evidence. Only the control and action text you explicitly approve.

What this means for your program

The teams that instrument their compliance program with Adaptive Compliance now are building something that compounds with every change in their organization. Each update that Iru AI catches is a control drift that never accumulates. Each approval is a manual sweep that never had to happen.

For compliance admins, that is audit cycles that are less of a scramble. The framework reflects reality on the day you open it, not the day you last got around to reviewing it. For security leaders, that is a compliance program that keeps pace with the business instead of lagging behind it.

Compliance work does not go away. But the reactive, quarterly-sweep version of it does.

Get started with Adaptive Compliance

Adaptive Compliance is available now for tenants with Iru Compliance and Iru AI Compliance enabled. Reviewers need the Admin Management permission to approve or reject recommendations.

Not enabled yet? Reach out to your Iru rep to be added to the rollout.

Read the setup guide, or book a demo to see Iru AI in action.

Our team is at AICPA & CIMA Engage this week keeping tabs on where compliance is headed. If you're there, come say hi.

Your compliance program should reflect how your organization works today. Now it will.

 
