New Agentic Controls & Tests application lets security teams prove their controls are working, not just documented, with Browser Agent verification and a permanent evidence trail.
, /PRNewswire/ — Whistic, the AI-first Risk Operations platform, today announced at the ISACA 2026 Conference the general availability of Whistic Compliance, a new agentic AI application that lets security and compliance teams define internal controls, run tests against them, and capture timestamped evidence on a recurring schedule. Compliance becomes the fourth application on the Whistic platform, joining Trust Center, Whistic Assess, and Vendor Monitoring, and stakes a deliberate position against what the company calls the industry’s drift toward compliance theater.
The release lands at a moment when high-profile incidents are exposing a structural design flaw across the risk industry. Recent examples range from alleged compliance fraud at a fast-growing SOC 2 automation startup to a third-party vendor breach that exposed millions of consumer records at a major streaming platform. Both point to the same underlying issue: most programs are built to collect evidence, not verify trust. Polished documentation can be mistaken for assurance, and point-in-time assessments leave organizations blind to risk that develops after a vendor is approved.
“Half of this industry is racing to help companies check boxes faster, and the other half is starting to realize that’s not the same thing as being secure,” said Juan Rodriguez, CEO of Whistic. “Clean audits didn’t stop the breaches making headlines this year. Annual reviews didn’t either. The market is correcting in real time, and we’re building for the side of that correction that actually reduces risk.”
Whistic Compliance ships with three test types: manual evidence upload, AI-powered Browser Agent verification, and recurring scheduled runs. The Browser Agent navigates to a target system, follows natural-language instructions, and captures screenshots for human review, eliminating the audit-cycle scramble of stitching evidence together from spreadsheets, shared drives, and email threads. Every test execution creates a permanent, timestamped record.
The application also closes a loop the rest of the market leaves open. Whistic customers already use the platform to verify their vendors through Whistic Assess and Vendor Monitoring, and to share their own security posture with their customers through Trust Center. Compliance now does for internal controls what Whistic has always done for external trust: replace static documentation with continuous, evidence-backed proof. The same vendor that demands real evidence from its suppliers can finally produce real evidence for its own auditors and customers, in one platform, on one timeline, under one AI architecture.
“We’ve used the big compliance platforms. They’re great at telling you a control exists,” said the Director of Security at a Whistic customer in financial services. “Whistic is the first tool that actually helps us prove it’s working, without hiring a consultant or running a six-week implementation. And the fact that it sits next to our vendor program means we’re finally telling one risk story instead of two.”
Whistic Compliance is available immediately to existing customers as a paid add-on and to net-new buyers as a standalone application. Rodriguez will discuss the broader market shift toward risk-first compliance in his ISACA session, Beyond Assessments: The New Standard for Agentic TPRM, Vendor Monitoring & the Future of Compliance, on Wednesday, May 6 at 9:50 a.m. PT on the Innovation Stage. Whistic is exhibiting at ISACA Booth 303 (May 6 to 8), will demonstrate Compliance at a webinar on May 14, and will be on-site at the Gartner Security & Risk Management Summit in National Harbor, MD (June 1 to 3).
About Whistic
Whistic is the AI-first Risk Operations platform built for the teams who actually do the work. Agentic AI handles the heavy lifting across the full risk lifecycle: vendor assessments, a Trust Center Exchange network of thousands of vendor profiles, always-on monitoring of public, dark web, and SEC sources, and internal control testing that captures evidence automatically. Every alert, response, and test is logged with timestamps, so security and risk teams scale their programs, take action in one workflow, and stay audit-ready from day one. Learn more at whistic.com.
Media Contact
Wade Tibke, VP of Marketing, Whistic | 2064999019 | [email protected]
SOURCE Whistic
