
Triagen explains: how much AI can really speed up your compliance journey
Hailang Zhou
Is AI going to take over your compliance? This is the question we explored together with our customer Triagen.ai and our implementation partner Fendix. This article is for every organisation that wants to use AI smartly for internal compliance.
There is a persistent belief in the market that AI will eventually make compliance redundant. Give the system enough access and it will sort out your ISO 27001 or SOC 2 for you, so the thinking goes. That belief is wrong. Compliance is about accountability, about demonstrably managing risks, and about making choices that fit your organisation. A model that recognises and reads patterns cannot bear that responsibility.
But ignoring AI is equally unwise. The gains lie in work that requires many hands and little judgement: comparing a policy document with a configuration, creating tasks based on audit findings, summarising the status of open risks. That is where AI excels. The substantive decision stays with the human; the execution work becomes more efficient through AI.
In this article we show what that can look like in practice in the compliance space. We start with the Model Context Protocol (MCP), the technology that makes it possible, and then zoom in on Triagen, which uses it every day.
What AI can do through the Model Context Protocol (MCP)
The Model Context Protocol (MCP) is an open standard that enables AI assistants to perform actions in external platforms such as Tidal Control through a standardised API. In short: MCP is the technical bridge that allows AI assistants like Claude or ChatGPT to connect to a platform like Tidal Control and take actions within it. Inside Tidal Control you connect your AI tool to your tenant and give instructions in plain language. The assistant can, for example, search your compliance data, create or update items, link entities to one another, and summarise KPIs.
Before, you would open the policy in Tidal, read it, copy it, paste it, move from one screen to another. Now I just say: put the encryption policy next to our infrastructure, and the MCP adjusts it automatically for me. That works incredibly well.
Stefan, CTO | Triagen
Your existing permissions still apply throughout. If you only have read access in the portal, the assistant can only read via MCP as well. The connection runs under your identity, after you have logged in once through your browser. So the AI never gets more power than you have yourself.
The scope is broad. You can ask questions like "which of my critical risks have no controls linked" or "show all suppliers with an expired review". You can run bulk actions, for example adding multiple assets or controls to your list or plans, such as a "quarterly review", in a single prompt. You can also have the MCP search documents and policy documents by meaning, and easily have controls linked to risks and assets. The assistant knows your context, so a question like "what is scheduled for me next week" works without you having to spell out names or dates.
Case study: how Triagen uses the MCP
Triagen builds AI-driven triage and intake software for occupational health services and company doctors, automating employee intakes and building structured case files. They are a health-tech start-up working towards certification for ISO 27001 and NEN 7510 together with Tidal Control and Fendix. The inclusion of NEN 7510 makes sense: NEN 7510 covers information security in healthcare, and Triagen works with health data. It is a small, fast-moving team, and that is exactly where every saved minute counts. Stefan Samba, co-founder and CTO, codes virtually all day and uses the MCP integration directly from his code editor. He talks to Claude Code as shown in the image below.
Stefan shared that his first application revolves around aligning policy with reality. Triagen works with a monorepo that also describes the infrastructure. A monorepo is a software strategy in which the source code of multiple, often independent projects (microservices, frontend and backend) is kept in a single central repository.
Previously, checking a policy meant looking up the document in Tidal, reading the relevant section, checking the code, and manually writing the result back. Now Stefan gives a single instruction: put this encryption policy next to our infrastructure. The assistant reads the policy template, searches the code for the encryption settings, finds for example TLS 1.3 there, and updates the policy accordingly with his approval. The judgement stays with Stefan; the search work goes from minutes to seconds.
Adding tasks without administrative detours
His second application is more everyday, and that is precisely what makes it valuable.
When you build all day, you constantly get stray thoughts: an asset or supplier that is still missing. In the past, that task would disappear into Jira and onto the backlog. Now I prompt my AI tool: add them in Tidal Control. Done in 10 seconds, and I review them all at once later. Much more efficient.
And Stefan is already looking further ahead. Compliance is not a one-off journey but a recurring cycle, with audits and checks that come back every year. The MCP can therefore continue to assist throughout the annual PDCA cycle, making the maintenance work even more efficient than Tidal already does on its own. Growing start-ups, scale-ups, and even larger organisations with compliance teams will probably recognise how keeping up with compliance creates friction in exactly the places where you have the least time. The MCP is then a great efficiency booster.
The consultant works more efficiently too
The gains are not limited to the customer. Fendix carries out implementations together with Tidal at a growing number of customers and brings the MCP way of working along. For a consultant guiding multiple organisations at the same time, being able to ask targeted questions saves a great deal compared to manually navigating through different customer tenants (environments).
This becomes concrete with the work that normally takes up the most time: gathering evidence. Instead of manually collecting files for a quarterly review, a single prompt such as "collect all incidents from Q2 and summarise the open action points for management" is enough. Or, during an internal audit: "create tasks for all non-conformities from the last audit and assign them in Tidal to the right system owners". The compiling and linking happens in one instruction, while the consultant checks whether it is correct.
Aligning policy to a customer's specific situation also goes faster. A prompt like "rewrite this password policy so that it matches the current Entra ID configuration" produces a first draft that the consultant only needs to refine, rather than writing from scratch. The consultant keeps control and safeguards quality, while the execution part moves faster. Time shifts from administration to advice and guidance, which is exactly what a customer hires a consultant for.
Using an AI assistant safely
The MCP integration of Tidal Control is secure because the AI assistant acts exclusively within the existing user access rights of the logged-in employee. That said, having an AI assistant in your compliance environment does require deliberate choices. The most important safeguard is already built into the technology: because your existing permissions apply via MCP, an assistant can never do more than you are allowed to do yourself. A read-only user stays a read-only user.
Only give your AI tool the access it needs. Check with your provider whether your data is used to train models and consciously disable that setting. Bear in mind that data sent to a non-local assistant goes to the provider, so weigh up what level of sensitivity you allow. The same principles of access control and data protection that you already apply elsewhere apply here too.
Embrace AI, don't outsource to it
Tidal Control is a GRC automation platform that serves as a single source of truth for your compliance. The MCP integration adds a conversational layer on top of that, available for tools including Claude Desktop, Claude Code, Codex, and ChatGPT.
The experience of Triagen.ai combined with the consultancy of Fendix shows where AI in Tidal is at its best. Not as a replacement for the judgement that compliance requires, but as an accelerator of the work around it. Embracing AI in this way helps you become compliant faster and stay that way, while keeping humans in control. That is a healthier promise than automation that cuts people out, and it is one that holds up in practice.
Want to see how the MCP integration works for your compliance? Book a demo or sign up for a free trial on our homepage and try it out.
