Inspiration

The inspiration for ComplianceAI Agent came from the growing need among small and medium enterprises (PMEs) in France to navigate complex cybersecurity compliance requirements affordably and efficiently. Certifications (like SOC2) are critical for building trust with clients and partners, yet many PMEs lack the resources or expertise to assess and maintain compliance. We saw an opportunity to leverage AI to democratize access to compliance tools, automating the tedious process of policy verification and evidence collection. Our goal was to create a solution that feels like a trusted advisor—accessible for startups, scalable for larger organizations, and flexible enough to adapt to different deployment needs, whether on-premise or cloud-based.

What it does

ComplianceAI Agent is an intelligent tool that automates compliance verification for small and medium-sized enterprises (SMEs) targeting cybersecurity standards, such as the ANSSI guidelines. Users begin by selecting a target norm or guideline (for example, SOC2 or ANSSI’s guidelines) and uploading their current security policies and internal documentation (in formats such as PDFs, diagrams, or text files).

The AI Agent analyzes the provided documents against the key requirements of the selected norm or guideline and generates a detailed report highlighting areas of compliance and non-compliance. For non-compliant areas, the system suggests actionable steps (e.g., “Enable MFA”) and can automatically create Jira tickets to track remediation efforts. For compliant areas, it requests evidence (e.g., “Verify MFA status”) and uses API calls (for example to Microsoft Graph or the AWS API) to verify compliance in real time, such as confirming that RDS database encryption is enabled or that multi-factor authentication (MFA) is enabled for all users.

This approach transforms a static large language model (LLM) into a proactive agent, effectively bridging the gap between analysis and actionable compliance management.

How we built it

We built ComplianceAI Agent using a modular architecture to ensure flexibility:

Frontend: A simple web interface using HTML, CSS, and JavaScript, featuring a form for norm selection and file upload, plus a dashboard to display the compliance report.

Backend: A FastAPI server (in /app/) powered by Python, handling file uploads, text extraction with PyPDF2, and API endpoints like /analyze.

AI Core: We chose LangChain to unify LLM backends (e.g., OpenAI, Anthropic) and enable agent functionality. We defined a prompt to compare the PSSI text against ANSSI requirements, outputting a JSON report.

Tools: We extended the LLM into an agent with LangChain’s @tool decorator, mocking Jira ticket creation and Microsoft Graph and AWS API calls for evidence verification (e.g., MFA and encryption checks). These were placeholders for real integrations due to time constraints.
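As an added illustration (not code from the ComplianceAI Agent repository), here is a framework-free Python sketch of the tool routing described above: the JSON report is pulled out of the LLM's answer even when it is wrapped in prose, non-compliant findings become (mocked) Jira tickets, and compliant findings are checked against (mocked) Microsoft Graph / AWS answers, with a ticket raised when the live evidence contradicts the policy. The mock tools, the check names and the sample LLM output are constructed assumptions, standing in for the real @tool functions.

```python
import json
TICKETS = []  # mock Jira: tickets are recorded here instead of calling the real API

def create_jira_ticket(summary, description):
    """Stand-in for the Jira tool; returns the ticket it would have created."""
    ticket = {"key": f"SEC-{len(TICKETS) + 1}", "summary": summary, "description": description}
    TICKETS.append(ticket)
    return ticket

# Constructed inventory standing in for Microsoft Graph / AWS API answers (bob has no MFA).
MOCK_USER_MFA = {"alice": True, "bob": False}
MOCK_RDS_ENCRYPTED = {"crm-db": True}

def check_evidence(check):
    """Stand-in for the evidence-verification tools; the check names are hypothetical."""
    if check == "mfa_status":
        return all(MOCK_USER_MFA.values())
    if check == "rds_encryption":
        return all(MOCK_RDS_ENCRYPTED.values())
    raise ValueError(f"unknown evidence check: {check}")

def extract_report(llm_text):
    """Pull the JSON report out of LLM output that may be wrapped in prose."""
    start, end = llm_text.find("{"), llm_text.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON object found in LLM output")
    return json.loads(llm_text[start:end + 1])

def dispatch(report):
    """Route every finding to a tool and return the actions taken, for the dashboard."""
    actions = []
    for f in report["findings"]:
        status = f.get("status", "").strip().lower()  # tolerate "Compliant", " compliant "
        if status == "non-compliant":
            ticket = create_jira_ticket(f["control"], f.get("remediation", ""))
            actions.append((f["control"], "ticket", ticket["key"]))
        elif status == "compliant" and check_evidence(f["evidence_check"]):
            actions.append((f["control"], "verified", None))
        elif status == "compliant":  # the policy claims compliance but the live check disagrees
            ticket = create_jira_ticket(f["control"], "Evidence check failed: " + f["evidence_check"])
            actions.append((f["control"], "evidence-failed", ticket["key"]))
        else:  # never silently drop a finding the model labelled unexpectedly
            actions.append((f["control"], "unparsed", status))
    return actions

# Constructed sample of the LLM's answer for the CloudCRM PSSI, with prose around the JSON.
SAMPLE_LLM_OUTPUT = """Here is the assessment of the PSSI:
{"findings": [{"control": "MFA enabled for all users", "status": "Compliant", "evidence_check": "mfa_status"},
 {"control": "RDS encryption at rest", "status": "non-compliant", "remediation": "Enable encryption on all RDS instances"}]}
Let me know if you need more detail."""
```

Running `dispatch(extract_report(SAMPLE_LLM_OUTPUT))` yields one ticket for the RDS gap and a second one because the MFA claim in the policy is not confirmed by the (mocked) identity data.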

"CloudCRM" Fictional Customer IS Simulation: For our fictional customer, CloudCRM, we simulated an Information System (IS) environment that mirrors a startup operating on AWS. (link)

Setup: Used uv for fast dependency management and submodules (e.g., /norms/) to organize compliance frameworks, ensuring modularity. We started with a basic LLM test in Claude’s UI, then pivoted to code, deploying locally with uvicorn for rapid iteration.

Challenges we ran into

Choosing the right framework was one hurdle: we debated LiteLLM for its simplicity versus LangChain for its agent capabilities, settling on LangChain but losing time in the decision. Integrating some real API calls for Jira and AWS worked for the demo, but integrating all API calls for each integration would’ve been a stretch. Finally, ensuring the agent correctly parsed LLM responses to trigger tools (e.g., spotting “non-compliant: Encryption not enabled” and calling the Jira API) took debugging, as early runs missed tool calls. Conclusion: LangChain is a nightmare.

Accomplishments that we're proud of

We’re thrilled to have turned a concept into a working prototype in 36 hours! Key wins include:

A functional end-to-end flow: upload a PSSI (we described the current information system inside it), analyze it against ANSSI's guidelines, and get a report with actionable next steps.

Transforming an LLM into an agent with mocked tool integrations (Jira tickets, AWS checks), proving the “LLM-to-agent” hackathon goal, with the reflection design pattern supported.

A flexible design supporting multiple LLM backends (e.g., OpenAI, Anthropic) via LangChain, with config-driven switching for on-premise or cloud use.

A clean, demo-ready UI that looks professional despite the rush.

Using uv to streamline setup, saving precious minutes for coding over dependency wrestling.

What we learned

This hackathon was a crash course in rapid development. We learned LangChain’s power for agent-building—its tool integration saved us from reinventing the wheel. Time management was critical; we underestimated setup overhead and overestimated API integration feasibility. Mocking tools taught us how to fake it ‘til we make it for demos, while still designing for real extensibility. We also picked up practical skills: FastAPI’s speed, PyPDF2’s quirks, and the value of modularity (e.g., submodules) for future scaling. Most importantly, we learned to prioritize the MVP—analysis and reporting—over nice-to-haves like live monitoring.

What's next for ComplianceAI-Agent

With more time, ComplianceAI Agent has big potential:

Improve API Integrations: Develop more API calls, adding OAuth for secure evidence checks (e.g., real-time encryption status).

Broader Norms: Expand beyond ANSSI's or ENISA's guidelines to SOC2, ISO 27001, and others, building a library in /norms/ for easy norm-switching, and also use a fine-tuned model.

Monitoring Platform: Add continuous compliance tracking, with the agent periodically rechecking policies and alerting via Jira or email.

On-Premise Support: Fully support local LLMs (e.g., Ollama, vLLM) for clients avoiding cloud APIs, refining the config system.

UI Polish: Enhance the dashboard with visualizations (e.g., compliance score charts) and a setup wizard for onboarding.

Scalability: Test with larger PMEs and integrate with AWS or Azure infra for real-world validation.

Our vision is a go-to compliance companion for PMEs—affordable, smart, and proactive. This hackathon was just the start!
