Compliance evidence only works if it reflects the current state of the system.
At Aikido, we’ve always treated compliance as a byproduct of good security, not a separate exercise teams need to prepare for. That’s why Aikido integrates with multiple compliance platforms. The goal is simple: let teams use the security data generated in Aikido wherever they run their compliance programs, without changing how they work or maintaining parallel processes.
Comp AI is a natural extension of that approach.
Security data in Aikido is generated on a regular cadence. Repositories are scanned, vulnerabilities are tracked by severity, and remediation happens as part of normal engineering work. This integration makes that same data usable inside a compliance platform built to evaluate checks repeatedly, not just at audit time.
Why Comp AI
Comp AI is where teams define and run compliance programs across frameworks such as SOC 2, ISO 27001, HIPAA, and GDPR. Controls, tasks, and checks are structured with the expectation that they can be evaluated repeatedly, rather than reviewed once and archived.
What makes Comp AI a strong fit is how it treats evidence. Evidence isn’t something teams upload and manage manually. It’s the result of checks that run against connected systems and record what they find. In other words, evidence is checked, not assembled.
From Aikido’s side, that model aligns closely with how the product works. Aikido already maintains an up-to-date view of vulnerability and scanning activity across code, cloud infrastructure, and dependencies. It knows which repositories are being scanned, which issues are open, their severity, and whether remediation has taken place. Feeding that data directly into Comp AI means compliance checks are grounded in the same signals security teams already trust, without introducing new workflows.
What Comp AI receives from Aikido
Once the integration is enabled, Comp AI pulls vulnerability and scanning data directly from Aikido and evaluates compliance tasks against it.
This includes:
- Secure code evidence
- Open security issues, grouped by severity
- Repository scanning activity
- Identification of stale scans, such as repositories not scanned in over seven days
For monitoring and alerting, Comp AI also evaluates:
- Configurable issue count thresholds
- Severity breakdown summaries
These signals are used to satisfy compliance tasks related to vulnerability management and secure code practices, based on the latest available data rather than point-in-time artifacts.
How it works
After connecting Aikido to Comp AI, teams can configure how strict compliance checks should be.
They can define the minimum severity that causes a check to fail, set limits on how many open issues are acceptable, choose which repositories should be included, and decide whether snoozed issues count toward compliance. This allows checks to reflect internal risk policies instead of relying on fixed defaults.
When a check runs, Comp AI evaluates it against the most recent data from Aikido. If vulnerabilities above the configured threshold are present, the check reflects that state. When those vulnerabilities are remediated and the next scan completes, the result updates accordingly.
There’s no separate step to refresh evidence and no need to re-upload anything when conditions change.
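To make the evaluation model concrete, here is an added illustration of how a policy-driven check of this kind can be computed over scan data. It is example code written for this post, not Aikido's or Comp AI's implementation: the record shapes, field names, severity labels and policy defaults are assumptions, the sample repositories and issues are constructed, and the seven-day staleness rule is taken from the stale-scan signal listed earlier. The check is recomputed from the supplied data on every call, which is the property the integration relies on.

```python
"""Policy-driven evaluation of vulnerability data, in the spirit of the
checks described above. Illustrative only: the data shapes, field names
and policy knobs are assumptions, not Aikido's or Comp AI's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Severity ordering used to compare an issue against the policy threshold (assumed labels).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Repo:
    name: str
    last_scanned: datetime  # timezone-aware timestamp of the last completed scan


@dataclass(frozen=True)
class Issue:
    repo: str
    severity: str
    snoozed: bool = False


@dataclass(frozen=True)
class Policy:
    """The knobs the post describes, with assumed defaults."""
    fail_at_severity: str = "high"             # issues at or above this severity count
    max_open_issues: int = 0                   # how many counted issues are tolerated
    include_repos: Optional[frozenset] = None  # None means every repository is in scope
    count_snoozed: bool = False                # whether snoozed issues still count
    stale_after: timedelta = timedelta(days=7)  # "not scanned in over seven days"


@dataclass
class CheckResult:
    passed: bool
    counted_issues: int
    severity_breakdown: Dict[str, int]
    stale_repos: List[str]
    reasons: List[str]


def evaluate(repos: List[Repo], issues: List[Issue], policy: Policy, now: datetime) -> CheckResult:
    """Recompute the check from the data passed in; nothing is cached between runs."""
    in_scope = {
        r.name: r for r in repos
        if policy.include_repos is None or r.name in policy.include_repos
    }
    threshold = SEVERITY_RANK[policy.fail_at_severity]
    breakdown = {sev: 0 for sev in SEVERITY_RANK}
    counted = 0
    for issue in issues:
        if issue.repo not in in_scope:
            continue
        if issue.snoozed and not policy.count_snoozed:
            continue
        breakdown[issue.severity] += 1
        if SEVERITY_RANK[issue.severity] >= threshold:
            counted += 1

    # A repository without a recent scan has no trustworthy evidence, so it fails
    # the check even if it currently shows zero open issues.
    stale = sorted(name for name, r in in_scope.items() if now - r.last_scanned > policy.stale_after)

    reasons = []
    if counted > policy.max_open_issues:
        reasons.append(
            f"{counted} open issue(s) at or above {policy.fail_at_severity} "
            f"(limit {policy.max_open_issues})"
        )
    if stale:
        reasons.append(f"stale scans: {', '.join(stale)}")
    return CheckResult(not reasons, counted, breakdown, stale, reasons)


# Constructed sample data (not real scan output).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_REPOS = [
    Repo("api", NOW - timedelta(days=1)),
    Repo("web", NOW - timedelta(days=2)),
    Repo("legacy", NOW - timedelta(days=10)),  # not scanned in over seven days
]
SAMPLE_ISSUES = [
    Issue("api", "critical"),
    Issue("api", "high", snoozed=True),
    Issue("web", "medium"),
    Issue("legacy", "high"),
]


def run_sample(policy: Policy = Policy()) -> CheckResult:
    return evaluate(SAMPLE_REPOS, SAMPLE_ISSUES, policy, NOW)


if __name__ == "__main__":
    for label, policy in [
        ("default", Policy()),
        ("count snoozed", Policy(count_snoozed=True)),
        ("api+web, critical only, 1 allowed", Policy("critical", 1, frozenset({"api", "web"}))),
    ]:
        result = run_sample(policy)
        print(f"{label}: {'PASS' if result.passed else 'FAIL'} {result.reasons}")
```

Two design points carry over to any real implementation. Snoozed issues are excluded from the count but still visible in the data, so a policy that chooses to ignore them is an explicit decision rather than a silent gap. And staleness is a failure condition in its own right: a repository that has not been scanned cannot produce a passing result just because it reports no findings.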
What this means for teams
For engineering teams, daily work doesn’t change. Vulnerabilities are still handled in Aikido.
For compliance teams, the benefit is consistency. Evidence in Comp AI reflects the current state of scanning and remediation activity rather than a snapshot taken at a specific moment.
For auditors, this provides clearer context. They can see how vulnerabilities are identified, tracked, and resolved over time, instead of reviewing isolated artifacts.
We don’t think compliance should pull teams away from how security already works. With the Comp AI integration, compliance stays close to the source: real vulnerability data, refreshed on a predictable cadence, and evaluated where teams already manage their programs.
A note from Henrick
Henrick Johansson, Comp AI’s compliance investor-in-residence, summed it up well:
“Auditors do not enjoy surprises, and neither should founders. Aikido finds the vulnerabilities, Comp AI records the remediation. The audit becomes a review, not an investigation.”
We tend to agree. The Aikido × Comp AI integration is included in all paid Aikido plans and is available today.
Get started → https://trycomp.ai/docs/integrations/aikido