KōanYōjin's governed AI

AI that works. People who decide.

Kōan brings agentic work to compliance. Specialist agents read the governed graph and live evidence, draft cited mappings and assessments, and stop for human review.

A kōan is a Zen question that sharpens judgement. Yōjin's Kōan is grounded in a graph of controls, obligations and threats with more than two million nodes.

The graph

Mappings you can trace to the law.

The graph maps a canonical control spine to the obligations of NIS2 and its national transpositions, DORA, GDPR, CER, the CRA and the AI Act, and to MITRE ATT&CK techniques. It is built the slow way: sources are ingested, candidate mappings are generated, people review them, and only reviewed mappings are published. A connection Kōan cites is a connection someone stood behind.

Reviewed before published

Candidate mappings never reach the live graph unreviewed. Publication is a deliberate act with a version history.

Traceable to source

Every mapping carries its provenance — which text, which version, which reviewer. Citations aren't decorative.

Threat-aware

Controls link to the MITRE ATT&CK techniques they mitigate — kept current with upstream releases — with CVE, KEV and EPSS exploitability context on the same spine. "Why do we have this control?" always has a concrete answer.

The agents

Specialists, not a chatbot.

Kōan's agents are narrow by design — each one does a specific job for a specific module, grounded in the graph and in your tenant's own objects. These are some of them, by their real names:

  • policy.gap_assessmentReads a policy against your obligations and drafts the gap analysis
  • control.threat_mappingProposes which attack techniques a control actually mitigates
  • risk.hydrationDrafts risk scenarios grounded in incident intelligence
  • audit.evidence_sufficiencyAssesses whether collected evidence satisfies an audit item
  • coo.extract_and_reconcileExtracts organisational facts from uploaded documents
  • policy.obligation_mappingMaps policy clauses to framework articles
The contract

Human review isn't a setting. It's the architecture.

Compliance buyers are right to be nervous about autonomous AI. Kōan's guarantees aren't policy promises — they're how the runtime is built:

  1. Agents cannot write to your record. They produce proposals; a deterministic layer applies changes only after review. There is no code path from an agent straight to your compliance data.
  2. No agent can declare itself done. By contract, a run that needs review cannot reach "succeeded" until a person completes that review.
  3. Everything AI-derived is marked. AI provenance is a visible badge on every derived object — purple, labelled, never mistaken for a human decision.
  4. Every run is on the record. What was asked, what was read, what was proposed, who decided: recorded per run, reviewable later.
  5. Inference stays in Europe. Kōan runs on European foundation models hosted on EU infrastructure — currently Mistral models served from Paris. Your prompts and your data do not cross the Atlantic.

Ask Kōan something hard.

Bring a real mapping question from your frameworks to the demo.