AI that works. People who decide.
Kōan brings agentic work to compliance. Specialist agents read the governed graph and live evidence, draft cited mappings and assessments, and stop for human review.
A kōan is a Zen question that sharpens judgement. Yōjin's Kōan is grounded in a graph of controls, obligations and threats with more than two million nodes.
Mappings you can trace to the law.
The graph maps a canonical control spine to the obligations of NIS2 and its national transpositions, DORA, GDPR, CER, the CRA and the AI Act, and to MITRE ATT&CK techniques. It is built the slow way: sources are ingested, candidate mappings are generated, people review them, and only reviewed mappings are published. A connection Kōan cites is a connection someone stood behind.
Reviewed before published
Candidate mappings never reach the live graph unreviewed. Publication is a deliberate act with a version history.
Traceable to source
Every mapping carries its provenance — which text, which version, which reviewer. Citations aren't decorative.
Threat-aware
Controls link to the MITRE ATT&CK techniques they mitigate — kept current with upstream releases — with CVE, KEV and EPSS exploitability context on the same spine. "Why do we have this control?" always has a concrete answer.
Specialists, not a chatbot.
Kōan's agents are narrow by design — each one does a specific job for a specific module, grounded in the graph and in your tenant's own objects. These are some of them, by their real names:
policy.gap_assessmentReads a policy against your obligations and drafts the gap analysiscontrol.threat_mappingProposes which attack techniques a control actually mitigatesrisk.hydrationDrafts risk scenarios grounded in incident intelligenceaudit.evidence_sufficiencyAssesses whether collected evidence satisfies an audit itemcoo.extract_and_reconcileExtracts organisational facts from uploaded documentspolicy.obligation_mappingMaps policy clauses to framework articles
Human review isn't a setting. It's the architecture.
Compliance buyers are right to be nervous about autonomous AI. Kōan's guarantees aren't policy promises — they're how the runtime is built:
- Agents cannot write to your record. They produce proposals; a deterministic layer applies changes only after review. There is no code path from an agent straight to your compliance data.
- No agent can declare itself done. By contract, a run that needs review cannot reach "succeeded" until a person completes that review.
- Everything AI-derived is marked. AI provenance is a visible badge on every derived object — purple, labelled, never mistaken for a human decision.
- Every run is on the record. What was asked, what was read, what was proposed, who decided: recorded per run, reviewable later.
- Inference stays in Europe. Kōan runs on European foundation models hosted on EU infrastructure — currently Mistral models served from Paris. Your prompts and your data do not cross the Atlantic.
Ask Kōan something hard.
Bring a real mapping question from your frameworks to the demo.