Continuous Compliance at Scale with Agentic AI

Ken Westin, Senior Solutions Engineer at LimaCharlie

Compliance is the work that does not show up on the invoice. An MSSP takes on a client with a HIPAA or PCI DSS obligation, and someone spends hours auditing detection rules against a framework, documenting what is missing, building a remediation plan. Then the next audit cycle arrives and the whole thing runs again, tenant by tenant, framework by framework, year after year. Ken Westin, a senior solutions engineer at LimaCharlie, used this session to make a quiet but pointed argument: most of that labor exists because compliance has been treated as a periodic audit rather than a continuous state, and the same platform plumbing that already runs detection and response is the right place to fix that.

The framing matters because it reorders what the new LC Compliance skill actually is. It is easy to hear "AI for compliance" and picture a report generator. What Westin is really describing is a way to collapse the distance between a control on paper and a detection running in a live environment, then keep that distance closed between audits instead of letting it reopen.

Why the manual cycle leaks margin and misses gaps

The traditional audit fails service providers in two distinct ways, and Westin is careful to separate them. The first is operational. Mapping existing coverage to a framework is genuinely hard when you have just onboarded an organization and lack a clean inventory of its data sources and assets. A tenant might have a hundred detection rules deployed, but answering how many of those actually satisfy HIPAA or NIST 800-53 controls is the kind of question that eats analyst hours and produces a snapshot that is stale almost immediately. The audits a provider inherits are point-in-time by nature, not a live read of what is happening right now.

The second failure is the one attackers exploit. Westin's broader point, echoed in the session's framing, is that frameworks are loose enough that an organization can satisfy the letter of a requirement and still leave the window between audits wide open. A point-in-time audit certifies a moment. Continuous monitoring certifies a posture. Those are not the same product, and only one of them actually protects the client.

Why the platform shape makes this tractable

Westin spends real time on architecture because the argument depends on it. LimaCharlie was built API-first and cloud-first when Max and Christopher founded it in 2018, with the goal of being something like an AWS for security tooling. That decision, made years before agentic AI was a practical concern, turns out to be the thing that makes this work. Because everything is a unified platform rather than an EDR bolted to a separate SIEM bolted to other tools, an agent does not have to reconcile conflicting context from systems that were never meant to talk to each other. Westin is blunt that fragmented stacks confuse AI agents that lack context; a single platform can hand a model rich, coherent context fast enough that it can write detections, route queries, and deploy sensors on command.

Notably, the team moved off a pure MCP server approach. Westin says building the capabilities as plugins and skills delivered more capability while cutting token usage, which is the sort of cost detail an MDR pricing a service will register before anyone else. The compliance skill, built by Westin's colleague Steve Brant, installs the same way as the LC Essentials plugin in Cloud Code. Essentials gives the agent broad fluency in the platform; LC Compliance layers framework awareness on top, covering HIPAA, PCI DSS, CMMC, NIST 800-53, and CIS Controls v8 in this first version, with CMMC added at a specific customer's request.

Reading and writing the same control set

The skill works in two directions, and the symmetry is the interesting part. Pointed at an established tenant, it produces a gap report against a chosen framework, surfacing what is already covered and where the holes are. Pointed at a fresh environment, the baseline deploy goes the other way and writes the coverage itself, creating the rules and, importantly, configuring the telemetry those rules depend on. Westin's example is concrete: it will set up Windows event log collection and Sysmon ingestion so the detections actually have data to fire on, work he estimates saves three or four hours of manual setup per environment. A full HIPAA deployment runs roughly ten to fifteen minutes, because the agent first inspects the org to avoid overriding existing rules, and a provider can stage the whole thing in a throwaway test org before it touches production.

None of this is hidden. Westin repeatedly opens the underlying files on screen and makes the point that the agents are "just prompts" with context and tool access, and the rules are plain files in a public GitHub repository. An operator can read them, modify them, or extend the pattern to a framework the first version does not ship. That openness is not a footnote for the ICP; it is what lets a provider trust an automated control deployment enough to put it in front of a client.

The continuous piece is the case-reviewer agent, and it is where the argument lands. Once deployed, it watches for detections on assets tagged in scope for a framework, say a host handling ePHI under HIPAA, and when a relevant detection fires it opens a case, gathers context, and ties that case to the specific control it implicates. File integrity monitoring fits the same model, flagging changes to sensitive configuration files or registry keys. Westin's own demo gave an honest illustration of the mechanism by misfiring: he had tagged an internet-facing asset as a HIPAA system that morning and was being flooded with alerts, which proved the wiring worked even as it showed why false-positive tuning still matters. The value is that audit evidence now accumulates as incidents happen, each one already carrying its framework linkage, rather than being reconstructed in spreadsheets after the fact.
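As an added illustration of the two directions described above plus the case-reviewer linkage, here is a toy model in Python. It is not LimaCharlie's code; the framework-to-control mapping, rule names, capability labels and asset tags are all constructed for the example.

```python
"""Toy model of a compliance skill: gap report, baseline deploy, and case review.
Constructed example; control IDs, rule names and capability labels are made up."""
from collections import defaultdict

# Constructed mapping: framework -> control ID -> telemetry/detection capabilities it needs.
FRAMEWORK_CONTROLS = {
    "HIPAA": {
        "164.312(b)": {"windows_eventlog", "sysmon"},   # audit controls (constructed)
        "164.312(c)(1)": {"file_integrity"},            # integrity (constructed)
        "164.312(a)(1)": {"windows_eventlog"},          # access control (constructed)
    },
    "PCI-DSS": {
        "10.2": {"windows_eventlog", "sysmon"},         # audit logging (constructed)
        "11.5": {"file_integrity"},                     # change detection (constructed)
    },
}

# Constructed tenant inventory: deployed rule name -> capability the rule provides.
TENANT_RULES = {"win-logon-failure": "windows_eventlog", "sysmon-proc-create": "sysmon"}

def gap_report(framework, rules):
    """Read direction: which controls the deployed rules satisfy, and which are missing."""
    provided = set(rules.values())
    covered, missing = set(), set()
    for control, needs in FRAMEWORK_CONTROLS[framework].items():
        (covered if needs <= provided else missing).add(control)
    return sorted(covered), sorted(missing)

def baseline_deploy(framework, rules):
    """Write direction: add only the capabilities still missing, never overriding existing rules."""
    needed = set().union(*FRAMEWORK_CONTROLS[framework].values())
    added = {f"baseline-{cap}": cap for cap in sorted(needed - set(rules.values()))}
    return {**rules, **added}, added

def review_detection(detection, asset_tags, rules):
    """Case reviewer: open a case only for in-scope assets, tying it to every control the
    firing rule serves in every framework the asset is tagged for (one rule, several lenses)."""
    capability = rules.get(detection["rule"])
    linked = defaultdict(list)
    for framework in asset_tags.get(detection["host"], ()):
        for control, needs in FRAMEWORK_CONTROLS.get(framework, {}).items():
            if capability in needs:
                linked[framework].append(control)
    if not linked:
        return None  # untagged host, or rule unrelated to any tagged framework: no case
    return {"host": detection["host"], "rule": detection["rule"], "controls": dict(linked)}
```

Because the reviewer keys on the asset tag, a host tagged in scope will open a case for every relevant detection, which is the flood Westin saw in the demo and why tuning still matters.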

Westin is careful not to oversell it. This replaces neither the analyst nor the auditor. What it changes is the economics of saying yes. Plenty of MSSPs turn away clients who arrive with a HIPAA or PCI obligation because the work is not worth the friction. A tool that produces baseline coverage in minutes and a gap report on demand lowers that bar enough to get a foot in the door, and the gap report itself tends to surface the next sale: more data ingest, more sensors, more services. Because overlapping frameworks share underlying controls, one body of coverage can be reported through several lenses at once. For a provider, that is the real shift Westin is pointing at. Compliance stops being unbillable overhead and becomes infrastructure you own, continuously, across every tenant.

See what agentic SecOps looks like in your environment

LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.