The biggest Compyl release yet is live. Here’s everything that’s new across risk, blueprints, evidence, policy, and audit — and why it changes how your team works.
Key takeaways
- FAIR risk quantification expresses risk in dollars with an interactive factor tree and a simulation of annual loss expectancy, alongside traditional scoring.
- AI Blueprint Builder turns a plain-English prompt into a working evidence-collection query — no SQL required — on top of 1,500+ prebuilt blueprints.
- Evidence Health continuously scores every piece of evidence for relevance, freshness, and completeness, surfacing audit gaps weeks in advance.
- A rebuilt policy suite adds real-time collaborative editing, external publishing to SharePoint, Google Drive, and Confluence, and legally binding, tamper-proof acknowledgements.
- An audit command center runs audits end to end and gives external auditors a dedicated portal.
GRC tools have spent years getting better at storing information. Compyl 26.2 is about something different: getting the platform to do the work with you. This release touches nearly every corner of the platform — risk, blueprints, evidence, policy, and audit — and ties them together with AI that surfaces what matters before it becomes a problem.

FAIR risk quantification: put a dollar value on risk
Most risk programs still score risk on a color-coded grid. It’s fast, but it doesn’t answer the question executives actually ask: what is this going to cost us? Compyl 26.2 brings FAIR (Factor Analysis of Information Risk) to the platform as an option alongside traditional scoring. Build your analysis with an interactive factor tree, enter your loss event frequency and loss magnitude, and Compyl runs the simulation to calculate your annual loss expectancy — risk expressed in dollars, not adjectives.
Traditional scoring stays the default, so nothing changes for teams that aren’t ready for FAIR. A new risk hierarchy also lets you link parent and child risks to see how a single event cascades across your register.
Why it matters: Quantified risk turns a compliance artifact into a board-level conversation. When you can say “this exposure is $1.2M annually,” budget and prioritization decisions become clearer.
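An added example, not Compyl's code or model: a minimal Monte Carlo run of the FAIR calculation described above, going from loss event frequency and loss magnitude to annual loss expectancy. The triangular frequency estimate, Poisson event count, lognormal magnitude fitted to a 90% interval, and every input figure are assumptions chosen for illustration.

```python
import math
import random

Z90 = 1.645  # standard normal quantile bounding a two-sided 90% interval

def lognormal_params(low, high):
    """Fit lognormal mu/sigma so that [low, high] is the 90% interval."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(lef, magnitude, trials=20_000, seed=1):
    """lef: (min, most likely, max) loss events per year (assumed estimate).
    magnitude: (low, high) 90% interval of loss per event, in dollars."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(*magnitude)
    lo, mode, hi = lef
    years = []
    for _ in range(trials):
        rate = rng.triangular(lo, hi, mode)   # uncertainty about the frequency
        events = poisson(rng, rate)           # events that occur in this year
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    years.sort()
    return {
        "ale": sum(years) / trials,           # annual loss expectancy (mean)
        "median": years[trials // 2],
        "p95": years[int(trials * 0.95)],     # a bad year, 1-in-20
        "p_no_loss": years.count(0) / trials, # share of years with no event
    }

if __name__ == "__main__":
    # Constructed inputs: 0.1 to 2 events per year, $50k to $2M per event.
    for name, value in simulate((0.1, 0.5, 2.0), (50_000, 2_000_000)).items():
        print(f"{name:>10}: {value:,.2f}")
```

The mean alone hides the shape of the distribution: with these inputs a large share of simulated years carry no loss at all while the 95th percentile sits well above the ALE, which is why a quantified register usually reports both.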

AI Blueprint Builder: build evidence queries in plain English
Compyl’s blueprints automate evidence collection by querying your connected systems. But building one used to mean understanding data models, table joins, and query logic — a real barrier for anyone who isn’t fluent in SQL. Compyl 26.2 introduces the AI Blueprint Builder: describe what you want to monitor in plain language — “list all users in AWS without MFA” — and Compyl generates the blueprint for you. Preview the results, refine the prompt, set your pass/fail condition, and create.
It works alongside the 1,500+ prebuilt blueprints already in the platform, so you can start from a template or build from scratch with AI.
Why it matters: It puts evidence automation in the hands of the people who own the controls — not just SQL experts. More of your program gets automated, faster.

Evidence Health: know you’re audit-ready, automatically
Evidence is where audits are won or lost, and checking it has always been manual. Is this file still relevant? Is it current? Does it actually prove the control? Teams review hundreds of artifacts by hand and usually find the gaps at the worst possible time — during the audit. Compyl 26.2 adds Evidence Health: Compyl now continuously reviews every piece of evidence and scores it on three dimensions:
- Relevance — does it support the control?
- Freshness — is it current?
- Completeness — does it tell the whole story?
It runs automatically the moment evidence changes, with an AI summary of exactly what’s missing, so gaps surface weeks ahead of an audit — with time to fix them.
Why it matters: This is continuous control monitoring (CCM) done right. It’s the difference between hoping you’re audit-ready and knowing you are — and it’s where modern GRC platforms pull ahead of legacy tools.

A reimagined policy management suite
Policy is the backbone of a strong security posture, but the tooling has always gotten in the way — version control in shared drives, approvals buried in email, attestations tracked in spreadsheets. Compyl 26.2 rebuilds the entire policy experience:
- A brand-new editor with light/dark mode and real-time collaborative editing
- Policy types and structured approval workflows
- Token-driven personalization that’s far easier to use
- External publishing to SharePoint, Google Drive, and Confluence in one click
- Version history that shows exactly what changed
- Legally binding acknowledgments — built in-house, with a complete signature audit trail capturing version, signer, timestamp, IP, and a tamper-proof document hash
Why it matters: Policy moves from a static document problem to a living, defensible process. When acknowledgments are tamper-proof and tied to the exact version signed, “strong governance” stops being a claim and becomes something you can prove.

A true audit command center
Audits in most GRC tools are little more than a list. Compyl 26.2 makes audit a first-class workflow. Plan and run audits end-to-end with a guided setup, assign internal auditees and external auditors, and track everything by status and date. Requests work like a conversation — exchange documents and evidence right inside the platform. And external auditors get a dedicated portal: they log in, see only the audits they’re attached to, review evidence, ask questions, and mark controls met or close out requests — without touching the rest of your environment.
Why it matters: The back-and-forth of an audit finally lives in one place, with a clean experience for the auditor. Less email, fewer spreadsheets, and a defensible trail of everything that happened.

When is Compyl 26.2 available?
Compyl 26.2 is already live in every customer environment. There’s nothing to install and nothing to configure — log in, and it’s there, with your data and workflows intact.
If you would like to learn more about this latest release, book a demo with our team today!
Frequently asked questions about Compyl 26.2
What is new in Compyl 26.2?
Compyl 26.2 adds FAIR risk quantification, an AI Blueprint Builder, automated Evidence Health scoring, a rebuilt policy management suite with external publishing and legally binding acknowledgments, a dedicated audit command center with an external auditor portal, and platform-wide performance improvements.
What is FAIR risk quantification in Compyl?
FAIR (Factor Analysis of Information Risk) is a method for quantifying risk in financial terms. In Compyl 26.2 you build an analysis on an interactive factor tree, enter loss event frequency and loss magnitude, and the platform simulates your annual loss expectancy — expressing risk in dollars alongside traditional likelihood-and-impact scoring.
Do I need to know SQL to build a blueprint in Compyl?
No. The AI Blueprint Builder in Compyl 26.2 lets you describe what you want to monitor in plain English and generates the underlying query for you. You preview the results and set a pass/fail condition before creating it, and you can still start from 1,500+ prebuilt blueprints.
How does Compyl Evidence Health work?
Evidence Health continuously reviews every piece of evidence attached to a control and scores it for relevance, freshness, and completeness. It runs automatically whenever evidence changes and summarizes what’s missing, so control gaps surface well before an audit instead of during it.
Are Compyl policy acknowledgments legally binding?
Yes. Compyl 26.2’s policy acknowledgments are built in-house and capture a full signature audit trail — policy version, signer, timestamp, IP address, and a tamper-proof document hash — tying each acknowledgment to the exact version that was signed.
When is Compyl 26.2 available?
Compyl 26.2 is live in every customer environment now. There is nothing to install or configure; it rolls out automatically with your existing data and workflows intact.
Compyl is the unified GRC platform that brings risk, compliance, policy, audit, and third-party risk management into one place — with AI built in from day one.


