Connect Comp AI to ChatGPT: Manage Audit Readiness and Policy Content

If you need to connect Comp AI to ChatGPT to automate policy updates, manage vendor risk assessments, or gather audit evidence, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between ChatGPT's JSON-RPC tool calls and Comp AI's REST APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses Claude, check out our guide on connecting Comp AI to Claude, or explore our broader architectural overview on connecting Comp AI to AI Agents.

Giving a Large Language Model (LLM) read and write access to a Governance, Risk, and Compliance (GRC) platform is an engineering challenge. You must handle complex state machines, manage multi-part file uploads for policy evidence, and deal with strict framework synchronization rules. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Comp AI, connect it natively to ChatGPT, and execute compliance workflows using natural language.

The Engineering Reality of the Comp AI API

A custom MCP server is a self-hosted integration layer. While Anthropic's open standard provides a predictable way for models to discover tools, the reality of implementing it against a specialized GRC API is painful.

If you decide to build a custom MCP server for Comp AI, you own the entire API lifecycle. You are not just building standard CRUD wrappers; you are dealing with workflows specific to compliance orchestration. Here are the specific integration challenges that break standard assumptions when working with Comp AI:

The Presigned S3 Evidence Maze Uploading evidence (like a signed policy PDF or SOC 2 certificate) is not a single API call. If an LLM needs to attach a document to a policy, it cannot just push a base64 string to a generic endpoint. The agent must first call create_a_comp_ai_pdf_upload_url to get a presigned S3 URL and a specific s3Key. The file must be uploaded directly to that S3 bucket. Finally, the agent must call create_a_comp_ai_pdf_confirm passing the s3Key to finalize the attachment. If your MCP server doesn't orchestrate this multi-step dance, the LLM will hallucinate the upload process and fail.

Asynchronous Security Questionnaires Handling security questionnaires is deeply asynchronous. You cannot just pass a JSON array of questions and get answers back instantly. You have to trigger background auto-answer generation jobs (create_a_comp_ai_auto_answer), retrieve a run handle, and continually poll the endpoint until the answeredQuestions matches totalQuestions. Your MCP server needs to either handle this polling internally or explicitly expose the state machine so the LLM knows it must wait.

Framework Syncing and State Drift In Comp AI, updating a policy or control is often just the first step. Because controls map to multiple compliance frameworks (SOC 2, ISO 27001, HIPAA), modifying a requirement means the overarching framework is now out of sync. To resolve this, you must explicitly call create_a_comp_ai_framework_sync to propagate the changes. If your server doesn't enforce this logic, your compliance tracking dashboards will show outdated readiness scores.

The Managed MCP Approach

Instead of forcing your engineering team to build boilerplate authentication layers, pagination cursors, and backoff logic, Truto provides a managed MCP infrastructure.

Truto automatically generates MCP tools dynamically based on the integration's documented resources and schemas. The platform handles the credential lifecycle, maps complex nested objects into flat parameters the LLM can easily construct, and exposes the entire Comp AI API surface as a single, authenticated JSON-RPC endpoint.

Here is exactly how to set it up.

Creating the Comp AI MCP Server

Truto scopes every MCP server to a specific "integrated account" (a single tenant's connected Comp AI instance). You can generate the MCP server URL in two ways.

Method 1: Via the Truto UI

This is the fastest method for internal tooling or quick prototyping.

1. Navigate to the Integrated Accounts page in the Truto dashboard.
2. Select your connected Comp AI account.
3. Click the MCP Servers tab.
4. Click Create MCP Server.
5. Select your configuration (e.g., name the server, apply method filters like read or write, or restrict access by specific tool tags).
6. Copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4...).

Method 2: Via the Truto API

For production deployments, you should generate MCP servers programmatically when your users require AI features.

Send an authenticated POST request to /integrated-account/:id/mcp:

const response = await fetch('https://api.truto.one/integrated-account/<COMP_AI_ACCOUNT_ID>/mcp', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${TRUTO_API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: "ChatGPT Compliance Automation",
    config: {
      methods: ["read", "write"], // Expose both GET/LIST and POST/PATCH/DELETE methods
    },
    expires_at: null // Set an ISO string for temporary access
  })
});
 
const data = await response.json();
console.log(data.url); // The secure MCP endpoint to provide to ChatGPT

Connecting the MCP Server to ChatGPT

Once you have the Truto MCP URL, you need to configure your LLM client.

Method A: Via the ChatGPT UI

If you are using ChatGPT Plus, Team, or Enterprise, you can connect the server directly through the interface:

1. In ChatGPT, go to Settings > Connectors (or Settings > Apps > Advanced settings > Developer mode depending on your tier).
2. Click Add custom connector or Add new server.
3. Name the connector (e.g., "Comp AI Security Console").
4. Paste the Truto MCP URL you generated.
5. Click Add.

(Note: If you are using Claude Desktop or Claude Web, the process is nearly identical: Navigate to Settings > Integrations > Add MCP Server, paste the URL, and save.)

Method B: Via Manual Config File (SSE Transport)

If you are running a custom AI agent, Cursor, or a local headless instance, you configure the connection using the standard @modelcontextprotocol/server-sse wrapper.

Add this to your mcp.json or claude_desktop_config.json:

{
  "mcpServers": {
    "compai_truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/<YOUR_SECURE_TOKEN>"
      ]
    }
  }
}

Comp AI Hero Tools

Truto exposes the entire Comp AI API, but you should focus your LLM's system prompt on high-leverage workflows. Here are the core hero tools to utilize.

list_all_comp_ai_policies

Retrieves all active and draft compliance policies for the organization. Essential for providing the LLM with context on current security rules before answering questionnaires or drafting updates.

"Fetch all active compliance policies. Identify any policies that relate to password complexity or access control, and summarize their current review status."

create_a_comp_ai_policie_version

Creates a new draft version of a policy, cloned from the current published version. This is critical for the policy update lifecycle, allowing the AI to stage changes without overwriting active rules.

"Create a new draft version for the 'Data Classification Policy' (ID: pol_8x9a). Update the draft content to mandate AES-256 encryption for all data at rest."

create_a_comp_ai_task

Creates a compliance task in Comp AI for evidence collection, remediation, or review. Use this to automate the assignment of audit responsibilities to human operators.

"Create a high-priority task assigned to the IT department to 'Upload Q3 AWS access logs as evidence for SOC 2 Control CC6.1'."

list_all_comp_ai_findings

Retrieves audit findings, cloud security alerts, and vulnerability scanner results mapped into the GRC platform. Use this tool to instruct the LLM to triage issues.

"List all critical and high-severity audit findings. For each finding, generate a summary of the affected area and the current remediation status."

create_a_comp_ai_vendor

Creates a vendor record to track third-party risk. Perfect for automating vendor onboarding workflows when a new SaaS tool is requested by an employee.

"Create a new vendor profile for 'Acme Analytics'. Set the category to 'Data Processing' and the inherent risk impact to 'High'."

create_a_comp_ai_questionnaire_answer_single

Generates an AI-backed answer for a specific security questionnaire question by referencing the organization's approved evidence library. This turns ChatGPT into an automated Trust Center agent.

"Use the evidence library to answer this security questionnaire prompt: 'Describe your logical access control procedures and how multi-factor authentication is enforced across the organization.'"

To view the complete schema definitions, required parameters, and the dozens of other available endpoints (including Trust Portal configuration, penetration test tracking, and fleet management), visit the Comp AI integration page.

Workflows in Action

Here is how these tools orchestrate complex GRC and compliance logic when combined by an LLM.

Scenario 1: Automated Vendor Risk Onboarding

When a team requests a new third-party software tool, the AI agent can automatically profile the vendor and trigger a security review.

"A team requested we start using 'DataFlow Pro' for marketing analytics. Create a vendor record for them, trigger an initial risk assessment, and create a compliance task for the security team to review their SOC 2 report."

Execution Steps:

1. create_a_comp_ai_vendor: The agent creates the vendor record, defining the category and capturing the inherent risk metadata.
2. create_a_comp_ai_vendor_trigger_assessment: The agent uses the returned Vendor ID to initiate the assessment workflow inside Comp AI.
3. create_a_comp_ai_task: The agent creates an actionable task assigned to the security group, linking it to the vendor ID, requesting manual review of the vendor's compliance documentation.

Output: The LLM confirms the vendor has been registered in the Trust Center, the assessment state machine is running, and a ticket is sitting in the security team's queue.

Scenario 2: Policy Drift and Draft Iteration

Auditors frequently require minor updates to policy language. You can instruct the agent to analyze an existing policy, draft a new version, and submit it for human approval.

"Review our 'Incident Response Policy'. We need to update it to explicitly state that the CTO must be notified within 24 hours of a critical breach. Draft a new policy version with this change and submit it for approval."

sequenceDiagram
    participant ChatGPT as ChatGPT
    participant Truto as Truto MCP Router
    participant CompAI as Comp AI API

    ChatGPT->>Truto: list_all_comp_ai_policies (query: Incident Response)
    Truto->>CompAI: GET /policies?search=Incident Response
    CompAI-->>Truto: Return Policy ID & active content
    Truto-->>ChatGPT: JSON Response
    ChatGPT->>Truto: create_a_comp_ai_policie_version (policy_id)
    Truto->>CompAI: POST /policies/{id}/versions
    CompAI-->>Truto: Return new Draft Version ID
    Truto-->>ChatGPT: JSON Response
    ChatGPT->>Truto: update_a_comp_ai_policie_version_by_id (update content)
    Truto->>CompAI: PATCH /policies/{id}/versions/{version_id}
    CompAI-->>Truto: Return 200 OK
    Truto-->>ChatGPT: JSON Response
    ChatGPT->>Truto: create_a_comp_ai_version_submit_for_approval
    Truto->>CompAI: POST /policies/{id}/versions/{version_id}/submit
    CompAI-->>Truto: Return workflow status
    Truto-->>ChatGPT: Final confirmation

Execution Steps:

1. list_all_comp_ai_policies: The agent fetches the active policy text to establish context.
2. create_a_comp_ai_policie_version: The agent initiates a new draft branch of the policy.
3. update_a_comp_ai_policie_version_by_id: The agent injects the modified markdown text containing the new 24-hour SLA requirement.
4. create_a_comp_ai_version_submit_for_approval: The agent transitions the draft into the review queue so human stakeholders can sign off.

Output: The LLM reports back that the draft is complete and awaiting management approval in the Comp AI dashboard.

Security and Access Control

Exposing compliance and audit infrastructure to an LLM requires strict governance. Truto provides several mechanisms to secure your MCP servers:

• Method Filtering: When generating the server via the API or UI, you can restrict the configuration to methods: ["read"]. This ensures the agent can query policies and findings but cannot physically alter controls or submit approvals.
• Tag Filtering: You can restrict the MCP server to only expose tools associated with specific resource tags (e.g., allowing access to tasks and vendors but excluding api_keys and users).
• Extra Authentication (require_api_token_auth): By default, the long, hashed MCP URL acts as a bearer token. For enterprise security postures, setting this flag to true requires the client to explicitly pass a valid Truto API token in the Authorization header, providing defense-in-depth against leaked URLs.
• Time-to-Live (expires_at): You can generate ephemeral servers by setting an expiration timestamp. Once the time is reached, Cloudflare KV automatically drops the token and a Durable Object alarm purges the database record, immediately severing the AI's access.

Summary

Building an AI agent that can reliably navigate the complexities of a GRC platform like Comp AI requires more than generic REST scripts. By leveraging a managed MCP infrastructure, you abstract away the credential lifecycles, multipart S3 uploads, and async job polling.

Truto transforms Comp AI's intricate compliance data model into clean, functional tools that ChatGPT can consume immediately. This allows your engineering team to focus on writing better agent instructions and orchestration logic, rather than maintaining fragile API connectors.