Does Truto handle rate limits for the Comp AI API automatically?

No. Truto does not retry, throttle, or apply backoff on rate limit errors. When Comp AI returns an HTTP 429, Truto passes that error directly to Claude. Truto normalizes the upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset), leaving the caller responsible for retry logic.

Can I restrict Claude to read-only access for Comp AI?

Yes. When generating the MCP server URL via Truto, you can configure method filtering to explicitly allow only 'read' operations (like GET and LIST), preventing the LLM from executing state-changing POST or DELETE requests.

Do I need to manage OAuth tokens for Comp AI?

No. Truto handles the underlying authentication lifecycle for the Comp AI integration. The generated MCP server securely scopes requests to a specific integrated account, so you only need to provide Claude with the generated server URL.

Connect Comp AI to Claude: Automate Risk Assessments and Vendor Reviews

If your team uses ChatGPT, check out our guide on connecting Comp AI to ChatGPT or explore our broader architectural overview on connecting Comp AI to AI Agents.

Security and compliance operations are fundamentally text-heavy, data-intensive, and scattered across multiple systems. GRC (Governance, Risk, and Compliance) teams spend hundreds of hours manually translating cloud posture alerts into audit findings, reviewing third-party vendor documentation, and chasing engineers to complete access review tasks.

Connecting Comp AI to a Large Language Model (LLM) like Claude allows you to automate these workflows. By exposing Comp AI's compliance, risk, and asset tracking capabilities as tools, Claude can act as an autonomous compliance analyst - reviewing security questionnaires, kicking off vendor assessments, and mapping cloud vulnerabilities to specific SOC 2 or ISO 27001 controls.

To achieve this safely and reliably, you need a Model Context Protocol (MCP) server. You can choose to build, host, and maintain a custom translation layer, or you can use a managed infrastructure platform like Truto to dynamically generate a secure MCP server. This guide details exactly how to deploy a Comp AI MCP server using Truto, connect it natively to Claude Desktop, and orchestrate complex security workflows using natural language.

The Engineering Reality of the Comp AI API

A custom MCP server is a self-hosted backend that intercepts JSON-RPC requests from an LLM and maps them to standard REST operations against a vendor's API. While the MCP specification standardizes the conversation between the model and your server, you still own the entirety of the integration lifecycle against the target API.

Comp AI is an intricate enterprise compliance platform. Integrating with it requires navigating specific architectural patterns that LLMs routinely struggle to execute without an intelligent abstraction layer.

Opaque Binary Streams and Multipart Uploads Comp AI frequently exchanges raw binary data rather than structured JSON. Downloading agent packages (list_all_comp_ai_device_agent_windows), exporting evidence (list_all_comp_ai_evidence_exports), or generating HIPAA certificates (create_a_comp_ai_training_generate_hipaa_certificate) results in binary blobs (ZIPs, PDFs, DMGs) streamed directly in the response. Conversely, uploading policy documentation or trust portal artifacts requires either multipart form handling or a complex multi-step presigned S3 flow (requesting a URL, PUTting the raw bytes, and confirming the S3 key). A raw MCP implementation requires significant boilerplate to intercept, store, and translate these file-handling mechanics so the LLM does not crash attempting to parse binary streams.

Asynchronous Polling Workflows Automating security questionnaires or AI-based policy regeneration in Comp AI is rarely synchronous. Endpoints like create_a_comp_ai_auto_answer trigger background jobs and return a run handle immediately. An LLM cannot simply await the payload. Your server must implement specific logic to catch the handle and instruct the model to poll the corresponding GET endpoint until the answeredQuestions counter matches totalQuestions. If you expose the raw API directly, Claude will hallucinate completion states and proceed before the data is ready.

Strict Rate Limiting Behavior When you unleash an AI agent on a compliance audit, it tends to make rapid, concurrent calls to fetch context across hundreds of tasks and risks. If you hit a limit, Comp AI returns an HTTP 429. It is critical to note: Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream Comp AI API returns an HTTP 429, Truto passes that error directly to the caller. However, Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF specification. Your AI framework or the LLM prompt must be configured to read these headers and execute its own backoff strategy.

How to Generate a Comp AI MCP Server with Truto

Truto eliminates the need to build a custom server layer by acting as a specialized MCP server platform for AI agents. Instead, Truto dynamically derives tool definitions directly from the integration's documented API schema. By authenticating a tenant's Comp AI environment once, you can spin up an isolated, token-secured MCP server in seconds.

There are two ways to provision this server: via the Truto Dashboard or programmatically via the Truto API.

Method 1: Via the Truto UI

Navigate to the Integrated Accounts page in your Truto environment.
Select your active Comp AI connection.
Click the MCP Servers tab.
Click Create MCP Server.
Select your operational constraints (e.g., restricting access to only read methods or specific tool tags).
Copy the generated MCP Server URL (e.g., https://api.truto.one/mcp/a1b2c3d4...).

Method 2: Via the Truto API

For platform engineers embedding AI into their own software, creating MCP servers programmatically allows you to spin up tenant-specific AI access on demand.

Make an authenticated POST request to the Truto API, passing your specific configuration preferences:

curl -X POST "https://api.truto.one/integrated-account/{integrated_account_id}/mcp" \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Comp AI Risk Auditor",
    "config": {
      "methods": ["read", "write"]
    }
  }'

The API returns a fully configured MCP endpoint:

{
  "id": "mcp_8a9b0c1d",
  "name": "Comp AI Risk Auditor",
  "config": { "methods": ["read", "write"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}

This URL is entirely self-contained. It encodes the tenant mapping, the authentication state, and the method permissions required to route JSON-RPC traffic to Comp AI securely.

How to Connect the MCP Server to Claude

Once you possess the generated URL, the next step is connecting it to your AI client. We will outline the process for both UI-driven setup and local configuration files.

Option A: Via the Claude UI

If your organization uses Claude via the web or enterprise interface, adding the connector takes seconds:

Open Settings and navigate to the Integrations or Connectors tab.
Select Add MCP Server (or Add Custom Connector).
Paste the Truto MCP URL into the connection field.
Save the configuration. Claude will immediately handshake with the endpoint, pull the tools/list, and load the Comp AI schema into the model's context window.

Option B: Via Manual Config File (Claude Desktop)

For developers using Claude Desktop locally, you must update your claude_desktop_config.json file. Truto uses the Server-Sent Events (SSE) transport protocol for remote MCP servers, so you will use the official @modelcontextprotocol/server-sse proxy.

Locate your configuration file (typically found at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS) and append the following block:

{
  "mcpServers": {
    "comp_ai_auditor": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Restart Claude Desktop. The model now has direct access to the Comp AI environment via Truto's proxy layer.

Hero Tools for Comp AI Automation

Truto normalizes Comp AI's endpoints into highly descriptive, snake_case tool names complete with injected JSON schemas for strict parameter validation. Here are the highest-leverage tools available for orchestrating GRC workflows.

list_all_comp_ai_risks

Fetches organization risks, including ownership details, severity scores, and mitigation statuses. Crucial for mapping out the current risk register before generating compliance reports.

"Fetch all organization risks currently tracked in Comp AI. Filter for any risks where the mitigation status is open and the severity is marked high, and summarize the treatment strategy for each."

create_a_comp_ai_vendor_trigger_assessment

Triggers an automated vendor risk assessment. Use this when onboarding new third-party software or during annual vendor compliance reviews to force an update of third-party risk evidence.

"Trigger a fresh risk assessment for the vendor record assigned to 'Datadog' to ensure their SOC 2 compliance evidence is current."

create_a_comp_ai_questionnaire_upload_and_parse

Uploads a raw security questionnaire payload and starts the asynchronous parsing job. The tool returns a run ID, which the model uses to track extraction progress before generating answers.

"Take this customer security questionnaire payload and upload it to Comp AI for parsing. Once you get the run ID, let me know so we can track the extraction."

create_a_comp_ai_finding

Creates a formal audit finding to track issue ownership, remediation activity, and severity. Use this when your agent detects non-compliance in a secondary system and needs to log it in the source of truth.

"Create a new high-severity audit finding in Comp AI for 'Unencrypted S3 Bucket in Production'. Assign it to the DevOps department and link it to the infrastructure security policy ID."

create_a_comp_ai_security_penetration_test

Executes an AI-powered penetration test run for an approved target. This pushes proactive vulnerability scanning directly into the compliance lifecycle.

"Kick off a new security penetration test run against the staging environment URL. Ensure the resulting findings are logged back to the security task board."

list_all_comp_ai_cloud_security_findings

Retrieves cloud security findings discovered by external scans (AWS, Azure, GCP). Ideal for pulling raw vulnerability data and comparing it against active compliance tasks to prioritize engineering work.

"List all recent cloud security findings from our AWS connection. Identify any critical findings related to IAM permissions and tell me which ones lack an assigned owner."

create_a_comp_ai_task

Generates a general compliance task for evidence collection, remediation, or recurring control work. The backbone of driving human-in-the-loop compliance actions.

"Create a new compliance task titled 'Q3 User Access Review'. Describe the requirement to verify all admin permissions in GitHub, set the priority to high, and assign it to the security engineering lead."

To view the complete inventory of available Comp AI tools—including full schemas for policy management, HR onboarding checklists, and custom framework mapping—visit the Comp AI integration page.

Workflows in Action

Exposing individual endpoints is useful, but the real power of an MCP server lies in autonomous tool chaining. Here are three concrete ways AI agents use Truto to orchestrate Comp AI workflows.

1. The Autonomous Vendor Risk Review

When procurement requests a new software vendor, security analysts must evaluate the vendor's posture, assign an internal risk score, and document the assessment. Claude handles this end-to-end.

"We need to evaluate 'Acme Analytics' as a new vendor. Check if they exist in the vendor directory. If they don't, create a new vendor record, trigger a risk assessment, and create a compliance task for the security team to review the results."

list_all_comp_ai_vendors: Claude searches the system for "Acme Analytics".
create_a_comp_ai_vendor: Finding no match, Claude creates the vendor record with preliminary details.
create_a_comp_ai_vendor_trigger_assessment: Claude triggers the automated assessment process against the new vendor ID.
create_a_comp_ai_task: Claude logs a task in the compliance dashboard to track the human review phase.

sequenceDiagram
    participant User as User
    participant Claude as Claude Desktop
    participant Truto as Truto MCP Server
    participant CompAI as Comp AI API

    User->>Claude: "Evaluate Acme Analytics vendor..."
    Claude->>Truto: Call list_all_comp_ai_vendors
    Truto->>CompAI: GET /vendors
    CompAI-->>Truto: Return empty (not found)
    Truto-->>Claude: Return empty result
    
    Claude->>Truto: Call create_a_comp_ai_vendor
    Truto->>CompAI: POST /vendors (Acme Analytics)
    CompAI-->>Truto: Returns New Vendor ID
    Truto-->>Claude: Vendor ID created
    
    Claude->>Truto: Call create_a_comp_ai_vendor_trigger_assessment
    Truto->>CompAI: POST /vendors/{id}/trigger-assessment
    CompAI-->>Truto: 201 Created
    Truto-->>Claude: Assessment initiated
    
    Claude->>Truto: Call create_a_comp_ai_task
    Truto->>CompAI: POST /tasks (Review Acme Analytics)
    CompAI-->>Truto: Returns Task ID
    Truto-->>Claude: Task created successfully
    Claude-->>User: "Vendor created, assessment running, task logged."

2. Automated Cloud Posture Remediation

Connecting cloud security scans to actual audit findings usually requires manual mapping. Claude can poll for infrastructure vulnerabilities and formally register them against the organization's risk framework.

"Review our AWS cloud security findings. For any critical unencrypted database alerts, create a formal audit finding, leave a comment detailing the instance, and assign a remediation task to the infrastructure team."

list_all_comp_ai_cloud_security_findings: Claude retrieves the latest scan data and filters for critical database encryption failures.
create_a_comp_ai_finding: For each failure, Claude logs an official audit finding, mapping it to the relevant security control.
create_a_comp_ai_comment: Claude attaches context (the specific AWS instance IDs) to the newly created finding.
create_a_comp_ai_task: Claude generates a prioritized engineering task to remediate the unencrypted databases.

3. Security Questionnaire Triage

Sales teams lose days answering repetitive security questionnaires. An AI agent can ingest the raw questionnaire, parse it, and orchestrate the automated response engine.

"I have a new security questionnaire payload from a prospect. Upload and parse it. Once parsing starts, grab the run ID and let me know the status so we can begin the auto-answer sequence."

create_a_comp_ai_questionnaire_upload_and_parse: Claude uploads the payload, initiating the extraction job and retrieving the runId.
Claude logic: Acknowledges the run ID and informs the user that extraction is underway, prepping to execute create_a_comp_ai_auto_answer once the parsing phase concludes.

Security and Access Control

Exposing an enterprise risk management platform to an LLM requires strict boundary controls. Truto enforces security at the MCP token level, ensuring agents only execute authorized actions.

Method Filtering: Restrict an MCP server exclusively to read operations. By setting methods: ["read"] during server creation, Truto physically removes POST, PATCH, and DELETE tools from the generated schema. The LLM cannot alter data, eliminating accidental destruction of audit evidence.
Tool Tagging: Scope the server to specific operational domains. Use tags: ["vendors", "risks"] to limit the AI's visibility, preventing it from accessing HR directories or billing controls.
Secondary Authentication: Enable require_api_token_auth: true to force the client connecting to the MCP server to provide a valid Truto API token in the Authorization header. This prevents unauthorized execution even if the MCP URL is leaked.
Time-to-Live (TTL): Set an expires_at timestamp for temporary access. Truto automatically destroys the token and revokes access at the designated time, perfect for transient audit scripts or contractor workflows.

Wrap Up

Integrating Comp AI with Claude transforms static risk registers and compliance checklists into active, conversational intelligence. By utilizing Truto as the managed MCP layer, engineering teams bypass the massive technical debt of building custom API translation layers, handling complex pagination logic, and maintaining rigid data schemas.

Instead of spending weeks fighting S3 uploads and parsing binary evidence streams, you generate a secure URL and instantly grant your AI agents the context they need to execute enterprise-grade compliance operations.