Connect Drata to ChatGPT: Audit Company Compliance and User Data
A step-by-step guide to connecting Drata to ChatGPT using Truto's MCP server. Automate compliance audits, user tracking, and security reporting without custom code.
If your team uses Claude, check out our guide on connecting Drata to Claude or explore our engineering breakdown on connecting Drata to AI Agents for custom frameworks.
Auditing company compliance and verifying user security states should not require your engineering or security teams to manually dig through GRC dashboards. By exposing your Drata instance to ChatGPT via the Model Context Protocol (MCP), you can enable conversational audits, immediate user compliance checks, and automated evidence retrieval directly within your chat interface.
Using Truto's SuperAI MCP Server, any connected Drata account can be dynamically transformed into a fully authenticated JSON-RPC 2.0 toolset for ChatGPT.
Here is exactly how to architect this connection, the reality of the Drata API, and the practical workflows it enables.
The Engineering Reality of Drata's API
Building a Drata integration from scratch involves specific domain complexities. GRC and compliance platforms require extremely strict data validation and highly nested relationship models.
When working with the Drata API, engineers typically hit three distinct challenges:
- Deeply Nested Entity Models: User records in Drata are not flat objects containing a name and an email. Because of the requirements of SOC 2 and ISO 27001, a user object contains deeply nested arrays mapping to backgroundChecks, identities, documents, and specific roles. Parsing this in a raw API client requires significant boilerplate to avoid null reference errors when a user lacks a specific piece of evidence.
- Strict Compliance State Enums: Searching or filtering for users based on their compliance status requires exact string matches against strict enum values. Passing a slightly malformed status to a query parameter will result in validation errors rather than fuzzy matching.
- Rate Limiting Realities: Auditing tools are notorious for triggering rate limits when pulling full organization rosters. Truto normalizes Drata's upstream rate limit information into standardized IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). However, it is critical to understand that Truto does not retry, throttle, or apply backoff on rate limit errors. When the Drata API returns an HTTP 429, Truto passes that 429 error directly to your caller. Your agent or client is entirely responsible for reading the headers and implementing its own retry or backoff logic.
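Because Truto hands the 429 straight back, the backoff has to live in the caller. The following is an added example, not Truto's or Drata's code: a retry wrapper around a Truto-proxied call that reads the ratelimit-* headers and waits before retrying. It assumes the transport is any callable returning (status, headers, body), treats ratelimit-reset as a delay in seconds (the IETF draft's delta-seconds form, with a fallback when the header is absent or unparseable), and uses a constructed stand-in transport so it runs offline.

```python
"""Added example (not Truto's or Drata's own code): a retry wrapper for a
Truto-proxied Drata call that reads the IETF-style rate limit headers
(ratelimit-limit, ratelimit-remaining, ratelimit-reset) and backs off on
HTTP 429, since Truto passes the 429 straight through to the caller.

Assumptions: the transport is any callable returning (status, headers, body);
ratelimit-reset is treated as delta-seconds with a fallback when missing or
malformed; the sample transport and its data are constructed."""

import time
from typing import Callable, Dict, Tuple, Any

Response = Tuple[int, Dict[str, str], Any]


def reset_delay_seconds(headers: Dict[str, str], default: float = 1.0, cap: float = 60.0) -> float:
    """Derive how long to wait before retrying from the ratelimit-reset header.

    Header names are matched case-insensitively. A missing or malformed value
    falls back to `default`; the result is capped so a bad upstream value
    cannot stall the agent indefinitely.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("ratelimit-reset")
    try:
        delay = float(raw) if raw is not None else default
    except ValueError:
        delay = default
    return max(0.0, min(delay, cap))


def call_with_backoff(
    transport: Callable[[], Response],
    max_attempts: int = 5,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[Response, int]:
    """Invoke `transport` until it returns a non-429 status or attempts run out.

    Returns (last_response, attempts_used). Non-429 responses (including other
    errors) are returned immediately so the caller handles them explicitly;
    only rate limiting is retried, with the wait taken from the headers.
    """
    attempts = 0
    response: Response = (0, {}, None)
    while attempts < max_attempts:
        attempts += 1
        response = transport()
        status, headers, _ = response
        if status != 429:
            return response, attempts
        # Exponential factor on top of the server-provided reset window so
        # repeated 429s from a full roster pull spread out further each time.
        sleep(reset_delay_seconds(headers) * (2 ** (attempts - 1)))
    return response, attempts


def make_fake_drata_transport(throttled_calls: int) -> Callable[[], Response]:
    """Constructed stand-in for a Truto-proxied Drata request: returns 429 with
    rate limit headers for the first `throttled_calls` invocations, then 200
    with a small constructed user page (sample data, not real Drata output)."""
    state = {"calls": 0}

    def transport() -> Response:
        state["calls"] += 1
        if state["calls"] <= throttled_calls:
            return (429, {"ratelimit-limit": "100", "ratelimit-remaining": "0",
                          "ratelimit-reset": "2"}, {"error": "rate limited"})
        return (200, {"ratelimit-limit": "100", "ratelimit-remaining": "99",
                      "ratelimit-reset": "30"},
                {"result": [{"id": 88921, "email": "jsmith@company.com"}],
                 "next_cursor": None})

    return transport


if __name__ == "__main__":
    waits = []
    resp, used = call_with_backoff(make_fake_drata_transport(2), sleep=waits.append)
    print(resp[0], used, waits)  # 200 3 [2.0, 4.0]
```

The sleep function is injected so the same code can be exercised in a test without real delays; in an agent loop, swap the fake transport for the real HTTP call and keep the cap so a malformed header from upstream cannot park the agent for an hour.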
Truto abstracts the authentication and schema mapping, allowing you to interact with these endpoints as normalized MCP tools without managing the underlying OAuth or API token lifecycle.
Step 1: Creating the MCP Server for Drata
Truto dynamically generates MCP tools based on the active API resources (see our 2026 architecture guide to auto-generated MCP tools) and documentation available for the Drata integration. You can generate an MCP server via the Truto dashboard or programmatically via the API.
Approach A: Via the Truto UI
- Navigate to the Integrated Accounts page in your Truto dashboard.
- Select your connected Drata account.
- Click on the MCP Servers tab.
- Click Create MCP Server.
- Define your configuration (e.g., restrict to read methods only, or filter by specific tool tags like compliance).
- Copy the generated MCP server URL. This URL contains a cryptographically hashed routing token.
Approach B: Via the API
For platform teams embedding this functionality, you can generate the MCP server programmatically using the Truto API. Make a POST request to /integrated-account/:id/mcp.
POST https://api.truto.one/integrated-account/<DRATA_INTEGRATED_ACCOUNT_ID>/mcp
Authorization: Bearer <YOUR_TRUTO_API_TOKEN>
Content-Type: application/json
{
"name": "Drata Compliance Auditor",
"config": {
"methods": ["read"],
"require_api_token_auth": false
}
}

The response will return a ready-to-use URL:
{
"id": "mcp_8a9b0c1d",
"name": "Drata Compliance Auditor",
"config": { "methods": ["read"] },
"expires_at": null,
"url": "https://api.truto.one/mcp/xyz123abc456..."
}

Step 2: Connecting the MCP Server to ChatGPT
Once you have your Truto MCP URL, you need to register it with ChatGPT. You can do this through the native UI or via a manual configuration file approach if you are backing a custom GPT action.
The UI Connector Flow
- Open ChatGPT and navigate to Settings -> Apps -> Advanced settings.
- Toggle Developer mode to ON (this exposes MCP support).
- Under the MCP servers / Custom connectors section, click Add new server.
- Name: Give it a recognizable name, like "Drata (Truto)".
- Server URL: Paste the Truto MCP URL generated in Step 1.
- Click Save. ChatGPT will immediately connect, perform the JSON-RPC handshake, and load the available Drata tools.
The Manual Config File Approach
If you are using programmatic clients, enterprise proxies, or defining Custom GPT Actions where a raw JSON schema is required instead of the native UI connector, you can map the MCP proxy using a standard JSON configuration. This effectively tells the client where to route tool invocations.
{
"mcpServers": {
"drata_auditor": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-proxy",
"https://api.truto.one/mcp/xyz123abc456..."
]
}
}
}

Drata Tool Inventory
Truto provides a comprehensive mapping of Drata's API endpoints as distinct tools. Here is the tool inventory structure, broken down into primary hero tools and the complete operational list.
Hero Tools
These are the core tools your LLM will use most frequently to audit compliance and investigate users.
list_all_drata_company_info
Retrieves high-level company configuration and compliance overview data from Drata.
Contextual usage: Use this when you need to understand the global state of the organization, security report details, domain configurations, or broad entitlement statuses.
Example prompt:
"Pull the latest Drata company info and tell me our current training and compliance status, along with the date of our last security report."
list_all_drata_users
Lists all registered users in the Drata platform with their associated metadata.
Contextual usage: Essential for sweeping audits. It returns critical fields like drataTermsAgreedAt, roles, background check status, and identity provider links for every user. Because of pagination, ensure your prompt instructs the model to pass the next_cursor back to this tool if you need to scan the entire company.
Example prompt:
"List all users in Drata and filter the output to show me anyone who has not completed their background check yet."
get_single_drata_user_by_id
Fetches the complete, deeply nested record for a specific user.
Contextual usage: Use this when investigating a specific employee's compliance failure. It requires the user's id (which can be obtained via the list tool).
Example prompt:
"Get the full Drata profile for user ID 10452 and list exactly which documents they are missing."
For the complete tool inventory and full schema details, visit the Drata integration page.
Workflows in Action
Once the tools are connected, ChatGPT can orchestrate complex, multi-step queries without human intervention. Here are real-world examples of how this operates.
Scenario 1: Auditing an Employee's Compliance Block
An IT admin needs to figure out why an engineer is blocked from accessing production due to a compliance failure.
User Prompt:
"Find the Drata user record for jsmith@company.com and tell me exactly what compliance steps they are missing to be fully approved."
Execution Steps:
- ChatGPT calls list_all_drata_users with a query parameter filtering for the email jsmith@company.com.
- The tool returns the basic user object containing the Drata id (e.g., 88921).
- ChatGPT calls get_single_drata_user_by_id using id: 88921 to fetch the deeply nested data.
- The LLM parses the documents, identities, and backgroundChecks arrays and identifies that the "Secure Code Training" document is missing and the background check is stuck in "Pending".
- ChatGPT formulates a concise summary detailing exactly what the user needs to resolve.
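The same flow, written as code rather than left to the model, also shows the cursor handling the list_all_drata_users description asks for. This is an added example, not Truto's or Drata's code: it pages through the directory by passing next_cursor back, fetches the full record by id, and reports the gaps while tolerating missing nested arrays (the null-reference trap from the API section). The nested field layouts (documents with "name" and "status", backgroundChecks with "status", drataTermsAgreedAt as a timestamp or null), the required-document list, and both tool stand-ins are constructed assumptions; adapt them to the schema Truto exposes in the tool description.

```python
"""Added example (not Truto's or Drata's own code): the Scenario 1 walk-through
as code, run against in-memory stand-ins for the two MCP tools. It pages
through list_all_drata_users by passing next_cursor back until the target
email is found, then fetches the full record with get_single_drata_user_by_id
and reports the compliance gaps.

Assumptions: the nested record layout, the required-document list and the
sample data below are constructed; the page does not give the exact schema."""

from typing import Any, Callable, Dict, List, Optional

ToolCall = Callable[[Dict[str, Any]], Dict[str, Any]]

# Constructed sample data standing in for Drata responses (not real output).
_DIRECTORY_PAGES = {
    None: {"result": [{"id": 10452, "email": "avega@company.com"}], "next_cursor": "c2"},
    "c2": {"result": [{"id": 88921, "email": "jsmith@company.com"}], "next_cursor": None},
}
_USERS = {
    10452: {"id": 10452, "drataTermsAgreedAt": "2024-03-01T10:00:00Z",
            "documents": [{"name": "Secure Code Training", "status": "COMPLETE"},
                          {"name": "Acceptable Use Policy", "status": "COMPLETE"}],
            "backgroundChecks": [{"status": "COMPLETE"}],
            "identities": [{"provider": "okta"}]},
    88921: {"id": 88921, "drataTermsAgreedAt": None,
            "documents": [{"name": "Acceptable Use Policy", "status": "COMPLETE"}],
            "backgroundChecks": [{"status": "PENDING"}],
            "identities": []},
}


def fake_list_all_drata_users(params: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the list tool: returns one page keyed by the cursor passed in."""
    return _DIRECTORY_PAGES[params.get("cursor")]


def fake_get_single_drata_user_by_id(params: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the fetch tool: returns the full nested record for an id."""
    return _USERS[params["id"]]


def find_user_id(list_tool: ToolCall, email: str, max_pages: int = 100) -> Optional[int]:
    """Page through the directory, feeding next_cursor back until the email matches."""
    cursor = None
    for _ in range(max_pages):  # hard stop so a looping cursor cannot run forever
        page = list_tool({"cursor": cursor})
        for user in page.get("result", []):
            if user.get("email", "").lower() == email.lower():
                return user.get("id")
        cursor = page.get("next_cursor")
        if not cursor:
            return None
    return None


def compliance_gaps(record: Dict[str, Any], required_docs: List[str]) -> List[str]:
    """List what blocks full approval, tolerating absent or empty nested arrays."""
    gaps: List[str] = []
    docs = record.get("documents") or []
    completed = {d.get("name") for d in docs if d.get("status") == "COMPLETE"}
    for name in required_docs:
        if name not in completed:
            gaps.append(f"document missing or incomplete: {name}")
    checks = record.get("backgroundChecks") or []
    if not checks:
        gaps.append("background check: none on file")
    for check in checks:
        status = check.get("status")
        if status != "COMPLETE":
            gaps.append(f"background check: {status or 'unknown'}")
    if not record.get("drataTermsAgreedAt"):
        gaps.append("Drata terms not agreed")
    if not (record.get("identities") or []):
        gaps.append("no identity provider linked")
    return gaps


def audit_user(email: str, list_tool: ToolCall, get_tool: ToolCall,
               required_docs: List[str]) -> Dict[str, Any]:
    """Full Scenario 1 flow: locate the id by email, fetch the record, report gaps."""
    user_id = find_user_id(list_tool, email)
    if user_id is None:
        return {"email": email, "found": False, "gaps": []}
    record = get_tool({"id": user_id})
    return {"email": email, "found": True, "id": user_id,
            "gaps": compliance_gaps(record, required_docs)}


REQUIRED_DOCS = ["Secure Code Training", "Acceptable Use Policy"]  # assumed policy set

if __name__ == "__main__":
    print(audit_user("jsmith@company.com", fake_list_all_drata_users,
                     fake_get_single_drata_user_by_id, REQUIRED_DOCS))
```

Keeping the gap logic in deterministic code means the summary the model produces is checkable against a fixed rule set rather than the model's reading of a nested JSON blob; the page-limit guard in find_user_id is the same discipline as the retry cap, so a misbehaving cursor cannot drive an unbounded roster scan against the rate limit.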
Scenario 2: Vendor Questionnaire Prep
A sales engineer needs quick statistics for a security questionnaire (read more on automating vendor risk management with APIs).
User Prompt:
"I am filling out a security questionnaire. Pull our company info from Drata and give me our legal name, domain, and a summary of our security report status."
Execution Steps:
- ChatGPT calls list_all_drata_company_info.
- The tool returns the organizational object.
- The LLM extracts name, legalName, domain, and the nested securityReport details.
- ChatGPT formats the exact data points needed to paste into the vendor questionnaire.
Security and Access Control
Exposing GRC data to an AI model requires strict governance and zero-data retention MCP architecture to remain compliant. Truto MCP servers are secure by design, operating at the integrated account level with zero cross-tenant contamination. You can further lock down the server using the following configuration flags:
- Method Filtering (config.methods): Restrict the server to specific HTTP methods. By setting methods: ["read"], the MCP server will entirely drop any create, update, or delete tools during the generation phase, making your integration strictly read-only.
- Tag Filtering (config.tags): Scope the server to specific functional areas. If you only want ChatGPT to see user data and not framework controls, you can pass a tag array (e.g., tags: ["directory"]) to filter out all non-matching resources.
- Enforced Client Auth (require_api_token_auth): By default, the cryptographically secure MCP URL is sufficient to connect. Setting this flag to true requires the connecting client to also pass a valid Truto API token in the Authorization header, preventing unauthorized access even if the URL is leaked.
- Time-To-Live (expires_at): For temporary contractor access or short-lived audit sessions, pass an ISO timestamp to automatically destroy the MCP token and its underlying Key-Value storage records once the expiration time is reached.
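The four flags above are the same fields sent in the Step 1 Approach B request body, so a pre-flight check over that body catches a permissive server before it is created. This is an added example serving both the Approach B request and this section; it is not Truto's code. It assumes the key placement shown on the page (methods, tags and require_api_token_auth under config; expires_at at the top level, as in the response), takes the write method names create/update/delete from the description of what methods: ["read"] drops, and uses constructed weak and hardened sample bodies.

```python
"""Added example (not Truto's own code): a pre-flight review of the body sent
to POST /integrated-account/:id/mcp, flagging the settings this section
describes as widening exposure before the MCP server is created.

Assumptions: key placement follows the page (config.methods, config.tags,
config.require_api_token_auth, top-level expires_at); the write method names
are those the page says methods: ["read"] removes; sample bodies are
constructed."""

from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

WRITE_METHODS = {"create", "update", "delete"}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def _parse_iso(ts: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; a trailing Z is normalised for fromisoformat."""
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def review_mcp_server_body(body: Dict[str, Any], now: Optional[datetime] = None,
                           max_ttl: timedelta = timedelta(days=7)) -> List[str]:
    """Return human-readable findings for settings that widen exposure.

    An empty list means the body uses every lockdown the section describes:
    read-only methods, a tag scope, enforced client auth, and a bounded TTL.
    """
    now = now or datetime.now(timezone.utc)
    config = body.get("config") or {}
    findings: List[str] = []

    methods = config.get("methods")
    if not methods:
        findings.append("config.methods unset: all generated tools, including write tools, are exposed")
    elif {m.lower() for m in methods} & WRITE_METHODS:
        findings.append('config.methods includes write methods; use ["read"] for audit-only access')

    if not config.get("tags"):
        findings.append("config.tags unset: every Drata resource area is visible to the model")

    if config.get("require_api_token_auth") is not True:
        findings.append("require_api_token_auth is not true: possession of the URL alone grants access")

    expires_at = body.get("expires_at")
    if expires_at is None:
        findings.append("expires_at is null: the server never expires")
    else:
        parsed = _parse_iso(str(expires_at))
        if parsed is None:
            findings.append("expires_at is not a parseable ISO timestamp")
        elif parsed <= now:
            findings.append("expires_at is already in the past")
        elif parsed - now > max_ttl:
            findings.append(f"expires_at is more than {max_ttl.days} days out; shorten for audit sessions")
    return findings


# Constructed sample body mirroring a permissive request (not from the page).
WEAK_BODY = {"name": "Drata Compliance Auditor",
             "config": {"methods": ["read", "update"], "require_api_token_auth": False}}


def hardened_body(now: datetime, ttl: timedelta = timedelta(hours=8)) -> Dict[str, Any]:
    """The same request with every lockdown flag from this section applied."""
    return {"name": "Drata Compliance Auditor",
            "config": {"methods": ["read"], "tags": ["directory"],
                       "require_api_token_auth": True},
            "expires_at": (now + ttl).isoformat().replace("+00:00", "Z")}


if __name__ == "__main__":
    for line in review_mcp_server_body(WEAK_BODY, SAMPLE_NOW):
        print("-", line)
    print("hardened findings:", review_mcp_server_body(hardened_body(SAMPLE_NOW), SAMPLE_NOW))
```

Run this against the body in a CI step or a pre-commit hook that wraps the Truto API call; an audit session for a contractor then fails fast if someone drops the tag scope or leaves require_api_token_auth at its default, rather than being discovered after the URL has circulated.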
FAQ
- How does Truto handle Drata API rate limits?
- Truto normalizes upstream rate limit information into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) but does not automatically retry or backoff. When the Drata API returns a 429, Truto passes the error to the caller, requiring your client to handle the retry logic.
- Can I restrict ChatGPT from modifying Drata data?
- Yes. When creating the MCP server in Truto, you can pass "methods": ["read"] in the configuration. This ensures that only read-only tools are generated and exposed to the LLM.
- Do I need to hardcode Drata schemas for ChatGPT?
- No. Truto dynamically generates the MCP tools from Drata's API resources and documentation. The tool schemas, including descriptions and required fields, are automatically passed to ChatGPT during the initialization handshake.