Summary
Sage is Whistic's AI assistant built directly into the Compliance Controls page. Instead of manually entering controls one at a time, you can upload your existing compliance documentation — such as a SOC 2 report, a GRC export, or a policy document — and Sage will read the file, generate controls and tests, and let you review everything before it's saved to your account. The entire process typically takes about 5–10 minutes, turning what used to be days or weeks of manual data entry into a quick conversation with Sage.
Important: Before using Sage, please review Whistic's AI & Security policies for information on how your data is accessed, stored, and used. Whistic AI never trains on your data and does not share it with external parties. AI can make mistakes, so please review the information for accuracy.
🚀 Getting Started
Sage for Compliance is available on the Compliance > Controls page. Before you begin, make sure you have the following:
Requirements:
- Your account must have access to both Sage and Compliance features. If you're unsure, contact your Customer Success Manager.
- Your compliance document must be in one of the supported file formats: PDF, DOCX, CSV, or XLSX
- The document should contain compliance-related content such as controls, policies, or audit reports (for example, a SOC 2 report or a controls export from another GRC platform)
- The file cannot be encrypted or password protected
🛠️ How to Build Controls with Sage
1. Navigate to Compliance > Controls in the top navigation bar.
2. Click the Build with Sage button in the upper-right corner of the Controls page. The Sage panel will open on the right side of your screen.
3. Upload your compliance document by clicking the Attach File(s) button at the bottom of the Sage panel. You can also search your existing knowledge base for documents that have already been uploaded to your account.
4. Tell Sage what you'd like to do. For example, you could type something like:
   - "I exported all of our controls from our current GRC platform. Can you help me import them?"
   - "Here is our SOC 2 report. Can you create controls and tests from it?"
5. Sage will read your document, parse its structure, and provide an outline of what it found — including the number of controls and tests it identified.
6. Review the preview that Sage provides. This is a Markdown summary of all proposed controls and tests. Nothing is saved to your account at this point — this is your opportunity to review, ask questions, or request changes.
7. Once you're satisfied with the preview, Sage will ask for your explicit permission before making any changes. Click Allow to approve.
8. Sage will begin creating the controls and tests in your Controls library. You'll see them appear in real time on the Controls page as they're added.
📋 What Sage Generates
When you use Build with Sage, it can create the following based on your uploaded documentation:
- Controls — Individual compliance controls extracted from your document, organized and structured for your Controls library
- Tests — Associated tests for each control, which may include manual tests or automated Browser AI tests depending on the control type
- Compliance Status — Each control is added with a status that is tracked as the tests are conducted
After Sage finishes building your controls, you can open any individual control to review its details, edit the information, or adjust the tests associated with it.
❓ FAQ
What file types does Sage support?
Sage accepts PDF, DOCX, CSV, and XLSX files. This means you can upload SOC 2 reports, policy documents, spreadsheets, or exports from another GRC platform.
What happens if Sage gets something wrong?
Nothing is saved until you approve it. Sage shows you a full preview of all proposed controls and tests before anything is written to your account. You can review, ask Sage to make changes, or reject the proposal entirely.
Can Sage map controls to compliance frameworks like SOC 2 or ISO 27001?
Sage can read and interpret framework references within your uploaded documents, but it does not currently map controls to compliance frameworks within the Whistic platform. Framework mapping is planned for a future release.
Do I have to use Sage, or can I still build controls manually?
Sage is completely optional. Manual control creation is still fully supported — just click + Create Control on the Controls page to add controls individually. Sage is simply an additional tool to help speed up the process.
How long does it take for Sage to generate controls?
The process typically takes about 5–10 minutes from upload to live controls, depending on the size and complexity of your document.
Does Sage save my chat history?
Sage does not currently retain chat history between sessions. If you navigate away from the Compliance Controls page or log out, your conversation with Sage will not be available when you return. However, any controls and tests that were approved and saved to your Controls library will remain.
Can Sage work with controls I've already created?
Yes. If you already have controls in your library, Sage can compare proposed controls against your existing ones and flag any that have already been imported, helping you avoid duplicates.
What types of documents work best with Sage?
Sage works best with structured compliance documents such as SOC 2 reports, GRC platform exports (CSV or XLSX), and policy documents that clearly outline controls and their associated tests. Documents that are unrelated to compliance or that contain unstructured content may produce less accurate results.
What should I do if Sage isn't generating the results I expected?
Make sure your document is in a supported file format (PDF, DOCX, CSV, or XLSX) and that it is not encrypted or password protected. If the document is unrelated to compliance or contains limited control information, Sage may not be able to extract meaningful data. You can also try rephrasing your request or providing more specific instructions in the chat.
How is my data handled when using Sage?
Review Whistic's AI & Security FAQ to learn how information is accessed, stored, and used. Whistic AI never trains on your data and does not share it with external parties.