Thoropass AI Aims to End Manual GRC Drudgery with Smart Sort

📊 Key Data
  • Smart Sort AI automates the sorting of evidence files, reducing manual sorting time by hundreds of hours per audit.
  • The tool is vendor-agnostic, working with any GRC system without requiring direct API integration.
  • Thoropass processes audit evidence with encryption and in compliance with GDPR and CCPA/CPRA.

🎯 Expert Consensus

Experts agree that Smart Sort AI addresses a critical inefficiency in GRC processes by automating evidence sorting, reducing human error, and allowing auditors to focus on higher-value analysis.

NEW YORK, NY – January 29, 2026 – Cybersecurity auditor Thoropass today announced the launch of Smart Sort AI, a new feature designed to automate one of the most tedious and error-prone stages of compliance audits: organizing evidence. The AI-powered tool, integrated into the company’s Audit Lifecycle Platform, can ingest large data exports from any Governance, Risk, and Compliance (GRC) system and automatically sort the files into clean, audit-ready evidence mapped to specific control requirements.

The launch targets a persistent bottleneck for security and compliance teams who, despite using sophisticated GRC platforms to track tasks, often find themselves manually sifting through thousands of files when an audit is imminent. By automating this process, Thoropass aims to dramatically reduce preparation time, minimize human error, and allow auditors to focus on more strategic analysis rather than administrative legwork.

A New Approach to a Persistent GRC Bottleneck

The challenge Smart Sort AI addresses is a well-known pain point in the compliance industry. Organizations today operate in an increasingly complex regulatory landscape, often using multiple software systems to manage security controls and risk. While GRC platforms are effective for workflow management, they are not always optimized for evidence export in an audit-friendly format. The result is often a massive, disorganized data dump that must be manually sorted, labeled, and mapped to hundreds of specific audit requests for frameworks like SOC 2, ISO 27001, or HITRUST.

Industry research consistently highlights that manual processes and a lack of integration are top challenges for GRC professionals. Security and compliance teams report spending a disproportionate amount of their time on repetitive evidence collection and preparation, a process that can take hundreds of hours for a single audit. This manual sorting is not only inefficient but also carries a significant risk of misclassifying or overlooking critical evidence, potentially jeopardizing the entire audit outcome.

Smart Sort AI directly confronts this inefficiency. When a customer uploads a raw export from any GRC tool, the platform’s artificial intelligence analyzes the content of each file, be it a policy document, a system configuration screenshot, or a user access log. It then identifies the relevant controls and automatically places the file into the correct evidence request within the Thoropass platform. This eliminates the need for manual sorting and significantly reduces the risk of missing or miscategorized information.

The 'Sit on Top' Strategy: Augmenting, Not Replacing

In a competitive market populated by compliance automation platforms like Drata and Vanta, which often rely on direct API integrations to collect evidence, Thoropass is pursuing a notably different strategy. Smart Sort AI is designed to be vendor-agnostic, requiring no direct integration with the source GRC system. This “sit on top” approach allows companies to continue using their existing, often deeply embedded, GRC tools without disruption.

This strategy acknowledges the reality that many organizations have made significant investments in their current GRC platforms and are hesitant to undergo a costly and complex migration. Thoropass positions its platform not as a replacement, but as an intelligent evidence-processing layer that enhances a company’s existing tech stack.

“Security teams should not have to choose between the GRC tools they already use and the benefits of a modern, AI-native audit,” said Sam Li, CEO of Thoropass, in the announcement. “Smart Sort AI gives customers that choice. It lets them bring evidence from any system into Thoropass and immediately benefit from our AI-powered audit workflows and our team of world-class auditors, without rework or disruption.”

This customer-centric philosophy of “meeting customers where they are” lowers the barrier to adoption and provides flexibility. It allows Thoropass to extend its value proposition to a broader market, including enterprises with legacy, on-premise, or custom-built systems that may not have modern API capabilities. “We built Smart Sort AI so Thoropass can sit on top of anything and turn messy exports into audit-ready evidence,” Li added.

Redefining the Auditor's Role Through AI Collaboration

The introduction of advanced automation like Smart Sort AI is not just about efficiency; it signals a fundamental shift in the role of the human auditor. By offloading the monotonous task of evidence sorting, the technology frees up compliance professionals and auditors to engage in higher-value activities that require critical thinking, context, and human judgment.

Instead of spending their days organizing files, auditors can dedicate more time to analyzing the quality of the evidence, assessing the effectiveness of controls, and providing strategic advice on risk management. This human-AI collaboration promises to produce more rigorous and credible audits. The automation handles the “what,” while the human expert focuses on the “so what.”

Smart Sort AI is a core component of a broader suite of AI capabilities within the Thoropass Audit Lifecycle Platform. It works alongside features like First Pass AI, which performs an initial quality control check on collected evidence. This integrated approach suggests a long-term vision where AI agents handle an increasing amount of the preparatory and repetitive work across the entire audit lifecycle, from scoping to report delivery, all under the supervision of experienced human auditors.

Navigating Security and Trust in an AI-Driven Audit World

As with any technology that processes sensitive enterprise information, the use of AI in handling confidential GRC data raises important questions about security and data privacy. Audit evidence can include proprietary system configurations, internal policies, and personally identifiable information, making robust data protection essential.

As a company in the business of compliance, Thoropass is built on a foundation of stringent security protocols. The company’s public policies confirm that all customer data is encrypted both at rest and in transit using industry-standard protocols like TLS 1.2. Access to data is governed by the principle of least privilege and is subject to regular reviews. Furthermore, the company’s Data Processing Addendum (DPA) ensures its practices are compliant with major data protection regulations such as GDPR and CCPA/CPRA, obligating personnel to maintain strict data confidentiality.

The broader GRC industry is moving toward a model of AI governance where transparency, fairness, and accountability are paramount. For tools like Smart Sort AI, this means ensuring the AI models are trained on properly anonymized data, operate without bias, and are subject to continuous monitoring and auditing themselves. Thoropass’s hybrid model, which embeds human auditors throughout the process, provides a critical layer of oversight, ensuring that the AI’s output is validated by an expert before it becomes the foundation of a formal audit opinion.
