Changelog: Agentic Policies and the Path to AI Governance

Daniel Liszka

A big one in February. We shipped agentic policies, an early preview of compliance coverage, signed manual evidence, and a platform refresh. Here’s what’s new and why we’re excited about it.

Agentic Policies

Getting started with software delivery policies has always required writing Rego, the Open Policy Agent policy language. It’s powerful, but it’s not easy, and for most teams it ends up being the reason they never get started.

Agentic policies change that. Instead of writing code, you describe what you want to check in plain language, and an LLM reasons over the attached evidence and returns a verdict. You can have a working policy in minutes, not days.

This is useful in two situations. First, when you want to get started quickly and iterate before hardening a check into deterministic Rego. Second, for evidence that’s hard to evaluate with rigid rules: free-form reports, documents, and other unstructured content that doesn’t fit neatly into an if-then policy.

There are two ways to use it:

Zero-code. The built-in evidence-prompt policy takes a plain-language description. No Rego, no boilerplate.

Power-user. The chainloop.evidence_prompt builtin can be embedded inside custom Rego policies, combining AI reasoning with deterministic logic in the same rule.

Enterprise customers can connect their own LLM provider (Anthropic or OpenAI) via API key.

Full details in the LLM-driven policies guide.
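As an added example (not from the changelog or the Chainloop project itself), this is what the "power-user" mode looks like in one custom Rego policy: a deterministic check that an SBOM is attached sits next to an LLM verdict over a free-form penetration test report. The input layout (input.materials), the argument and verdict shape of chainloop.evidence_prompt, and the result keys are assumptions for illustration; only the builtin's name comes from the post.

```rego
package main

import rego.v1

# Deterministic check: the attestation must carry a CycloneDX SBOM.
# Assumption (not from the changelog): attested materials are exposed as
# input.materials, each with a "type" field.
has_sbom if {
    some material in input.materials
    material.type == "SBOM_CYCLONEDX_JSON"
}

# Agentic check: chainloop.evidence_prompt is the builtin named in the
# changelog. Passing a single plain-language question and receiving a
# {"passed": bool, "reason": string} verdict are assumptions made here,
# not the documented signature.
pentest_verdict := chainloop.evidence_prompt(
    "Does the attached penetration test report state that every critical and high finding was remediated or formally risk-accepted by a named owner?",
)

# Rigid rule: missing SBOM is always a violation, no LLM involved.
violations contains "attestation has no CycloneDX SBOM" if {
    not has_sbom
}

# Unstructured evidence: surface the model's reason so reviewers can
# see why the report was judged insufficient.
violations contains msg if {
    not pentest_verdict.passed
    msg := sprintf("pentest report check failed: %s", [pentest_verdict.reason])
}

# Result object returned to the policy engine; the "skipped" and
# "violations" keys are assumed to match what the engine expects.
result := {
    "skipped": false,
    "violations": violations,
}
```

The deterministic rule fails closed on its own, so a wrong or unavailable LLM verdict can only add violations for the unstructured evidence, never hide a missing SBOM.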

Agentic policy evaluation result showing violations

Compliance Coverage (Preview)

Until now, figuring out where you stand against a compliance framework meant digging through individual attestations and piecing things together manually. This is the first step toward fixing that.

The new compliance coverage view maps your projects against frameworks and requirements, showing what’s covered, what’s failing, and where the gaps are. It works at the product level, aggregating status across all project versions so you get a single clear picture. This is an early preview; full rollout is coming soon.

Compliance coverage view showing CRA framework status

Declarative Frameworks and Requirements

Compliance configuration shouldn’t live only in the UI. Frameworks, requirements, and policy groups can now be defined as YAML files and managed via the CLI. That means your compliance setup lives in version control, can be reviewed like any other code change, and applied in CI with chainloop apply.

Declarative framework definition in YAML

Signed Manual Evidence

Manual evidence is now signed, attested, and tamper-resistant. You can download a signed attestation receipt and verify it via the CLI, which means manual evidence now carries the same integrity guarantees as anything collected automatically.

You can also submit manual evidence directly from the products view, which makes it a lot easier to keep compliance tracking up to date at the product level.

Manual evidence collection from the products view

Policy Engine Improvements

A set of updates that give you more control over how policies behave.

More flexibility in how policies run. Attestation phases let you control when a policy evaluates during the attestation lifecycle. gate: false disables enforcement for a specific policy without removing it from your setup.

Better access to evidence. The new chainloop.download_artifact builtin pulls artifacts from CAS directly into the policy evaluation context, so your policies can reason over the actual content.

New out-of-the-box policies. owasp-top10-2025 adds OWASP Top 10 coverage updated for 2025 with SARIF and CodeQL support. cwes-group makes it easier to organize and apply CWE-related policies as a group.

Platform Refresh

We updated the design system to a cleaner, more compact look and shipped two usability improvements that I personally use every day now.

Platform UI and UX improvements overview

Global search. Hit CMD + K to find workflows, projects, frameworks, and requirements from anywhere in the platform.

Contract diffs. See exactly what changed between two contract revisions at a glance.

Contract revision diff view

Full changelog at docs.chainloop.dev/changelog.

Let’s Talk

We’ll be traveling in the next few weeks and would love to meet in person:

  • New York, March 16-19 (Chainguard’s Assemble Conference)
  • San Francisco, March 20-26 (BSidesSF, RSAC Conferences)

If you’re around, reach out. Always happy to grab coffee and hear what you’re working on.
