Banking
Policy System Code Review for policy admin systems (Solvency II, IDD), Configuration Audit for DORA-compliant cloud, credential scanning in repositories of supervised systems.
Polyant is the platform for building AI agents inside IT engineering and DevOps workflows. Automatic pull request review before merge, credential scanning in repositories, CVE monitoring on dependencies, weekly audit of cloud configurations against NIS2 and DORA baselines.
What changes is the time spent on standard PR reviews: automated review covers security, quality, and test coverage patterns; the senior developer focuses on architectural review. What changes is when exposed credentials are caught: at the pre-commit hook, not weeks later. What changes is CVE monitoring on dependencies: a structured daily scan vs reactive post-incident handling. What changes is cloud configuration auditing: weekly automated review vs manual periodic audit.
For a large company's IT team, a squad of agents works through the code cycle and alongside the operational runtime. Each agent does its part and passes the work to the next, under the same configuration and the same audit registry.
Automatic review of pull requests before merge: obvious bugs, security issues, anti-patterns, and targeted suggestions published as structured comments directly on the PR.
Repository scanning for cleartext credentials, exposed API tokens, private keys in accidental commits: pre-commit hook for preventive blocking, daily scan across the entire repository history.
CVE monitoring on production dependencies (npm, Maven, PyPI) with alerts on new vulnerabilities and an upgrade path suggestion consistent with the existing code's compatibility.
Weekly audit of cloud configurations (AWS, Azure, GCP) against CIS Benchmark, NIS2, and DORA baselines, identification of drifts from the reference configuration, targeted alert to the CISO.
For the IT team at a regulated B2B SaaS company, a squad of agents covers the code cycle from PR to deploy and the underlying cloud infrastructure.
For the head of engineering at a regulated B2B SaaS company, on Tuesday afternoon a junior developer opens a pull request on the GitHub repository. Code Review Pre-Merge activates on the webhook: it reads the diff, identifies three specific observations — a library with a known CVE, variable naming inconsistent with the team convention, missing unit tests on the new function — and publishes the structured comments on the PR. The developer updates the library, corrects the naming, and writes the tests. The senior developer reviews the PR, focusing on architecture, and approves the merge.
On a Wednesday morning, during a configuration refactor, a developer accidentally commits an AWS access key inside a test file. The pre-commit hook activates Secret Detection: the agent recognises the key pattern, blocks the commit locally, and suggests removal and extraction to an environment variable. In parallel, the daily scan across the entire repository history confirms that no residual secret has reached the remote repository. The trace of the decision stays in the runtime audit registry.
On Thursday overnight, the scheduled Dependency Watcher runs the scan on the production dependencies of the customer's projects. It identifies 12 new CVEs published in the last 24 hours, three of them high severity, affecting core backend libraries. The agent suggests an upgrade path consistent with the existing code's compatibility — the minor version with the fix, not the latest major release. The summary arrives in the head of engineering's Slack channel with direct links to the CVE database and the dependency changelogs.
On Sunday morning, Configuration Audit runs the weekly check of AWS configurations against the CIS Benchmark baseline extended with NIS2 and DORA controls. It identifies four drifts from the reference configuration (an S3 bucket with encryption disabled, two security groups with overly permissive rules, an IAM role with excessive privileges) and prepares a targeted report for the CISO with suggested remediation for each drift. On Monday morning the IT team starts from a picture that is already prepared, under the same instance configuration as the three preceding agents.
Clinical System Audit for HIS, LIS, RIS, EHR. MDR-SaMD Avoidance Checker for healthcare agents, PR review on clinical systems under GDPR art. 9 constraints.
SCADA and network operations on network control systems, Configuration Audit for NIS2-compliant cloud, CVE monitoring on dependencies of public services.
Other regulated industries
Public sector, utility, manufacturing, and other regulated contexts have their own IT specificities (Public IT Compliance for NIS2 and the national digital agency): discovery serves to understand where the customer's constraints lie and to build the agent for the IT team that will actually use it.
GitHub is natively integrated through the runtime's ghPR and ghIssue tools. For GitLab, Bitbucket, proprietary systems, the integration is delivered during the project.
The typical timeline for a first IT agent is 4–8 weeks (longer for vertical, industry-specific agents). The duration is defined during discovery on the actual case.
No. Code Review Pre-Merge leaves structured comments on the PR. The merge stays with the senior developer or the head of engineering.
The developer can mark a comment as a false positive. The agent learns from the repository's patterns.
A 30-45 minute conversation to understand how Polyant for IT applies to the customer's case and how long it takes for the first agent in production.