Model Context Protocol

The Diligent One
API, Reimagined

72 AI-native tools across 9 GRC domains + 11 AI agents powered by Riskapture. Read risks, create audits, browse compliance standards, track issues — all through natural language.

72 MCP Tools
9 Domains
167 ERM Objects
115+ API Endpoints

Powered by Riskapture

The AI agents in this MCP server are powered by Riskapture's GRC Brain — a specialized knowledge graph that understands the full landscape of governance, risk, and compliance.

The GRC Brain

Riskapture's GRC Brain is a Neo4j-powered knowledge graph trained on 10 GRC domains, 50+ inventory schemas, 20 solution packages, and 11 regulatory frameworks. It encodes the relationships between risks, controls, standards, and organizational entities that make AI-powered GRC possible.

10 Domains
50+ Inventories
57 Relationships

Agent Architecture

Each agent pack is generated from the Brain's canonical workflows, roles, and ontology. Agents combine Diligent One's production data with Riskapture's domain intelligence to deliver autonomous classification, monitoring, and advisory capabilities.

✓ 20 solution packages with agent definitions
✓ IIA Standards, DORA, ISO 27001, NIST CSF built-in
✓ Canonical workflows with 12-stage audit lifecycle
✓ Vendor-agnostic — works with Diligent, OneTrust, Archer
✓ Autonomy-graded: autonomous, recommend, or human-in-the-loop

Agent Packs are add-on extensions. Each pack maps to a Riskapture solution and will be available in the Riskapture Marketplace as installable extensions. Currently: 4 packs with 11 agents covering Audit, Risk, IT Risk, and DORA Compliance.

Architecture

DiligentMCP wraps the entire Diligent One platform behind a unified MCP interface. Claude (or any MCP client) speaks natural language — the server handles JSON:API, pagination, auth, rate limiting, and name resolution.

┌──────────────────────────────────────────────────────────────┐
│  Claude / AI Agent                                           │
│  "Show me all high-impact risks with no controls"            │
└──────────────────────────┬───────────────────────────────────┘
                           │ MCP Protocol (stdio)
┌──────────────────────────┴───────────────────────────────────┐
│  DiligentMCP Server v0.2.0                                   │
│  Audit  Risk  ERM  Compliance  Issues  IT Risk  Entities     │
│  Results  Platform                                           │
│  Rate Limiter  Name Resolver  Write Guard  Cache             │
└──────────────────────────┬───────────────────────────────────┘
                           │ HTTPS + Bearer Token
┌──────────────────────────┴───────────────────────────────────┐
│  Diligent One Platform (HighBond REST API)                   │
│  apis-us.diligentoneplatform.com/v1/orgs/{orgId}             │
│  JSON:API v1.0  │  600 req/hr  │  Bearer auth                │
└──────────────────────────────────────────────────────────────┘

Quick Start

Clone & Install

git clone https://github.com/RiskaptureAI/DiligentMCP.git && cd DiligentMCP && npm install

Configure

Copy .env.example to .env and set your DILIGENT_API_TOKEN and DILIGENT_ORG_ID. Generate a token in Diligent One → Profile → Application Tokens.

Build

npm run build

Use with Claude

Open Claude Code from the project directory — the .mcp.json auto-registers the server. All 61 tools are immediately available.

Example Conversation

// You say:      "Show me all high-impact risks that have no controls"
// Claude calls: risk_list_all + risk_list_unmitigated
// Returns a formatted markdown table with 6 unmitigated risks

// You say:      "Create a new audit project for Q3 SOX compliance"
// Claude calls: audit_list_project_types → audit_create_project
// Creates the project and returns its ID + dashboard link

Audit Agent Pack · 4 agents · STD-SOL-007

Full lifecycle audit intelligence. Classifies findings, plans risk-based audits, tracks remediation, and reviews workpapers against IIA standards. Built from the GRC Brain's 12-stage internal audit workflow.

AGT-AUD-001
Finding Classifier

Auto-classifies findings by root cause taxonomy. Maps to control objectives and compliance standards. Detects duplicate findings across engagements.

Autonomy: classification (autonomous), control linking (recommend)
Trigger: finding_created, finding_updated
AGT-AUD-002
Audit Planner

Generates risk-based audit scope from risk register + prior findings. Suggests procedures, estimates resources from comparable past audits, drafts audit program narrative.

Autonomy: scope (recommend), narrative (recommend), resources (recommend)
Trigger: audit_created, audit_assessment_started
AGT-AUD-003
Remediation Tracker

Monitors action plan due dates, detects stalled remediation, calculates velocity trends, and auto-escalates based on severity x days overdue.

Autonomy: monitoring (autonomous), alerting (autonomous), escalation (recommend)
Trigger: scheduled (daily)
AGT-AUD-004
Workpaper Reviewer

Reviews findings against IIA 5-attribute standard (condition, criteria, cause, effect, recommendation). Flags incomplete workpapers, suggests narrative improvements.

Autonomy: quality check (autonomous), narrative (recommend)
Trigger: workpaper_submitted, finding_submitted

agent_classify_finding: Root cause classification, control mapping, duplicate detection (Agent · Composite)

Fetches all findings, controls, objectives, and compliance frameworks. Presents data for AI-powered root cause classification using an 8-category taxonomy, maps findings to control objectives, and identifies duplicates across engagements.

Parameter | Type | Description | Required
issue_id | string | Specific issue ID to classify (omit for all open) | optional
project | string | Scope to a project (name or ID) | optional

agent_plan_audit: Risk-based audit scope, procedure suggestions, resource estimation (Agent · Composite)

Aggregates the full risk landscape, prior findings history, control testing gaps, and historical project data. Structures everything for AI-generated audit planning: scope, procedures, timeline, and resource estimates.

Parameter | Type | Description | Required
project | string | Existing project to plan for (name or ID) | optional
focus_area | string | Focus: SOX, IT General Controls, Financial Reporting, etc. | optional

agent_track_remediation: Overdue tracking, stalled detection, velocity analysis, escalation (Agent · Composite)

Builds a comprehensive remediation dashboard: overdue items ranked by days past due, stalled remediation detection, closure velocity metrics (avg/median/fastest/slowest), and a Severity x Overdue escalation matrix.

Parameter | Type | Description | Required
project | string | Scope to a specific project (name or ID) | optional
severity_threshold | string | Minimum severity: low, medium, high, critical | optional

agent_review_workpaper: IIA 5-attribute quality check, narrative improvement suggestions (Agent · Composite)

Reviews each finding against the IIA 5-attribute quality standard. Scores completeness (condition, criteria, cause, effect, recommendation), identifies gaps, and provides detailed review of incomplete findings with suggested narrative improvements.

Parameter | Type | Description | Required
issue_id | string | Specific issue to review (omit for all open) | optional
project | string | Scope to a project (name or ID) | optional

Risk Agent Pack · 3 agents · STD-SOL-RSK

Enterprise risk intelligence combining audit risks and ERM assets. Classifies risks by taxonomy, monitors key risk indicators, and provides treatment recommendations with control mapping.

AGT-RM-001
Risk Advisor

Classification, impact estimation, control coverage assessment, treatment recommendations across audit + ERM.

AGT-RM-002
KRI Monitor

Monitors 25 ERM risks, 45 assessments, 16 mitigations. Threshold breaches, concentration risk, coverage gaps.

AGT-RM-003
Risk Classifier

Auto-classifies using 8-category taxonomy. Cross-references audit and ERM registers for duplicate detection.

agent_advise_risk: Risk classification, impact matrix, control coverage, treatment recommendations (Agent · Composite)

Combines audit risks, ERM risk assets, and control coverage into a comprehensive risk advisory analysis.

Parameter | Type | Description | Required
risk_id | string | Specific risk ID (omit for all high-impact) | optional
include_erm | boolean | Include ERM risk assets (default: true) | optional

agent_monitor_kri: KRI monitoring, threshold breaches, trend detection, mitigation coverage (Agent · Composite)

Monitors the full ERM risk portfolio: 25 risks, 45 risk event assessments, 16 mitigations. Analyzes distribution, concentration, and coverage.

No parameters — monitors the full portfolio.

agent_classify_risk: Taxonomy classification, cross-source duplicate detection, category validation (Agent · Composite)

Combines audit and ERM risks into a unified view for classification. Detects duplicates across sources by keyword matching.

Parameter | Type | Description | Required
risk_id | string | Specific risk ID (omit for all) | optional

IT Risk Agent Pack · 2 agents · STD-SOL-ITRM

IT infrastructure risk analysis. Correlates IT assets with control coverage, identifies untested controls, and provides a prioritized remediation roadmap with design effectiveness scoring.

AGT-ITRM-001
Vulnerability Classifier

Correlates IT assets (Software, Cloud, Hardware, Info Systems) with control coverage. Identifies exposure gaps by criticality.

AGT-ITRM-003
IT Risk Advisor

Control assessment matrix with walkthrough results. Design effectiveness scoring, gap analysis, remediation roadmap.

agent_classify_vulnerabilities: IT asset-control correlation, exposure gaps, testing coverage (Agent · Composite)

Fetches IT assets across 4 ERM asset types, correlates with controls and walkthroughs, and identifies exposure gaps.

No parameters — analyzes the full IT asset landscape.

agent_advise_itrisk: Control assessment matrix, design effectiveness, gap-to-risk mapping (Agent · Composite)

Comprehensive IT risk assessment: control-walkthrough matrix, ERM control assessments, gap-to-risk mapping.

Parameter | Type | Description | Required
objective_id | string | Focus on a specific objective (omit for all) | optional

DORA Compliance Agent Pack · 2 agents · STD-SOL-DORA

DORA (EU Digital Operational Resilience Act) compliance intelligence. Classifies ICT risks against DORA articles, generates regulatory incident reports per Chapter III, and monitors third-party concentration risk per Chapter V.

AGT-DORA-001
ICT Risk Classifier

Maps risks to DORA articles (Art. 5-45), cross-references compliance frameworks and standards library.

AGT-DORA-003
TPRM Monitor

Third-party ICT provider monitoring. Concentration risk, substitutability assessment, DORA Chapter V compliance scorecard.

agent_classify_ict_risk: ICT risk classification, DORA article mapping, framework cross-reference (Agent · Composite)

Classifies all risks against DORA ICT risk categories and maps to specific articles. Cross-references the standards library.

Parameter | Type | Description | Required
framework_filter | string | Filter standards: DORA, NIS2, ISO 27001 | optional

agent_report_incident: ICT incident classification, DORA Art. 19 deadlines, regulatory report drafts (Agent · Composite)

Classifies issues as potential ICT incidents per DORA Art. 17-18, calculates reporting deadlines, generates draft regulatory notifications.

Parameter | Type | Description | Required
project | string | Scope to a project (name or ID) | optional
severity_min | string | Minimum severity: low, medium, high, critical | optional

agent_monitor_tprm: Third-party monitoring, concentration risk, DORA Chapter V compliance (Agent · Composite)

Monitors third-party ICT providers from ERM assets. Analyzes concentration risk, IT asset dependencies, and generates a DORA Chapter V compliance scorecard.

No parameters — monitors the full third-party landscape.

Slash Commands

Pre-built workflows that chain multiple tools into comprehensive reports.

Command | What It Does
/audit-overview | Full dashboard of all projects — status, progress, issue counts, risk coverage
/risk-matrix | Impact × Likelihood heat map with gap analysis across all projects
/issue-tracker | Issue aging report, remediation pipeline, overdue tracking with days-past-due
/control-assessment | Control coverage analysis, testing gaps, design effectiveness summary

ERM Data Model

The ERM data layer uses a flexible schema where each asset type defines its own attributes. Here are the known types in the C-Labs environment:

Asset Types

ID | Name | Category | Count | Attributes
1604467 | Risk | risks | 25 | 35
1604468 | Control | controls | 49 | 28
1604465 | Objective | objectives | 10 | 18
1604466 | Process | processes | 10 | 20
1604458 | Third-party | assets | 1 | 36
1604453 | IT Asset – Software | assets | 2 | 30
1604454 | IT Asset – Cloud | assets | 2 | 29
1604455 | IT Asset – Info System | assets | 0 | 25
1604456 | IT Asset – Hardware | assets | 0 | 32
1604459 | Control Taxonomy | taxonomies | 0 | 17
1604460 | Risk Taxonomy | taxonomies | 0 | 17
1604461 | Organizational Unit | taxonomies | 0 | 17

Record Types

ID | Name | Count
1604462 | Control Assessments | 7
1604463 | Risk Event Assessment | 45
1604464 | Risk Mitigation | 16
1604457 | Finding | 0

Asset Data Format

// Assets use a field_name/value array (not standard JSON:API attributes)
{
  "type": "assets",
  "id": "92",
  "attributes": {
    "asset_attributes": [
      { "field_name": "name", "value": ["Market Demand Volatility"] },
      { "field_name": "risk_id", "value": ["R-005"] },
      { "field_name": "risk_impact", "value": ["Very Low"] },
      { "field_name": "likelihood", "value": ["Very High"] },
      { "field_name": "risk_category", "value": ["Strategic"] },
      { "field_name": "risk_owner", "value": { "user_ids": ["tVMAuF64ax"] } }
    ]
  }
}
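Because the asset format above is not plain JSON:API attributes, a client has to normalize it before it can reason about a risk. The following is an added example written for this page (it is not DiligentMCP's own code) in JavaScript, the language of the Node project: it flattens the field_name/value array into an ordinary object, rejects entries without a field name or with duplicate names so a malformed payload cannot silently overwrite an earlier field, and rebuilds the array for a write body. The sample asset is the one shown above; everything else (function names, the null-prototype object choice) is this example's own.

```javascript
// Added example, not DiligentMCP's own code: flatten the ERM asset_attributes
// array (field_name/value pairs) into a plain object and rebuild it for writes.
// SAMPLE_ASSET is the asset shown in the Asset Data Format section.
const SAMPLE_ASSET = {
  type: "assets",
  id: "92",
  attributes: {
    asset_attributes: [
      { field_name: "name", value: ["Market Demand Volatility"] },
      { field_name: "risk_id", value: ["R-005"] },
      { field_name: "risk_impact", value: ["Very Low"] },
      { field_name: "likelihood", value: ["Very High"] },
      { field_name: "risk_category", value: ["Strategic"] },
      { field_name: "risk_owner", value: { user_ids: ["tVMAuF64ax"] } },
    ],
  },
};

// Value shapes seen in the API: a one-element array becomes a scalar, a longer
// array stays an array, and object values (user references) pass through.
function unwrapValue(value) {
  if (Array.isArray(value)) return value.length === 1 ? value[0] : value;
  return value;
}

// Flatten an asset into { id, type, fields }. Entries without a string
// field_name are rejected, as are duplicate field names, so a malformed or
// crafted payload cannot silently overwrite an earlier field. The fields
// object has a null prototype so a name like "__proto__" stays an ordinary key.
function flattenAsset(asset) {
  const entries = asset && asset.attributes && asset.attributes.asset_attributes;
  if (!Array.isArray(entries)) throw new Error("asset_attributes array missing");
  const fields = Object.create(null);
  for (const entry of entries) {
    if (!entry || typeof entry.field_name !== "string") {
      throw new Error("asset attribute entry without field_name");
    }
    if (entry.field_name in fields) {
      throw new Error(`duplicate field_name: ${entry.field_name}`);
    }
    fields[entry.field_name] = unwrapValue(entry.value);
  }
  return { id: asset.id, type: asset.type, fields };
}

// Reverse direction for a write body: scalars are re-wrapped in one-element
// arrays; arrays and objects are kept as they are.
function toAssetAttributes(fields) {
  return Object.keys(fields).map((field_name) => {
    const v = fields[field_name];
    const isObject = v !== null && typeof v === "object";
    return { field_name, value: isObject ? v : [v] };
  });
}

// Round trip: flatten then rebuild must reproduce the original array exactly.
function roundTrips(asset) {
  const rebuilt = toAssetAttributes(flattenAsset(asset).fields);
  return JSON.stringify(rebuilt) === JSON.stringify(asset.attributes.asset_attributes);
}
```

The duplicate check matters more than it looks: a name resolver or a cache keyed on `fields.name` would otherwise take whichever entry came last, and the API contract does not promise there is only one.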

Safety & Limits

DELETE is permanently blocked. The write guard prevents all DELETE operations. A project was accidentally soft-deleted early in development with no API restore path. This cannot be overridden.

Rate limit: 600 requests/hour, 6 req/sec burst. Enforced by a built-in token bucket. Composite tools (RCM, heat map, pipeline) may consume many requests. The server will queue automatically.

Name resolution is automatic. Tools accept human-readable names (e.g., "IT General Controls") and resolve to numeric IDs internally. If multiple matches exist, a disambiguation table is returned.

Hard Rules

Rule | Why
Never DELETE | Soft-delete is irreversible via API. No restore endpoint exists.
JSON:API v1.0 only | All requests use application/vnd.api+json content type
No server-side filtering | The filter param is not supported. All filtering is client-side.
include supported | attribute_types, permissions, statuses.events work
Cursor pagination | Use base64 cursors from links.next, not page numbers
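The pagination and filtering rules above combine into one client loop. The following is an added example (not DiligentMCP's code): it builds the vnd.api+json headers with a bearer token, follows the opaque cursor in links.next rather than computing page numbers, bounds the walk with a seen-set and a page cap so a looping cursor cannot burn the hourly budget, and filters client-side. The in-memory page store, its `status` attribute, the `ORG_ID_PLACEHOLDER` org id and the `cursor=` query parameter name are all constructed for the example; the client never builds that query itself, it only follows links.next verbatim.

```javascript
// Added example, not DiligentMCP's own code: JSON:API headers, cursor-following
// pagination via links.next, and client-side filtering. The page store below is
// constructed in memory; a real client would await fetch(url, { headers }).

// ORG_ID_PLACEHOLDER stands in for a real org id. The cursor query parameter
// name is made up for the fake store; the client only follows links.next.
const ORG_BASE = "https://apis-us.diligentoneplatform.com/v1/orgs/ORG_ID_PLACEHOLDER";

function requestHeaders(token) {
  return {
    Authorization: `Bearer ${token}`,
    Accept: "application/vnd.api+json",
    "Content-Type": "application/vnd.api+json",
  };
}

const cursor = (s) => Buffer.from(s).toString("base64");
const PROJECTS_URL = `${ORG_BASE}/projects`;
// Constructed three-page response set keyed by URL; cursors are opaque base64.
const FAKE_PAGES = {
  [PROJECTS_URL]: {
    data: [
      { type: "projects", id: "101", attributes: { name: "Q3 SOX Compliance", status: "active" } },
      { type: "projects", id: "102", attributes: { name: "Vendor Audit", status: "closed" } },
    ],
    links: { next: `${PROJECTS_URL}?cursor=${cursor("page2")}` },
  },
  [`${PROJECTS_URL}?cursor=${cursor("page2")}`]: {
    data: [
      { type: "projects", id: "103", attributes: { name: "ITGC Review", status: "active" } },
      { type: "projects", id: "104", attributes: { name: "Payroll Controls", status: "closed" } },
    ],
    links: { next: `${PROJECTS_URL}?cursor=${cursor("page3")}` },
  },
  [`${PROJECTS_URL}?cursor=${cursor("page3")}`]: {
    data: [{ type: "projects", id: "105", attributes: { name: "DR Test 2023", status: "closed" } }],
    links: { next: null },
  },
};

// In-memory stand-in for fetch(): resolves the JSON body for a known URL.
async function fakeGetPage(url) {
  const page = FAKE_PAGES[url];
  if (!page) throw new Error(`404 ${url}`);
  return page;
}

// Follow links.next until it is absent. A seen-set and a page cap bound the
// walk so a looping or runaway cursor cannot burn the 600 req/hr budget.
async function collectAll(getPage, url, { maxPages = 100 } = {}) {
  const items = [];
  const seen = new Set();
  let next = url;
  while (next) {
    if (seen.has(next)) throw new Error(`pagination loop at ${next}`);
    if (seen.size >= maxPages) throw new Error(`page cap of ${maxPages} exceeded`);
    seen.add(next);
    const page = await getPage(next);
    if (!Array.isArray(page.data)) throw new Error("JSON:API data array missing");
    items.push(...page.data);
    next = (page.links && page.links.next) || null;
  }
  return items;
}

// Client-side filter over resource attributes, the only filtering available.
function filterByAttributes(resources, predicate) {
  return resources.filter((r) => predicate(r.attributes || {}));
}

async function activeProjectNames(getPage) {
  const all = await collectAll(getPage, PROJECTS_URL);
  return filterByAttributes(all, (a) => a.status === "active").map((r) => r.attributes.name);
}
```

Because every filter is applied after the full collection has been fetched, a composite tool over a large org pays one request per page before it can discard anything; that is the interaction with the rate limit the Safety & Limits section warns about.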