Skip to contentAbout Fig Group

Agentic Remediation

Policy-governed remediation that closes the gap between detection and resolution automatically.

Request a demoAll solutions

The challenge

Does this sound familiar?

A control fails on Tuesday. An alert lands in an inbox. By Thursday, someone creates a ticket. The following week, an engineer investigates. Three weeks later, the fix is applied, but nobody updates the compliance register and the auditor finds the gap six months on.

How Fig helps

Agentic Remediation with Fig

The workflow starts with your policy variables and ends with an auditable corrective action. Fig turns policy intent into enforceable logic, watches for matching events, executes the approved remediation path, and records the evidence automatically.

01

Policy Set

Framework and policy variables define what should happen when the control fails.

02

Integration Event

A live signal from cloud, identity, endpoint, or security tooling breaches that rule.

03

Automated Fix

Fig runs the allowed remediation path directly or routes it for approval.

04

Evidence Logged

Trigger, action, approvals, timestamps, and outcome are written to the audit trail.

Closed-Loop Remediation

When a control fails, Fig does not raise an alert and wait. It determines the appropriate response, creates the remediation artefacts, assigns the work, and where your policies permit, executes the fix directly.

Voice-Driven Remediation with Martin

Martin, Fig’s voice-enabled AI agent, gives authorised teams conversational access to remediation workflows. Read-only queries execute immediately, reversible actions require confirmation, and medium-risk changes require independent approval before execution.

Fig workflow from policy generation to automated remediation and evidence logging
Core Capability

Fig has a voice-enabled AI agent that filters out small and low-risk client requests when they call or raise a ticket, so routine remediation and service actions can be handled immediately without pulling engineers into every interaction.

Zero-Touch Playbooks

For MSP and security operations teams, playbooks can create incidents, notify owners, call RMM tooling via webhook, execute remediation scripts, verify the result, and escalate automatically if the fix fails.

Tamper-Evident Audit Trail

Every automated action captures the trigger, policy authority, target, approvals, timestamps, and outcome. When an auditor asks who changed what and why, the answer is already there.

Audit-ready workflow

How Agentic Remediation becomes evidence

Agentic Remediation should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.

Lifecycle

Where it sits in the operating model

The Respond phase is where this capability sits in the wider Fig operating model. A control fails on Tuesday. An alert lands in an inbox. By Thursday, someone creates a ticket. The following week, an engineer investigates. Three weeks later, the fix is applied, but nobody updates the compliance register and the auditor finds the gap six months on. Fig turns that problem into a repeatable lifecycle so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.

Evidence captured

What auditors and buyers see

For agentic remediation, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.

Implementation checks

Four steps to roll this out

  • 01Define who owns agentic remediation and what events should trigger review.
  • 02Connect the relevant source systems so evidence is collected continuously.
  • 03Map outputs to the frameworks and policies that matter to the organisation.
  • 04Review exceptions, accepted risks, and overdue actions before audit or renewal.

Useful references

Independent sources buyers and auditors recognise

The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.

External source
NCSC guidance for organisations
External source
NCSC Cyber Essentials overview
External source
ICO accountability framework
Fig Group
Fig platform overview
Fig Group
All Fig solutions
Fig Group
Discuss your framework scope

Built for you

Who uses this?

MSPs & MSSPs

Zero-touch playbooks handle routine remediation across every client, with escalations only when the automation cannot safely close the loop. Your team spends less time chasing tickets and more time on exceptions that actually require judgement.

Learn more

Security & risk teams

Compliance posture does not decay between audits. Failures create tracked remediation immediately, hard controls can block unsafe operations, and validated playbooks can execute containment or corrective action under policy.

Learn more

Compliance & audit

Every remediation step is linked to the triggering control, the governing policy, the approval path, and the final outcome. That gives auditors a complete evidence chain from failure through correction and verification.

Learn more

Respond

Related solutions

Incident Management

Structured incident workflows with evidence capture and regulatory notification tracking.

Vulnerability Disclosure

Public intake, safe harbour enforcement, and 9-state governance for responsible disclosure.

Common questions

Frequently asked questions

Can automated actions make changes to our production environment without approval?

That depends on your configuration. By default, actions that modify state require human approval. You can selectively enable automatic execution for validated playbooks, approved action types, and defined targets. Nothing runs outside your configured allowlists.

What happens if an automated remediation fails?

The platform escalates to a human operator with full context: what was attempted, what the result was, and what the current state is. Failed remediation attempts are never silently swallowed.

How does Martin handle permissions?

Martin operates under the caller’s actual RBAC role. If the caller cannot perform the action in the web interface, Martin cannot do it on their behalf. Medium-risk actions require a second approver, and high-risk or out-of-scope actions are blocked entirely.

Can we disable specific types of automated remediation?

Yes. Every consequence type, playbook, escalation path, and just-in-time response is independently configurable. You can run in monitor-only mode and enable enforcement incrementally as you build confidence.

Does this work with our existing tooling?

Yes. Fig governs and orchestrates your existing tooling rather than replacing it. Playbooks can call RMM, PSA, identity, cloud, backup, and security tooling via integration or webhook, then capture the full outcome in the same audit trail.

Next step

See Agentic Remediation in action.

Book a walkthrough tailored to your frameworks and tooling.

Request a demoAll solutions