AI Governance

What We Shipped for PICMS in April 2026 — and Why It Matters for Compliance Teams

TAC Editorial Team
25 April 2026

Six weeks of intensive build at PICMS — autonomous AI agents, post-quantum cryptography, weekly security monitoring, and a tier redesign that respects how SHEQ professionals actually buy software. Here's what landed and what it signals about the future of compliance.

April 2026 was the busiest delivery month PICMS has had since launch. Six major capability releases shipped between the 16th and the 22nd — every one of them driven by what compliance professionals actually do day-to-day, not what software companies think they do.

Here's what landed, what it does, and — more usefully — what it signals about where ISO compliance is heading.

1. Autonomous AI Agents That Don't Wait to Be Asked

The biggest mental shift in PICMS this month wasn't a feature; it was a stance. Compliance software used to ask you questions. PICMS now answers them before you ask.

Five new agents went live across the platform:


    • Risk Guardian — fires the moment a new risk is logged, runs bias detection, suggests controls drawn from the standards your organisation actually subscribes to. ISO 45001 risks get H&S controls; ISO 27001 risks get InfoSec controls. No generic noise.

    • Hazard Guardian — same pattern for the Hazard Register, with COSHH and CDM 2015 awareness baked in.

    • Investigation Orchestrator — drives the Incident Command Centre through the 5-Whys structure, voice-enabled for on-site use, generating Golden Thread links across CAPAs, audits, and risks automatically.

    • Support Assistant — drafts replies on every support ticket within seconds, prefixed so the human reviewer always sees it's a draft. Customer waits less. Support team writes less.

    • Master Agent — orchestrates RAG retrieval across your evidence library so a question like "show me how we satisfy ISO 9001 Clause 7.5" pulls the actual policy, not a generic template.

    The point isn't "we added AI". Every SaaS adds AI. The point is that the agents retain state: they remember what worked last week, what got corrected, what got rated unhelpful, and they get better. Which leads to…

    2. The Agent Learning System — Why Our Agents Get Smarter Each Week

    Most compliance AI is stateless. You ask, it answers, it forgets. Useful, but it doesn't compound.

    PICMS agents now run a four-week learning cascade every Sunday morning:


    • 02:30 UK — Feedback processor. Every "not helpful" or "corrected" rating gets converted into training knowledge for the relevant agent.

    • 02:45 UK — Affinity updater. Learns which auditor styles each user prefers and re-ranks memory recall accordingly.

    • 03:00 UK — Fleet learner. Anonymised patterns across ≥3 organisations get clustered into fleet-level training signals — so a new customer benefits from day one.

    • 03:30 UK — ISO Manual auto-findings. Cross-org gap patterns become product roadmap signals.

    • 04:30 UK — S3 export. Every memory, every correction, every fleet pattern exports to your S3 bucket as gzipped JSONL. Your agent IP is portable. If you ever migrate off PICMS, you take it with you.

    That last point is the moat. Your auditor team's accumulated judgement, captured as data, exportable. Compliance procurement teams will recognise this as data portability — a clause that's increasingly demanded in vendor RFPs.

    3. Tier Redesign — Psychology, Not Spreadsheets

    The April 2026 pricing redesign came out of a strategic review (the "Manus review") that flagged a simple problem: our tiers had been priced like a feature spreadsheet, not like a buyer's decision journey.

    The new four-tier structure is shaped around what an SHEQ professional thinks when they evaluate ISO software:


    • Starter (£179/mo) — 1 ISO standard, 3 users, manual evidence mapping. Honest entry point. The word "manual" is deliberate — Starter customers do the mapping themselves.

    • Professional (£349/mo) — 3 standards, 10 users, autonomous AI agents map evidence automatically. The decoy delta. Most customers feel the £170 jump pays for itself in week one.

    • Certification (£549/mo) — 5 standards, 25 users, unlimited AI queries, plus one Industry Pack included free. Anchored as "the certification-ready bundle".

    • Enterprise (£899/mo) — All standards, unlimited users, every Industry Pack, full API access, quarterly IRCA auditor calls. The ceiling.

    For consultants like Training Assurance Consultancy, the implication is straightforward: clients now self-select into the right tier without a 40-minute pricing conversation. We can spend that time on actual compliance work.

    4. Commercial Diving Pack — Niche Compliance, Done Properly

    The fourth Industry Pack went live: Commercial Diving. £250/mo. Covers DWR 1997, HSE L103/L104 ACoPs, and the IMCA D-series (D018 plant examination, D023 surface-orientated systems, D040 audit protocol).

    Why niche? Because every diving contractor we've spoken to has been making the same compromise — using horizontal SHEQ software that almost covers diving, then keeping a parallel paper system for IMCA-specific requirements. The Diving Pack collapses both into one platform with:


    • Plant register with cert-tracking and PMS scheduling

    • Competent Persons register (IMCA Cat 1-4)

    • Dive Operations Logbook (statutory under DWR Reg 12)

    • D040 audit protocol with finding-tracking and CAPA workflow

    • AI-generated RAMS that pass audit because the prompt is anchored to DWR 1997 + L103/L104 + IMCA D018/D023/D040/D039

    It's a deliberate niche play. There are about 80 diving contractors in the UK. They've been underserved. We expect to take a meaningful share within twelve months because nobody else is purpose-building for them.

    5. Security Monitoring — Sentinel and Pax

    Two security agents went live, running every Sunday:


    • Sentinel (04:45 UK) — static review of the PICMS codebase. Catches multi-tenant isolation gaps, IDOR (insecure direct object reference) risks, body-trusted identifiers (tenant or record ids taken on trust from the request body rather than from the authenticated session), optional-column SELECT bombs, public-prefix overreach, SQL injection, XSS, CSP regressions. Each candidate gets triaged by Claude Sonnet to filter out false positives from the regex pass.

    • Pax (05:00 UK) — live HTTP probes against api.picms.com from outside the platform. Tests IDOR with real JWTs. Tests CORS with rogue origins. Tests rate-limit thresholds. Tests CSP allowlists.

    Findings land in Master Admin with a triage state machine. Critical findings auto-escalate to a support ticket and our fix-attempt agent picks them up. The whole loop — detection → triage → fix → verify — runs sub-24h.

    For B2B compliance buyers, the answer to "what's your security posture?" just got a lot easier to give.

    6. Post-Quantum Cryptography Sprint

    NIST published the final FIPS 203 / 204 / 205 standards (ML-KEM for key encapsulation; ML-DSA and SLH-DSA for signatures) in August 2024. Most SaaS vendors have ignored them. PICMS now hasn't.

    The April PQC sprint delivered:


    • A Cryptographic Bill of Materials (CBOM) audit covering every place PICMS uses crypto

    • A canonical crypto-provider.js wrapper: the single point of change when key establishment and signatures move to ML-KEM and ML-DSA. What gets replaced is the asymmetric layer, not the AES-256/HMAC-SHA-256 symmetric layer (256-bit symmetric keys already keep a 128-bit margin against Grover's algorithm), and UUIDs are identifiers rather than cryptography.

    • HMAC-SHA-256 authentication tags on every weekly S3 export bundle (data integrity for the agent learning moat). An HMAC is symmetric, so it shows the bundle was not altered by anyone without the key, but whoever can verify a tag can also mint one; it is an integrity control, not a non-repudiable signature. A signature (ML-DSA, once adopted) is what would let a third party attribute the bundle to the vendor.

    • 90-day retention on agent briefings, 2-year archive on de-identified fleet patterns — explicit data-lifecycle controls

    The migration to genuine post-quantum primitives is then confined to the wrapper. Two caveats for buyers. First, a wrapper is only a single point of change for code that actually goes through it, which is what the CBOM audit is for. Second, "harvest now, decrypt later" protection starts when a post-quantum KEM is actually carrying the key establishment, not when the wrapper exists; until then, traffic captured today is still protected only by classical key exchange. For customers with five-to-ten-year evidence retention obligations (think life sciences, defence, financial services), that deployment is exactly what FIPS 203 was published for.

    What This Signals

    Three trends, taken together, suggest where ISO compliance software is heading:


    1. Proactive beats reactive. Compliance teams shouldn't be running the system. The system should be running, and surfacing decisions to the team.

    2. Niche specialisation will outcompete horizontal platforms. The Diving Pack proves it. Healthcare, security, construction starters next.

    3. Data portability is becoming table stakes. Vendor lock-in via opaque AI memory is no longer acceptable. If your provider can't show you the JSONL export of your compliance intelligence, ask why.

If you're an SHEQ professional reviewing your stack for FY26, these are the questions worth asking — of PICMS, of us, and of any vendor you're shortlisting.

Want to talk through what April 2026's release means for your specific compliance programme? Get in touch.

Related Topics

AI compliance, ISO 42001, SHEQ software, PICMS, AI governance, ISO management system, post-quantum cryptography, compliance automation

Need Expert Guidance?

Our Lead Auditors can help you implement these insights in your organisation. Book a strategic consultation today.
