Woman using virtual touch screen showing AI and GRC

How Can We Safely Use Artificial Intelligence to Simplify GRC Goals?

Artificial intelligence (AI) and Large Language Models (LLM) have dominated news cycles for months, and many organizations have created fascinating new ways to use generative AI to solve problems, particularly tasks requiring a lot of repetitive work. One potential area where AI could significantly improve the compliance process is assisting in the complex task of writing accurate controls for security plans, but it’s important to ask how to use these advanced AI tools safely without leaking any proprietary or sensitive information.

Complex compliance processes

As security frameworks continue to evolve and governments around the world release and update more security and privacy regulations, creating and maintaining security plans consumes a vast amount of time and effort. Governance, risk, and compliance (GRC) teams have tens of thousands of words to write for these plans, along with hundreds of controls. Each authority has specific requirements regarding how security plans and controls need to be written. For security plans, teams must write control implementation statements for 300 to 400 controls, policies, and incident response plans. It’s complicated, time-consuming, and repetitive. In other words, it’s an ideal space for AI and machine learning (ML) to minimize repetitive efforts and speed up the time it takes to create new and updated plans that meet specific requirements.

AI training challenges

Compliance and security teams have historically resisted sharing security plans and security artifacts. Frequently, these teams are worried that sharing detailed security plans could provide a roadmap for compromising the system, so it’s often limited to only those who need the information. But ML relies on large, curated data sets – sets that don’t yet exist in this space.

There are a few challenges to be aware of as we think about training AI to help with GRC goals:

  • Data availability: Compliance and security data are often sensitive and confidential, so getting permission for enough data to train AI models may be difficult.
  • Data quality: It’s important to use complete, up-to-date data, otherwise, the output will not serve the pressing needs of compliance and security teams.
  • Data quantity: Unlike image archives, there aren’t one thousand to ten thousand security plans to train from. Collecting enough data to train AI models may be difficult.
  • Data security: Data entered into and processed by the model must be kept secure; it cannot be leaked or made available to external entities.
  • Domain expertise: Ensuring experts in compliance and security are involved in training AI for use in creating security plans and documents is essential to create AI models that are effective and reliable in this space.

Addressing these challenges may be easier than many in cybersecurity fear. AI is already trained on public documents, such as the actual control documents. ChatGPT or another generative AI solution can already help with clarifications and generating some repetitive text requiring minor variation.

Explaining individual controls to stakeholders

One challenge compliance and security teams often encounter is explaining all the diverse individual controls to various stakeholders. Is the explanation intended for a system owner or a software engineer? Is it designed for a board member or the engineer who needs to know what data it needs to deliver for a time stamp? Each stakeholder needs different information based on their level of understanding and expertise, and generative AI can make it easy to deliver. It’s possible to pick an individual control, ask for customized versions for each stakeholder, and get results in seconds. For example, stakeholders who are:

  • Technical receive a detailed explanation of control, including its purpose, how it works, its limitations, diagrams, and other details.
  • Non-technical get a general explanation of the control, its benefits, and how it protects the organization.
  • Risk managers receive information about the control and the potential consequences of a breach.

The ability to quickly deliver explanations tailored to the specific needs of each stakeholder helps compliance and security teams ensure that everyone in the organization understands the controls and can make informed decisions for their individual roles. Organizations might also use LLMs to create customized versions of control catalogs that particular roles would understand. Leveraging these explanations, LLMs may even suggest example text for a control, helping teams write them more quickly. These capabilities alone can improve overall GRC goals, but how else can organizations use AI tools to improve overall compliance and security?

Securing sensitive data & using advanced AI tools

The fear that engineers and other users might inadvertently leak sensitive company information when using generative AI is far from ill-founded. Three incidents occurred with Samsung Electronics by early April 2023 as employees sought to use ChatGPT to optimize code for identifying defects in equipment, generating meeting minutes, and fixing errors in source code. These problems weren’t unexpected — security analysts warned early that the data shared with ChatGPT becomes part of the training data for ML/LLM and accessible to someone using the right prompts.

Aligning to internal security policies

Given these reasonable concerns, it’s important to find a way to make it easy for software developers to interact with generative AI tools but still follow the company’s internal security policies. These policies must include guidelines about what type of information is sent to the AI tool (for example, blocking the sharing of sensitive or proprietary information) and the information returned and controls on that information. Critically, the enterprise itself must be able to manage and monitor a control point for all data processed by generative AI tools.

This type of process can and should include the ability to add more information to the prompt before it is sent on. By putting the right policies and capabilities in place, organizations can automatically adjust the prompt, providing more context related to the control or the organization’s specific requirements. That improves the quality of the information returned from the AI tool, so the results are more helpful to developers and engineers.

Harnessing AI for compliance and security

As organizations worldwide seek to use these compelling technologies, it’s essential to approach them carefully and thoughtfully. Without policies and controls to manage what types of data leave the organization and how developers leverage these tools, proprietary and sensitive data could become compromised and put the organization at risk. Understandably, developers want to be able to use AI tools to do their jobs more efficiently. AI can become a transformative force in meeting today’s compliance and security needs, provided organizations create a happy path that ensures data isn’t leaked and empowers developers to use AI safely.