Fluency with Generative AI and Compliance Policies

AuditBoard Engineering
6 min read · Mar 13, 2024

Author: Scott Newcomer, Staff Software Engineer

The Task
For Compliance professionals, maintaining formal compliance docs such as Policies for your organization is incredibly important to ensure the organization operates ethically, legally, and responsibly. Policies need to be clear, concise, and specific, setting a clear expectation of behavior or outcomes. Moreover, they need to be communicated effectively. Researching and writing policies can be a daunting task requiring an inordinate amount of time (even to come up with an initial draft). This post will walk you through using Generative AI to make things a little bit easier.

I dove into Generative Artificial Intelligence (GenAI) in my previous article, detailing the history and mathematical details that got us to today. This article will focus on getting value out of these tools. For context, GenAI is a branch of AI that involves large language models (LLMs) trained on vast amounts of text and built to output text. With large models like OpenAI’s GPT4, the training text sufficiently represents much of what we humans have put in writing and online. As a result, interacting with these models is a skill in itself and effective prompting is essential for obtaining desired outputs from LLMs. In order to get good outputs, you need good prompts.

Interacting with Generative AI
A common starting point for a Compliance professional may be to take previous Policies and use them as the basis for your next Policy. This can end up being a reductive exercise, likely cutting out the meat of the paragraphs and leaving a thin shell of soon-to-be rewritten headings. This approach does not provide a dynamic canvas or gateway for exploration and insights. With GenAI, you have a modern tool that can push your initial draft beyond just templates and mediocre drafts to directionally correct, informationally rich starting points for further refinement and enhancement.

As you interact with GenAI models, take care in reading through the entire answer and seek out potential errors. When applicable, ask the model for sources to confirm the information generated by the model.

Let’s take a look at some prompt examples and the corresponding output using the free ChatGPT version available here.

Simple Prompt
Our first exploration of a prompt to generate Policies will start quite simply. We can just tell the model to craft us an Access Control Policy.

> User: “Can you please write me an access control policy covering identity and account creation, user provisioning, user removal, periodic access review, privileged access, role based access control, and remote access?”

ChatGPT: Access Control Policy

1. Identity and Account Creation:

1.1. All users accessing the organization's systems and resources must
have a unique user account tied to their individual identity.

1.2. User account creation is initiated by the IT department upon
receiving a formal request from the relevant department manager
or supervisor.

1.3. User accounts must adhere to the organization's password policy,
including complexity requirements and regular password changes.

2. User Provisioning:

2.1. User access rights are provisioned based on the principle of
least privilege, where users are granted the minimum access necessary
to perform their job functions effectively.

……

Ok, that is looking alright. I cut off the rest of the text, given the non-deterministic behavior of Generative AI models (your output will differ). It is lacking meaty details in each section, and some of the language could reflect a stricter stance on items such as Access Removal. For example, whereas this instance outputs “User accounts must be promptly deactivated”, a company may want to replace the word “promptly” with “immediately” to reflect the need for absence of delay and instant action. I’m sure we can improve on it.
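As an added example (not part of the original post), here is a small Python reviewer for a draft like the one above: it checks that every section the prompt requested is present and flags hedging words a company may want to tighten, such as the “promptly” noted above. It assumes the top-level numbered headings ChatGPT produced; the sample draft and the list of weak terms are constructed.

```python
import re

# Sections the post's prompt asked for; the draft must cover each one.
REQUIRED_SECTIONS = [
    "identity and account creation", "user provisioning", "user removal",
    "periodic access review", "privileged access",
    "role based access control", "remote access",
]
# Hedging terms and stricter wording a reviewer may prefer (assumed list,
# seeded by the post's "promptly" -> "immediately" observation).
WEAK_TERMS = {"promptly": "immediately", "should": "must",
              "where possible": "always"}
# Top-level headings like "3. User Removal:" (assumes the numbered layout
# ChatGPT produced in the post); "3.1. ..." lines are body text, not headings.
HEADING_RE = re.compile(r"^\s*\d+\.\s+([^\n:]+):?\s*$", re.MULTILINE)

def split_sections(draft):
    """Map each normalised top-level heading to its body text."""
    heads = list(HEADING_RE.finditer(draft))
    sections = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(draft)
        title = re.sub(r"[-_]+", " ", m.group(1)).strip().lower()
        sections[title] = draft[m.end():end]
    return sections

def review_draft(draft, required=REQUIRED_SECTIONS, weak=WEAK_TERMS):
    """Return required sections the draft lacks and each hedging phrase
    found, as (section, term, suggested replacement, sentence)."""
    sections = split_sections(draft)
    missing = [s for s in required if s not in sections]
    findings = []
    for title, body in sections.items():
        flat = " ".join(body.split())  # re-join lines the model wrapped
        for sentence in re.split(r"(?<=[.;])\s+", flat):
            for term, better in weak.items():
                if re.search(rf"\b{re.escape(term)}\b", sentence, re.I):
                    findings.append((title, term, better, sentence))
    return {"missing_sections": missing, "weak_language": findings}

# Constructed sample draft in the shape of the post's first ChatGPT output.
SAMPLE_DRAFT = """1. Identity and Account Creation:
1.1. All users must have a unique account tied to their identity.
2. User Removal:
2.1. User accounts must be promptly deactivated upon termination.
2.2. Managers should notify IT of role changes.
3. Remote Access:
3.1. Remote access requires MFA where possible.
"""
print(review_draft(SAMPLE_DRAFT))
```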

Add More Context
Next, let’s imbue the prompt with surrounding context such as Framework Requirements and additional details about the company in question.

> User: “I am a compliance manager for a large multinational corporation operating in both the United States and Japan. We maintain strict access controls for our employees to prevent access to sensitive information and government information. Can you please write me an access control policy covering identity and account creation, user provisioning, user removal, periodic access review, privileged access, role based access control, and remote access that aligns to the requirements of NIST 800–53 and ISO-27001? Please include as much detail for each section as possible and reflect our risk posture.”

ChatGPT: Access Control Policy

1. Identity and Account Creation:

1.1. Policy Statement: The organization implements stringent identity and
account creation procedures to ensure that only authorized individuals
have access to sensitive information and resources.

1.2. Procedure:

- All employees requiring access to the organization's systems and
resources must undergo a formal identity verification process.
- Account creation requests are initiated by the respective department
manager or supervisor and submitted to the IT department.
- The IT department creates user accounts following a standardized
process, including verification of identity and assignment of appropriate
access permissions.
……

As you read through the rest of the output, you will notice language that reflects the requirements and wording of each framework, as well as a deeper understanding of each section required to craft a comprehensive Policy.

Larger Models
So far, we have been using GPT 3.5 through the ChatGPT free interface. However, OpenAI released GPT 4 — a larger, improved version of GPT 3.5. Although the specific details are not known, we can deduce its behavior from various benchmarks. Note that you might need a paid version of ChatGPT or a corporate account with tools like Microsoft Azure to access the latest and greatest models. Let’s give it a try.

GPT 4: Access Control Policy
Document Version: 1.0
Effective Date: [Insert Date]
Review Date: [Insert Date]
Approved by: [Name/Title]

1. Purpose
The purpose of this Access Control Policy is to define the requirements
for accessing the information systems and assets of [Company Name],
ensuring the security and confidentiality of sensitive information,
particularly that which pertains to our governmental contracts in the
United States and Japan.

2. Scope
This policy applies to all employees, contractors, and third-party
representatives of [Company Name] who may have access to corporate
information systems and data.

3. Policy

3.1 Identity and Account Creation

- All user accounts must be uniquely identifiable with a strict no-sharing
policy. Identity verification measures must be employed before account
creation.
- User accounts will be created following a formal approval process that
involves the direct supervisor and the IT department.
- Accounts must adhere to a strong password policy and, where possible,
utilize multi-factor authentication (MFA).

……

As expected, this version gives us a much better starting point for crafting our Policy. It exhibits more natural prose with better domain and context understanding. As models become larger, you can expect Generative models to continue to improve their outputs, as you have seen here.

Advanced
You may decide this is a good enough starting point. However, I have a few more tricks to suggest. To take your prompting skills to the next level, here are some additional prompt strategies to try out.

  1. Case Study Prompts: Present a case study in the prompt related to the Policy and ask the AI to address the challenges presented in the case study. For example, you can describe a data privacy breach incident and prompt the AI to generate a data breach response Policy.
  2. Comparative Prompts: Prompt the AI to compare the differences between GDPR and CCPA compliance requirements and then subsequently generate a policy that aligns with both regulations. This encourages the model to think and bring in sufficient context before outputting a Policy.
  3. Customized Templates: Create customized prompts based on specific policy templates or frameworks relevant to your company. For example, provide a template for an IT security policy and prompt the AI to customize it according to your organization’s specific requirements and risk posture.
  4. Hypothetical Situations: Present hypothetical scenarios or future regulatory changes and prompt the AI to generate policies that anticipate and address potential challenges or compliance requirements. This is the forward thinking the profession needs.
  5. Follow-up Questions: GPT and other tools are also conversational agents: they base each response on the recent chat history. For example, you can ask follow-up questions to guide the AI to add more detail, or you might follow up with a command such as “Could you incorporate a glossary for specialized vocabulary at the end, please?”.

Conclusion
The art of prompting will continue to progress as we learn more about how to extract value from Generative AI. Once you become an expert in interacting with Generative AI models, you can begin to apply these same strategies to Narratives along with any other content needed for your job!
