Tech Trends, Technology Articles

Harnessing AI & ChatGPT for Compliance Automation

Harnessing AI & ChatGPT for Compliance Automation – cover image

Large language models (LLMs) are rapidly gaining prominence in the technological landscape, becoming indispensable tools in the toolkits for a wide range of teams, from software development to marketing. LLMs can benefit nearly all stages of building a product, from concept creation and documentation to design, prototyping, testing, and final production.

According to the survey published in Forbes, over 50% of data scientists and engineers plan to deploy large language model applications into production ASAP. However, numerous teams still hesitate to incorporate LLM solutions into their production processes due to concerns regarding the high costs associated with the pre-implementation research and the unpredictability of the results post-implementation.

At Akvelon, we have deep-dived into the LLMs functionalities and possible limitations for various applications. Moreover, we've already successfully utilized ChatGPT to build several next-gen solutions, like an AI-powered Website Visitor Assistant or a Study Chatbot.

This time, we explored the perspectives of LLM applications and profitability in cases related to compliance and governance and found out these solutions can contribute to the creation of not just general procedural documents but more specific guidelines and policies.

Phase 0. Discover ChatGPT's Capabilities in Streamlining Compliance

Many large organizations with distinct units choose enterprise solutions for their compliance needs and have already built their governance, risk, and compliance (GRC) processes. But what if your company, while not quite at the enterprise scale, still requires a robust toolkit to navigate the complexities of compliance or embark on its compliance path?

Large language solutions, such as ChatGPT, can become a solid and sustainable alternative to enterprise-scale costly solutions thanks to their ability to process natural language, reply in a human-like manner, and give a versatile, valuable output when adequately prompted. However, there are still certain limitations associated with LLMs, including the potential for biased or incomplete responses and privacy and confidentiality concerns that must be navigated. We'll talk more about them later on in this article.

Exploring the compliance capabilities of LLMs, we identified areas where they can bring certain value. In our case, we specifically used the GPT-3.5 Turbo model.

LLM Potential Contribution to Compliance

Phase 1. Try to Make Some Paperwork With the Help of AI

In the realm of cybersecurity, well-crafted documentation is essential. And LLMs do not just excel in text generation, they're also well-trained on massive amounts of all sorts of data, including various cybersecurity frameworks and industry-specific standards, which makes them powerful tools for generating security and compliance docs and helping with ongoing paperwork. This is especially true if we're talking about advanced LLM solutions like ChatGPT. 

While LLMs present some challenges, such as occasional complexities in usage and the need to verify responses, their benefits outweigh these hurdles. With proper configuration and expert guidance, these tools can significantly simplify the process of creating and maintaining cybersecurity documentation, helping companies achieve and maintain compliance, produce comprehensive documentation, and enhance their overall security.

Let's uncover the practical benefits of ChatGPT for the paperwork using real-world prompts and examples. We've provided a series of requests and showcased the corresponding outputs generated by the LLM.

Prompt Item Expected Outcome An Example of ChatGPT-Generated Documentation

Act as a compliance officer as if you have to do your paperwork to write the Information Security Policy. Write me a clear Information Security Policy to align with the ISO 2700x requirements. Do not write anything generic. Gather the whole text into a sustainable Word document format.

Information Security Policy [Your Company Name].

Information Security Policy Example

Act like an IT Auditor. You have to fill the gap in the documentation with a password security policy. Write me the clear Information Password Security Policy to align with the best frameworks' requirements. Do not write anything generic. Gather the whole text into the sustainable Word document format.

Password Security Policy [Your Company Name].

Password Security Policy Example

Effective Communication with ChatGPT

The way you engage with an LLM model directly affects the value you derive from such tools. There are specific "best practices" you should employ for a more enriched and fulfilling experience.

Consider using these common tips for more effective communication with LLMs like ChatGPT and achieving better results:

  1. Role-play for enhanced outcomes

Framing your prompts as if ChatGPT is an actor or expert in a specific field helps you get more focused and relevant responses. By providing context and a clear role for the AI, you can navigate the conversation towards the desired outcomes. 

  1. Avoid bias through original prompts

Direct copy-pasting of existing company documentation into ChatGPT prompts can lead to bias and limit the AI's ability to generate original content. Instead, use the LLM to get fresh perspectives and outlines that you can process further.

  1. Verify and validate responses

Always make sure to review and verify the information generated by ChatGPT to ensure accuracy and relevance. Remember, you are ultimately responsible for the content you use, so careful analysis is essential.

Phase 2. Move From Generic Guidelines to In-depth Processes

A robust Security Policy is essential for ensuring the integrity of the Confidentiality, Integrity, and Availability (CIA) security triad. However, what happens if that alone isn't sufficient enough and there's a daily shortfall in cybersecurity processes?

Addressing this situation often involves manually creating and detailing an entire suite of processes – a task that's time-consuming and nearly impossible to handle when facing tight deadlines. As a solution, leveraging ChatGPT with well-crafted prompts can help you navigate these challenges more efficiently and expediently. Let's review a couple of prompts you can use to generate the docs with the essential procedures described using ChatGPT.

Prompt Item Expected Outcome An Example of ChatGPT-Generated Documentation

Act like a cybersecurity officer. You have to create the specific processes map aligned with ISO 27001 Controls. Write it in a table. Do not write anything generic.

Specific processes map aligned with key ISO 27001 controls

ISO27001 Controls

You are the head of the Cybersecurity Incident Response team and you have to document your whole processes into the incident management guideline. Do not write anything generic. Write the checks in a table. Be specific.

Detailed steps for the incident management guideline

Incident Management Guideline

The documents generated by ChatGPT provide a clearer perspective on each step involved in two distinct processes: aligning with controls required by the ISO 27001 standard and establishing incident management guidelines. By following the suggested steps, teams can implement the missing processes faster and enhance their readiness for handling specific situations, such as security incidents. However, it's crucial to remember that the guidelines provided by ChatGPT serve as high-level examples and should be tailored to meet the unique requirements of each organization.

Phase 3. Fill the Gaps in Processes

While ChatGPT proves to be an efficient toolkit for organizations at 0 level of process maturity, its capabilities extend beyond process creation. As compliance needs evolve towards process comprehensiveness, ChatGPT can transition into a CISO-like role, analyzing existing processes to identify and highlight potential gaps. This adaptability makes the LLM a valuable asset throughout an organization's compliance journey, from establishing foundational procedures to refining and optimizing them over time. See the particular prompts we used to identify certain procedural drawbacks.

Prompt Item Expected Outcome ChatGPT Responses

Act like a CISO. Identify the gap in the process of the user lifecycle actions list related to the access management process. You currently have the following steps: User Provisioning, User Deprovisioning

Particular steps to fill the gaps in the user’s lifecycle

Missing Step: User Modification

Description: User modification refers to the process of making changes to a user's access rights and permissions after the initial provisioning. This step is essential because user roles and access requirements may change over time due to various factors such as job role changes, project assignments, or changes in security policies.


  • Define a clear process for requesting and approving changes to user access rights.

  • Implement procedures for modifying user accounts, roles, and permissions based on approved requests.

  • Ensure that user modification requests are subject to proper authorization and validation.

  • Maintain an audit trail of user access changes for compliance and security monitoring.

Act like a head of Cybersecurity Incident Response Team. Identify gaps in the “Incident Response Actions” list related to the “Security Incident” process. You currently have the following steps: I ncident Identification, Incident Classification, Containment and Eradication

Particular missing steps within incident management

Missing Step: Root Cause Analysis

Description: Root Cause Analysis is the process of identifying the underlying reasons and vulnerabilities that led to the security incident. It helps in understanding how and why the incident occurred, which is essential for preventing similar incidents in the future.


  • Investigate the incident to determine the specific vulnerabilities or weaknesses that allowed the incident to happen.

  • Analyze the actions or events that led to the incident, including the attack vector, system vulnerabilities, and human factors.

  • Determine if the incident was the result of a technical flaw, policy violation, or other systemic issues.

  • Assess whether the incident could have been prevented with different security measures or practices.

Although ChatGPT can assist in justifying particular actions within processes and identifying gaps, the ultimate responsibility for ensuring the comprehensiveness and effectiveness of the procedures still lies on the Cybersecurity Compliance manager. Also, the specific implementation of the processes should be tailored to align with each organization's unique needs and context.

Phase 4. ChatGPT Limitations and Common Pitfalls

While ChatGPT offers immense potential in detailing and implementing specific processes and compliance-related procedures, as already mentioned, it does have limitations, particularly with tasks like bridging gaps or merging multiple documents. In this section, we'll outline practices to avoid when using ChatGPT for compliance to ensure optimal results and give examples of the prompts that will not work despite being well-formulated.

What to Avoid When Using ChatGPT for Compliance

1)Using ChatGPT's output without additional verification of results

When working with LLMs like ChatGPT, reviewing and validating the outputs they generate is universally recommended. However, the importance of this verification becomes even more critical in specific scenarios, for instance, when you're expecting an LLM to manage tasks that involve establishing contextual connections. While LLMs are advanced, they can rarely grasp or maintain the intricacies inherent in some complex contexts.

ChatGPT Failed Prompt 1

2)Entrusting LLMs with lists comparison and detection of missing processes

LLMs like ChatGPT are limited when it comes to tasks that require meticulous comparison, especially of complex lists such as those associated with standards like ISO27001. Even when provided with detailed and precise prompts, ChatGPT might not reliably pinpoint specific processes that need to be added, resulting in inaccuracies.

ChatGPT failed prompt 2

3)Using ChatGPT as a standalone compliance toolkit for comprehensive ISO or SOC assertions

ChatGPT can assist in streamlining and enhancing specific aspects of compliance initiatives, but it's not a comprehensive solution for implementing standards like ISO or SOC. It can help identify areas for improvement and provide insights into key processes, but it should be used in conjunction with other resources and expertise to achieve full compliance.

ChatGPT Failed Prompt 3


Integrating AI-powered tools like ChatGPT can revolutionize how organizations manage cybersecurity compliance. LLMs have the potential to provide a streamlined approach to meeting industry standards and regulatory requirements when used correctly and with diligent output verification.

By harnessing AI's capabilities, organizations can pinpoint compliance gaps, refine processes, and adapt to the changing threat landscape. ChatGPT, in particular, allows for a proactive and thorough approach to cybersecurity compliance, helping organizations set up the core processes to base on for further compliance development and maintenance.

To Be Continued

In this article, we mostly paid attention to the creation of general cybersecurity policies and procedures for compliance using ChatGPT. We're going to continue this series further and, in the upcoming articles, cover the aspects of Incident Management and Vendor Management optimization with the help of LLM solutions. So, stay tuned!

Oleg Oparin, Akvelon

Oleg Oparin

Technical Project Manager at Akvelon