Security Boulevard (Original)

6clicks Taps GPT-3 to Automate Writing of GRC Controls

6clicks today announced it has integrated its namesake governance, risk and compliance management (GRC) platform with generative AI to make it simpler to create policies. The 6clicks platform is based on an artificial intelligence (AI) engine it developed with the GPT-3 platform created by OpenAI.

Anthony Stevens, CEO of 6clicks, said creating policies based on regulation is a content-intensive task that can be automated using the generative pre-trained transformer (GPT) platform from OpenAI. OpenAI’s GPT platform can be trained to create policies using prompt engineering techniques. Cybersecurity teams can expose OpenAI to the regulations and automatically generate policies that will be generally clearer and more precise than ones they would otherwise have to write themselves, he noted.

The 6clicks platform is based on an AI engine, known as Ask Hailey, that automates compliance mapping between regulations to identify overlaps between controls, which lets cybersecurity teams work more efficiently. Instead of rewriting the same control multiple times, Stevens said the goal is to make it simpler for cybersecurity teams to repurpose as many controls as possible.

The integration between Ask Hailey and OpenAI’s GPT platform uses the same version of GPT that Microsoft leverages, which gives cybersecurity teams access to a model trained on more recent content and prompts, said Stevens. Microsoft has invested $10 billion in OpenAI.

Prompt engineering requires organizations to embed a description of the task in the input so that a GPT model returns a specific type of content, such as a policy written against a named regulation. It is the same technique that cybersecurity researchers have used to show how a GPT platform might be used to launch phishing attacks, among other malicious activities. In this case, however, the technique is being used to make cybersecurity teams more efficient. As with any generated text, the output still needs to be reviewed against the source regulation before it is adopted as policy.

Via integration with GPT, Ask Hailey can now use a natural language processing (NLP) engine to understand and interpret nuanced text more naturally, said Stevens. It not only provides data about standards and regulations, but it can also provide critical information about the implications of those standards and regulations to enable organizations to make better informed decisions, he added. For example, when defining a cybersecurity access management policy in 6clicks based on ISO 27001 and NIST CSF, Ask Hailey will understand the specific wording and context of those standards as well as the policy scope and generate a bespoke description of the policy.

Specifically, in addition to identifying overlaps between controls, Ask Hailey can now do three more things: generate policy and control documentation based on related standards, frameworks or regulations; generate control definitions based on the context, risks and associated references; and map standards, laws and regulations so that compliance with all of them can be demonstrated from a single assessment.

GPT platforms are arriving at a time when regulation is steadily increasing worldwide. Countries around the world are moving to implement data privacy regulations that, while sharing a common goal, each present unique nuances that will need to be navigated. For example, in his State of the Union speech, President Biden called for clear and strict limits on the ability of organizations to collect, use, transfer and maintain personal data.

The issue now is not so much whether these types of regulations will take effect but how best to comply with them at a level of scale that will be difficult to achieve without relying more on AI.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
