The future of compliance with generative AI technology

Everyone says that generative AI technology will change the world, but how will it change the compliance world? If you are working with ISO, cybersecurity, privacy, or any other type of compliance, how will AI change your work? And will you have any work at all?

Generative AI technology will have a profound effect on all aspects of compliance and all players within the compliance industry:
  • Implementation projects
  • Compliance maintenance
  • Training
  • Software providers
  • Consultants

In my view, generative AI technology will change the way compliance is done to a large degree, and in most cases, rather than taking away jobs in the compliance industry, it will change the nature of work — in a positive way.

Let’s see how generative AI technology (through AI compliance software or apps) could change compliance implementation projects, maintenance of compliance, consulting work, trainings, and compliance software providers.

The future of compliance with generative AI technology - Advisera

Compliance implementation projects

Companies that are starting their compliance projects will benefit from the following:

Answering questions. AI compliance apps will be able to answer almost any question (directly or through Slack, MS Teams, and others) — not only simple questions like “What are the ISO 27001 implementation steps?”, but also more sophisticated ones like “How to set the ISMS scope if we have some offices out of the country, some employees are working remotely, and cloud services are provided by our sister company?” This kind of Q&A feature will considerably speed up the implementation projects, since the project managers will not need to wait for an expert answer, and it will reduce mistakes during the project.

Document writing. AI compliance apps will be able to generate documents that are automatically personalized for the specific needs of a company — this will not only reduce the manual work, but also increase the overall satisfaction of the company’s employees because documents will be more adapted and realistic. For example, an AI compliance app will be able to create a Backup Policy that is adapted to the specific backup technology the company is using, and to their existing roles & responsibilities for performing the backup.

Review of documents. AI compliance apps will be able to review policies, procedures, and other documents to find if they are fully compliant with standards and legislation, and if there are any inconsistencies. For example, if you have written a Quality Policy, but omitted a commitment to continual improvement, the app will suggest that you include this commitment because it is required by ISO 9001.

Personalized micro-trainings. AI compliance apps will be able to teach your employees exactly the pieces of knowledge that are missing for a particular task. For example, if a person acting as a data protection officer does not know how to handle a data subject access request according to the GDPR, the app will suggest which videos to watch from an existing GDPR course or generate training videos for that purpose that are adapted for the specific circumstances in the company.

Internal audit & pre-certification check. AI compliance apps will be able to review your system before you complete your implementation, and/or before you go for the certification, in order to reduce the possibility of non-compliance. For example, for a particular healthcare provider, the app could create all procedures and checklists for a HIPAA internal audit, check if all documentation and records are compliant with the regulation, and create a draft report. This probably won’t replace internal auditors, but will certainly speed up their work.

Maintenance of compliance

Companies that are already compliant with a standard or a regulation, need to invest effort into maintaining their compliance and will therefore welcome the following AI capabilities:

Updating the documents. AI compliance apps will be able to review the documents and automatically propose changes to them. For example, if a company has the documentation written according to the old 2013 revision of ISO 27001, the app will automatically rewrite the documents to be compliant with the latest 2022 revision of the standard. This way, manual work will be reduced drastically, delays will be avoided, and the chance of something going wrong will be reduced.

Monitoring of conversations. AI compliance apps will be able to monitor conversations via Slack, MS Teams, email, and similar channels to make sure that everything is compliant with legislation, standards, and internal rules. The point will not be to start the disciplinary process, but to act preventively in order to avoid any non-compliance — for example, a manager in the marketing department might propose a new outreach campaign, but the AI compliance app might warn him that this would not be compliant with the GDPR.

Speeding up meetings. AI compliance apps will be able to generate meeting agendas and perform after-meeting administrative activities. For example, prior to an ISO 14001 management review, the app will generate all the items that need to be discussed based on the current EMS documentation, and after the meeting, it will automatically create minutes of the meeting and open corrective actions that were agreed upon. Besides saving everyone’s time, this will also ensure that nothing important is missing.

Answering customer questionnaires. AI compliance apps will be able to automatically answer questionnaires sent by customers. For example, a software development company that has received a detailed cybersecurity questionnaire will be able to upload all its security documents to the app, and the app will answer all the questions in this questionnaire. This will save time for security personnel, which also means reducing costs.

How will the training change?

Training providers and trainers will have to change how they handle compliance trainings — here are some of the things that will change:

Creating & personalizing courses. AI compliance apps will be able to generate training curricula, training scripts, and even training videos automatically, and all this will be personalized for a particular company. For example, an AI compliance app will be able to develop security awareness training that is specific to a bank’s core processes and technology, and that is compliant with SOC 2 and cybersecurity regulations specific to the financial industry. This will not only reduce the developmental work, but also drastically increase the effectiveness of the training.

Interactive online courses. AI compliance apps will enable online students to interact directly with an app, overcoming one of the most important shortcomings of pre-recorded online courses. For example, if a student is watching a course on ISO 13485, she might not understand exactly how sterilization of medical devices is performed and might ask further questions on how this is done for a particular type of device; an app might display quizzes during the lesson that are adapted to a student’s level of knowledge, her position in the company, and the type of company this person is working for. All this will increase student satisfaction, as well as the pass rate on the exams.

Role plays. AI compliance apps will be able to present students with real-life exercises that will require resolving a situation through role play. For example, an AI compliance app will be able to present students with a specific layout of facilities and machinery in their company and ask the students how they would react to a certain health & safety hazard if they were a manager — at the end of the exercise, the app would provide feedback on whether the students’ reactions were compliant with ISO 45001 and local health & safety regulations.

For compliance software providers

Companies that provide GRC and other software solutions will continue to have an important role in the compliance world; however, they will need to integrate generative AI in order to stay competitive through:

  • Answering questions — clients will expect not only support, but expert questions to be answered immediately.
  • Handling documents — clients will expect their documents to be generated (based on company profile and other uploaded documents), reviewed, and kept up to date, all automatically.
  • Registers — clients will expect their registers (e.g., Risk Register, Register of Requirements, Corrective Actions, Data Protection Impact Assessment, etc.) to be filled out automatically, and to be adapted to specific company circumstances.
  • Trainings — clients will expect personalized micro-trainings to be available as part of the software, in order to teach users how to perform the next steps in the implementation.
  • User interface — the overall user interface will become more conversational, where users will not have to search through menus to activate a particular action — rather, users will be able to type any kind of command and the software will be able to recognize what needs to be done.

Compliance - what will be affected by generative AI technology?

 

How will AI compliance apps achieve all this?

As the basis for all the features that are mentioned above, AI compliance apps will need to have access to a complete knowledge base of appropriate legislation, standards, and internal documentation.

Further, AI compliance apps will need several other capabilities:

  • Integration with several communication channels (e.g., email, Slack, MS Teams, etc.).
  • Integration with file systems that contain documentation and records (e.g., Google Drive, Box, MS SharePoint, etc.).
  • Database of templates for all policies and procedures.
  • Ability to recognize what is and what is not compliant with legislation, standards, and internal documentation.
  • Ability to monitor conversations, documentation, records, etc., and trigger appropriate actions.
  • Algorithms to properly recognize the user’s activity and commands, and trigger the appropriate action.

Of course, this is not a complete list of the underlying technology, but just a glimpse of what will be needed for such a big change.

Why not use ChatGPT?

Generic AI applications like ChatGPT and Google Bard are not going to be a good fit for AI compliance apps for two key reasons:

  1. AI compliance apps will need to have very specific knowledge in order to provide reliable answers, while generic AI applications are not trained on such proprietary data.
  2. Many clients have great security and privacy concerns, which can be resolved through AI compliance apps, but not through generic AI applications.

Of course, ChatGPT will remain a great tool for writing essays and a lot of other activities, but when it comes to very specific compliance work, specialized AI compliance apps will have an advantage.

Will there be any work left for consultants?

Looking at all of the things above, you might wonder — what will be left for consultants to do? My guess is that consultants will still have a lot to do, but their jobs will start to change.

Consultants will need to start using AI tools to speed up their work and decrease administrative effort — for example, when working for a client, AI compliance apps will write management review minutes instead of the consultant, help them develop a training plan, or help them write a new policy.

Consultants will also be able to use other AI tools (that I didn’t mention in this article) — AI-powered project management tools, analytical tools, collaboration tools, etc. — to save their time and increase their effectiveness.

All this will leave consultants with more time not only to take on more clients, but also to concentrate on higher-quality work that AI will not be able to do — complex decision making, critical thinking, conceptualization, in-depth analysis of specific situations, developing strategies, advising clients on key decisions, and investing more time in developing relationships with clients.

Finally, someone will have to train these AI compliance apps with specific proprietary data, and this takes lots of people, and a great effort. And this kind of insight is best provided by consultants, since they have the greatest expertise.

Is this all going to happen?

I know that what I presented above is a lot, and it is probably hard to digest. But the fact is — the technology is already here, and the compliance pain is also already here (no one really wants to spend too much time on compliance). Therefore, I think this generative AI technology is a perfect fit for this pain to be resolved.

Here at Advisera, we are convinced this is the right direction, and we are working very hard for this vision to come true. The first piece of this is already visible through Experta, our AI-powered ISO knowledge base, and we are continuing to develop other features described in this article.

What do you think of this vision? Feel free to comment below, or contact me directly via my LinkedIn profile: https://www.linkedin.com/in/dejankosutic

Sign up here for free to Experta, the AI-Powered ISO Knowledge Base you can ask any ISO 27001, ISO 9001, or ISO 14001 question, and get help with your implementation, maintenance, consulting, or training.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic