Organizations face many challenges regarding cybersecurity, including keeping up with the ever-evolving threat landscape and complying with regulatory requirements. In addition, the cybersecurity skill shortage makes it more difficult for organizations to adequately staff their risk and compliance functions. According to the (ISC)2 2022 Cybersecurity Workforce Study, the global cybersecurity workforce gap has increased by 26.2%, with 3.4 million more workers needed to secure assets effectively.

Organizations must employ technologies like artificial intelligence (AI), collaboration tools and analytics to cope with the situation efficiently. To that end, ChatGPT can be an enabler for organizational governance, risk and compliance (GRC) functions.

ChatGPT addresses typical GRC use cases

A significant advancement in natural language processing (NLP) technologies has allowed for more accurate and nuanced language analysis, leading to better and more reliable insights. By leveraging the power of NLP technology, ChatGPT, the AI-based chatbot developed by OpenAI, can generate coherent and relevant responses to a wide range of questions and topics. Some reasons for ChatGPT’s popularity include the ability to understand human language and context, tailor responses based on previous conversations and retrieve vast amounts of information. ChatGPT is powered by GPT-3.5-turbo, OpenAI’s most advanced language model. OpenAI has also developed various language models with different capabilities and use cases, like Codex, DALL-E, Ada and Davinci.

With ChatGPT, GRC analysts have a valuable tool to use in navigating the world of risk and compliance. Let’s explore some of the GRC use cases ChatGPT can address.

Generate framework, policy and procedure documents

GRC analysts can use ChatGPT to generate draft policy or procedure documents by supplying basic information and guidelines. It can then use its NLP capabilities to create a coherent, well-structured document that meets the company’s GRC management requirements.

Additionally, GRC analysts can use it to evaluate policy and procedure documents by inputting a completed document into the model. Analyzing policy documents, providing feedback on effectiveness and highlighting areas that might require revision can also support the analyst.

Using ChatGPT for policy and procedure document creation and evaluation saves GRC analysts time while improving the overall quality of the documents.

But while ChatGPT can create the initial draft, analysts must use human judgment and expertise to evaluate and refine it to ensure that the information is appropriate for the company’s specific needs and complies with all relevant regulations and standards.

Manage regulatory compliance

ChatGPT can be a valuable tool to help GRC analysts manage compliance and minimize the risk of fines and penalties. Recently, Meta was hit with $414 million in fines by the European Union’s leading privacy watchdog. While traditional methods of managing compliance may still be in use, they may not be able to keep up with the rapidly changing regulatory landscape. Hence, ChatGPT is valuable for the following use cases:

  • It can help by reviewing and analyzing vast amounts of data from agencies worldwide. It can filter the data, find the specific requirements applicable to the organization/sector/geography and assess gaps in the existing processes to provide recommendations. This systematic approach can give the organization confidence in its approach to monitoring and maintaining regulatory requirements. For example, an IT organization complying with environmental, social and governance (ESG) regulations can leverage the technology for detailed insight related to the EU’s Energy Efficiency Directive for data centers or addressing modern slavery and human trafficking disclosure requirements under the UK’s Modern Slavery Act.
  • It can analyze compliance-related communications, such as articles, regulatory filings, emails and chat messages, for potential compliance risks. The model could be trained to detect keywords that indicate potential compliance issues and flag them for further review. However, ChatGPT is a chatbot, not a regulatory compliance tool. While it can analyze and understand text data related to compliance and regulation, it cannot actively monitor a company’s compliance or regulatory status.

Enhance risk assessment

ChatGPT’s vast knowledge of various industries and risk data should be leveraged to identify relevant risk factors. Risk managers can share information, such as incident reports, audit reports and regulatory filings, to identify potential risks. Analyzing this information will help the risk manager evaluate the risk’s impact quickly and accurately. For example, ChatGPT could be trained to analyze social media posts related to customer complaints to identify common patterns. It could then assess the likelihood and potential impact of those complaints on the company’s reputation.

The platform can also generate risk assessment reports that identify potential risks and provide recommendations for mitigation.

As an AI language model, ChatGPT can also potentially identify risks from network architecture diagrams. It may not be able to analyze the diagram itself, as it is an image, not text. Still, it can analyze textual descriptions and labels within a network architecture diagram to identify potential risks and vulnerabilities.

Improve fraud detection

Fraud is a significant risk for most organizations and is difficult to detect, especially when dealing with large volumes of data. ChatGPT could help process text data looking for potential fraud. A few examples include:

  • Emails: By analyzing emails, companies can identify patterns of communication that may indicate fraud, such as employees communicating with known fraudulent actors or discussing fraudulent activities.
  • Social media: Social media platforms can be a rich data source for detecting potential fraud. By analyzing social media posts and activity, companies can identify individuals or groups that may be engaging in fraudulent activity and patterns of behavior or language that may be associated with fraud.
  • Invoices: Analyzing invoice data helps companies identify suspicious patterns, such as duplicate invoices or invoices from unknown vendors.
  • Compliance documentation: Compliance documentation, such as audit reports and certifications, can help identify potential fraud or noncompliance.

However, text data analysis alone is insufficient for comprehensive fraud detection. It is most effective in conjunction with other fraud detection methods, such as data analytics and human expertise.

Support third-party assessment program

An analyst can leverage ChatGPT for a range of activities in a third-party assessment program:

  • It can be trained to provide guidance on assessment criteria and assist third-party assessors in understanding specific assessment requirements. It can provide information on industry best practices for security and compliance, including frameworks such as SOC 2, Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA).
  • The model can analyze assessment data and identify patterns or trends, like analysis of third-party survey responses or audit findings, to identify common themes or areas where the organization may need to improve its compliance program.
  • It can conduct risk assessments based on specific criteria, such as risk factors related to a particular industry or region. This can help third-party assessors identify potential risks and provide guidance on implementing security controls to mitigate them.
  • It can provide ongoing education and training for third-party assessors.

Conduct training and awareness

With ChatGPT, companies can provide analysts with a more engaging and personalized training experience tailored to their specific needs. The company could create a platform-based compliance training chatbot with which employees and analysts can interact using natural language. The chatbot could be trained on the company’s specific compliance policies, procedures and regulatory requirements. This can help improve employee engagement and retention of key compliance concepts while reducing the risk of non-compliance and regulatory violations.

There are many other use cases where GRC professionals can benefit from using ChatGPT. Though the platform provides a wealth of information on security and compliance topics, it is not a substitute for working with qualified professionals, such as auditors, security consultants and legal advisors. Also, the use of ChatGPT and training other OpenAI models come with data privacy risks. Security experts must properly evaluate and mitigate these to take full advantage of ChatGPT.

More from Artificial Intelligence

Preparing for the future of data privacy

4 min read - The focus on data privacy started to quickly shift beyond compliance in recent years and is expected to move even faster in the near future. Not surprisingly, the Thomson Reuters Risk & Compliance Survey Report found that 82% of respondents cited data and cybersecurity concerns as their organization’s greatest risk. However, the majority of organizations noticed a recent shift: that their organization has been moving from compliance as a “check the box” task to a strategic function.With this evolution in…

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today