ChatGPT is a chatbot launched in November 2022 by OpenAI that is based on their GPT-3 extensive family of language models that have been fine-tuned by applying both reinforcement and supervised learning techniques.
With ChatGPT bringing transformational changes to artificial and augmented intelligence, GRC professionals can take the opportunity to create and evaluate use cases that enhance the overall automation of repetitive resource-intensive tasks.
To better understand where ChatGPT can be leveraged for GRC programs, let us evaluate their key elements and discuss how it can be integrated to achieve benefits.
Elements of GRC Program
- Key elements for the success of any automation driven GRC program includes:
- Establishing the “expected outcome” of the processes
- Building checks and balances for the process as documented
- Adopting a GRC tool to automate the GRC processes and workflows
- Identifying feasible “integration points” for the GRC tool with other technologies using the SECOPS, risk management, policy compliance and other data input modules
- Setting up “automated feeds” or the best “possible integration” inputs with the GRC tool for the “continuous data feeds” required to assess and review the operational environments
- Custom building modules for process reviews with workflow automation to ensure that the checks and balances designed for the processes test the process modification or identify any anomalous process execution to trigger alerts
- Integrating advanced algorithms to “evaluate baseline configuration output vs. the revised configuration output to help with variance calculation”
Use Cases for ChatGPT Integration
For effective and efficient use of GRC, organizations must integrate GRC with business and IT. This aspect can very well be the first use case of AI where the basic integration aspect of business and IT processes can be achieved by leveraging AI.
To further the integration of AI with GRC function, the core components of audit, compliance and risk management can leverage AI to develop the initial blueprint, with human intelligence implementing the fine-tuning as per the requirement of the engagement. Other areas that can be good use cases for ChatGPT integration include:
- Identifying normal CI configuration parameters versus anomalous configurations with business analytics algorithms
- Using AI to analyze past configurations versus baseline configurations and the changes introduced to provide predictive analysis results for “Risks” & “Compliance Breach” scenarios
- Reviewing most of the change updates for the control environment, control Language and evidence requirements
- Verifying design standards against benchmarks
- Reviewing and validating architectural designs
- Evaluating IT processes, data flow, data segregation, data classification, etc.
- Evaluating SDLC and STLC to ensure that software design and components are tested and validated
- Threat and vulnerability tracking and updates
- Risk tracking review and status updates
However, the challenge of going forward with the adoption of ChatGPT or any AI in the GRC space is about the target audience. This challenge is driven by the sensitive and critical data that is handled by GRC professionals versus the training model and data sets required to train the AI tool.
Key Take Away
While AI can pave the way for successful GRC program development and execution, the key aspect would always be the overall review of the program and to tailor it as per the scope of the project and organizational requirements. Additionally, the models used to train AI tools as well as the techniques and data sets used need to be more reasonably determined so they do not create any additional risk for the organization.
While the evolution of AI is certainly a beneficial advancement, the limitations caused by the uncertainties associated with GRC components may need to be regularly reviewed so the AI can be trained for better output.