I Built an AI Tool to Solve a GRC Problem. Here's What I Actually Learned.
I'm a Cybersecurity Governance person. Well, that's part of it. I'm a Cybersecurity person. I think that might fit better? Ok, honest truth: I enjoy technology, love cybersecurity, and love building things.
I've been spending a lot of time in the last six months learning more about Artificial Intelligence. As a professional in the industry, you get a lot of information about AI in front of you and it's usually how it can solve a problem that you might have. When I begin to research these things, it usually comes back with three companies that appear to do the same thing, but the difference might be cost or capability. Do you already use the tool? Is there a module add-on for it? How much extra would it cost you? I know what I use AI for in my day to day work and I know the work that goes into verifying the outputs. So, after thinking about it, I thought, "How can I use it to solve a problem that I might have?" and it led me to thinking about policy and a problem that some organizations have.
Depending on the size of your organization (and its age) you might have several policy documents. Those documents have control statements, and they should map to frameworks like NIST 800-53, NIST CSF, HIPAA, or CIS 18. Often this mapping is done manually by a practitioner who already knows the answer, or it might not be done at all. Depending on how often your policies are updated, or how often the framework is updated, the manual part is what nobody talks about. You take a control statement like, "user accounts shall be provisioned in accordance with the principle of least privilege" and somebody sits and decides, "Does this satisfy PR.AA-05? Also, does it fully satisfy it, or just partially? What's missing?" Now rinse and repeat for the two hundred controls across the other frameworks.
So, since I had been studying and learning more about Artificial Intelligence, I used this opportunity to build something which might help folks who have had this problem.
I came up with Lacunae ControlSense. Yes, AI did help me come up with that name. I went through a few but Lacunae came in as a suggestion and thought it enveloped the issue well. According to Google:

For those who know me, you know that I love a good play on words. Also, I couldn't come up with a good acronym for the program, but that will be phase 2.
To explain simply, Lacunae ControlSense is a local AI tool that takes a policy document, reads the actual control statements, and maps them to NIST CSF 2.0, CIS 18, and NIST AI RMF. It identifies not only gaps but also places where a control is present but incomplete. It also produces a gap register that you can actually use. It runs on your own machine, which means your policy documents never leave your environment. Notice how I mentioned it runs on your own machine? That also means it can be operated on an airgapped network. A process for offline updating is coming soon.
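To make the "extract control statements, map them, produce a gap register" step concrete, here is a small rule-based version of it as an added example. This is not the Lacunae ControlSense code (the tool uses a fine-tuned model, not keyword rules); it is an illustration I am adding to show the shape of the problem and of a usable gap register. The framework catalog is a constructed, deliberately simplified stand-in: PR.AA-05 is the one outcome the post names, and the other IDs (PR.AA-03, DE.CM-01, CIS 6.8) and the "required elements" attached to each are assumptions for the example, not the official criteria. The sample policy text is constructed as well.

```python
"""Added example: rule-based control mapping and gap register.

Each framework outcome lists the elements a policy control statement must
mention to satisfy it. A statement set that hits every element is 'full',
some elements is 'partial', none is 'gap'. Not the ControlSense code.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# ASSUMPTION: simplified stand-in for a real framework catalog. Only PR.AA-05
# appears in the post; the other IDs and all element lists are illustrative.
FRAMEWORK = {
    "NIST CSF 2.0": {
        "PR.AA-05": ["least privilege", "separation of duties", "review"],
        "PR.AA-03": ["authenticat", "multi-factor|mfa"],
        "DE.CM-01": ["monitor", "network"],
    },
    "CIS 18": {
        "6.8": ["role-based|least privilege", "review"],
    },
}

# Constructed sample policy text (not a real organization's policy).
SAMPLE_POLICY_DOC = """Purpose. This policy establishes access control requirements.
User accounts shall be provisioned in accordance with the principle of least privilege.
Privileged access shall be reviewed quarterly by the system owner.
Users must authenticate to all corporate systems with a unique credential.
Questions may be directed to the security office."""


@dataclass
class RegisterEntry:
    framework: str
    control_id: str
    status: str                                   # "full" | "partial" | "gap"
    evidence: list = field(default_factory=list)  # statements that contributed
    missing: list = field(default_factory=list)   # elements nothing covered


def extract_controls(doc_text):
    """Pull normative statements ('shall'/'must') out of free policy text."""
    sentences = re.split(r"(?<=[.!?])\s+", doc_text.strip())
    return [s.strip() for s in sentences
            if re.search(r"\b(shall|must)\b", s, re.IGNORECASE)]


def element_present(element, text):
    """An element is a '|'-separated set of alternatives; any alternative
    appearing as a case-insensitive substring counts as a hit."""
    lowered = text.lower()
    return any(alt in lowered for alt in element.split("|"))


def assess(statements, framework=FRAMEWORK):
    """Score every framework outcome against the policy's control statements."""
    register = []
    for fw_name, outcomes in framework.items():
        for cid, elements in outcomes.items():
            covered, evidence = set(), []
            for stmt in statements:
                hits = [e for e in elements if element_present(e, stmt)]
                if hits:
                    covered.update(hits)
                    evidence.append(stmt)
            missing = [e for e in elements if e not in covered]
            if not missing:
                status = "full"
            elif not covered:
                status = "gap"
            else:
                status = "partial"
            register.append(RegisterEntry(fw_name, cid, status, evidence, missing))
    return register


def summarize(register):
    """Count of outcomes per status, e.g. {'full': 1, 'partial': 2, 'gap': 1}."""
    return dict(Counter(entry.status for entry in register))


if __name__ == "__main__":
    statements = extract_controls(SAMPLE_POLICY_DOC)
    register = assess(statements)
    for entry in register:
        print(f"{entry.framework} {entry.control_id}: {entry.status}")
        for gap in entry.missing:
            print(f"    missing: {gap}")
    print(summarize(register))
```

The register is the useful artifact: for each outcome it records which policy sentences were treated as evidence and which required elements nothing in the policy addresses, which is exactly the "present but incomplete" case the post describes. A keyword matcher like this over-counts (a sentence mentioning "review" of vendor contracts would still score as access review), which is why the substantive judgment of "does this statement actually satisfy PR.AA-05" needs either a practitioner or a model trained on practitioner-written examples.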
When I started thinking about this, I realized very quickly that the problem had a few dimensions. I also don't have a lot of time in my day to day, but I wanted to:
1) Learn and grow while assessing a real problem
2) Participate in hands-on learning along with the theory I had been studying
In order to do that, I was able to bring my domain expertise to the table, but what I didn't have for this work was the technical execution. The technical execution came from Claude as a coding partner. I had seen some incredible things that people had been building, so I started out testing that theory slowly by first having it assist me in metrics building and white-boarding, and then moved to having it assist me in web building. I was incredibly impressed, so I thought I would really challenge it and have it teach me along the way. So I guess you could say that I didn't just ask an AI to build me a tool; I defined the problem. I built the training data from my own knowledge of how controls map to frameworks, which required someone who actually knows what PR.AA-05 means and when a control satisfies it versus when it only partially satisfies it. I made the quality judgments, caught the errors, and I definitely knew when the output was wrong.
What Claude helped with was the code: the fine-tuning pipeline, the containerization, the inference engine, and the UI. I know how to code and I know containers, but it would have taken me significantly longer to build alone.
The final result was a tool that reflects my expertise, not just a generic AI output. The model was trained on real examples that I wrote. The gap analysis logic reflects how I actually think about framework coverage. I thought that component would be helpful versus what several vendors in this space might be already doing.
One thing that surprised me while building this tool was how accessible building and training a model actually was. It seems so intimidating sometimes when learning a new technology. Usually I dive in head first, but in this instance I didn't want to break it right away; I wanted it to be reflective of my knowledge. To assist with this, I gave Claude the prompt to take on the role of a Senior Software Engineer at Anthropic and interview me. This made the process structured: the interview drew my domain knowledge out through questions and turned it into 168 training examples across 12 security domains. My expertise was now the training data. This was the part that felt genuinely different from just using an AI tool.
As you are reading this, you are probably asking yourself, "Where is it?" or the best question, "How much is it?" I will be releasing Lacunae ControlSense for free. I'm releasing it publicly because the problem is real and practitioners shouldn't have to pay enterprise prices to get control-level gap analysis. I'll also be adding NIST 800-53 mapping, expanding the training data across more security domains, and building out the org mode which will let you load your own organizational context so that analysis reflects your environment specifically.
If you want to try it when it's available, follow along here. If you are a GRC practitioner and want to see how it might work for your organization, I'd be happy to walk through it with you. At the end of the day, if it helps you save a complete day's worth of mapping work, I'd love to know, and I'll have a virtual 'tip bucket' set up if you want to buy me a coffee.
As I release it, please know that this is a work in progress. This is also a tool developed by a very busy working professional. I deeply value feedback, so feel free to connect once it's released if you have questions or notice areas for improvement.