
Hello Hello,

A while back I asked ChatGPT to draft me a policy. What came back was technically correct, professionally worded, and completely useless. It could have belonged to any organisation in any industry. There was no reference to our framework, our control environment, or our risk appetite. It was a policy-shaped document with no actual policy in it.

I almost gave up on AI for policy work entirely.

The problem was not the tool. It was me. I had asked it to do something without giving it the context it needed to do it properly. I had treated it like Google: throw a question in, get an answer out.

Policy Management is where most GRC professionals first try AI. And it is where most of them first conclude that AI is not ready for serious GRC work. They are wrong, but only because they have not structured the task yet.

This week we map the Policy Management workstream across all four tiers, and show exactly what structured AI use looks like at each one.

TLDR

  • Most policy processes are at Tier 0: ad hoc, person-dependent, and undocumented.

  • Before AI can help, three things must be in place: named ownership, policy-to-risk mapping, and a formal exception process.

  • I have highlighted six AI use cases in Policy Management mapped across all four tiers in this issue.

  • Tier 2 is achievable right now, but only once the process is documented at Tier 1.

  • The most underused use case: Policy Q&A, where your employees ask AI what your own policy says and get a sourced answer in seconds.

  • Policy exceptions are a hidden AI opportunity; most teams are still managing them over email.

Where does your GRC team sit?

GRC Automation Maturity Model

Before you read how AI applies to Policy Management, find out where your GRC team actually sits on the maturity model. The self-assessment covers all five workstreams, including this one. Last week's post breaks down the GRC Automation Maturity Model: https://aigrcdesk.com/p/the-framework-the-grc-automation-maturity-model

The Bottom Line Up Front

Policy Management is the workstream most likely to give you a quick, visible AI win. The use cases are well-defined, the outputs are auditable, and the time savings are significant. The risk is skipping Tier 1: if your policy lifecycle is undocumented, AI will produce output you cannot trust or defend. Structure the process first. Then apply AI.

The Policy Management Workstream

Before we map the AI use cases, let us be clear on what Policy Management actually owns.

Policy Management is responsible for the full lifecycle of every policy in your organisation, from drafting and review through to approval, publication, and retirement. It sets documentation standards, owns the review cadence, maps policies to control frameworks, and ensures leadership has the visibility they need to make governance decisions.

In most organisations, this workstream is held together by one or two people with institutional knowledge, a SharePoint folder nobody fully trusts, and a review cycle that only happens when an audit is imminent.

AI Use Cases in Policy Management, Across All Four Tiers

Before AI can add any value to Policy Management, three structural questions need to be answered. These are not AI questions. They are Tier 1 questions. If you cannot answer all three, you are still at Tier 0.

1. Who owns what? Every policy needs a named owner: not a team, not a function, a person. That owner is responsible for the review cycle, the approval of changes, and the sign-off on exceptions. They are also the person AI routes output to at Tier 2. Without named ownership, AI-assisted gap analysis produces a report that goes nowhere, and AI-assisted drafting produces a document nobody approves. Ownership is not a governance nicety; it is the prerequisite for everything that follows.

Policy ownership also extends to controls. Which control does this policy clause operationalise? Who owns that control? That relationship needs to be documented before you can do meaningful framework mapping or gap analysis, with or without AI.

2. Which policy requirement maps to which risk? A policy gap is only meaningful in the context of the risk it creates. A missing clause that maps to a critical risk is a priority finding. A missing clause that maps to a low-rated risk can wait. Without a documented policy-to-risk mapping, your gap analysis is a list of observations with no prioritisation. AI at Tier 2 can help you build and maintain this mapping but the risk register and the risk ratings have to exist first.

This is also what makes policy review defensible to a CISO. Not "we found twelve gaps" but "we found three gaps that map to high-rated risks and here is the remediation plan."

3. How are policy exceptions managed? Every organisation has them. Someone needs access to a system the policy prohibits. A vendor cannot meet a control requirement. The question is not whether exceptions happen, it is whether they are formally requested, risk-assessed, time-bounded, approved by the right person, and reviewed on schedule.

Most organisations manage exceptions informally. That is a Tier 0 exception process. At Tier 1, every exception has a documented rationale, a named approver, an expiry date, and a review trigger. At Tier 2, AI drafts the exception rationale and residual risk assessment. At Tier 3, exceptions are automatically flagged when their conditions change: new threat intelligence, a change in the underlying risk, or an approaching expiry date.
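The Tier 1 requirements above (rationale, named approver, expiry date, review trigger) are checkable mechanically, and the approaching-expiry trigger is the easiest Tier 3 automation to start with. The script below is an added example, not part of the original issue or any GRC platform: it audits a constructed exception register against those requirements and flags records that are expired or inside a warning window. The field names, the list of shared-mailbox aliases and the 30-day window are assumptions; the "new threat intelligence" and "change in underlying risk" triggers need external feeds and are not modelled here.

```python
"""Tier 1 hygiene check for a policy exception register, plus the Tier 3 expiry trigger.

Added example (not from the original issue). Field names, group aliases and the
warning window are assumptions; adapt them to your own register.
"""
from datetime import date

# Every Tier 1 exception record must carry these fields (assumed schema).
REQUIRED_FIELDS = ("id", "policy", "rationale", "approver", "expires", "review_trigger")

# Constructed list of shared mailboxes: an approval from one of these has no named owner.
GROUP_ALIASES = {"security-team@example.com", "grc@example.com", "it-helpdesk@example.com"}


def validate_exception(exc: dict, today: date, warn_days: int = 30) -> list[str]:
    """Return the problems with one exception record (empty list means it passes)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not str(exc.get(f, "")).strip()]
    if exc.get("approver") in GROUP_ALIASES:
        problems.append("approver is a group alias, not a named person")
    if exc.get("expires"):
        days_left = (date.fromisoformat(exc["expires"]) - today).days
        if days_left < 0:
            problems.append(f"expired {-days_left} days ago")
        elif days_left <= warn_days:
            problems.append(f"expires in {days_left} days")
    return problems


def audit_register(register: list[dict], today: date, warn_days: int = 30) -> dict[str, list[str]]:
    """Map exception id -> problems, for every record that needs the owner's attention."""
    report = {}
    for exc in register:
        problems = validate_exception(exc, today, warn_days)
        if problems:
            report[exc.get("id") or "<no id>"] = problems
    return report


# Constructed sample register: one clean record, one approved by a team alias and
# close to expiry, one with no rationale that has already expired.
REGISTER = [
    {"id": "EXC-001", "policy": "Access Control Policy",
     "rationale": "Legacy finance app cannot enforce MFA; compensating control is "
                  "network restriction to the finance VLAN.",
     "approver": "j.doe@example.com", "expires": "2026-11-30",
     "review_trigger": "on MFA support in vendor release, or at expiry"},
    {"id": "EXC-002", "policy": "Supplier Management Policy",
     "rationale": "Vendor cannot provide SOC 2 report until Q3; contract includes right to audit.",
     "approver": "security-team@example.com", "expires": "2026-05-11",
     "review_trigger": "on receipt of SOC 2 report"},
    {"id": "EXC-003", "policy": "Acceptable Use Policy",
     "rationale": "", "approver": "a.smith@example.com", "expires": "2026-04-26",
     "review_trigger": "at expiry"},
]

if __name__ == "__main__":
    # A fixed "today" keeps the run reproducible; use date.today() in production.
    for exc_id, problems in audit_register(REGISTER, date(2026, 5, 1)).items():
        print(exc_id, "->", "; ".join(problems))
```

Run this on a schedule and route each flagged record to the policy owner named in the register; an exception nobody is chasing is the Tier 0 pattern coming back through the side door.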

The table below maps every core Policy Management use case across the four tiers of the GRC Automation Maturity Model. Use it to identify where your current process sits and what the next tier looks like for each task.

AI Use cases in Policy Management mapped to the GRC Automation Maturity Model

The AI opportunity at Tier 0 is zero. You cannot apply AI to a process that does not exist in a repeatable, documented form. If your Policy Management workstream is at Tier 0, the work right now is documentation: define the lifecycle, name the owners, establish the review cadence. Only then does Tier 2 become possible.

The Prompt: Policy Gap Analysis at Tier 2

This is the exact prompt structure I use to move policy reviews to Tier 2.

Act as an expert GRC Analyst working in a Tier 2 AI-Assisted Operations model, meaning your output will be reviewed and validated by a human practitioner before any action is taken.

I am providing you with two inputs:
1. A list of required controls from [Insert Framework, e.g. ISO 27001:2022 Annex A].
2. Our current [Insert Policy Name, e.g. Access Control Policy].

Your task is to perform a policy gap analysis. Compare the policy against the required controls and provide the output in a table with the following columns:

— Control ID & Name
— Status (Fully Addressed, Partially Addressed, Missing)
— Relevant Policy Excerpt (Quote the exact text if addressed)
— Recommended Addition (If partially addressed or missing, draft the specific sentence or paragraph we need to add to satisfy the control)

Do not hallucinate compliance. If a control is not explicitly covered in the text, mark it as Missing.
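The last instruction in that prompt, that a control is only Addressed if the model can quote the exact policy text, is something you can enforce before the human review rather than relying on the model to obey it. The script below is an added example (not from the original issue): it parses the markdown table the prompt asks for, and for every row marked Fully or Partially Addressed checks that the quoted excerpt really appears in the policy. A row whose quote cannot be found is reported as unsupported, so a hallucinated compliance claim cannot ride through on a plausible-looking quote. The column names are the ones in the prompt; the policy text and the model output are constructed samples, and the control IDs are ISO 27001:2022 Annex A identifiers used for illustration.

```python
"""Verify an AI-generated policy gap-analysis table against the policy it claims to quote.

Added example, not from the original issue. Column names follow the Tier 2 prompt;
the policy and the model output below are constructed samples.
"""
import re

ALLOWED_STATUS = {"Fully Addressed", "Partially Addressed", "Missing"}


def normalise(text: str) -> str:
    """Strip surrounding quotes, collapse whitespace and lowercase, so formatting noise
    does not cause false alarms while the wording still has to match exactly."""
    text = text.strip().strip("\"'\u201c\u201d")
    return re.sub(r"\s+", " ", text).lower()


def parse_markdown_table(table: str) -> list[dict[str, str]]:
    """Parse a pipe-delimited markdown table (header, separator, data rows) into dicts."""
    lines = [ln.strip() for ln in table.strip().splitlines() if ln.strip().startswith("|")]
    split = lambda ln: [cell.strip() for cell in ln.strip("|").split("|")]
    header = split(lines[0])
    rows = []
    for ln in lines[2:]:  # lines[1] is the |---|---| separator
        cells = split(ln)
        if len(cells) != len(header):
            raise ValueError(f"Malformed row: {ln}")
        rows.append(dict(zip(header, cells)))
    return rows


def verify_gap_table(table: str, policy_text: str) -> list[dict[str, str]]:
    """One finding per row: verified, unsupported, invalid_status or missing_recommendation."""
    policy = normalise(policy_text)
    findings = []
    for row in parse_markdown_table(table):
        status = row["Status"]
        excerpt = normalise(row["Relevant Policy Excerpt"])
        recommendation = row["Recommended Addition"].strip()
        has_recommendation = bool(recommendation) and recommendation.upper() != "N/A"
        if status not in ALLOWED_STATUS:
            verdict = "invalid_status"
        elif status == "Missing":
            verdict = "verified" if has_recommendation else "missing_recommendation"
        elif not excerpt or excerpt not in policy:
            verdict = "unsupported"  # the quote is not in the policy: treat as unverified, never as compliant
        elif status == "Partially Addressed" and not has_recommendation:
            verdict = "missing_recommendation"
        else:
            verdict = "verified"
        findings.append({"control": row["Control ID & Name"], "status": status, "verdict": verdict})
    return findings


# Constructed sample policy.
POLICY = """
Access Control Policy (constructed sample, v1.0)
4.1 Access to information systems is granted on a least-privilege basis and must be approved by the asset owner.
4.2 User access rights are reviewed by the asset owner at least every six months.
4.3 Privileged accounts are issued only to named individuals and are not shared.
"""

# Constructed sample model output. Row 3 quotes text that is not in the policy;
# row 5 uses a status value the prompt did not allow.
AI_TABLE = """
| Control ID & Name | Status | Relevant Policy Excerpt | Recommended Addition |
|---|---|---|---|
| A.5.15 Access control | Fully Addressed | "Access to information systems is granted on a least-privilege basis and must be approved by the asset owner." | N/A |
| A.5.18 Access rights | Partially Addressed | "User access rights are reviewed by the asset owner at least every six months." | Add: access rights are removed within 24 hours of termination. |
| A.8.2 Privileged access rights | Fully Addressed | "Privileged access is logged and reviewed weekly by the security team." | N/A |
| A.5.17 Authentication information | Missing | | Add a clause requiring initial passwords to be issued over a secure channel and changed on first use. |
| A.8.5 Secure authentication | Addressed | "Privileged accounts are issued only to named individuals" | N/A |
"""

if __name__ == "__main__":
    for finding in verify_gap_table(AI_TABLE, POLICY):
        print(f"{finding['control']:<40} {finding['status']:<20} {finding['verdict']}")
```

Treat anything other than "verified" as a row the practitioner must resolve by reading the policy themselves; the script never upgrades a row, it only withholds trust from rows the model could not substantiate.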

In Practice: AskInfoSec

One of my team members built a custom GPT called AskInfoSec, a friendly security policy assistant for our organisation. Employees ask policy questions in plain language and get answers drawn directly from our information security documentation.

"What is the process for third-party vendor access?" gets a response grounded in our Supplier Management Policy. "Can I use a personal device to access work email?" gets an answer from our Acceptable Use Policy. Specific, sourced, and available instantly, without the question landing on someone in GRC.

If the employee is still unsure or the question goes beyond what the documented policy covers, they are directed to the InfoSec Slack channel where a human picks it up.

That is Policy Q&A and Interpretation at Tier 2 in practice. The AI handles the high volume of routine questions. The human handles the edge cases. GRC capacity is freed up for work that actually requires a practitioner.

The governance is built into the design: the model only answers from documented policy, it does not interpret or advise beyond what is written, and there is always a human escalation path. That is what bounded intelligence looks like when it is implemented well.
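The three design constraints of AskInfoSec (answer only from documented policy, name the source, escalate to a human when nothing applies) can be made concrete in code. The script below is an added example written for this issue, not the team's AskInfoSec GPT or anything from OpenAI's custom GPT tooling: it retrieves the best-matching numbered clause from a set of constructed policy documents by term overlap, returns the clause verbatim with its source policy, and refuses with an escalation message when no clause overlaps enough with the question. The keyword scoring stands in for whatever retrieval the real assistant uses; the point being demonstrated is the threshold plus the escalation path, not the scoring. Policy texts, the Slack channel name and the overlap threshold are assumptions.

```python
"""Bounded policy Q&A: answer only from documented policy, cite the source, escalate otherwise.

Added example, not the AskInfoSec GPT described in the issue. The policies, the
escalation channel and the overlap threshold are constructed assumptions.
"""
import re

ESCALATION = "No documented policy answers this. Ask in #infosec on Slack and a human will pick it up."

# Words that carry no policy meaning and would otherwise inflate overlap scores.
STOPWORDS = {"a", "an", "the", "to", "for", "of", "is", "can", "i", "my", "what",
             "our", "and", "on", "in", "use", "do", "may", "only", "when", "are"}


def tokens(text: str) -> set[str]:
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def split_clauses(policy_text: str) -> list[str]:
    """Split a policy into its numbered clauses ("3.2 ...") so answers cite one clause, not the whole document."""
    parts = re.split(r"\n(?=\d+\.\d+\s)", policy_text.strip())
    return [p.strip() for p in parts if re.match(r"\d+\.\d+\s", p.strip())]


def answer_policy_question(question: str, policies: dict[str, str], min_overlap: int = 2) -> dict:
    """Return the best-matching clause verbatim with its source, or an escalation if nothing matches well enough.

    The answer is the clause text itself: the assistant is not allowed to paraphrase or
    advise beyond what is written, which is the 'bounded intelligence' constraint.
    """
    q = tokens(question)
    best = None  # (score, policy name, clause)
    for name, text in policies.items():
        for clause in split_clauses(text):
            score = len(q & tokens(clause))
            if best is None or score > best[0]:
                best = (score, name, clause)
    if best is None or best[0] < min_overlap:
        return {"grounded": False, "answer": ESCALATION, "source": None}
    score, name, clause = best
    return {"grounded": True, "answer": clause, "source": name}


# Constructed sample policies (not real organisational policy text).
POLICIES = {
    "Supplier Management Policy": """
3.1 Suppliers are risk-assessed before onboarding.
3.2 Third-party vendor access to internal systems requires a signed agreement and approval by the Supplier Manager before credentials are issued.
""",
    "Acceptable Use Policy": """
5.3 Company devices must be locked when unattended.
5.4 Personal devices may access work email only when enrolled in the company mobile device management service.
""",
}

if __name__ == "__main__":
    for question in ("What is the process for third-party vendor access?",
                     "Can I use a personal device to access work email?",
                     "Can I bring my dog to the office?"):
        result = answer_policy_question(question, POLICIES)
        print(f"Q: {question}\n   source={result['source']}\n   {result['answer']}\n")
```

The third question deliberately has no policy behind it and lands on the escalation message; in production, log those escalations, because a recurring unanswerable question is a signal that a policy gap exists, which feeds straight back into the gap analysis.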

The Governance Check

Before you apply AI to any Policy Management task, answer these questions:

1. Is the data classification boundary defined? Policies often contain sensitive information about controls, vulnerabilities, and organisational structure. Before you paste a policy into any AI tool, confirm that your data classification policy permits it. Most corporate AI tools (Microsoft Copilot, Google Gemini for Workspace) have enterprise data boundaries. Consumer tools (ChatGPT free tier, Claude.ai without enterprise) do not. Know which you are using before you start.

2. Is there a human in the loop at every decision point? AI at Tier 2 produces output that a human must review and approve. No AI-drafted policy section should be published without practitioner review. Document the review step: if an auditor asks how the policy was produced, "AI drafted it and a named human approved it" is a defensible answer. "AI produced it" is not.

What I am Watching

The EU AI Act, and what it means for your organisation right now. The binding enforcement date for high-risk AI system obligations is 2 August 2026, covering Articles 9-17 for providers and Article 26 for deployers. Most organisations are not ready. The compliance burden is substantial: conformity assessments, EU database registration, technical documentation, human oversight mechanisms, and demonstrable risk management systems, all required before a high-risk AI system is deployed.

What counts as high-risk? AI used in employment screening, credit decisions, education, and public administration is in scope. If your organisation uses AI in any of these contexts, the clock is running.

The proposed Digital Omnibus would push the deadline to December 2027, but as of May 2026 the trilogue negotiations have not reached agreement, meaning August 2026 remains the operative deadline. Do not plan around a deferral that has not been legislated.

GRC platforms are beginning to integrate native AI features, blurring the line between Tier 1 and Tier 2.

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.

Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.

The Bottom Line

Policy Management is where most GRC teams should start with AI. The use cases are clear, the outputs are auditable, and the time savings are immediate. But the prerequisite is always the same: document the process first. AI cannot follow rules that do not exist.

Next Issue

This Thursday: Issue 3, Policy Gap Analysis Notebook. I will share the exact prompt, the workflow, and the governance check I use for the Policy Management workstream.

Until Thursday,
Princess
