6clicks' use of AI and ML technologies

Learn more about 6clicks' use of AI and ML technologies, including Google's BERT and OpenAI's GPT models

Introduction

One of 6clicks' key value propositions is that it powers its Governance, Risk, and Compliance (GRC) platform with Artificial Intelligence (AI). Artificial intelligence streamlines various data processing activities in GRC, which results in enhanced operational efficiency and improved insights and analytics that drive better decisions.

6clicks use cases involving AI

The ways in which 6clicks leverages artificial intelligence today include:

  1. Compliance mapping - Comparing authority documents (standards, laws, and regulations) made of individual provisions (clauses) to identify similarities and differences
  2. Policy/control set mapping - Comparing policies/control sets defined in 6clicks with authority documents to identify coverage and gaps
  3. Policy/control set development - Helping to draft policy/control set and control descriptions through synthesizing and paraphrasing associated provisions
  4. Assessment questions mapping - Displaying similar questions previously answered
  5. Assessment response generation - Generating a suggested answer to a question in an assessment based on similar questions previously answered
  6. Hailey Assist - Using natural language prompts to get answers to questions about your GRC data, system navigation, and the 6clicks Knowledge Base

Model selection

For compliance and policy/control set mapping using 6clicks' Hailey AI, 6clicks relies on a custom-trained version of Google's BERT model. Google's BERT model was first pre-trained on language representation based on inputs from Wikipedia.

For policy/control set development, assessment answer generation, and forming responses for Hailey Assist, 6clicks makes use of OpenAI GPT 3.x and 4 models. These models generate text, having been trained on human-written data from across the internet and then optimized using human feedback.

For matching similar questions, 6clicks uses OpenAI's ADA-002 text embedding model. Text embeddings are a numerical representation of semantic concepts, allowing for matching natural language strings based on similarity in meaning.

Training by 6clicks

6clicks undertook further training of Google's BERT model in creating Hailey AI, including training the model to understand the language used in standards, laws, and regulations found in the 6clicks Content Library.

Sources of mapping information were then used to refine the model behind Hailey AI. Sources included mapping information embedded into standards, other public sources of mapping information, and mapping information available from our own experts.

Finally, 6clicks applies a human feedback loop leveraging its own experts and experts from Partners to refine the output from the model prior to public release.

The OpenAI GPT-3 model for policy/control set development is used as-is at this time.

Minimizing the risk to customers

6clicks hosts the Hailey AI model on its own infrastructure in Microsoft Azure, which inherits security certifications from Microsoft, and the model is incorporated into 6clicks' own cyber, information security, and privacy management systems, which are certified to ISO/IEC 27001.

6clicks' security program includes technical security controls in the areas of network security, storage security, encryption at rest and in transit, physical security, personnel security, and access management, all of which play a role in isolating and protecting data.

The 6clicks use cases relate primarily to public domain data, such as the authority documents (standards, laws, and regulations) and provisions (clauses) in the 6clicks Content Library. For compliance mapping, this is exclusively the case.

The fields involved in compliance mapping are:

  • Name of authority document (ISO 27001, NIST CSF, etc.)
  • Provision ID
  • Provision Title
  • Provision Description
  • Provision Custom Fields

For policy/control set mapping, the word embeddings associated with customer policy/control sets must be stored in the 6clicks database related to AI. Tenant-specific access controls segregate the word embeddings associated with customer policies/control sets.

The fields involved in policy/control set mapping are:

  • Name of authority document (ISO 27001, NIST CSF, etc.)
  • Provision ID
  • Provision Title
  • Provision Description
  • Provision Custom Fields
  • Control ID
  • Control Title
  • Control Description
  • Responsibility Title
  • Responsibility Description

For policy/control set development, the policy/control set details are submitted to the OpenAI model. A response is returned, including a synthesized policy/control set description or a synthesized control description based on linked provisions.

The fields involved in policy/control set development are:

  • Team Name
  • Name of authority document (ISO 27001, NIST CSF, etc.)
  • Provision ID
  • Provision Title
  • Provision Description

For assessment question matching and generation, the question text is submitted to the 6clicks-hosted embedding model when questions are created or updated in the application. The answer text, on the other hand, is submitted to the OpenAI model when the "Ask Hailey" button is clicked.

The fields involved in assessment question matching and answer generation are:

  • Assessment ID
  • Third-Party Respondent ID
  • Question ID
  • Answer ID
  • Question Text
  • Answer Text

Hailey Assist uses a process known as Retrieval Augmented Generation (RAG) to keep customer data in the 6clicks environment under access controls and does not store customer data within the supporting Microsoft Azure OpenAI service or models.
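The three mechanisms this page relies on, embeddings matched by similarity in meaning (Model selection), tenant-specific segregation of stored embeddings (policy/control set mapping and assessment question matching), and the RAG flow for Hailey Assist, can be illustrated in one small program. The Python below is an added example and is not 6clicks' code nor a description of how 6clicks implements these features: it replaces the ADA-002 model with a toy bag-of-words embedding so that it runs offline, and the tenant IDs, question and answer text, and the EmbeddingStore and build_rag_prompt names are constructed for the illustration. It shows the property a reviewer would want to check: the tenant filter runs before any similarity scoring, and the prompt assembled for the hosted model contains only that tenant's retrieved rows.

```python
# Added example (not 6clicks' own code): tenant-scoped embedding search and
# RAG prompt assembly. The embedding model is a constructed stand-in.
import math
import re
from dataclasses import dataclass


def embed(text: str) -> dict[str, float]:
    """Toy sparse bag-of-words embedding standing in for a learned model such
    as ADA-002. Real embeddings are dense vectors, but the matching step is the
    same: the vector is L2-normalised so a dot product is cosine similarity."""
    counts: dict[str, float] = {}
    for word in re.findall(r"[a-z0-9]+", text.lower()):
        counts[word] = counts.get(word, 0.0) + 1.0
    norm = math.sqrt(sum(v * v for v in counts.values())) or 1.0
    return {w: v / norm for w, v in counts.items()}


def cosine(a: dict[str, float], b: dict[str, float]) -> float:
    """Cosine similarity of two normalised sparse vectors
    (1.0 = identical wording, 0.0 = no shared terms)."""
    return sum(v * b[w] for w, v in a.items() if w in b)


@dataclass
class AnsweredQuestion:
    tenant_id: str
    question_id: str
    question: str
    answer: str
    vector: dict  # stored embedding of the question text


class EmbeddingStore:
    """Tenant-segregated store of question embeddings. The tenant filter is
    applied before similarity scoring, so another tenant's rows are never
    candidates, however similar their text is."""

    def __init__(self) -> None:
        self._rows: list[AnsweredQuestion] = []

    def add(self, tenant_id: str, question_id: str, question: str, answer: str) -> None:
        self._rows.append(AnsweredQuestion(tenant_id, question_id, question, answer, embed(question)))

    def search(self, tenant_id: str, query: str, k: int = 3, min_score: float = 0.3):
        """Return up to k (score, row) pairs for this tenant only, best first."""
        qv = embed(query)
        candidates = [r for r in self._rows if r.tenant_id == tenant_id]  # filter first
        scored = sorted(((cosine(qv, r.vector), r) for r in candidates),
                        key=lambda t: t[0], reverse=True)
        return [(s, r) for s, r in scored[:k] if s >= min_score]

    def mentions_other_tenant(self, tenant_id: str, text: str) -> bool:
        """Leakage check: does the text contain any other tenant's question or answer?"""
        return any(r.question in text or r.answer in text
                   for r in self._rows if r.tenant_id != tenant_id)


def build_rag_prompt(store: EmbeddingStore, tenant_id: str, new_question: str, k: int = 3):
    """RAG step: retrieve this tenant's most similar answered questions and put
    only those into the prompt. The prompt is what would be sent to the hosted
    model; the model call itself is out of scope here."""
    hits = store.search(tenant_id, new_question, k)
    context = "\n\n".join(f"Q: {r.question}\nA: {r.answer}" for _, r in hits)
    prompt = ("Using only the previously answered questions below, draft an answer "
              "to the new question.\n\n"
              f"{context}\n\nNew question: {new_question}\nDraft answer:")
    return prompt, hits


def demo_store() -> EmbeddingStore:
    """Constructed sample data: two tenants with overlapping question topics."""
    store = EmbeddingStore()
    store.add("acme", "q1", "Is data encrypted at rest?",
              "Yes, all databases use AES-256 encryption at rest.")
    store.add("acme", "q2", "Do you perform annual penetration testing?",
              "Yes, an external firm tests the platform annually.")
    store.add("acme", "q3", "Is multi-factor authentication enforced for administrators?",
              "Yes, MFA is required for all administrator accounts.")
    store.add("globex", "g1", "Is customer data encrypted at rest?",
              "Yes, Globex encrypts storage volumes with customer-managed keys.")
    return store


if __name__ == "__main__":
    store = demo_store()
    question = "Is customer data encrypted at rest in your database?"
    prompt, hits = build_rag_prompt(store, "acme", question)
    for score, row in hits:
        print(f"{score:.3f}  {row.tenant_id}/{row.question_id}: {row.question}")
    print("prompt leaks another tenant's data:", store.mentions_other_tenant("acme", prompt))
```

Run as a script it lists the matches for tenant "acme" and reports whether the assembled prompt contains anything from "globex". Although the globex question is closer in wording to the new question than any acme row, it is never scored, because segregation happens at the candidate-selection step rather than as a post-filter on results.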

AI service location

Wherever possible, 6clicks' use of AI technology relies on Azure services running in the same region as the primary application instance. Sometimes, due to availability or quality, we may use Azure services in different regions. The following table shows the location of the AI models across each 6clicks application instance and function.

Function                         Australia   Aus Gov       UK        US        US Gov
                                 (app-au)    (app-au-gov)  (app-uk)  (app-us)  (app-us-gov)
Compliance mapping               Australia   Australia     UK        US        US
Policy/control set mapping       Australia   Australia     UK        US        US
Policy/control set generation    Australia   Australia     UK        US        US
Assessment question mapping      Australia   Australia     UK        US        US
Assessment response generation   US*         N/A *         Sweden    US        US
Hailey Assist                    Australia   N/A           UK        US        N/A

6clicks continually monitors the availability of models in different Azure regions.

Supervision and feedback

6clicks believes in supervision as a part of the responsible use of machine learning and artificial intelligence, even in relatively low-risk applications within GRC. We make it clear when a feature uses AI by referring to "Hailey" (refined Google BERT) or "Ask Hailey" (OpenAI GPT).

Supervision is also baked into the fundamental design of features powered by AI. When performing compliance and policy/control mapping, a user can link or delink the associations made by Hailey AI based on informative similarity scores and human judgment.

When using "Ask Hailey" to perform policy/control set development and assessment response generation, there is a button that requires active interaction to use the feature. A user can refine or reject the synthesized wording that is returned.

Policy/control mapping results are used as feedback for future iterations of the Hailey model. We collect feedback in a way that prevents the collection of individual/sensitive data and minimizes the risk of any deliberate or accidental poisoning of the model.

Hailey Assist's thumbs up and down feedback feature is reviewed by 6clicks product management in order to understand and prioritise improvements.

The future of AI at 6clicks

6clicks will continue to innovate by introducing artificial intelligence and machine learning into its GRC platform in a way that seeks to mitigate risk and maximize opportunities for our customers. This involves seeking feedback from our customers.

Some of the use cases we are planning include the following:

  • Automated linking of issues/incidents and risks
  • Further generative capabilities aligned with organisational context
  • Predictive risk analytics (likelihood, impact, and risk rating)

More information

If you'd like more information about 6clicks' use of artificial intelligence and machine learning, please contact your account manager, our Customer Support team if you're an existing customer, or the 6clicks Security team if you're performing due diligence.