6clicks' use of AI and ML technologies

Information about 6clicks' use of AI and ML technologies, including Google BERT and OpenAI GPT

Introduction

One of 6clicks' key value propositions is that its Governance, Risk and Compliance (GRC) platform is powered by artificial intelligence. Artificial intelligence streamlines the time-consuming data processing found in GRC activities like never before.

6clicks use cases involving AI

The ways in which 6clicks leverages artificial intelligence today include:

  1. Compliance mapping - Comparing authority documents (standards, laws and regulations) made of individual provisions (clauses) to identify similarities and differences.
  2. Policy/control set mapping - Comparing policies/control sets defined in 6clicks with authority documents to identify coverage and gaps.
  3. Policy/control set development - Helping to draft policy/control set and control descriptions through synthesising and paraphrasing associated provisions.
  4. Assessment questions mapping - Displaying similar questions previously answered.
  5. Assessment response generation - Generating a suggested answer to a question in an assessment based on similar questions previously answered.

Model selection

For compliance and policy/control set mapping using 6clicks' Hailey AI, 6clicks relies on a custom-trained version of Google's BERT model. Google's BERT model was first pre-trained on language representation based on inputs from Wikipedia.

For policy/control set development and assessment answer generation, 6clicks makes use of OpenAI GPT-3 and GPT-3.5. GPT-3 and later are language models that produce text after being trained on human-written data from across the internet and then optimised based on human feedback.

For matching similar questions, 6clicks uses OpenAI's ADA-002 text embedding model. Text embeddings are a numerical representation of semantic concepts, allowing natural language strings to be matched on similarity in meaning.

Training by 6clicks

6clicks undertook further training of Google's BERT model in creating Hailey AI, including training the model to understand the language used in standards, laws and regulations found in the 6clicks Content Library.

Sources of mapping information were then used to refine the model behind Hailey AI. Sources included mapping information embedded into standards, other public sources of mapping information and mapping information available from our own experts.

Finally, 6clicks applies a human feedback loop leveraging its own experts and experts from partners to refine the output from the model prior to public release.

The OpenAI GPT-3 model for policy/control set development is used as is at this time.

Minimizing the risk to customers

6clicks hosts the Hailey AI model on its own infrastructure in Microsoft Azure, which inherits security certifications from Microsoft and is encompassed within 6clicks' own cyber, information security and privacy management systems certified to ISO/IEC 27001.

6clicks' security program includes technical security controls in the areas of network security, storage security, encryption at rest and in transit, physical security, personnel security and access management, all of which play a role in isolating and protecting data.

The 6clicks use cases relate primarily to public domain data, such as the authority documents (standards, laws, and regulations) and provisions (clauses) in the 6clicks Content Library. For compliance mapping, this is exclusively the case.

The fields involved in compliance mapping are:

  • Name of authority document (ISO 27001, NIST CSF etc.)
  • Provision ID
  • Provision Title
  • Provision Description
  • Provision Custom Fields

For policy/control set mapping, the word embeddings associated with customer policy/control sets must be stored in the 6clicks database related to AI. Tenant specific access controls segregate the word embeddings associated with customer policies/control sets.

The fields involved in policy/control set mapping are:

  • Name of authority document (ISO 27001, NIST CSF etc.)
  • Provision ID
  • Provision Title
  • Provision Description
  • Provision Custom Fields
  • Control ID
  • Control Title
  • Control Description
  • Responsibility Title
  • Responsibility Description

For policy/control set development, the policy/control set details are submitted to the OpenAI model. A response is returned, including a synthesised policy/control set description or a synthesised control description based on linked provisions.

The fields involved in policy/control set development are:

  • Team name
  • Name of authority document (ISO 27001, NIST CSF etc.)
  • Provision ID
  • Provision Title
  • Provision Description

For assessment question matching and generation, question text is submitted to the 6clicks-hosted embedding model when questions are created or updated in the application. Answer text is submitted to the OpenAI model only when the "Ask Hailey" button is clicked.

The fields involved in assessment question matching and answer generation are:

  • Assessment ID
  • Third Party Respondent ID
  • Question ID
  • Answer ID
  • Question Text
  • Answer Text
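The page describes matching assessment questions on embedding similarity while keeping each tenant's embeddings segregated by access controls. The following is an added illustration, not 6clicks' own code: a tenant-scoped in-memory store that applies the tenant filter before any similarity scoring, so a near-identical question from another tenant can never surface. The vectors are constructed 3-dimensional toy values, not real ADA-002 output, and the threshold and record layout are assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class QuestionRecord:
    tenant_id: str
    question_id: str
    text: str
    embedding: list[float]


def cosine(a: list[float], b: list[float]) -> float:
    # Cosine similarity: 1.0 means identical direction, ~0 means unrelated.
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class TenantScopedStore:
    rows: list[QuestionRecord] = field(default_factory=list)

    def upsert(self, rec: QuestionRecord) -> None:
        # Re-embedding on edit replaces the old vector for the same question.
        key = (rec.tenant_id, rec.question_id)
        self.rows = [r for r in self.rows if (r.tenant_id, r.question_id) != key]
        self.rows.append(rec)

    def similar(self, tenant_id: str, query: list[float],
                k: int = 3, min_score: float = 0.8) -> list[tuple[float, str]]:
        # The tenant filter runs before scoring, so another tenant's questions
        # never enter the candidate set however close their vectors are.
        scored = [(cosine(query, r.embedding), r.question_id)
                  for r in self.rows if r.tenant_id == tenant_id]
        scored = sorted((s, q) for s, q in scored if s >= min_score)
        return [(round(s, 3), q) for s, q in reversed(scored)][:k]


# Constructed toy vectors (assumption); real ADA-002 embeddings are far wider.
DEMO_QUERY = [0.9, 0.2, 0.0]


def build_demo_store() -> TenantScopedStore:
    store = TenantScopedStore()
    store.upsert(QuestionRecord("tenant-a", "q1", "Do you encrypt data at rest?", [1.0, 0.1, 0.0]))
    store.upsert(QuestionRecord("tenant-a", "q2", "Is MFA enforced for admins?", [0.0, 1.0, 0.1]))
    store.upsert(QuestionRecord("tenant-b", "q3", "Is customer data encrypted at rest?", [0.95, 0.15, 0.0]))
    return store
```

`build_demo_store().similar("tenant-a", DEMO_QUERY)` returns only q1 (q2 falls below the threshold), while the same query under tenant-b returns only q3 even though q1's vector is just as close.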

AI service location

Wherever possible, 6clicks' use of AI technology relies on Azure services running in the same region as the primary application instance. Sometimes, due to availability or quality, we may use Azure services in different regions. The following table shows the location of the AI models across each 6clicks application instance and function.

Function                         Australia   Aus Gov        UK         US         US Gov
(app instance)                   (app-au)    (app-au-gov)   (app-uk)   (app-us)   (app-us-gov)

Compliance mapping               Australia   Australia      UK         US         US
Policy/control set mapping       Australia   Australia      UK         US         US
Policy/control set generation    US*         US*            US*        US         US
Assessment question mapping      Australia   Australia      UK         US         US
Assessment response generation   US*         N/A*           Sweden     US         US

* 6clicks continually monitors the availability of models in different Azure regions. In Q1 2024 we intend to relocate these services to be within the same region as the 6clicks app instance.

Supervision and feedback

6clicks believes in supervision as a part of the responsible use of machine learning and artificial intelligence, even in relatively low-risk applications within GRC. We make it clear when a feature uses AI by referring to "Hailey" (refined Google BERT) or "Ask Hailey" (OpenAI GPT).

Supervision is also baked into the fundamental design of features powered by AI. When performing compliance and policy/control mapping, a human can link or delink the associations made by Hailey AI based on informative similarity scores and human judgement.

When using "Ask Hailey" to perform policy/control set development and assessment response generation, there is a button that requires active interaction to use the feature. A human can refine or reject the synthesised wording that is returned.

Policy/control mapping results are used as feedback for future iterations of the Hailey model. We collect feedback in a way that prevents the collection of individual/sensitive data and minimises the risk of any deliberate or accidental poisoning of the model.

The future of AI at 6clicks

6clicks will continue to innovate by introducing artificial intelligence and machine learning into its GRC platform in a way that seeks to mitigate risk and maximise opportunities for our customers. This involves seeking feedback from our customers.

Some of the use cases we are planning include the following:

  • automated linking of issues/incidents to risks
  • predictive risk analytics (likelihood, impact and risk rating)
  • team-wide search

More information

If you'd like more information about 6clicks' use of artificial intelligence and machine learning, please contact your account manager in the first instance, the support team if you're an existing customer or the security team if you're performing due diligence.