AI will give you a confident answer about your security controls – but can you defend it?
AI can answer almost any question about your security controls in seconds. The harder question is whether you can defend that answer to the board, an auditor, or a regulator. Here's what AI in controls assurance must get right to be trusted.
Ask almost any AI tool a question today and you will get an answer in seconds. It will be fluent, well organized, and sound completely sure of itself. In most of working life, that is enough. In security, it isn't.
During product development sessions with the Panaseer team, the question I keep coming back to isn't whether AI can answer a question about your controls (of course it can), it's whether you can stand behind that answer when someone who matters pushes back.
That is a different ask – and a different bar to set your standards at altogether. A CISO in front of the board, a governance lead evidencing a position to an auditor, a risk team answering a regulator. None of them can afford an answer that is merely plausible, they need one they can defend. A confident answer you can't trace the underlying truth data leans to the reckless rather than the prudent.
Fluent is not the same as defensible
The appeal of any generative AI tool is obvious.
It takes the friction out of getting from a question to an answer. But in a controls context, the space between a fluent answer and a defensible one is where the risk hides.
A general-purpose AI tool answers from generic best practice, or from whatever data it has been trained on or pointed at. It has no idea which numbers in your environment are stale or double-counted, so instead will revert to inventing something with total conviction. It also has no sense of role based permissions and who is allowed to see what data.
That's not helpful for a quick personal query, for a number you are about to put in a board pack, its highly problematic.
This is the problem Continuous Controls Monitoring (CCM) was built to solve. CCM is the practice of continuously checking whether your security controls are actually deployed and working across your environment, instead of assuming they are. Done well, it delivers decision-grade controls assurance; continuous, evidenced proof that your controls are holding up.
But put AI on top of data that isn’t verified, isn’t continuous, and isn’t trustworthy, you don’t close the gap between data and decision – instead, you widen it.
What AI in controls assurance has to get right
When we built our own AI tool sets at Panaseer, we set ourselves a few non-negotiables. They are less about features and more about whether you can trust what comes back.
- It has to be grounded in verified data. The answer can only ever be as good as what sits underneath it. That means reconciled, normalized data about your real assets and controls, not a model guessing at your environment.
- You have to be able to check it. You should be able to move from a plain-language answer to the actual devices behind it in a click or two. If you can't see the source, you can't defend the answer, and you can't rule out a hallucination.
- It has to respect permissions. People should only see data they are already allowed to see. An AI that quietly widens access is a governance problem dressed up as convenience.
- It should stay in its lane. A tool built for cyber controls should answer questions about cyber controls and decline the rest. We put firm guardrails around ours for that reason.
- It has to leave the user in control. The best thing an AI can do for cybersecurity controls assurance is to deliver the user a defensible answer and a sensible next step, faster.
Meet Cyber Advisor
We recently ran our first session on our latest AI enhancement, Cyber Advisor, where Thordis, one of our lead AI data scientists, and I walked through what we built and why.
We did a live demo too. Most of the conversation kept circling back to one question from the audience: How do you know you can trust what the AI tells you?
Cyber Advisor is a generative AI agent built for cyber controls, working only on your own data inside the Panaseer platform.
Cyber Advisor is a generative AI agent built for cyber controls, working only on your own data inside the Panaseer platform.
It isn't a general-purpose chatbot and it isn't a bolt-on. Underneath sits Panaseer's existing data processing, the reconciliation that turns conflicting tool outputs into one verified view. We apply AI on top, where it summarizes, reads a question however you phrase it, and suggests what to do next. Every answer links back to the underlying record so you can verify it yourself. It only ever shows data you are permissioned to see. And it won't make anything up. It will not invent a metric, a dashboard, or a remediation objective. It works on the facts already in your environment, and it leaves the decision, and the action, with you.
AI doesn't remove the need for judgment. It just gets you to the point of judgment faster, with an answer you can actually stand behind.
Frequently asked questions
Can you trust AI-generated security data?
Only when the answer is grounded in verified data and you can trace it back to the source. Trust comes from being able to check the answer, not from how sure it sounds.
How do I know an AI answer isn't a hallucination?
You check it. If the tool lets you drill from its answer down to the specific records behind it, you can confirm it for yourself. If it can't, treat the answer with caution.
Is generative AI safe to use with sensitive security data?
It can be, as long as the data stays where it is, isn't mixed across organizations, isn't used to train models for anyone else, and respects each user's existing permissions.