Revolutionizing GRC with AI: Harnessing the power of LLM and RAG technologies
Introduction
In the rapidly evolving landscape of Governance, Risk, and Compliance (GRC), the integration of
artificial intelligence (AI) has emerged as a transformative force. This technical whitepaper, intended
for GRC professionals and industry analysts with a deep understanding of both the GRC landscape
and recent advancements in AI technologies, explores the groundbreaking capabilities of Hailey, the
AI engine powering 6clicks.
Hailey was first developed in 2020, before generative AI tools became widely popular, and its
continuous evolution since then represents a pioneering effort in applying AI to GRC challenges. This whitepaper
delves into the technical underpinnings of Hailey, its unique features within the 6clicks platform, and
its implications for the future of GRC practices.
Key areas of focus include:
• The architectural design of Hailey and its integration within the 6clicks Hub & Spoke model
• Hailey's advanced contextual awareness and permission-based operation
• The practical applications of AI in GRC tasks and workflows
• The technological advancements that set Hailey apart in the GRC software landscape
As we explore these topics, we aim to provide a comprehensive understanding of how Hailey is
reshaping GRC strategies and operations, offering insights into the future direction of AI-powered
GRC solutions.
Note: This document contains confidential information and is intended solely for GRC professionals
and industry analysts. It assumes a high level of familiarity with both GRC concepts and recent
developments in AI technologies.
Hailey vs. generic AI: Purpose-built intelligence for GRC
In the evolving landscape of GRC software, the emergence of generative AI has led to a proliferation
of solutions claiming AI capabilities. However, it's crucial to distinguish between genuine AI-driven
innovations and what industry experts term “AI washing” – the practice of rebranding simple
automation as AI to generate market interest.
Beyond AI washing and prompt engineering
Many vendors in the GRC space have adopted AI terminology to describe what is essentially rule-
based automation – 'if-then-else' logic that has been a staple of software development for decades.
This rebranding effort, while potentially effective for lead generation, does not represent true AI
integration or innovation.
Similarly, “prompt engineering” – the optimization of queries for large language models (LLMs) like
ChatGPT – has gained traction as a method to create the appearance of enhanced intelligence. While
this approach can yield impressive results in generative tasks, it falls short in addressing the
complex, action-oriented needs of GRC processes.
Hailey: A purpose-built AI engine for GRC
Hailey, our proprietary AI engine, stands apart from these surface-level applications of AI. Developed
through years of research and collaborative efforts across data science, scale engineering, and
specialized AI tools, Hailey exhibits four key characteristics that set it apart:
a) Action-based intelligence
Generative AI tools excel at understanding natural language queries and producing information-
based responses. However, they often lack the ability to execute actions within specific systems due
to limited integration and contextual awareness.
Hailey, in contrast, is designed with a core focus on task completion, not just information retrieval.
This action-oriented approach is achieved through:
1. Contextual understanding of system-specific functions, actions, workflows, and user
experiences, aligned with natural language requests
2. Deep linking and dynamic application logic that enable system navigation and action
initiation based on user intent
For example, when asked “How do I create a risk?”, Hailey provides:
• Specific, actionable steps: “Click here to create a risk in the system, enter the requested data,
and click OK.”
• Relevant resources: “Here's a Knowledge Base article describing the process of creating a risk
in 6clicks.”
Figure 1 - Hailey generating a context/system-aware response on how to create a risk (video: Hailey vs. ChatGPT comparison)
In contrast, a typical AI might offer a lengthy, abstract methodology that, while informative, lacks
practical utility for practitioners who already understand the 'why' but need to know the 'how' in
concrete terms.
Figure 2 - ChatGPT providing a generic response on how to create a risk (video: Hailey vs. ChatGPT comparison)
This practical, system-aware approach makes Hailey particularly valuable for users seeking to
efficiently complete tasks rather than just access general information.
b) Authorization-aware operations
Hailey distinguishes itself from generic AI models by operating with a comprehensive understanding
of the 6clicks platform's user permissions and data access rights. This capability ensures:
1. Responses and suggested actions are precisely tailored to each user's specific access level
2. Sensitive information is protected, maintaining data integrity and compliance
Figure 3 - Example of Hailey being authorization-aware
Beyond its AI capabilities, 6clicks features a unique Hub & Spoke architecture designed for federated
businesses. In this context, Hailey demonstrates advanced awareness:
• It can respond based on data stored across the entire Hub & Spoke environment, including
multiple Spokes.
• Hailey's responses are contextually aware of the user's position within the application's
organizational structure.
Figure 4 - 6clicks Hub & Spoke architecture for federated deployment
For instance, a user at the Hub level with access to Spokes 1 and 2 would have access to the Hub,
Spoke 1, and Spoke 2 data, while a user in Spoke 1 would only have access to data in Spoke 1.
This combination of permission-aware AI and architectural understanding allows Hailey to provide
highly relevant, secure, and context-specific assistance across complex organizational structures.
c) Organizational intelligence
Hailey's most distinctive feature is its ability to comprehend and utilize the vast array of risk and
compliance data specific to each organization. This encompasses:
• A holistic view of audit histories, risk assessments, and incident reports
• Understanding of the organization's regulatory compliance landscape
• The ability to draw insights and make recommendations based on this comprehensive
organizational context
Figure 5 - Hailey recommending a response based on the organizational data the user has access to
d) Next-generation automation
Hailey goes beyond simple task execution by offering next-generation automation capabilities. This
results in a 10-100x productivity boost for various manually intensive risk and compliance activities.
Key areas include:
• Policy gap analysis: automated mapping of internal controls to widely adopted regulations
and standards, such as GDPR, DORA, NIST publications and ISO standards, to identify where the
organization is compliant and where gaps remain.
• Regulatory cross-compliance mapping: automated mapping between those same frameworks, so
that obligations shared by several of them are handled once rather than separately per
framework, streamlining multi-framework compliance.
• Automated assessment response: AI-driven responses to audits, assessments, and
questionnaires, powered by historical responses and data, compliance reports, and other
documentation.
• Control definition generation: AI-generated control definitions based on external
compliance requirements.
• Recommended remediation generation: AI-generated recommendations for mitigating and
managing identified risks and issues based on audit and assessment responses.
• Hailey Assist: Powered by our Enterprise Action Model (EAM) for NLP-based search,
navigation, and contextual action. This AI-driven tool enables users to quickly find relevant
information, navigate complex data, and perform actions based on a specific context,
significantly improving efficiency and decision-making.
The tangible difference
These features enable Hailey to provide advanced capabilities across cyber GRC domains, including
security compliance, risk and incident management, third-party risk management, and operational
resilience, far surpassing a simple interface and generative AI model:
• Contextual recommendations: Hailey can suggest actions based on historical data, current
risk profiles, and upcoming compliance deadlines.
• Proactive risk management: By analyzing patterns in organizational and third-party data,
Hailey can identify potential issues and risks before they escalate.
• Efficient compliance mapping: Hailey can rapidly link new and updated regulations with
existing controls and policies, streamlining the compliance process across multiple
frameworks.
• Expedited audit readiness: Hailey enhances audit preparation by collecting, organizing, and
recommending relevant data points and supporting evidence.
• Operational resilience: Hailey helps identify and flag potential incidents early in their
lifecycle, recommends appropriate remediation activities, and minimizes business
disruption.
• Intelligent reporting: Generate insightful reports that not only compile data but offer
strategic analysis and action items.
Continuous evolution
Unlike static prompt-engineered solutions, Hailey is designed for continuous learning and
improvement. As it interacts with more data and user behaviors within the GRC context, its
capabilities expand, ensuring that 6clicks clients always have access to cutting-edge AI assistance
tailored to their specific and changing needs.
While many GRC vendors may claim AI capabilities, Hailey represents a fundamental shift in how AI
is integrated into GRC processes. It's not just about providing information or automating simple
tasks – it's about creating an intelligent partner that understands the complexities of GRC and the
specific context of your organization and can take meaningful actions to drive efficiency and
effectiveness in your risk and compliance activities.
Technological foundation and proprietary innovation
Hailey, 6clicks' AI engine for GRC, leverages artificial intelligence to transform governance, risk, and
compliance processes. Its architecture combines cutting-edge technology with deep GRC domain
expertise to provide contextual, actionable insights.
For a high level schematic of the Hailey architecture, see Appendix 1.
Core architecture: The triad of intelligence
At the heart of Hailey lies a tripartite architecture that blends cutting-edge AI technologies with deep
GRC domain expertise. This triad – indexing, retrieval, and generation – forms the foundation upon
which we've built a system that doesn't just process information, but truly understands and
contextualizes it within the complex landscape of GRC.
Figure 6 - The triad of intelligence
1.1 Indexing: The knowledge foundation
Imagine a vast library where every piece of information – from regulatory guidelines to company-
specific policies, audits, assessments, and risk and issue registers – is not just stored but understood
at a fundamental level. This is what our indexing system achieves. Leveraging Azure AI Search, we've
created a vector index that goes beyond what a conventional data store can offer.
Each piece of information, public or confidential, is converted into a multidimensional vector
embedding that captures the semantic meaning of the text rather than its exact wording, so that two
passages about the same obligation land close together even when they share no keywords. Each vector is
stored together with metadata (such as ownership, status and tenant), which is what later lets retrieval
filter results and connect related items, much as a human expert would connect disparate facts to
form a cohesive understanding.
Our indexing process is also acutely aware of the multi-tenant nature of the 6clicks platform which
we call Hub & Spoke. By implementing tenant-aware indexing, we ensure that data remains securely
compartmentalized, respecting the boundaries between different organizations while still allowing
for comprehensive analysis within each tenant's domain.
1.2 Retrieval: The art of relevance
When a user interacts with Hailey, they're not just querying a database; they're initiating a
sophisticated process of knowledge discovery. The retrieval phase is where the magic of contextual
understanding truly comes to life.
As a user's query is received, it undergoes the same transformation as the indexed data: it is
converted into a vector with the same embedding model. That vector is then matched against the
vector index to pull back the most similar records. This is not exact keyword matching: nearest-neighbour
similarity (for example cosine similarity between query and document vectors) surfaces passages
whose meaning is close to the query even when the wording differs.
Figure 7 - The process of retrieving data from the vector database
The retrieval process is akin to a highly skilled librarian who doesn't just find books that match
keywords but understands the deeper intent of the query and retrieves information that truly
addresses the user's needs. This contextual retrieval ensures that the information provided is not
just relevant, but precisely tailored to the specific GRC context of the query.
1.3 Generation: Where knowledge meets creativity
The final step in this triad is where Hailey truly shines. The generation phase is not merely about
producing an answer; it's about crafting a response that combines deep knowledge with contextual
understanding.
Our engine takes the original query and enriches it with the meticulously retrieved contextual
information. This enriched prompt is then processed to generate a response that is not just accurate,
but insightful and actionable within the GRC context.
Think of this phase as a conversation with a seasoned GRC expert who not only has all the relevant
information at their fingertips but also the wisdom to apply it to your specific situation. The
responses generated are tailored to the user's role, permissions, and the specific GRC landscape of
their organization.
The heart of Hailey: Our advanced language model
At the core of Hailey's capabilities is our proprietary large language model (LLM). This is not an off-
the-shelf solution but a finely tuned AI that has been trained on vast amounts of GRC-specific data.
Our LLM is the culmination of years of research and development in natural language processing. It
possesses an unparalleled understanding of GRC terminology, regulations, and best practices. But
what truly sets it apart is its ability to grasp context and nuance in a way that mimics human
expertise.
Figure 8 - The benefits of LLMs
This model doesn't just process language; it understands the intricate dance of compliance, risk
management, and governance. It can decipher complex regulatory texts, interpret policy
implications, and even predict potential risk scenarios based on subtle cues in the data.
The continuous learning capability of our LLM ensures that it stays at the cutting edge of GRC
knowledge. As regulations evolve and new best practices emerge, our model adapts, ensuring that
Hailey always provides the most up-to-date and relevant insights.
Retrieval-augmented generation: The future of AI-driven GRC
While our LLM forms the brain of Hailey, the retrieval-augmented generation (RAG) system is its
nervous system, connecting vast stores of knowledge with real-time processing capabilities. This
innovative approach sets Hailey apart in the world of AI-driven GRC solutions.
Figure 9 - A high level diagram of 6clicks' RAG architecture
3.1 Intent classification: Understanding the unspoken
Part of our RAG is an advanced intent classification mechanism. This isn't just about understanding
words; it's about deciphering the true intent behind a user's query.
Using sophisticated prompt engineering techniques and leveraging the capabilities of the OpenAI
API, we've created a system that can accurately interpret the nuances of user inputs. Whether a user
is seeking clarification on a specific regulation, looking for risk assessment strategies, or trying to
understand compliance implications, our intent classification system ensures that the query is
routed to the most appropriate knowledge sources.
This intelligent routing is crucial in the complex world of GRC, where a simple question can have
multifaceted implications across various domains of governance, risk, and compliance.
3.2 Hybrid vector database search: The best of both worlds
In our quest to provide the most relevant and accurate information, we've developed a hybrid
search approach that combines the strengths of semantic search with the precision of traditional
text-based search.
The semantic search component utilizes vector similarity to understand the conceptual meaning
behind queries. This allows Hailey to grasp the intent behind a question, even when it's phrased in
an unconventional manner. It's akin to having a GRC expert who can read between the lines and
understand what you're really asking.
Complementing this is our enhanced text-based search, which employs the BM25 algorithm coupled
with advanced language analyzers. This ensures that specific terminologies and key phrases in GRC
are never missed, providing a safety net for precise information retrieval.
This dual approach, inspired by the latest advancements in search technologies like those seen in
Azure AI Search, allows Hailey to provide responses that are both conceptually relevant and
terminologically precise.
3.3 Semantic reranking: Refining for relevance
The final piece in our RAG puzzle is the semantic reranking system. In the vast sea of GRC
information, finding relevant data is only half the battle; presenting it in order of importance is
equally crucial.
Our semantic reranking system evaluates the retrieved information against the user's query,
considering factors like relevance, recency, and authority of the source. This process ensures that
the most pertinent information rises to the top, allowing users to quickly access the most valuable
insights.
This reranking isn't just about sorting; it's an intelligent process that considers the user's context,
their role in the organization, and the specific GRC landscape they operate in. The result is a curated
set of information that feels less like a database query and more like a consultation with a team of
GRC experts.
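As an added illustration of sections 3.2 and 3.3 (example code written for this page, not 6clicks' or Azure AI Search's implementation), the following Python builds both retrieval legs over a small constructed corpus, fuses their rankings with reciprocal rank fusion, and then reranks the fused list on relevance, source authority and recency. The embedding function is a vocabulary count vector used as an offline stand-in for a real embedding model, so the "semantic" leg here is still lexical; the corpus, the authority weights and the reference date are assumptions.

```python
import math
import re
from collections import Counter
from datetime import date

TOKEN = re.compile(r"[a-z0-9]+")

def tokenize(text):
    return TOKEN.findall(text.lower())

# Constructed sample corpus standing in for indexed GRC content (not 6clicks data).
# Each entry carries the metadata the reranker uses: source type and last update.
DOCS = [
    {"id": "kb-001", "source": "knowledge_base", "updated": date(2024, 3, 1),
     "text": "How to create a risk in the risk register: open Risks, click New, "
             "fill in likelihood and impact, then save."},
    {"id": "pol-017", "source": "policy", "updated": date(2022, 6, 15),
     "text": "Information security policy: risk assessments are performed annually "
             "and reviewed by the risk committee."},
    {"id": "kb-002", "source": "knowledge_base", "updated": date(2024, 1, 10),
     "text": "Mapping controls to ISO 27001 Annex A: use the framework mapping "
             "screen to link each control."},
    {"id": "aud-009", "source": "audit", "updated": date(2023, 11, 2),
     "text": "Audit finding: DORA ICT risk management requirements not yet mapped "
             "to internal controls."},
]

# --- semantic leg -----------------------------------------------------------
# Assumption: a vocabulary count vector stands in for a real embedding model so
# the example runs offline. Replace embed() with an embedding API call in practice.
VOCAB = sorted({t for d in DOCS for t in tokenize(d["text"])})

def embed(text):
    counts = Counter(tokenize(text))
    return [float(counts[t]) for t in VOCAB]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

DOC_VECS = [embed(d["text"]) for d in DOCS]

# --- keyword leg: Okapi BM25 --------------------------------------------------
K1, B = 1.5, 0.75

class BM25Index:
    def __init__(self, docs):
        self.tf = [Counter(tokenize(d["text"])) for d in docs]
        self.dl = [sum(c.values()) for c in self.tf]
        self.avgdl = sum(self.dl) / len(docs)
        df = Counter(t for c in self.tf for t in c)
        n = len(docs)
        self.idf = {t: math.log(1 + (n - f + 0.5) / (f + 0.5)) for t, f in df.items()}

    def score(self, query, i):
        norm = K1 * (1 - B + B * self.dl[i] / self.avgdl)
        total = 0.0
        for t in tokenize(query):
            f = self.tf[i].get(t, 0)
            if f:
                total += self.idf[t] * f * (K1 + 1) / (f + norm)
        return total

INDEX = BM25Index(DOCS)

# --- fusion and reranking ---------------------------------------------------
def ranked(scores):
    """Document indices by descending score; ties keep corpus order."""
    return sorted(range(len(scores)), key=lambda i: -scores[i])

def rrf(rankings, k=60):
    """Reciprocal rank fusion: a doc scores 1/(k+rank) in each leg, summed."""
    fused = Counter()
    for order in rankings:
        for rank, i in enumerate(order, start=1):
            fused[i] += 1.0 / (k + rank)
    return fused

AUTHORITY = {"policy": 1.0, "audit": 0.9, "knowledge_base": 0.7}  # assumed weights

def rerank(fused, today, w_rel=0.7, w_auth=0.15, w_rec=0.15):
    """Order on fused relevance (normalised to the best hit), source authority
    and recency (1.0 today, 0.5 after a year, decaying further)."""
    best = max(fused.values())
    scored = []
    for i, f in fused.items():
        d = DOCS[i]
        recency = 1.0 / (1.0 + (today - d["updated"]).days / 365.0)
        final = w_rel * f / best + w_auth * AUTHORITY[d["source"]] + w_rec * recency
        scored.append((final, i))
    scored.sort(key=lambda p: -p[0])
    return [DOCS[i] for _, i in scored]

def hybrid_search(query, top_k=3, today=date(2024, 6, 1)):
    bm25 = [INDEX.score(query, i) for i in range(len(DOCS))]
    q = embed(query)
    semantic = [cosine(q, v) for v in DOC_VECS]
    fused = rrf([ranked(bm25), ranked(semantic)])
    return rerank(fused, today)[:top_k]

if __name__ == "__main__":
    for d in hybrid_search("how do I create a risk"):
        print(d["id"], d["source"], d["updated"])
```

Two things worth noticing when adapting this: BM25 is what guarantees an exact identifier in the query (a control number, a regulation name such as DORA) is never lost, while the fused score is what keeps an old but authoritative policy from outranking the procedure the user actually asked for; the relative weights in rerank decide that trade-off and should be tuned on real queries rather than copied from here.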
Data flow and processing: The lifeblood of intelligent GRC
The sophistication of Hailey's responses is a direct result of our approach to data flow and
processing. This is where we transform raw data into actionable GRC intelligence.
Contextually aware and secured data processing
Figure 10 - Data flow and processing underpinning Hailey
4.1 Corpus and indexing: Building the knowledge foundation
Currently, we're indexing two primary types of data sources, each bringing unique value to our GRC
intelligence:
• SQL database: This forms the structured backbone of our knowledge base. We focus on
fields rich in GRC relevance, such as detailed descriptions of policies, risk assessments, and
compliance procedures. Additionally, we capture crucial metadata like ownership
information and status updates. This structured data allows for precise querying and forms
the factual foundation of our responses.
• Text data: At present, this primarily consists of our extensive Knowledge Base articles. These
articles are a treasure trove of GRC insights, best practices, and interpretations of complex
regulatory requirements. The beauty of our system lies in its extensibility – we have the
capability to incorporate any form of textual data, from regulatory documents to internal
policy manuals.
A key feature of our indexing process is the tagging of private data with tenant IDs. This ensures that
in our multi-tenant environment, data access is strictly controlled, maintaining the confidentiality
and integrity of each organization's sensitive information.
4.2 GRC-specific model tuning: Tailoring AI for compliance excellence
Our commitment to GRC excellence is reflected in the continuous fine-tuning of our language model.
This isn't a one-time process but an ongoing evolution:
• We leverage proprietary GRC datasets, ensuring our model understands the latest in
regulatory requirements and compliance best practices.
• Real-world interactions within the 6clicks platform feed back into our model, allowing it to
learn from the collective wisdom of GRC professionals using our system.
• Our team of GRC experts regularly updates the model with the latest regulatory changes and
emerging compliance trends, ensuring Hailey stays ahead of the curve.
4.3 Tenant-aware processing: Security in a multi-tenant world
In the sensitive realm of GRC, data security and access control are paramount. Our tenant-aware
processing ensures:
• Stringent data access boundaries based on tenant and user IDs
• Metadata tagging in our vector database that allows for granular access control
• The ability to handle highly sensitive, private data with the utmost security measures
This approach allows us to maintain the highest standards of data protection while still providing
comprehensive, organization-specific insights.
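To make the tenant- and permission-aware retrieval of section 4.3 (and of "Authorization-aware operations" above) concrete, here is an added Python example, not 6clicks code, of the access model the page describes: every indexed item is tagged with a tenant ID (and optionally a per-user ACL), a user's readable scope is derived from the Hub & Spoke rule, and that scope is applied as a filter before any scoring or ranking runs, so the prompt handed to the model can only ever be assembled from data the caller is entitled to. The tenant names, the Principal and IndexEntry types, the ACL field and the sample documents are constructed for the example; the overlap score is a placeholder for whatever similarity the real index computes.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

TOKEN = re.compile(r"[a-z0-9]+")

def tokenize(text):
    return TOKEN.findall(text.lower())

PUBLIC = "public"   # assumed tag for Knowledge Base content every tenant may read

@dataclass(frozen=True)
class Principal:
    """The caller as the platform authenticated them: who they are and which
    Hub/Spoke tenants they may read. Never derived from the query text."""
    user_id: str
    tenant_scope: FrozenSet[str]

def scope_for(position, spokes=()):
    """Hub & Spoke rule from the page: a Hub user sees the Hub plus the Spokes
    they were granted; a Spoke user sees only their own Spoke."""
    if position == "hub":
        return frozenset({"hub", *spokes})
    return frozenset({position})

@dataclass
class IndexEntry:
    doc_id: str
    tenant_id: str
    text: str
    acl: Optional[FrozenSet[str]] = None   # None: any member of the tenant may read
    tokens: FrozenSet[str] = field(init=False, default=frozenset())

    def __post_init__(self):
        self.tokens = frozenset(tokenize(self.text))

class TenantIndex:
    def __init__(self):
        self.entries = []

    def add(self, doc_id, text, tenant_id=None, acl=None):
        # Fail closed: content that arrives without a tenant tag is not indexed,
        # so it can never be mistaken for shared data.
        if not tenant_id:
            raise ValueError(f"{doc_id}: refusing to index content without a tenant_id")
        self.entries.append(IndexEntry(doc_id, tenant_id, text,
                                       frozenset(acl) if acl else None))

    def visible_to(self, principal):
        """Mandatory pre-filter: the scoring loop only ever sees entries the
        caller is entitled to, so no out-of-scope text can influence a result."""
        allowed = principal.tenant_scope | {PUBLIC}
        return [e for e in self.entries
                if e.tenant_id in allowed
                and (e.acl is None or principal.user_id in e.acl)]

    def search(self, principal, query, top_k=3):
        q = set(tokenize(query))
        scored = []
        for e in self.visible_to(principal):     # filter first, then rank
            overlap = len(q & e.tokens)
            if overlap:
                scored.append((overlap / len(q), e))
        scored.sort(key=lambda p: -p[0])       # stable: ties keep index order
        return [e for _, e in scored[:top_k]]

def build_context(index, principal, query):
    """Passages destined for the model prompt, as (doc_id, tenant_id) pairs.
    Re-checks the scope invariant at the last step as defence in depth."""
    hits = index.search(principal, query)
    for h in hits:
        if h.tenant_id not in principal.tenant_scope | {PUBLIC}:
            raise PermissionError(f"{h.doc_id} leaked past the tenant filter")
    return [(h.doc_id, h.tenant_id) for h in hits]

# Constructed sample data (not 6clicks content).
INDEX = TenantIndex()
INDEX.add("kb-create-risk", "How to create a risk: open the risk register and click New.", PUBLIC)
INDEX.add("hub-risk-42", "Hub risk register entry: supplier concentration risk in payments.", "hub")
INDEX.add("s1-audit-7", "Spoke 1 audit: access review overdue for finance systems.", "spoke-1")
INDEX.add("s2-risk-9", "Spoke 2 risk: ransomware exposure in warehouse OT network.", "spoke-2")
INDEX.add("hub-board-1", "Board paper: confidential acquisition risk assessment.", "hub", acl={"alice"})

ALICE = Principal("alice", scope_for("hub", ["spoke-1", "spoke-2"]))  # Hub user, both Spokes
CAROL = Principal("carol", scope_for("hub", ["spoke-1", "spoke-2"]))  # same scope, not on the board ACL
BOB = Principal("bob", scope_for("spoke-1"))                          # Spoke 1 only

if __name__ == "__main__":
    for who in (ALICE, CAROL, BOB):
        print(who.user_id, build_context(INDEX, who, "risk register"))
```

The two properties a practitioner should verify in any such pipeline are the ones the checks below exercise: an item indexed without a tenant tag is rejected rather than silently treated as shared, and a Spoke 1 user searching for text that exists only in the Hub or in Spoke 2 gets an empty result rather than a ranked hint that the document exists. The filter must run on the index side, before ranking; an instruction in the prompt asking the model to "only use the user's data" is not an access control.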
Charting the future: Ongoing innovations
As we look to the horizon, our team is actively working on several exciting enhancements:
• We're expanding our indexing capabilities to encompass an even wider range of data
sources, including real-time regulatory feeds and industry-specific compliance databases.
• Our research team is developing more advanced semantic understanding algorithms,
pushing the boundaries of AI's ability to interpret complex GRC scenarios.
• We're continuously optimizing our RAG pipeline, aiming for even greater accuracy and
relevance in our responses.
• We continue to pioneer our unique Enterprise Action Model (EAM) to further support the
automation and triggering of GRC workflows through our embedded GRC chat assistant,
Hailey Assist.
• We are also expanding our integration capability to make Hailey accessible and useful in
third-party business tools, connecting GRC programs with non-GRC professionals and the
wider business.
These ongoing innovations underscore our commitment to keeping Hailey at the cutting edge of AI-
driven GRC solutions.
Conclusion
The technological foundation of Hailey represents a quantum leap in the application of AI to
governance, risk, and compliance. By combining advanced language processing, sophisticated data
handling, and deep GRC domain expertise, we've created a system that doesn't just assist in GRC
tasks – it elevates the entire practice of GRC to new heights of efficiency and insight. In a world
where organizations must navigate complex regulatory environments and a plethora of existing and
emerging risks, Hailey stands as a transformative asset, offering a simpler, more efficient way to
build resilient and effective GRC programs.
As we continue to push the boundaries of what's possible in AI-driven GRC, we remain committed to
our vision of transforming how organizations approach governance, risk management, and
compliance. With Hailey, we're not just preparing for the future of GRC – we're actively shaping it.
Appendix 1
Figure 11 - Schematic of Hailey's architecture