AI Capabilities

Learn how to use Secureframe's AI-powered features to automate compliance tasks, answer security questionnaires, assess risk, and more.

Overview of AI Capabilities in Secureframe

Automate manual tasks with Secureframe's AI-powered capabilities to efficiently manage security, risk, and compliance — saving you time so you can focus on your business and grow revenue.

Secureframe's AI features are embedded throughout the platform to help your team automate compliance work, answer security questionnaires faster, strengthen vendor risk reviews, and write better policies. This article summarizes every AI capability available, with links to detailed how-to guides for each.

Comply AI Settings & Controls

Before using AI features, confirm your settings are configured correctly.

  • Enable/disable Comply AI globally: Settings → Labs → Comply AI toggle
  • Authorize data sharing with OpenAI (required for questionnaire AI): Settings → Questionnaires → Large language model authorization
  • Enable Knowledge Base answer rephrasing: Settings → Questionnaires → Knowledge Base content rephrasing (requires LLM authorization to be enabled)

Note: Comply AI is enabled by default. Company admins can disable it at any time from Settings → Labs.

Comply AI for Test Remediation

Where: Monitoring → Tests → Test detail slideout → Overview Tab → Remediation Methods

When a compliance test is failing, Comply AI provides a step-by-step remediation assistant in a conversational chat interface using prompts like CLI, CDK, Terraform, CloudFormation and more. Ask follow-up questions and get tailored guidance specific to the failing test.

Key features:

  • Multi-turn conversation with full history context
  • Responses stream in real time
  • Thumbs up/down feedback to rate response quality

Comply AI for Evidence Validation

Where: Monitoring → Tests → Test detail slideout → Evidence tab

After uploading evidence documents, Comply AI can review to verify they satisfy the test's requirements — no manual review needed. Results appear in real time as the AI processes your files.

The AI checks for:

  • Missing evidence — whether all required documentation is present
  • Evidence issues — inconsistencies or problems found in the documents
  • Custom checks — test-specific requirements
  • Evidence date — confirms evidence is dated within the last 12 months

Supported file types: PDFs and images (up to 10MB, up to 100 pages)

Comply AI for Risk

Where: Risk Management → Risk detail → Assessment tab

Click "Complete with Comply AI" to automatically populate a risk assessment in seconds. The AI fills in any fields that haven't been set yet, so it's safe to use on partially completed assessments.

Fields populated automatically:

  • Categories & departments
  • CIA ratings (Confidentiality, Integrity, Availability)
  • Treatment decision
  • Impact and likelihood scores with written justifications
  • Residual impact and residual likelihood scores with justifications

Questionnaire Automation — AI Auto-Answer

Where: Security Questionnaires → Process questionnaire

When you upload a security questionnaire, Comply AI automatically drafts answers to every question using your Knowledge Base and policy documents as context. It cites which sources were used so you can verify and edit with confidence.

How it works:

  • If an exact match is found in your Knowledge Base, that answer is used directly
  • Otherwise, the AI generates a new answer grounded in your most relevant KB entries and policy text
  • Supports free-form, yes/no, and true/false question types
  • Sources are stored for each answer for full traceability

Questionnaire Automation — Trust AI Answer Refinement

Where: Security Questionnaires → Review questionnaire → Answer editing modal

After auto-answers are generated, Trust AI is available inside each answer's editing modal to help you refine and improve individual responses. It draws on your Knowledge Base and policy documents in real time to suggest better phrasing or fill in missing detail.

Comply AI — Vendor Risk Automated Review

Where: Vendor Risk Management → Vendor → Review tab

Comply AI can automatically answer questions in a vendor risk review questionnaire by reading through the vendor's uploaded security documents (e.g., SOC 2 reports, security policies). Answers include citations linking back to the specific document and page where the information was found.

Options:

  • Answer a single question individually
  • Bulk generate answers for all or selected unanswered questions at once (processes up to 50 questions in parallel)

This feature may be part of an upgraded plan. Contact your Customer Success Manager for access.

Comply AI — Policy Writing Assistant

Where: Policies → Open any policy → AI button in the editor toolbar

The policy editor includes a built-in AI writing assistant. Select any text and choose from a menu of AI-powered actions to improve your policy content instantly.

Action Description
Summarize content Extract key points from selected text
Improve writing Fix grammar, spelling, and clarity
Simplify language Reduce complexity for broader audiences
Expand upon Add more depth and detail
Trim content Remove redundancy and tighten prose
Change tone Professional, Casual, Direct, Confident, Friendly
Change style Business, Legal, Journalism, Medical, Poetic
Translate Spanish, French, German, Italian, Dutch

AI-Powered Knowledge Base Search

Where: Used automatically in the background during questionnaire processing

The Knowledge Base uses semantic (meaning-based) AI search, so the questionnaire AI can find relevant answers even when the wording of a question doesn't exactly match your existing content. This happens automatically — no configuration required.

Developer Access via MCP/API 

You can also use AI tools like Claude or ChatGPT to query your Secureframe compliance data in real time through the Secureframe MCP Server.

Summary of AI Features

Feature Where to Find It What It Automates
Comply AI for Remediation Monitoring → Test detail → Remediation tab Step-by-step fix guidance
Evidence Validation Monitoring → Test detail → Evidence tab Evidence review & date check
Comply AI for Risk Risk Management → Assessment tab Risk scoring & justifications
Questionnaire Auto-Answer Security Questionnaires → Process Full questionnaire drafting
Trust AI Refinement Security Questionnaires → Review Answer refinement chat
Vendor Risk AI Vendor Risk → Review tab Vendor document Q&A
Policy AI Assistant Policies → Editor toolbar Writing, editing & translation
KB Semantic Search Automatic (background) Smarter context retrieval

Frequently Asked Questions (FAQ)

What AI technologies power Secureframe's Comply AI features?

  • Add that we use the latest OpenAI models (currently GPT-5 generation), and that we update periodically to ensure we're using the most performant options available.

Is customer data sent to third-party AI providers? Where is it stored?

  • Lach's clarification on the vector store needs to be reflected here. The current draft says data and vector stores are managed by us, which is mostly true but needs a carve-out: for the Comply AI Vendor Assessment feature specifically, temporary vector stores are created in OpenAI from uploaded vendor documents and are deleted after use. This is still governed by the vendor agreement prohibiting training use.

What AI technologies power Secureframe's Comply AI features?

  • Secureframe's AI capabilities are powered by the latest OpenAI models, accessed via API. We periodically update the models we use to ensure reliability and performance. Current capabilities include large language models (LLMs) for content generation, natural language processing for document analysis, and retrieval-augmented generation (RAG) for questionnaire automation. Secureframe does not train, fine-tune, or host its own models.

Is customer data sent to third-party AI providers? Where is it stored?

  • Customer data is only processed by AI providers when you actively use AI-powered features, and only the minimum data required for each task is submitted. Customer data is stored within Secureframe's own AWS infrastructure and is logically segregated per customer.
  • One exception: the Comply AI Vendor Assessment feature creates temporary vector stores in OpenAI from uploaded vendor documents. These are deleted after use and are governed by a vendor agreement with OpenAI that prohibits use of this data for model training.

Was this article helpful?

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.