Tools & Technology

Privacy-First GRC Analysis Tool Launched: Honest Assessment Reveals AI's Current Limitations and Strengths

Global · · benluthy.com

A new, locally-run GRC analysis tool, Lacunae ControlSense, has been released, offering a privacy-first approach to mapping security controls to frameworks like NIST CSF, CIS, and NIST AI RMF. This article provides a transparent look at its development and, crucially, an honest evaluation of its performance, highlighting both its utility as a decision-support tool and the current accuracy limitations of AI in complex GRC tasks. Internal audit and assurance professionals should note the emphasis on local processing for sensitive data and the candid discussion of model accuracy, which offers valuable insights into integrating AI responsibly into GRC workflows.


Introducing Lacunae ControlSense: A Privacy-First GRC AI Tool

Ben Luthy, a security governance practitioner, has launched Lacunae ControlSense, an innovative GRC analysis tool designed to streamline the laborious process of mapping security controls to various frameworks. Unlike many AI-driven solutions, ControlSense prioritizes data privacy by operating entirely on local hardware, ensuring that sensitive policy documents and control environments never leave the user's machine. This 'local-only' design addresses a critical concern for security teams handling confidential information, making it a viable option for real-world GRC applications. The tool currently maps controls to NIST CSF 2.0, CIS Controls v8, NIST AI RMF, and OWASP LLM Top 10, with NIST 800-53 planned for future releases. Beyond mapping, it identifies coverage gaps, suggests remediations, and generates auditable gap registers, functioning as a valuable decision-support system for GRC professionals.

The Practitioner's Journey: Building AI with Domain Expertise

Luthy's background as a security governance expert, rather than a career software engineer, is central to ControlSense's development. He leveraged AI-assisted development to build the tool, emphasizing that domain judgment was the most critical component. The model was fine-tuned using 168 examples across 12 GRC domains, all authored by Luthy himself. This approach highlights the potential for domain experts to build specialized AI tools that address specific industry challenges, rather than solely relying on vendors. His experience demonstrates that with the right domain knowledge and a willingness to learn modern AI stacks, practitioners can create impactful solutions, even if the journey involves unexpected challenges and honest self-assessment.

An Honest Look at AI Performance: Accuracy and Error Management

A standout feature of Luthy's launch is his transparent and honest evaluation of ControlSense's performance. Through a rigorous evaluation harness of 100 hand-curated control statements, the model achieved a 53.1% accuracy rate for required-mapping to NIST CSF 2.0. Luthy candidly discusses this "humbling" number, explaining that while not exceptionally high, the errors were largely "defensible-but-imprecise," often selecting an adjacent subcategory within the correct family rather than producing nonsensical results. Crucially, he also measured the model's fabrication rate of framework IDs, which was 5.2% at the model level. However, through robust engineering and a runtime validator, the product-level fabrication rate was reduced to 0.0%, ensuring that users never receive confidently wrong or non-existent mappings. This commitment to transparency and error mitigation is a vital lesson for anyone integrating AI into critical assurance functions.

Implications for Audit and Assurance Professionals

For internal audit and assurance professionals, ControlSense offers a glimpse into the future of AI-assisted GRC. While not an oracle, it serves as a powerful decision-support tool that can significantly reduce the initial, tedious work of control mapping. The emphasis on local processing means that organizations can leverage AI for sensitive GRC tasks without compromising data security. The honest assessment of its accuracy underscores the importance of human oversight and expert judgment in reviewing AI-generated outputs. Professionals should view such tools as aids to enhance efficiency and provide a structured starting point, rather than replacements for their critical analytical and decision-making roles. The open-source nature of ControlSense also encourages collaboration and feedback, fostering continuous improvement in the application of AI within the GRC landscape.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →