Before (the problem)
Even with the benchmark data normalized (see the Security Baseline Dashboard),
answering an actual compliance question still meant a human digging through rules by
hand. And the answers AI tools usually give to compliance questions share one fatal
flaw: they cannot be verified. An unsourced “yes, you’re covered” is worth nothing
in an audit.
What we built
An AI compliance analyst layered on the baseline data:
- Answers natural-language compliance questions over the CIS rule set
- Cites the underlying CIS rule IDs for every answer
- Retrieval over the rule library so responses are grounded, not generated from
memory
How it works
- A question is posed in plain language.
- PRISMA retrieves the relevant rules from the normalized CIS store.
- Claude reasons over the retrieved rules to compose an answer.
- The answer ships with the cited rule IDs, so a reviewer can verify it.
Outcomes
- Every answer is traceable to a cited rule — auditable, not a guess
- Makes an 11,000+ rule library conversational instead of a manual lookup
- Closes the trust gap that makes most AI compliance answers unusable
Stack & role
Claude API · Retrieval over CIS rules · Node.js. Built & operated in-house.
Timeline
Built in-house; live. Sits on top of the Security Baseline Dashboard’s data layer.
What it proves
AI for compliance is only useful when it is verifiable. PRISMA’s answers carry their
citations — the difference between a conversational tool and an auditable one.