AI Features
ConcertoGRC integrates AI throughout the platform to accelerate compliance work -- analyzing documents, suggesting remediation plans, drafting policies, mapping evidence, and generating reports. AI assists but never replaces human judgment; all AI-generated content is presented as suggestions for your review.
See AI Model Cards for detailed governance controls, guardrails, and safeguards for each AI capability.
Feature Catalog
ConcertoGRC includes 36 AI-powered features across four categories. Each feature can be individually enabled or disabled, and administrators can configure models and prompt templates per feature.
Orchestrator
| Feature | Description | Default Model |
|---|---|---|
| Orchestrator Queries | Conversational AI for status lookups, complex reasoning, actions, reports, and compliance guidance. Streaming responses. | Claude Sonnet 4.5 |
Auto-Suggest
| Feature | Description | Default Model |
|---|---|---|
| Embeddings | Vector similarity search across controls, evidence, and policies for intelligent mapping suggestions | Titan Embeddings V2 |
| Explanations | "Why?" explanations for suggested mappings between controls, evidence, and other records | Claude Haiku 4.5 |
| Migration Field Mapping | Column-to-field mapping suggestions during data migration wizard imports | Claude Haiku 4.5 |
Analysis
| Feature | Description | Default Model |
|---|---|---|
| Vendor URL Discovery | Auto-discovers vendor website, trust center, and privacy policy URLs | Claude Haiku 4.5 |
| Vendor Due Diligence | Analyzes vendor questionnaire responses and generates risk assessments | Claude Sonnet 4.5 |
| Vendor Legal Review | Analyzes vendor documents through a legal lens -- privacy, terms of service, data processing, and regulatory concerns | Claude Sonnet 4.5 |
| Questionnaire Review | AI-assisted review and scoring of questionnaire responses | Claude Sonnet 4.5 |
| Risk Remediation | Generates remediation plans and treatment suggestions for identified risks | Claude Haiku 4.5 |
| Document Analysis | Analyzes uploaded documents for compliance evidence and completeness | Claude Sonnet 4.5 |
| Evidence Mapping | Maps evidence artifacts to framework controls | Claude Haiku 4.5 |
| Evidence Review | Reviews evidence artifacts against control requirements for external audit assessments | Claude Sonnet 4.5 |
| Task Prioritization | Compliance-aware rationale for dashboard task priority rankings | Claude Haiku 4.5 |
| Security Analysis | Analyzes network security group rules for misconfigurations and compliance risks | Claude Haiku 4.5 |
| Infrastructure Remediation | Generates step-by-step remediation guidance with AWS CLI commands for infrastructure findings | Claude Haiku 4.5 |
| Transcript Analyser | Parses compliance meeting transcripts into categorized, actionable suggestions | Claude Sonnet 4.5 |
| Commitment Extraction | Extracts security and compliance commitments from customer contracts with source-clause traceability | Claude Sonnet 4.5 |
| Contract Text OCR | Text extraction from contract documents using AWS Textract for scanned/image-based PDFs | Textract |
| PIA Gap Analysis | Identifies privacy regulation compliance gaps across GDPR, CCPA, and ISO 27701 | Claude Sonnet 4.5 |
| Scan Finding Analysis | Plain-language explanation of vulnerability scan findings with impact assessment and remediation guidance | Claude Haiku 4.5 |
Generation
| Feature | Description | Default Model |
|---|---|---|
| Policy Drafting | Generates or reviews policy documents based on framework requirements. Streaming. | Claude Sonnet 4.5 |
| Report Narrative | Drafts executive summaries and compliance report narratives. Streaming. | Claude Sonnet 4.5 |
| Initiative Status Update | Generates concise status updates for initiatives based on description and supporting tasks | Claude Haiku 4.5 |
| AI Generate (General) | General-purpose generation via the prompt template system | Claude Sonnet 4.5 |
| Policy Variable Suggestions | Analyzes policy template content and suggests where text should be replaced with template variables | Claude Haiku 4.5 |
| Evidence Gap Suggestion | Drafts evidence requests for framework controls that lack evidence mappings | Claude Haiku 4.5 |
| Activity Generation | Drafts recurring activity definitions for framework controls without activity mappings | Claude Haiku 4.5 |
| Assessment Finding Generation | AI-assisted drafting of formal assessment findings from auditor descriptions | Claude Haiku 4.5 |
| BIA Environment Import | Generates BIA records from environment descriptions with vendor/risk/dependency linking | Claude Sonnet 4.5 |
| Risk Register Generation | Generates risk register records from environment descriptions with framework control mapping | Claude Sonnet 4.5 |
| AI Workspace | General-purpose AI assistant with document upload, analysis, and streaming chat | Claude Sonnet 4.5 |
| PIA Section Drafting | Drafts responses for privacy impact assessment sections given vendor context | Claude Sonnet 4.5 |
| Training Content Generation | Generates complete training modules with slides, quizzes, scenarios, and artifacts | Claude Sonnet 4.5 |
| Infrastructure Diagram -- AI Generate | Generates network infrastructure diagrams from text descriptions. Streaming. | Claude Sonnet 4.5 |
| Infrastructure Diagram -- Import | Extracts infrastructure components from uploaded PDF or image diagrams and reconstructs them as a canvas | Claude Sonnet 4.5 |
| Customer Notification Draft | AI-generated customer notification drafts personalized to tier, contractual language, and incident details | Claude Sonnet 4.5 |
AI Workspace
The AI Workspace provides a conversational interface for compliance queries, document analysis, and data lookups with streaming responses. Upload documents for analysis, ask questions about your compliance program, and get help with any task.
Conversations are saved automatically and can be resumed later. The workspace supports file uploads for document analysis and provides context-aware responses based on your organization's data.
Models
| Model | Provider | Use Cases |
|---|---|---|
| Claude Sonnet 4.5 | Anthropic via AWS Bedrock | Complex analysis, document review, detailed generation, streaming tasks |
| Claude Haiku 4.5 | Anthropic via AWS Bedrock | High-volume field suggestions, quick mappings, lightweight analysis |
| Claude Sonnet 4 | Anthropic via AWS Bedrock | Available alternative for complex tasks |
| Claude Opus 4.6 | Anthropic via AWS Bedrock | Highest quality for critical assessments and board-level reports |
| Titan Embeddings V2 | Amazon | Vector embeddings for similarity search across compliance records |
All AI processing is performed via Amazon Bedrock within AWS. Your data is not used to train AI models and is not retained by the model provider beyond the request lifecycle.
Transparency and Human Oversight
- All AI-generated content is clearly marked with the ConcertoGRC AI icon
- The platform never auto-applies AI suggestions without human confirmation
- You always have the opportunity to review, edit, or discard AI output before it affects any record
- Every AI invocation is logged with a full audit trail (input, output, model, user, timestamp)
- AI features can be globally enabled or disabled per organization
- Access can be restricted to platform operators only or opened to all users
Configuration
Administrators can configure AI behavior from Settings → AI. Each feature is represented as a card showing the feature name, description, assigned model, and current status.
Configuration options include:
- Enable/disable individual features with toggle switches
- Model selection per feature (where multiple models are supported)
- Prompt templates with {{variable}} placeholders populated from record fields
- Inference settings -- max tokens and temperature overrides per feature
- Category filtering -- filter by Orchestrator, Auto-Suggest, Analysis, or Generation
Tenant administrators can view feature configurations and, when permitted, customize prompt templates for their organization while inheriting platform defaults.
See AI Configuration for detailed setup instructions.