Page 186 - Cyber Defense eMagazine September 2025

Each of these regulators has its own tweaks and expectations. For example, the NYDFS explicitly requires firms to limit the number of privileged accounts, review access at least annually, and disable unnecessary accounts. It also mandates MFA for privileged access and for remote access. The MAS guidelines are equally prescriptive but differ in the details: privileged access must be granted on a need-to-use basis, reviewed quarterly and logged. The EU, through DORA, comes down somewhere in between, requiring financial entities to implement role-based access controls and segregate duties to prevent conflicts of interest. Privileged access must be tightly controlled, monitored and periodically reviewed, and DORA also mandates logging and auditing of privileged activities. Note that the review cadence alone already separates the three: an annual access review satisfies the NYDFS and DORA's "periodic" wording but falls short of the MAS quarterly expectation.

As in the password example, the LLM can be prompted to analyze the existing control and produce documentation showing how that control meets the privileged access expectations set by each of the regulations.

            Next-gen compliance

These examples give some idea of the redundancy built into traditional manual compliance tracking. All three regulators set more or less the same basic requirements, but each codifies them with its own expectations, which diverge in some details and overlap in most others.

An LLM-driven compliance solution maps the single control onto each regulator's expectation in one pass; the generated mapping should still be confirmed by a human reviewer before it is relied on in an audit, since the model can misread a control or a clause. The same analysis flags any current compliance gaps that need to be addressed, and shows which gaps would open if either the regulations or the controls change. Critically, the LLM can maintain the mapping continuously and provide up-to-date information on mitigating controls and their dependencies.

These solutions can make an impact well beyond the realm of government regulation. AI solutions can also be applied to industry accreditations, certifications and other types of independent audit. For example, PCI DSS, the SWIFT Customer Security Controls Framework and ISO/IEC 27001 share a large number of control requirements. An LLM can work from a central control repository to identify how each individual requirement is met and determine whether there are gaps that need to be addressed. That saves time both in audit preparation and during the audit itself.
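The mapping described in the two preceding paragraphs, as an added example that is not the article's own code or any vendor's product: a small deterministic gap-analysis engine that applies one privileged-access control to the expectations the text lists for the NYDFS, MAS and DORA, reports the gap, and re-evaluates when either the control or a regulation changes. The attribute names (review_interval_days, mfa_privileged, and so on), the rule predicates and the sample control record are constructed assumptions standing in for the structured mapping an LLM would be asked to emit for a human reviewer to approve; the LLM itself is not called here.

```python
"""Gap analysis of one privileged-access control against three regulators.

Added example. The regulator expectations encoded below are the ones the text
lists; the attribute names, predicates and the sample record are assumptions
standing in for the structured output an LLM would produce for human review.
"""
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, object]


@dataclass(frozen=True)
class Requirement:
    framework: str                  # regulator or standard
    ref: str                        # short label for the expectation (assumed)
    check: Callable[[Attrs], bool]  # True when the control satisfies it


def review_days(attrs: Attrs) -> int:
    """Review cadence in days; a missing cadence counts as 'never reviewed'."""
    value = attrs.get("review_interval_days")
    return int(value) if value is not None else 10**9


REQUIREMENTS = [
    # NYDFS: limit privileged accounts, review at least annually,
    # disable unnecessary accounts, MFA for privileged and remote access
    Requirement("NYDFS", "limit-privileged", lambda a: a["privileged_accounts_limited"] is True),
    Requirement("NYDFS", "review-annual", lambda a: review_days(a) <= 365),
    Requirement("NYDFS", "disable-unneeded", lambda a: a["stale_accounts_disabled"] is True),
    Requirement("NYDFS", "mfa-privileged-remote", lambda a: bool(a["mfa_privileged"] and a["mfa_remote"])),
    # MAS: need-to-use grants, quarterly review, logged
    Requirement("MAS", "need-to-use", lambda a: a["grant_basis"] == "need-to-use"),
    Requirement("MAS", "review-quarterly", lambda a: review_days(a) <= 90),
    Requirement("MAS", "logged", lambda a: a["session_logging"] is True),
    # DORA: RBAC, segregation of duties, monitoring, periodic review, logging and auditing
    Requirement("DORA", "rbac", lambda a: a["access_model"] == "rbac"),
    Requirement("DORA", "segregation-of-duties", lambda a: a["segregation_of_duties"] is True),
    Requirement("DORA", "monitored", lambda a: a["session_monitoring"] is True),
    Requirement("DORA", "periodic-review", lambda a: a.get("review_interval_days") is not None),
    Requirement("DORA", "logged-and-audited", lambda a: bool(a["session_logging"] and a["audit_trail_retained"])),
]

# Constructed sample record from a "central control repository": one PAM control
# whose access review runs annually.
PAM_CONTROL: Attrs = {
    "control_id": "PAM-01",
    "privileged_accounts_limited": True,
    "stale_accounts_disabled": True,
    "mfa_privileged": True,
    "mfa_remote": True,
    "grant_basis": "need-to-use",
    "review_interval_days": 365,
    "session_logging": True,
    "session_monitoring": True,
    "audit_trail_retained": True,
    "access_model": "rbac",
    "segregation_of_duties": True,
}


def gaps(control: Attrs, requirements=REQUIREMENTS) -> dict[str, list[str]]:
    """Apply one control to every expectation; return unmet refs per framework."""
    result: dict[str, list[str]] = {}
    for req in requirements:
        result.setdefault(req.framework, [])
        if not req.check(control):
            result[req.framework].append(req.ref)
    return result


def gaps_after_control_change(control: Attrs, **changes: object) -> dict[str, list[str]]:
    """Re-run the mapping for a proposed control change without mutating the record."""
    return gaps({**control, **changes})


def gaps_after_regulation_change(control: Attrs, framework: str, ref: str,
                                 new_check: Callable[[Attrs], bool]) -> dict[str, list[str]]:
    """Re-run the mapping with one regulator's expectation replaced (e.g. a tightened cadence)."""
    updated = [Requirement(framework, ref, new_check) if (r.framework, r.ref) == (framework, ref) else r
               for r in REQUIREMENTS]
    return gaps(control, updated)


if __name__ == "__main__":
    for fw, missing in gaps(PAM_CONTROL).items():
        print(f"{fw}: {'compliant' if not missing else 'gaps: ' + ', '.join(missing)}")
```

Run as a script it reports the single control as compliant with the NYDFS and DORA expectations and short of MAS on review cadence alone. Re-running with review_interval_days=90 closes that gap, and replacing the NYDFS annual predicate with a six-month one opens a new gap without touching the control record, which is the "changes to either the regulations or controls" case from the text.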

By dramatically reducing the number of hours the cybersecurity team spends on documentation and audits, LLM-driven compliance approaches reduce overhead costs. By creating a dynamic system that updates readily as internal controls or external regulatory expectations change, they reduce compliance risk. By bringing efficiency to the entire compliance process, artificial intelligence frees cybersecurity teams to do what they are meant to do: protect the organization from cyberthreats.

            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.