Security review is text and pattern heavy — exactly the work AI is good at. But security stakes are high; AI errors here have meaningful consequences. The right approach uses AI for first pass and humans for final judgment. Here is the workflow.
1. Code security review (first pass). AI scans for common vulnerability patterns, security anti-patterns. Senior engineer verifies findings.
2. Vendor security questionnaire responses. SOC2/ISO/HIPAA questionnaires from prospects. AI drafts from policy documents.
3. Security policy drafting. Acceptable use policies, incident response runbooks, access management policies.
4. Incident writeups and post-mortems. Faster, more structured, easier to share with stakeholders.
Whether a vulnerability is critical vs informational. Judgment.
Whether to disclose a security issue publicly. Strategic decision.
Access revocation decisions. Operational + judgment.
Final security audit responses. CISO/security owner signs off.
I am responding to a security questionnaire from [PROSPECT/CUSTOMER]. Our current security posture: [PASTE FROM POLICY DOCS] Our certifications: [SOC2 / ISO / etc] Our subprocessors: [LIST] Questionnaire: [PASTE] For each question: 1. Honest answer based on our actual posture 2. Source document/policy that supports the answer 3. Whether the answer requires verification before sending (anything material) 4. Flag if our answer would be a "no" (transparency is better than evasion) Do not embellish. Do not claim controls we do not have. Flag any question where the honest answer is incomplete or absent.