Generic filters

Integrating AI into Compliance Programs: Review Discipline, Gap Identification, and Audit-Ready Evidence

Integrating AI into Compliance Programs

By Richard Schlottmann, Project Manager, NERC Services

Artificial intelligence is becoming more relevant to electric sector compliance programs, not because it changes the basic obligations of registered entities, but because it changes how those obligations may be supported, reviewed, and evidenced. In comments to the Department of Energy, NERC stated that artificial intelligence can support Bulk Power System operations, planning, regulation, and security. Those comments also noted that NERC is committed to identifying and monitoring implementation risks, including increased load demand and the potential need for heightened cybersecurity measures.

For compliance teams, the most useful starting point is not a broad AI strategy; it is understanding where AI is being used, what decisions or workflows it may influence, and how those uses are controlled. AI-enabled tools may assist with document review, evidence indexing, trend analysis, anomaly detection, maintenance prioritization, training support, and compliance testing. Each use case should be evaluated based on the data it relies on, the output it produces, the personnel who review that output, and the potential impact if the tool is inaccurate, incomplete, or used outside its intended purpose.

That matters because AI should be reviewed through the same compliance lens already used for other tools that affect reliability or Bulk Electric System Critical Information (BCSI). If a model is used to support monitoring, classification, alerting, maintenance prioritization, document review, or compliance testing, the key question is not whether it is innovative; the key question is whether its use is governed, traceable, and reviewable. NERC specifically stated that artificial intelligence may support regulatory functions and noted that the ERO Enterprise reviews large volumes of compliance evidence and may consider whether artificial intelligence can assist in conducting compliance monitoring activities.

A strong review program should therefore begin with scoping. Recommended practice is to identify each AI-enabled use case, the process it supports, the team that owns it, the systems and data it touches, and the specific compliance activity it influences. That review should distinguish between AI that helps organize or summarize information and AI that could influence reliability-relevant analysis, security escalation, or compliance conclusions. The reason for that distinction is straightforward: the more consequential the use case, the more rigorous the review and evidence package should be. This lifecycle perspective is consistent with the NIST AI Risk Management Framework, which describes AI risk management as a repeatable, full-lifecycle approach to the design, development, use, and evaluation of AI systems.

The second priority is gap identification. The NERC Critical Infrastructure Protection Roadmap states that foundational cyber hygiene remains essential and specifically identifies asset identification, configuration management, defensible network topologies, vulnerability management, and disciplined patching as recurring control themes. It also highlights multi-factor authentication and protection of communications over public networks as important risk-reduction measures. For compliance teams evaluating AI use, these are practical review categories: Is the AI-enabled tool inventoried? Are changes controlled? Is access restricted and reviewed? Is data flow understood? Can the organization show how it protects information used or produced by the tool?

Audit readiness depends on whether those questions can be answered with evidence rather than explanation alone. The most effective evidence packages are usually simple and traceable. Recommended evidence for AI-enabled compliance processes may include an approved inventory entry, a documented business purpose, system ownership records, change records, access lists, validation or testing records, version history, vendor documentation, and any procedures that explain how personnel review or rely on the output. These are recommended compliance management artifacts, not a separate AI standard. Their value is that they allow an auditor or internal reviewer to see that the tool is controlled in a manner consistent with existing compliance expectations. This recommendation is aligned with NIST’s lifecycle approach and with NERC’s emphasis on foundational controls and risk-informed evolution of security practices.

Evidence quality is especially important where AI is used in review or testing. If an organization uses AI to assist with compliance monitoring, policy review, evidence indexing, or anomaly identification, reviewers should be able to show what the tool was used for, what data set or document population it evaluated, what output it generated, and what human review occurred before the result was relied upon. NERC’s comments explicitly state that the ERO Enterprise may consider whether artificial intelligence can help review compliance data and whether entities responsible for compliance could consider whether AI tools may help them better maintain compliance, improve controls, and self-report violations. That statement supports use of AI in compliance programs, but it also reinforces the need for disciplined review over outputs that may affect compliance decisions.

Third-party risk should be part of the review as well. Many AI capabilities will be embedded in vendor-managed platforms rather than built internally. The NERC Critical Infrastructure Protection Roadmap states that third-party operators and expanding operational dependencies are part of the evolving sector risk environment, and it includes recommendations related to vendor assurance validation and third-party cloud service risk management. For compliance purposes, that means review teams should identify whether the AI capability is vendor hosted, how updates are introduced, what logs are available, and whether the organization can obtain sufficient evidence to explain the control environment during an audit.

In practical terms, compliance programs can keep AI manageable by organizing internal reviews around three questions.

  • First, where is AI being used in a compliance-relevant process?
  • Second, what control gaps exist in access, change management, validation, or evidence retention?
  • Third, what documentation would a reviewer need to confirm the tool was governed appropriately during the audit period?

That approach keeps the focus where it belongs: not on AI as a label, but on whether the organization can review the use, identify the gaps, and capture the evidence needed to support a defensible compliance position. That is the most durable way to integrate AI into a NERC-focused compliance program today.