Policy Generation
The policy generator workflow drafts a compliance policy document that simultaneously satisfies controls from two or more frameworks. It includes a self-validation step that confirms every targeted control is covered before returning the draft.
It runs as a slash command inside expert chat: send a user message that begins with /policy-generator to POST /v1/expert.
Command
/policy-generator <fw1> <fw2> [--domains d1,d2] [--controls c1,c2]
| Argument | Required | Description |
|---|---|---|
<fw1> <fw2> … |
Yes | Two or more framework IDs, as positional arguments. The generated policy will satisfy controls drawn from all of them. |
--domains |
No | Comma-separated compliance domains to scope the output to (e.g. Access Control, Logging). |
--controls |
No | Comma-separated explicit control IDs to target, instead of (or in addition to) whole domains. |
Provide at least two frameworks — the value of this workflow is generating a single policy that covers overlapping requirements across them.
How it works
- Resolves the target controls from the frameworks (optionally narrowed by
--domainsor--controls). - Drafts policy sections, each written to satisfy a group of related controls across the frameworks.
- Self-validates the draft: re-checks each targeted control against the generated text and revises until all are covered.
- Returns the policy with a mapping of which controls each section satisfies.
Examples
Generate an access-control policy that satisfies both PCI DSS v4 and NIST 800-53:
curl -N -X POST https://compliance.secberus.ai/v1/expert \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"messages": [
{ "role": "user", "content": "/policy-generator pci_dss_v4 nist_800_53_r5 --domains Access Control" }
]
}'
Target specific controls explicitly:
curl -N -X POST https://compliance.secberus.ai/v1/expert \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"messages": [
{ "role": "user", "content": "/policy-generator pci_dss_v4 iso_27001_2022 --controls 8.3.6,A.5.17" }
]
}'
The draft streams back as Server-Sent Events. Each section notes the controls it covers:
data: ## Password Management
data: All user passwords must be a minimum of 14 characters…
data: Covers: pci_dss_v4/8.3.6, nist_800_53_r5/IA-5, iso_27001_2022/A.5.17
Prerequisites
- Two or more valid framework IDs (from
GET /v1/frameworks). - No document corpus is required — this workflow generates new policy text. To instead measure how well your existing policies cover a framework, use Policy Coverage.
Related
- Policy Coverage — find the gaps that justify generating new policy.
- Expert Chat API — refine or extend a generated draft conversationally.