Policy Generation

The policy generator workflow drafts a compliance policy document that simultaneously satisfies controls from two or more frameworks. It includes a self-validation step that confirms every targeted control is covered before returning the draft.

It runs as a slash command inside expert chat: send a user message that begins with /policy-generator to POST /v1/expert.


Command

/policy-generator <fw1> <fw2> [--domains d1,d2] [--controls c1,c2]
Argument Required Description
<fw1> <fw2> … Yes Two or more framework IDs, as positional arguments. The generated policy will satisfy controls drawn from all of them.
--domains No Comma-separated compliance domains to scope the output to (e.g. Access Control, Logging).
--controls No Comma-separated explicit control IDs to target, instead of (or in addition to) whole domains.

Provide at least two frameworks — the value of this workflow is generating a single policy that covers overlapping requirements across them.


How it works

  1. Resolves the target controls from the frameworks (optionally narrowed by --domains or --controls).
  2. Drafts policy sections, each written to satisfy a group of related controls across the frameworks.
  3. Self-validates the draft: re-checks each targeted control against the generated text and revises until all are covered.
  4. Returns the policy with a mapping of which controls each section satisfies.

Examples

Generate an access-control policy that satisfies both PCI DSS v4 and NIST 800-53:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "/policy-generator pci_dss_v4 nist_800_53_r5 --domains Access Control" }
    ]
  }'

Target specific controls explicitly:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "/policy-generator pci_dss_v4 iso_27001_2022 --controls 8.3.6,A.5.17" }
    ]
  }'

The draft streams back as Server-Sent Events. Each section notes the controls it covers:

data: ## Password Management
data: All user passwords must be a minimum of 14 characters…
data:   Covers: pci_dss_v4/8.3.6, nist_800_53_r5/IA-5, iso_27001_2022/A.5.17

Prerequisites

  • Two or more valid framework IDs (from GET /v1/frameworks).
  • No document corpus is required — this workflow generates new policy text. To instead measure how well your existing policies cover a framework, use Policy Coverage.