Richard Vincent · GRC Portfolio Tool Demo

AI-Assisted GRC Assessment Assistant

Portfolio demonstration of a structured GRC intake-to-report workflow. Upload read-only evidence, answer a short questionnaire, and generate a draft security posture report with findings, risk ratings, framework mapping, and remediation priorities.

📁

Upload evidence

→

📋

Answer questions

→

🤖

AI analysis

→

📊

Draft report

→

👤

Human review

Important: This tool produces AI-assisted draft reports only. It does not certify compliance, replace an auditor, or provide legal advice. All findings, risk ratings, and recommendations must be validated by a qualified GRC professional before delivery to any client.

Portfolio positioning: This page is presented as a practical GRC workflow demo inside Richard Vincent’s portfolio. It is intended to show intake design, evidence handling, structured assessment thinking, and report generation flow — not a production audit platform.

View GRC Portfolio

Step 2 of 4

Upload Evidence Documents

Upload any available security documentation. The AI will extract relevant information from each file. Upload what you have — missing documents will be flagged as control gaps.

Suggested Evidence Types

📄 Security policies

📋 Asset inventory

👥 Access review exports

🔍 Vulnerability scan reports

🏢 Vendor list

🚨 Incident response plan

💾 Backup/logging evidence

📊 Security questionnaire

📁

Click to upload or drag and drop files here

PDF, DOCX, TXT, CSV — up to 10MB per file

⟳ Reading file contents…

No files? You can skip this step and the AI will base its assessment entirely on your questionnaire answers — noting all missing evidence as control gaps.

Security design: This front-end should not call OpenAI, Anthropic, or any AI provider directly from the browser. In production, evidence should be sent to a secure backend endpoint such as /api/grc-assessment, where API keys are protected, file handling can be logged, and retention rules can be enforced.

Step 3 of 4

Security Questionnaire

Answer as accurately as possible. “Partial” or “Unknown” are valid answers — they become findings. The AI uses these responses to fill gaps not covered by uploaded documents.

Access Control & Identity

Is multi-factor authentication (MFA) enforced for all users?

Is there a formal offboarding process that includes access revocation?

Are access reviews conducted periodically?

Are shared or generic accounts in use?

Logging & Monitoring

Is security event logging enabled across systems?

Are security alerts or notifications configured?

How long are logs retained?

Data Protection & Backup

Are backups tested / restoration verified?

Is data encrypted at rest on endpoints?

Does a data classification policy exist?

Vulnerability & Patch Management

How frequently are systems patched?

Is a complete hardware/software asset inventory maintained?

Are any end-of-life (EOL) systems in use?

Governance & Policy

Does a formal information security policy exist?

Is security awareness training provided to staff?

Is there a documented incident response plan?

Are third-party vendors with system access subject to security requirements?

Additional observations or context for the AI analyst (optional)

Analyzing Evidence

The AI is reviewing your documents and questionnaire responses to identify control gaps, assess risk, and map findings to frameworks.

⟳ Reading uploaded evidence

○ Extracting risk indicators

○ Mapping to frameworks (NIST / ISO / CIS)

○ Assigning risk ratings

○ Generating remediation roadmap

○ Drafting executive summary

Analyst Review Required

This report was generated with AI assistance and must be reviewed by a qualified GRC professional before delivery. Verify all findings against source evidence, adjust risk ratings as appropriate, and remove or modify any outputs that do not reflect the actual client environment.