🤖 SCCA — AI-Assisted Control Authoring

Audience: Control authors, compliance officers, security engineers, auditors
Time: ~5 min to draft your first AI-assisted control

SCCA (Smart Control & Compliance Assistant) is the built-in AI copilot that helps you author, test, and manage controls through natural language. It understands the Control Core platform — resource bindings, PIP attribute mappings, action wiring, and promotion flows — and keeps mutating operations behind a confirmation token to prevent accidental changes.


📌 What SCCA can do

Mode                    Example prompts
Draft controls          "Create a deny control with a webhook on deny for resource X"
Compose conditions      "Add nested condition groups: group_1 for role, group_2 for geo risk"
Convert intent to Rego  "Convert this wizard control to Rego and keep action triggers aligned"
Explore data sources    "Open Semantic Explorer and show me missing PII mappings"
Test controls           "Generate a semantic test case and run what-if replay on last 100 denials"
Explain decisions       "Explain why this simulation denied access in plain language"
Pre-promotion checks    "Before promoting, compare sandbox vs production metadata values and list parity gaps"

📌 Role modes

SCCA adapts its guidance based on your declared mode:

Mode             Focus
Control Manager  Drafting, condition logic, deployment flow
Compliance       Control mapping, evidence and audit expectations
Security         Risk signals, incident routing, threat-aware conditions
Auditor          Traceability, decision evidence, action audit trail

To set your mode, tell SCCA: "Set mode to Compliance" or select from the SCCA panel header.


🏗️ Safety: confirmation token flow

Any mutating action (creating, updating, promoting, or deleting a control) requires you to confirm via a confirmation token before execution.

SCCA will present a summary of what it will do and request confirmation. Never approve a mutation without reviewing the summary. This prevents accidental policy changes from a misunderstood prompt.


🏗️ Key SCCA prompts for common workflows

Authoring

"Create a new control that allows Finance users to read confidential data during business hours."

"Add a condition to this control: user must have MFA verified."

"Generate Rego for: deny if user.risk_score > 75 and resource.classification is RESTRICTED."

PIP and semantic exploration

"Open Semantic Explorer and show me missing PII attribute mappings for this control."

"List all PIP attributes available from the Okta data source."

"Map user.department from the Workday connection to this control."

Testing

"Generate a semantic test case for this control."

"Replay the last 100 denials against this control and show me what changed."

"Explain why this deny occurred in plain language."

Pre-promotion validation

"Before I promote this control, compare sandbox vs production metadata values and list parity gaps."

"Confirm that key names and value enums for user.region and user.kyc_status are the same in both environments."

"Check that the production Bouncer and production resource are correctly paired."

📌 Pre-promotion checks via SCCA

Promotion failures most often occur when the production PIP data uses different attribute names or value formats than the sandbox data. SCCA can automate this check:

  1. Open the control you want to promote
  2. Open the SCCA panel → "Before I promote this control, verify metadata parity between sandbox and production for all input attributes in this control."
  3. SCCA will list any gaps: attribute name mismatches, value enum differences, missing mappings
  4. Fix the gaps in Settings → Data Sources → Mappings before promoting
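The parity check described in step 3, as an added example that is not SCCA's or Control Core's own code: it compares the attribute catalogs of two environments for the attributes a control reads and reports the three gap kinds listed above. The catalog layout (attribute name mapped to a list of allowed values, or None for free-form values) and the sample data are constructed assumptions.

```python
# Added example (not SCCA's or Control Core's own code): a sandbox vs
# production metadata parity check of the kind step 3 above describes.
# The catalog layout (attribute name -> list of allowed values, or None for
# free-form values) and the sample data are constructed assumptions.

def _normalise(name):
    # Fold case and separators so user.kyc_status and user.kycStatus match.
    return name.lower().replace("_", "").replace("-", "")

def parity_gaps(control_inputs, sandbox, production):
    """Return a list of (attribute, kind, detail) gaps for the attributes a
    control reads; an empty list means the two environments are in parity."""
    gaps = []
    prod_by_norm = {_normalise(n): n for n in production}
    for attr in control_inputs:
        in_sb, in_pr = attr in sandbox, attr in production
        if not in_sb and not in_pr:
            gaps.append((attr, "missing_mapping", "not mapped in either environment"))
        elif in_sb and not in_pr:
            hint = prod_by_norm.get(_normalise(attr))
            detail = "missing in production" + (f"; did you mean {hint}?" if hint else "")
            gaps.append((attr, "name_mismatch", detail))
        elif in_pr and not in_sb:
            gaps.append((attr, "name_mismatch", "missing in sandbox"))
        else:
            sb_vals, pr_vals = sandbox[attr], production[attr]
            if (sb_vals is None) != (pr_vals is None):
                gaps.append((attr, "type_mismatch", "enum in one environment, free-form in the other"))
            elif sb_vals is not None:
                only_sb = sorted(set(sb_vals) - set(pr_vals))
                only_pr = sorted(set(pr_vals) - set(sb_vals))
                if only_sb or only_pr:
                    gaps.append((attr, "enum_mismatch",
                                 f"sandbox-only={only_sb} production-only={only_pr}"))
    return gaps

# Constructed sample catalogs: production renamed kyc_status and dropped APAC.
CONTROL_INPUTS = ["user.region", "user.kyc_status", "user.risk_score"]
SANDBOX = {"user.region": ["EU", "US", "APAC"],
           "user.kyc_status": ["verified", "pending", "failed"],
           "user.risk_score": None}
PRODUCTION = {"user.region": ["EU", "US"],
              "user.kycStatus": ["verified", "pending", "failed"],
              "user.risk_score": None}

if __name__ == "__main__":
    for attr, kind, detail in parity_gaps(CONTROL_INPUTS, SANDBOX, PRODUCTION):
        print(f"{attr}: {kind} ({detail})")
```

Run against the sample catalogs it reports an enum gap on user.region and a renamed user.kyc_status, the two cases the promotion checklist above tells you to fix under Settings → Data Sources → Mappings.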

See full pre-promotion checklist: Simulator & Testing


🛠️ Troubleshooting

Symptom                               Check
SCCA does not see PIP attributes      Confirm the data source has synced in Settings → Data Sources
SCCA suggests wrong attribute names   Run "Open Semantic Explorer" to refresh the attribute catalog
Confirmation token expired            Start the mutation again; the token expires after a short window

Full: Troubleshooting Controls