Frank Herbert is known for his Dune books, but he has some other phenomenal work. In his novels Whipping Star and The Dosadi Experiment the sentient species of the galaxy live under a government so efficient that it passes laws and enforces them galaxy-wide in mere seconds, and such reckless legislation has made the world a horrible place to live in. To limit the power of the hyper-efficient government, the sentient species established the fourth branch of power: the Bureau of Sabotage (BuSab) whose role is to hinder the government by playing dirty tricks on it.
I am less into laws, more into corporate security policies. They are needed for the security audits, but require LOTS of paperwork. Why don't we use AI 🤖 to create, review, process and maintain all those security policy documents? Humans won't need to bother with the policies at all!
Sure, we can generate/update thousands of pages of policies with AI. Still, there is something fundamentally wrong with the above approach; not with AI writing policies but with humans not knowing them.
Why do we have corporate security policies at all? They:
- 1️⃣ Define how the company must operate to be secure.
- 2️⃣ Serve as the basis for holding accountable those who do not comply -- and that basis must hold up in court if needed.
Corporate (security) policies are not just papers for ticking compliance boxes; your company actually needs to operate the way they describe. Generating thousands of pages of policies that nobody reads, and then claiming you operate that way, does not bode well:
- 👉 If your staff does not know your policies, your company is not going to operate according to them. The policies won't work, and your compliance claims will turn out to be lies.
- 👉 If your staff is not expected to know/follow the policies, they are not going to be enforceable in court.
- 👉 You will be responsible and there will be no one else to blame.
Of course you can generate/update/maintain corporate policies with AI; it does not matter who does the heavy lifting. However, if you distance them from the humans and the actual processes, the policies become dead weight, and you should not be passing those audits either.
I agree that corporate (security) policies tend to get out of control. However, generating them via AI is not the solution: that will bloat them further and further, and lead to the kind of reckless legislation in Herbert's sci-fi novels.
Use common sense and make them lean instead -- with or without automation. Identify what your employees really need to know, and make sure they follow that. Eliminate the rest. The 'delete' key is often the most useful one on the keyboard. 😄
This post was first published on LinkedIn here on 2026-05-31.
