
AI Wizards

OSCAL Hub includes a set of AI-powered wizards that transform unstructured source material — PDFs, Word documents, STIGs, CIS Benchmarks, plain-English rule descriptions — into structured OSCAL drafts and enforceable validation rules. The AI does the tedious work; you focus on reviewing and refining the output.


What they do

Five wizards are available today:

| Wizard | Input | Output |
|---|---|---|
| Catalog from Source | PDF, Word, HTML, plain text | Draft OSCAL Catalog — handed off to the Catalog builder |
| Component-definition from STIG / CIS Guide | XCCDF, JSON, YAML, CSV | Draft OSCAL Component Definition mapped to NIST 800-53 |
| SSP from Architecture Doc | PDF, Word, HTML, ODT, RTF, plain text | Draft OSCAL System Security Plan with system characteristics, components, and per-control narratives |
| POA&M from Spreadsheet or Pen-Test Report | Excel (.xlsx), CSV, PDF, Word, HTML, plain text | Draft OSCAL Plan of Action and Milestones with severity, status, due date, and remediation narrative per item |
| Validation Rule Generator | Plain-English rule description | Saved Metaschema constraint that fires during validation |

The Catalog, Component-definition, SSP, and POA&M wizards produce drafts — after generation, the draft opens in the corresponding builder so you can review, edit, and save. AI-generated documents are never saved to your library without an explicit save action. The SSP and POA&M editors include structured per-item views so you can edit narratives without diving into raw JSON.

The Validation Rule Generator is conversational instead of one-shot: it can ask clarifying questions; it runs synthetic test cases against the rule it generates, auto-iterates if the rule misfires on its own tests, and saves directly into your custom-rules ruleset. Saved rules apply immediately to subsequent validation runs.


Feature gating

AI features are disabled by default for every organization. An Org Admin must enable them before any member of your org can use the wizards.

To enable AI for your org:

  1. Log in as an Org Admin.
  2. Go to Org Admin → AI Settings at /org-admin/ai-settings.
  3. Enter your organization's Anthropic API key and set a monthly usage quota.
  4. Save the settings.

Once enabled, all members of your org will see the AI tile on the Build hub. If the AI tile is greyed out or shows "Coming soon," AI has not yet been enabled for your org — contact your Org Admin.


Cost

AI wizards call the Anthropic Claude API on your behalf. Each generation consumes tokens and is billed to the Anthropic API key your Org Admin configured. Costs vary by source size and wizard type; larger documents consume more tokens.

Org Admins can monitor usage and estimated cost in Org Admin → AI Analytics at /org-admin/ai-analytics.


Privacy

Content you upload to AI wizards — including PDFs, Word documents, STIGs, and pasted text — is sent to Anthropic for processing. Do not upload classified, sensitive, or proprietary material that cannot be processed by a third-party AI service. Review your organization's data handling policy before uploading any document.

Anthropic's data handling policies apply to all content submitted via the API. OSCAL Hub does not store uploaded source files after generation is complete, but the content is transmitted to and processed by Anthropic during that window.


Tips

  • Always review AI output. Wizards are helpful first drafts, not authoritative documents. Verify controls, mappings, and metadata before treating any AI output as final.
  • Re-run if the draft is poor. You can adjust your source document or paste a refined excerpt and generate again — each run is independent.
  • Session handoff. The wizard passes the draft to the builder via session storage. Do not refresh the page between clicking Generate and arriving at the builder, or the draft will be lost.
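
One way to support the "always review AI output" step for a Component Definition draft: check every control-id against a reference catalog and flag empty narratives. This is an added example, not OSCAL Hub code; it assumes the draft has been exported as OSCAL JSON, and the catalog and draft below are trimmed, constructed samples.

```python
import json

# Constructed sample: a trimmed OSCAL catalog (reference) and an AI-drafted
# component definition. Neither comes from OSCAL Hub or a real STIG.
CATALOG = json.loads("""
{"catalog": {"groups": [{"id": "ac", "controls": [
  {"id": "ac-2", "controls": [{"id": "ac-2.1"}]},
  {"id": "ac-7"}]}]}}
""")
DRAFT = json.loads("""
{"component-definition": {"components": [{
  "title": "Example Linux host",
  "control-implementations": [{
    "source": "catalog.json",
    "implemented-requirements": [
      {"control-id": "ac-2.1", "description": "Accounts are managed centrally."},
      {"control-id": "ac-7", "description": ""},
      {"control-id": "ac-99", "description": "Lockout after failed logons."}
    ]}]}]}}
""")


def catalog_control_ids(catalog):
    """Collect every control id, including nested enhancements and subgroups."""
    ids = set()

    def walk(node):
        for control in node.get("controls", []):
            ids.add(control["id"])
            walk(control)
        for group in node.get("groups", []):
            walk(group)

    walk(catalog["catalog"])
    return ids


def review_findings(draft, known_ids):
    """Return (component title, control-id, problem) tuples for a reviewer."""
    findings = []
    for comp in draft["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                cid = req.get("control-id", "")
                if cid not in known_ids:
                    findings.append((comp.get("title"), cid, "control-id not in catalog"))
                if not req.get("description", "").strip():
                    findings.append((comp.get("title"), cid, "empty description"))
    return findings
```

A clean result only shows that the mappings point at real controls and carry a narrative; whether each narrative is accurate still needs a human reviewer.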