Ensuring AI Outputs Resonate with Users Across the Product
Gen AI has created many opportunities with natural language but can also introduce new challenges if outputs fall short or feel disjointed with the rest of the application. While validating the accuracy and usefulness of AI outputs, it’s also important to ensure they resonate appropriately with users within the context of their workflow and align with the product’s voice and tone.
Let’s dive into how we approach this at Drata: creating user personas and implementing them during AI development.
Creating Personas
We’re developing personas tied to various use cases of our platform, including Compliance and Risk Analysts, Security Engineers, CISOs and more, that we can use when building AI workflows. There’s a unique opportunity to use the conversational nature of LLMs to create a persona for the model that prioritizes the workflow goals while embodying the product’s voice and tone. We’ll plug in the appropriate persona for each AI feature and make adjustments based on the necessary context.
The stakes for building trust with users is incredibly high in the GRC (governance, risk, and compliance) space — AI suggestions can significantly impact their security and compliance. At Drata we try to apply a thoughtful approach to the voice and tone of the AI output to ensure an overall consistent user experience that will build trust with the user.
How are personas utilized in development?
I’ll walk through an example of creating an AI security advisor for a security engineer tasked with monitoring and detecting potential insider threats. *Note: This is a fictitious example inspired by Anthropic’s Career Coach and is not something Drata currently offers or plans to offer in our product.
Step 1: Building Product Guidelines and Personas
Our product team is developing guidelines for AI user experiences: Sai Mohan works on design guidelines, and Vitus Pelsey defines and evolves our product voice. For each project, teams spend a lot of time understanding the user and their background to determine the optimal in-product experience and the voice of the presented content.
For example, the user profile is incredibly important when explaining or recommending technical concepts in a workflow. For technical users like a security engineer, being straight to the point and clear is the priority. For a compliance analyst who may not be very technical, a friendly voice that provides extra detail and abstracts the technical components appropriately can go a long way.
Some questions we’ll ask ourselves to help build the persona:
- Who is the user, and what is their background?
- How does the task relate to their background?
- Is the task time-sensitive?
- What type of user interaction is best suited for the task?
- What is the next step in the user’s workflow?
Example user and workflow context:
- Users are new-hire security engineers tasked with monitoring and detecting potential insider threats within a 2-day SLA
- They are experienced with technical details and require precise, clear instructions.
- They respond well to straightforward, no-nonsense feedback and appreciate detailed technical guidance.
- They typically need to analyze unusual activities and determine the next steps to mitigate any risks.
- The organization had to resolve unauthorized access from former employees last year
- Migrated to a different SIEM tool, so they may need more guidance on how to use it.
Step 2: Prompt engineering
We’ll then incorporate the appropriate context from Step 1 into the prompts as System and User roles. Note: Anthropic and Open AI have great guides for prompt engineering. These examples are using Claude 3 Sonnet through AWS Bedrock.
Example Prompt V1:
Step 3: Testing and Feedback loops
Every feature we build goes through a rigorous testing process with clear feedback loops, both during and after development. Before releasing a feature, we’ll work with our internal GRC team to evaluate the quality of the output and monitor how they felt in the user interaction. Depending on the feature, feedback can be tracked through CSAT (thumbs up / down), user interaction (did they dismiss, modify, or accept the suggestion), and more. Based on that feature’s criteria, we’ll go back to step 2 to iterate until we’re satisfied with the user experience.
Example testing:
Prompt V1 output:
*Speaking in a clear, authoritative tone* Hello, I’m Alex, an AI security advisor from AI Security Advisors Co. To investigate unusual activity on your internal network, here are the recommended steps:
1. Review log files from firewalls, proxies, VPNs and other network monitoring tools to identify the source IP addresses, ports, protocols and timestamps of the suspicious traffic.
2. Check if the activity matches any known threat indicators from updated threat intelligence feeds. Look for connections to malicious IPs, domains, URLs or file hashes.
3. Analyze network flow data to establish baselines of normal traffic patterns. Identify anomalies like large data transfers, beaconing to external IPs, or connections to rare ports/protocols.
4. If you suspect compromised hosts, collect volatile data like memory dumps, and acquire disk images for forensic analysis using approved tools.
5. Isolate any potentially compromised systems from the network by blocking their network access or disabling their accounts.
6. Escalate the incident to your security operations center and open a high-priority investigation ticket. Provide all evidence collected.
7. Work closely with the incident response team. Be prepared to participate in the containment, eradication and recovery efforts.
Let me know if you need any clarification or have additional details to share about the suspicious activity observed. Prompt action is key to minimizing damage from threats.
The advice is already very structured and detailed, which is probably how the model was trained to talk about security, but the advice is too generic. Generic advice is great for an open-ended chatbot if the user wants to learn more about managing security incidents across various topics. This specific user has tasks at hand and may not have the time to have a detailed conversation with the AI advisor. The goal is to help the user solve the problem of what to do next, so let’s try adding more context about that:
Prompt V2:
Output:
*Speaking as Alex, the AI security advisor from AI Security Advisors Co.*
Greetings. To investigate unusual activity on your internal network, I recommend following these steps:
1. Review logs and alerts from your security information and event management (SIEM) system. Look for any anomalies, failed login attempts, unauthorized access attempts, or other suspicious events.
2. Check if the activity originated from an internal IP address. If so, identify the host and user associated with that IP. Review that user’s recent activity for any other red flags.
3. If the activity seems to be coming from an external source, check firewall and VPN logs to see if there was any unauthorized access to your network.
4. Use network scanning tools to search for any rogue devices, unauthorized software, or signs of compromise on hosts involved in the suspicious activity.
5. Isolate any potentially compromised systems from the rest of the network to prevent further spread.
6. Collect volatile data like memory dumps and live response data from involved hosts for deeper forensic analysis.
7. Escalate to your manager and security leadership if you confirm a breach or cannot contain the threat yourself within the 2 day SLA.
Let me know if you need any clarification or have additional details to provide. Thorough investigation is crucial to quickly identify and mitigate potential insider threats.
Adding context about the organization’s SLA, tool use, and threat history made the advice more actionable to this new security engineer — building more credibility and trust.
Challenges with Scale
As with any new technology, expertise and ownership is initially centralized before more teams across an organization adopt it — and this has been especially true with Gen AI. Maintaining a unified product voice and tone across various teams is an inevitable challenge.
Collaborating with marketing, product, and design to create personas that can be implemented by any team for AI development is a great start for consistency. Many practices like user research, experimentation, and iteration from the traditional SDLC can be applied to Gen AI development to apply those personas consistently across any feature by any team.
About the writers: Lior is the VP of Data, and Pratik is the product lead for AI initiatives at Drata.
