US Print & Direct Mail industry leader · Enterprise security compliance · RAG-based AI platform
For a company operating at the scale of a US Print & Direct Mail industry leader, security policy is not a document — it is an operating system. Policies are extensive, frequently revised, and non-negotiable for compliance across client contracts, vendor relationships, and regulatory obligations. The gap between policy intent and employee understanding was not a training problem. It was an access problem: the right information existed, but finding it quickly and with confidence was not reliably possible.
The compliance burden was most acute in the security questionnaire process. Clients and partners regularly issue detailed security questionnaires — each with a different structure, a different set of questions, and a different submission format. Responding accurately required pulling in subject matter experts from legal, IT, and operations, coordinating across teams for weeks, and manually locating the precise policy language that answered each question. A single questionnaire cycle could consume three to four weeks of senior staff time across multiple departments. With questionnaire volumes increasing alongside client security requirements, the cumulative cost of this process had become significant.
Shelorve designed and built a Retrieval-Augmented Generation (RAG) based Security AI Agent — a purpose-built platform that brings the organization's complete security policy documentation into a searchable, intelligent system that employees can query in plain language and receive precise, policy-grounded answers in seconds.
The platform begins with a secure document ingestion pipeline. Every security policy document is processed through AWS Glue, vectorized, and stored in a secure vector database. When an employee asks a question, the system retrieves the most relevant policy sections from the vector store and passes them to GPT-4o, which synthesizes a precise, context-aware response grounded in the organization's actual policy language — not generalized guidance, and not the AI model's training data. Every answer is traceable to a specific policy document and section.
The second capability — and the one that transformed the questionnaire process — is spreadsheet ingestion. The Security AI Agent accepts security questionnaire files in any format. The system reads the structure of the spreadsheet, identifies each question regardless of column layout or phrasing, queries the vector database for the relevant policy content, generates a precise response for each question using GPT-4o, and returns the completed questionnaire — fully populated, policy-referenced, and ready for review — in minutes. A process that previously required weeks of multi-team coordination now requires a human review of a pre-populated document.
The frontend was built in Angular, giving the security and compliance teams a clean, intuitive interface for both conversational policy queries and questionnaire submission. The entire system runs on AWS Lambda for compute, with all policy data stored in a secure, access-controlled environment that meets the organization's own security standards — a requirement that shaped every architectural decision.
Security questionnaire completion — previously a weeks-long, multi-department coordination exercise — now takes minutes. The Security AI Agent reads the questionnaire, locates the relevant policy content, and populates responses with precision and traceability. The compliance team reviews and approves rather than researching and writing. Senior subject matter experts who previously spent significant time on each questionnaire cycle are no longer the bottleneck in the process.
Across the organization, employees now have immediate access to accurate policy guidance without needing to locate the right document, find the right section, or escalate to a colleague who knows where to look. The risk of policy misinterpretation — which carries real consequences in a compliance-driven environment — has been significantly reduced. Every response the AI Agent provides is grounded in and traceable to current policy documentation, which means answers are consistent, auditable, and current.
"What used to take our teams three to four weeks now takes minutes. We upload the questionnaire, the system reads it, finds the right policy language, and populates the answers. Our compliance team reviews rather than researches. It changed how we think about the entire questionnaire process."
GPT-4o · AWS Lambda · AWS Glue · Vector Database (RAG) · Angular · S3 · IAM
The platform operates in two modes — conversational policy query and automated questionnaire completion — both built on the same RAG architecture.
An employee asks a question in plain language. The system retrieves the most relevant policy sections from the vector database, GPT-4o generates a precise, policy-grounded answer, and the source document and section are referenced in the response.
User uploads a security questionnaire in any spreadsheet format. System identifies each question, retrieves relevant policy content, generates a precise response per question using GPT-4o, and returns the completed spreadsheet for human review.
Policy documents are re-ingested and re-vectorized whenever they are updated. The vector database always reflects the current version of every policy document. When the AI Agent generates a response, it draws exclusively from the retrieved policy content — not from the AI model's training data. This means responses are current, traceable to a specific policy document and section, and consistent with the organization's official position on every question.
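The two properties this section and the ingestion pipeline above depend on, re-vectorizing only when a document actually changes and keeping every answer traceable to a document and section, are easy to get wrong if citations are left to the model. The following is an added illustration, not Shelorve's code: it replaces AWS Glue and the vector database with an in-memory index, embeddings with bag-of-words cosine similarity, and the GPT-4o call with a plain callable (`llm`). The sample policies and their `## ` section headings are constructed for the example.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample corpus (not the client's real policies): two documents, each
# split into "## " headed sections so every chunk carries a document and section id.
POLICY_DOCS = {
    "Access Control Policy v3.2": (
        "## 1. Account provisioning\n"
        "Access to production systems is granted only through an approved ticket and is role-based.\n"
        "## 2. Multi-factor authentication\n"
        "Multi-factor authentication is required for all remote access and for all administrative accounts.\n"
        "## 3. Access review\n"
        "User access rights are reviewed quarterly by the system owner.\n"
    ),
    "Data Protection Policy v2.0": (
        "## 1. Encryption at rest\n"
        "Client data stored in cloud storage is encrypted at rest using AES-256.\n"
        "## 2. Encryption in transit\n"
        "All data in transit is protected with TLS 1.2 or higher.\n"
    ),
}

_TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return _TOKEN.findall(text.lower())


def cosine(a, b):
    """Cosine similarity of two bag-of-words Counters (stands in for embedding similarity)."""
    dot = sum(count * b[tok] for tok, count in a.items() if tok in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def split_sections(doc_name, text):
    """Yield (doc, section_title, body) for each '## ' heading in a policy document."""
    for part in re.split(r"^## ", text, flags=re.M):
        if part.strip():
            title, _, body = part.partition("\n")
            yield doc_name, title.strip(), body.strip()


class PolicyIndex:
    """Toy vector store. Each section becomes one chunk with a bag-of-words vector;
    a SHA-256 content hash per document makes ingest() a no-op for unchanged
    documents and a full replace for changed ones, so stale chunks never linger."""

    def __init__(self):
        self.chunks = []      # dicts: doc, section, text, vec
        self.doc_hashes = {}  # doc name -> sha256 of the last ingested text

    def ingest(self, doc_name, text):
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if self.doc_hashes.get(doc_name) == digest:
            return False  # unchanged: nothing to re-vectorize
        self.chunks = [c for c in self.chunks if c["doc"] != doc_name]  # drop the old version
        for doc, section, body in split_sections(doc_name, text):
            self.chunks.append({"doc": doc, "section": section, "text": body,
                                "vec": Counter(tokenize(section + " " + body))})
        self.doc_hashes[doc_name] = digest
        return True

    def retrieve(self, question, k=2):
        """Top-k sections by similarity; sections with no term overlap at all are excluded."""
        q = Counter(tokenize(question))
        scored = sorted(((cosine(q, c["vec"]), c) for c in self.chunks),
                        key=lambda s: s[0], reverse=True)
        return [c for score, c in scored[:k] if score > 0]


def build_grounded_prompt(question, chunks):
    """Confine the model to the retrieved text and require a numbered citation."""
    context = "\n\n".join(f"[{i}] {c['doc']} / {c['section']}\n{c['text']}"
                          for i, c in enumerate(chunks, start=1))
    return ("Answer the question using ONLY the policy excerpts below. If they do not "
            "answer it, reply exactly: NOT COVERED. Cite the excerpt number you used.\n\n"
            f"{context}\n\nQuestion: {question}\nAnswer:")


def answer(index, question, llm):
    """llm is any callable taking a prompt string (assumption: the GPT-4o call is
    wrapped this way). Citations come from the retrieval step, not from the model,
    so traceability does not depend on the model reporting its sources correctly."""
    chunks = index.retrieve(question)
    if not chunks:
        return {"answer": "NOT COVERED", "citations": []}
    return {"answer": llm(build_grounded_prompt(question, chunks)),
            "citations": [f"{c['doc']} / {c['section']}" for c in chunks]}


if __name__ == "__main__":
    idx = PolicyIndex()
    for name, text in POLICY_DOCS.items():
        idx.ingest(name, text)
    print(answer(idx, "Is MFA required for remote access?", lambda prompt: "(model reply)"))
```

Two design points carry over to a production build: the citation list is produced by retrieval rather than extracted from the model's text, so an auditor can check the answer against the exact section that was supplied, and the "no matching content" path returns an explicit NOT COVERED rather than letting the model fall back on its training data.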
The system reads the structure of the uploaded spreadsheet dynamically — it does not require a fixed template or predefined column layout. The ingestion pipeline identifies question fields regardless of how the spreadsheet is organized, processes each question independently against the vector database, and populates responses in the original file structure. A questionnaire with 200 questions in a novel format is handled with the same accuracy as a familiar one.
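The template-free handling described here and in the questionnaire section above comes down to two decisions: which column holds the questions, and where the responses go. The block below is an added example, not the platform's code. It works on a plain grid of cells (what any CSV or XLSX reader returns), scores columns by how many cells read as questions, reuses an existing answer/response column or appends one, and writes responses back without disturbing the original rows. The sample questionnaire is constructed, and `answer_fn` stands in for the per-question retrieval and GPT-4o step.

```python
import re

# Constructed sample questionnaire (not a real client file): a plain 2-D grid of
# cells as any CSV/XLSX reader would hand back. The question column is third,
# the header row is second, and the title row is ragged on purpose.
SAMPLE_SHEET = [
    ["Vendor Security Assessment"],
    ["Ref", "Domain", "Control question", "Vendor response"],
    ["AC-1", "Access control", "Do you require MFA for remote access?", ""],
    ["AC-2", "Access control", "How often are user access rights reviewed?", ""],
    ["DP-1", "Data protection", "Is client data encrypted at rest?", ""],
]

_INTERROGATIVE = re.compile(
    r"^(do|does|is|are|how|what|which|when|where|who|can|have|has|describe|please)\b", re.I)
_ANSWER_HEADER = re.compile(r"\b(answer|response)\b", re.I)


def cell(row, col):
    """Ragged-row safe cell access; missing or None cells read as empty strings."""
    return str(row[col]).strip() if col < len(row) and row[col] is not None else ""


def looks_like_question(text):
    return text.endswith("?") or bool(_INTERROGATIVE.match(text))


def find_question_column(sheet):
    """Choose the column whose non-empty cells most often read as questions,
    so no fixed template or predefined column position is required."""
    width = max(len(r) for r in sheet)
    scores = {col: sum(looks_like_question(cell(r, col)) for r in sheet if cell(r, col))
              for col in range(width)}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def find_answer_column(sheet, q_col):
    """Reuse a column headed 'answer'/'response' if one exists; otherwise the caller
    appends a new column. Returns (column_index, needs_append)."""
    width = max(len(r) for r in sheet)
    for col in range(width):
        if col == q_col:
            continue
        if any(_ANSWER_HEADER.search(cell(r, col)) and not looks_like_question(cell(r, col))
               for r in sheet):
            return col, False
    return width, True


def complete_questionnaire(sheet, answer_fn):
    """Populate every question row in place, preserving the file's own structure.
    answer_fn maps a question string to a response (assumption: it wraps the
    retrieval-plus-generation step). Returns (question_col, answer_col, filled_rows)."""
    q_col = find_question_column(sheet)
    if q_col is None:
        raise ValueError("no question column detected")
    a_col, needs_append = find_answer_column(sheet, q_col)
    filled = []
    for i, row in enumerate(sheet):
        question = cell(row, q_col)
        if not looks_like_question(question):
            continue  # title, header and blank rows are left untouched
        if len(row) <= a_col:
            row.extend([""] * (a_col + 1 - len(row)))  # widen only rows that get an answer
        row[a_col] = answer_fn(question)
        filled.append(i)
    if needs_append and filled and filled[0] > 0:
        header = sheet[filled[0] - 1]  # label the new column on the row above the first question
        header.extend([""] * (a_col + 1 - len(header)))
        header[a_col] = "Response"
    return q_col, a_col, filled


if __name__ == "__main__":
    sheet = [list(r) for r in SAMPLE_SHEET]
    print(complete_questionnaire(sheet, lambda q: "(policy-grounded answer)"))
    for r in sheet:
        print(r)
```

Because rows are filled in place, the completed grid can be written back with the same reader/writer that loaded it, which is what keeps the reviewer's copy in the client's original layout. The column heuristics are deliberately simple; a real pipeline would also handle merged header cells and multi-sheet workbooks.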
The platform was designed to meet the organization's own security standards — which, for a direct mail operation of this scale, are extensive. All policy data is stored in access-controlled S3 buckets with encryption at rest. The vector database is secured within the organization's AWS environment with IAM-enforced access controls. No policy content is transmitted outside the organization's AWS account. The system architecture was reviewed by the client's security team before deployment.
Yes — the RAG architecture is document-agnostic. The same ingestion pipeline, vector store, and query engine that processes security policies can be applied to any structured documentation: HR policies, operational procedures, compliance frameworks, contract terms. The Security AI Agent is the first deployment of this architecture for this client, with additional document sets already being evaluated for ingestion.
Tell us about your compliance or AI challenge. We will tell you whether Shelorve is the right partner — and if we are not, we will tell you that too.