Machine Learning–Driven Compliance Intelligence Framework for Automated Vulnerability Mitigation and Continuous Audit Preparedness
DOI:
https://doi.org/10.5281/zenodo.20443505
Keywords:
Compliance Automation, Continuous Monitoring, Vulnerability Management, Audit Readiness, Machine Learning, Security and Compliance Explainability
Abstract
Automation of security compliance is constrained by the need for continuous monitoring and remediation of vulnerabilities, the activity that underpins almost every security-related policy. By explicitly linking vulnerability management to policy documentation, a machine-learning model can drive not only vulnerability-closure workflows but also the automatic generation of audit artifacts, such as evidence of compliance, signed records of key decisions, and policy-enforcement logs, that together support continuous audit readiness. Orchestrating remediation on risk scores derived from machine-learning-based security analysis allows each prioritization decision to be justified against the policy context in force when it was made.
Persistent security risk and limited resources often lead organizations to prioritize remediation by a single observable signal, such as the existence of a known exploit, rather than by actual risk in context, so some of the most dangerous vulnerabilities remain unpatched. Combining alerting and remediation in a single artifact gives automated triage and remediation orchestration a common foundation, so that vulnerabilities with no obvious management precedent are still remediated in time without exhausting resources. Remediation generation is paired with a second component that produces the evidence and process-mapping artifacts needed for audit readiness. Audit preparation and compliance validation are two of the largest operational burdens organizations face, yet both can be partly automated through continuous monitoring of infrastructure changes and of knowledge repositories such as audit logs and change-approval records.
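As an added illustration, and not code from the paper, the Python below shows one way the pipeline the abstract describes could be wired together: a model's exploit-likelihood output is blended with asset criticality and the policy controls a finding maps to, the resulting score orders remediation, and every prioritization decision is appended to a hash-chained, HMAC-signed evidence log that an auditor can verify offline. The scoring weights, control identifiers, field names, signing key and sample findings are all assumptions made here; the paper does not specify them, and the exploit-likelihood value simply stands in for whatever the model would emit.

```python
"""Illustrative remediation prioritization with a tamper-evident decision log.
Added example; the weights, control ids and sample data are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed policy context: control id -> weight added when a finding maps to it.
POLICY_CONTEXT = {
    "PCI-DSS-6.3.3": 0.30,   # assumed: patching deadline for critical vulns
    "ISO27001-A.8.8": 0.15,  # assumed: technical vulnerability management
}


@dataclass
class Finding:
    fid: str                    # constructed finding id, not a real CVE
    asset: str
    asset_criticality: float    # 0..1, e.g. from a CMDB (assumed input)
    exploit_likelihood: float   # 0..1, stands in for the ML model's output
    controls: list = field(default_factory=list)


def risk_score(f: Finding) -> float:
    """Blend model output with asset and policy context. Weights are illustrative."""
    policy_weight = sum(POLICY_CONTEXT.get(c, 0.0) for c in f.controls)
    score = 0.6 * f.exploit_likelihood + 0.4 * f.asset_criticality + policy_weight
    return round(min(score, 1.0), 4)


def prioritize(findings):
    """Highest risk first; ties broken by id so the order is deterministic and auditable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.fid))


class EvidenceLog:
    """Append-only decision log. Each entry embeds the previous entry's signature
    and is HMAC-signed over its canonical JSON, so edits, deletions or reordering
    break verification. HMAC is a stand-in for the deployment's real signing scheme."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    @staticmethod
    def _canonical(body: dict) -> bytes:
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _sign(self, body: dict) -> str:
        return hmac.new(self._key, self._canonical(body), hashlib.sha256).hexdigest()

    def record(self, f: Finding, rank: int, score: float) -> None:
        prev = self.entries[-1]["sig"] if self.entries else self.GENESIS
        body = {"fid": f.fid, "asset": f.asset, "rank": rank, "score": score,
                "controls": f.controls, "prev": prev}
        self.entries.append({**body, "sig": self._sign(body)})

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "sig"}
            if body["prev"] != prev:
                return False           # chain broken: entry removed or reordered
            if not hmac.compare_digest(self._sign(body), e["sig"]):
                return False           # content altered after signing
            prev = e["sig"]
        return True


def run(findings, key: bytes) -> EvidenceLog:
    """Order the findings and record one signed decision per finding."""
    log = EvidenceLog(key)
    for rank, f in enumerate(prioritize(findings), start=1):
        log.record(f, rank, risk_score(f))
    return log


# Constructed sample input: the finding with the highest exploit likelihood is
# not the first to remediate once asset criticality and policy context count.
SAMPLE = [
    Finding("F-001", "web-01", 0.9, 0.20, ["PCI-DSS-6.3.3"]),
    Finding("F-002", "build-07", 0.3, 0.95, []),
    Finding("F-003", "hr-db", 0.8, 0.10, ["ISO27001-A.8.8"]),
]

if __name__ == "__main__":
    evidence = run(SAMPLE, b"assumed-audit-key")
    for e in evidence.entries:
        print(e["rank"], e["fid"], e["score"], e["controls"])
    print("log verifies:", evidence.verify())
```

Anyone holding the HMAC key can forge entries, so a deployment that needs non-repudiation toward an auditor would sign with a private key held by the orchestration service and anchor the chain head in an external timestamping or transparency log; the structure of the entries and the verification walk stay the same.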
Data Availability Statement: None