A short field guide to getting the best work out of Compliance Copilot, with example prompts that work well and a few that don't.
The shape of a good prompt
The best Copilot prompts share three qualities: they describe the outcome you want, they tell Copilot how careful to be, and they say what counts as 'done.' You don't need all three every time, but the more you include, the less back-and-forth you'll have.
Template that works almost always
Prompts that work well
Risk assessments
- "Take a first pass at our security risk assessment based on what you know about us, and stop before submitting." Copilot reviews your current compliance state — policies, training, vendors, incident response — and suggests answers with its reasoning. You review and approve each one.
- "What's the status of our risk assessment? What questions are still unanswered?" Useful when you've been working through it over several sessions.
Policies
- "Generate a draft Mobile Device Policy for our organization." Copilot pulls from your org context and produces a full draft with purpose, scope, procedures, and 45 CFR citations — saved as a draft for you to edit and publish.
- "Publish all draft policies that are ready." If you've reviewed your drafts and they're good to go, Copilot can publish them in bulk.
- "Send policy review reminders to everyone who hasn't completed theirs." Nudges team members who still need to acknowledge updated policies.
Vendors
- "Research vendor X — do they publish a HIPAA stance and do they sign BAAs?" Copilot will search the web for the vendor's HIPAA information and BAA availability.
- "Research all vendors that are missing BAAs and find their BAA links." Batch research to fill in your vendor inventory.
- "Add Acme Health as a vendor and send them our BAA for signature." Copilot creates the vendor record and sends your BAA template for e-signature.
- "Run vendor discovery to find apps our team is using that we haven't tracked yet." Scans your connected identity provider for SaaS tools that might need to be in your inventory.
People and training
- "Invite jane@example.com as an employee." Copilot sends the invitation — new employees automatically get HIPAA and Security Awareness training assigned.
- "Assign all missing required trainings across the team." Finds anyone who's missing required training and assigns it.
- "Offboard John Smith — he left the company last week." Copilot handles the offboarding workflow.
Security
- "Create a phishing simulation campaign targeting all employees, using a medium-difficulty template." Sets up a campaign you can review and launch.
- "Run an MFA check and send enrollment reminders to anyone who's not enrolled." Checks MFA status and nudges stragglers.
- "Run exclusion screening for all our employees." Screens your team against the OIG LEIE and SAM.gov exclusion databases.
Remediation and reports
- "Create a remediation plan from our latest risk assessment findings." Copilot groups related findings, suggests priorities, and creates trackable items with owners and deadlines.
- "Generate a compliance report." Creates a report capturing your current compliance score, policies, training status, vendor inventory, and incident history.
Prompts that don't work as well
Avoid these patterns
- "Make us HIPAA compliant." Too broad — Copilot will ask you to narrow down. Pick a specific outcome.
- "Is this safe?" Without context, Copilot can't say. Tell it which workflow, vendor, or document you're asking about.
- "Send breach notifications to all affected patients." Breach notification has legal implications — Copilot will walk you through the process but won't send external notifications without explicit human approval.
When to use Copilot vs. the docs
- Use these docs when you want to learn how a feature works in general, before you touch your real data.
- Use Copilot when you have a specific outcome in mind for your specific organization.