Compliance & Legal

How to run an annual policy attestation cycle with AI

Compliance & Legal3 AI tools7 steps6 friction points
Want an agent to handle this on your live data? See the Starch version →

An annual policy attestation cycle is the process of getting every employee — or a defined subset — to formally acknowledge they've read and understood specific company policies: a code of conduct, an acceptable-use policy, a data-handling policy, a conflicts-of-interest disclosure, and so on. Most operators run this once a year, sometimes more often if a policy changes. It's partly a legal requirement, partly an audit artifact, and partly the kind of hygiene that becomes very visible when something goes wrong.

The workflow looks like it should be easy to automate: you have a fixed list of policies, a roster of people, a deadline, and a binary completion status per person. That structure is exactly what makes operators reach for AI. The drafting work — policy summaries, reminder emails, manager escalations, completion dashboards — is high-volume and repetitive. A language model should be able to generate most of it. The instinct is right. The execution has real friction.

ChatGPT, Claude, and Gemini can contribute meaningfully to the drafting layer of this workflow. They'll write clear policy summaries, draft the initial attestation email and two or three follow-up reminders with escalating urgency, generate a completion-tracking template, and produce a final attestation report narrative. If you paste in the raw policy text, they'll summarize it accurately. What they can't do is send the emails, track who clicked, know who hasn't responded, or remember any of this when you run the cycle again next year.

Skip the manual work → See the Starch version
Compliance & Legal3 AI tools7 steps6 friction points
AI walkthrough

How to do it with AI today

A practical walkthrough using ChatGPT, Claude, and other off-the-shelf LLMs — what they're good at, what you'll have to do by hand.

Tools that work for this
ChatGPTClaudeGemini
Step-by-step
1 Export your current policy documents (PDF or plain text) and your employee roster (CSV from your HRIS). These are your two inputs — you'll paste policy text directly into the LLM and reference the roster for counts and names.
2 Open Claude or ChatGPT and paste in the full text of each policy you need attested. Ask the model to produce a plain-English summary (150–200 words) employees will actually read, plus three key takeaways. Save each summary to a Google Doc or Notion page.
3 Prompt the LLM to draft your attestation launch email: it should introduce the cycle, link to the policy summary, state the deadline, and tell employees exactly what 'attesting' means (clicking a link, signing a form, replying to the email — whatever your mechanism is). Do this once per policy or once for a bundled attestation.
4 Prompt for a T+7 reminder, a T+14 reminder, and a T+21 escalation to the employee's manager. Ask for distinct subject lines and slightly different tones — the first is a nudge, the second is firmer, the third goes to the manager as an action item. Copy each draft into your email client or a spreadsheet.
5 Build a completion tracker: ask the LLM to generate a Google Sheets or Airtable schema — columns for employee name, department, manager, policy name, attestation status, date completed, reminder count sent. You'll update this manually or via your form tool's export.
6 As responses come in, paste the current completion count and outstanding list into the LLM and ask it to draft a progress update for your compliance officer or board summary. Re-run this at week 2 and week 4.
7 At close, paste your final completion data into the LLM and ask it to generate an attestation cycle summary document: completion rate by department, names of any outstanding non-completers, date range, and a statement suitable for an audit file.
Prompts you can copy
Here is our Acceptable Use Policy [paste text]. Write a 175-word plain-English summary for employees and list the three things they most need to understand before attesting.
Draft a launch email announcing our annual policy attestation cycle. Employees must complete attestation by [date]. The policy is attached. Tone: professional but direct. Include a clear call to action. Length: under 150 words.
Write three follow-up emails for employees who haven't completed attestation: one at 7 days, one at 14 days, and one at 21 days that cc's their manager. Each should have a distinct subject line and escalating urgency without being hostile.
Here is our attestation completion data as of today [paste CSV]. Write a one-page compliance summary suitable for our audit file: overall completion rate, breakdown by department, list of non-completers, and cycle dates.
Generate a Google Sheets schema for tracking annual policy attestation across 80 employees. Include columns for all the fields an auditor would expect to see, and add a column for 'evidence link' where we can store the signed form URL.
Reality check

Where this gets hard

The walkthrough above works — until your numbers change, the LLM hallucinates, or you have to re-paste everything next month.

No live connection to your HRIS — you paste a roster once, but as employees join or leave mid-cycle, you're manually updating the list the LLM never actually holds.
The LLM doesn't send emails, track opens, or know who responded. You draft in the model, then manually execute in Gmail or Outlook — and manually reconcile completions against your tracker.
Nothing persists between sessions. The email drafts, tracker schema, and policy summaries you built last year live in a chat window you've long since closed. Next year's cycle starts from scratch.
Completion data lives in three places — a form tool, your email client, and a spreadsheet — and pulling them together for an audit-ready report means another manual export-and-paste session.
The LLM has no awareness of deadlines, so escalation emails don't send themselves. You're setting calendar reminders to remember to run the reminder prompt at day 7, day 14, and day 21.
Prompts drift: the carefully structured attestation summary and email format you tuned last cycle isn't reproducible without saving and re-loading the exact prompt chain — which most people don't do.

Tired of the friction?

Starch runs the whole workflow on live data — no copy-paste, no hallucinated numbers, no re-prompting next month.

See the Starch version →
Starch alternative

The same workflow on Starch

Starch is an agentic operating system — it builds and runs the software your work depends on, connected to your live business data. For policy attestation, that means an agent builds the persistent app that manages the full cycle — drafts, sends, tracks, escalates, and reports — without you re-running prompts or reconciling spreadsheets.

Connect Gmail or Outlook from Starch's integration catalog and your HRIS (BambooHR, Rippling, Gusto, ADP, Paylocity — all reachable). Starch queries your live employee roster so the cycle always reflects actual headcount, including mid-cycle joiners and leavers.
Describe the attestation workflow in plain English and the agent builds it: 'Draft a policy summary for each attached document, send launch emails to all active employees, and trigger reminder emails at 7, 14, and 21 days for anyone who hasn't completed attestation.' It builds and runs that as a persistent automation.
The Email Triage app (live in the App Store) handles the inbox side — tracking replies, flagging completions, and surfacing non-responders — so you're not manually scanning for who replied 'confirmed' versus who went silent.
Starch's Knowledge Management app gives policy documents a permanent home with AI-powered search. Employees can find and read the current version before attesting, and you can update a policy without hunting down which Google Doc is canonical.
At cycle close, describe the report you need: 'Generate a completion summary by department, flag any employees still outstanding, and format it as an audit-ready document.' The agent pulls from live completion data and produces it — no copy-paste from three different tools.
The Task Manager app (currently in development — request beta access) can surface outstanding attestation tasks for managers, so escalations become action items in the tools your team already works in, not emails that get ignored.
Get closed-beta access →
Toolkit

Starch apps for this workflow

Knowledge Management
A team knowledge base that keeps your company's information organized, searchable, and always up to date. AI-powered search finds answers instantly so your team stops asking the same questions.
Task Manager
Track tasks, set priorities, and stay on top of deadlines. A simple, focused task list with priority levels, due dates, and custom ordering.
Email Agent
AI that organizes your inbox and drafts replies instantly. Smart prioritization, automated follow-ups, and one-click actions help you reach inbox zero and get through email twice as fast.
Pick your role

See this workflow by operator

For your role
For Small Legal and Compliance Teams

The AI stack built for small in-house legal and compliance teams.
For your role
For Small HR Teams

The AI stack built for small HR teams.
For your role
For Small IT and ITOps Teams

The AI stack built for small IT and ITOps teams.
For your role
For Chief of Staff and Founder's Office

The AI stack built for the founder's office.
For your role
For Foundation and Nonprofit Ops Teams

The AI stack built for foundation and nonprofit ops teams.
For your role
For Independent Clinic Owner-Operators

The AI stack built for independent clinic owner-operators.

Run run an annual policy attestation cycle on Starch

You're on the list! We'll be in touch soon.