
When your only feedback loop is an external auditor queue, gaps stay hidden for weeks. Here's how Lee Enterprises changed that with Complyance
For Eric Calderone, Lee Enterprises' day-to-day looked like a lot of GRC teams right now: a lean team, expanding compliance requirements, and a security program that needed to be built (not bought) from the ground up.
The biggest friction point was feedback speed. When his team submitted evidence for review, it entered an external queue. Responses came back weeks later, sometimes longer. By the time a gap was flagged, the window to fix it quickly had usually passed. And because the domain expertise needed to properly evaluate NIST CSF controls wasn't sitting inside the team, there wasn't a good way to self-validate. Every assessment cycle depended on someone outside the organization telling them where they stood.
What Eric needed was audit-quality judgment that his team could actually use day-to-day: something that could review evidence as it was gathered and surface gaps before they became problems.
The choice to build around NIST CSF was deliberate. "The less prescriptive nature allows for an easier implementation across an Enterprise," Eric explains. "It allows for the custom creation of a program fit to your business and is not as restrictive as something like NIST 853." For an organization as geographically spread as Lee Enterprises, that flexibility wasn't optional; it was the whole point.
Lee Enterprises adopted the NIST CSF AI agent, built through a partnership between Complyance and Fine Assurance. The key thing to understand about how it works: the agent doesn't issue compliance conclusions. Independent auditors still do that. What the agent does is help Eric's team get ready: reviewing submitted evidence against NIST CSF requirements using control prompts developed from deep auditor expertise, and flagging potential gaps so the team can address them before an auditor ever sees the documentation.
Troy Fine, whose firm developed the control prompts, is direct about the scope:
"It's not meant to replace a human auditor, but it is meant to help companies like Lee Enterprises prepare for a NIST CSF assessment in a much faster way."
In practice, that means uploading evidence and getting structured feedback immediately, rather than waiting weeks for an external queue to clear. No back-and-forth emails. No wondering where the documentation falls short until someone external tells you.
Privacy controls were built in from the start: no data feeds back into LLM training, no information crosses client environments, and all processing stays scoped to Lee's team.
The immediate change was speed. Evidence that previously sat in an external review queue now gets evaluated on the spot. Eric's team can see where they stand, flag gaps during implementation rather than after the fact, and close them faster.
There's been a shift inside the company too. Eric describes the program as:
"Invigorating the company with a new view on cyber and getting people generally excited about trying to build a more secure Lee."
Security awareness is spreading, not because it's mandated, but because the tools make it approachable.
What's ahead is more of the same, done more quickly.
"I expect that we'll look and we'll find gaps and we'll be able to fill them quicker because of this AI."
The goal hasn't changed. The timeline has. As for relying on the AI completely? Troy Fine draws a clear line: "I would say lean into it, but don't over-rely on it. We're not to the point of replacing an auditor or replacing GRC professionals. But it can make us better quality GRC professionals."
Evidence once stuck in review queues now gets assessed instantly
Company-wide shift where employees are now excited about security
With AI pinpointing gaps in real time, Eric's teams fix issues faster
AI isn't replacing GRC experts but elevating them