March 31, 2025

Unlocking AI innovation with quality hill climbing

Written by
Ignacio Andreu

At Vanta’s recent Company Kickoff in New Orleans, we took the opportunity to showcase an essential approach for rapidly improving AI products: Quality hill climbing. Quality hill climbing is the idea that, given a clear dataset of what "good" looks like, collaborative iteration can swiftly enhance AI features and effectiveness.

Our engineering organization had two hours of dedicated time together, where we organized a hands-on AI activity centered on evaluating and iterating prompts. We wanted the challenge to feel as close to real work as possible, so we used Vanta’s own data to evaluate our prompts. Like our customers, Vanta uses Vanta for its annual SOC 2 audits. 

We took our most recent SOC 2 audit and removed key pieces of data to simulate imperfect audit evidence. Then we challenged ourselves: can we, in 45 minutes, iterate to a prompt that reliably detects missing audit evidence? We split up into groups of five to experiment with different prompt engineering techniques and various LLMs. At the end of the workshop, teams were graded on the accuracy of their results and total latency.

The results were impressive—teams were able to go from a base score of 30% on our eval set to over 75%. After the workshop, we received lots of great feedback from our engineers: 

"The AI workshop was excellent! Working with real data on a real problem illustrated how vast the problem space is for AI applications. It was a blast to iterate with the team and see our solution evolve." - Michael Vobejda

"The event made me realize that more context is not always better. Trying to get an LLM to handle many suggestions in context does not necessarily increase the accuracy of your results. Sometimes, simple language that is very clear with the responsibilities expected of a model is better than trying to get it to solve problems with a ton of explicit guidance." - Josue Guzman

Here are some general takeaways from running AI workshops: 

#1: Prompt engineering is iterative

As engineers progressed through the exercise, what seemed like daunting prompt engineering became manageable through iterative practice. They discovered that crafting effective prompts is a lot like debugging and testing code. Having a good evaluation dataset is also key to understanding if your iterations are improving or regressing.

The workshop emphasized that even logically sound prompts might not always yield the desired outcomes, highlighting the importance of embracing an iterative approach to prompt engineering: Write. Run. Observe. Tweak. Through these quick feedback rounds, prompt engineering went from an intimidating concept to an accessible tool.
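The loop described above can be sketched as a small evaluation harness. This is an added example, not Vanta's code: the evidence cases are constructed, and the candidate functions are hypothetical stand-ins for a "prompt + LLM call" so the harness runs offline. It scores each iteration on accuracy and latency, keeps only improvements, and checks the winner on cases that were never used for selection.

```python
import time
from typing import Callable, NamedTuple

# Constructed cases: (evidence text, True when required evidence is missing).
DEV = [
    ("Access review Q1: reviewer, date and sign-off attached", False),
    ("Access review Q2: reviewer listed, sign-off not provided", True),
    ("Offboarding ticket: account removal log attached", False),
    ("Vulnerability scan report: file is empty", True),
]
HOLDOUT = [
    ("Background check: completed report attached", False),
    ("Change approval: approver field left blank", True),
    ("Pen test summary: findings section missing", True),
]

class Score(NamedTuple):
    accuracy: float
    latency_s: float

def evaluate(detect: Callable[[str], bool], cases) -> Score:
    """Run one candidate over labeled cases; return accuracy and total latency."""
    start = time.perf_counter()
    hits = sum(detect(text) == missing for text, missing in cases)
    return Score(hits / len(cases), time.perf_counter() - start)

def hill_climb(candidates: dict, dev, holdout):
    """Keep a candidate only if it beats the current best dev accuracy."""
    best_name, best, history = None, Score(-1.0, 0.0), []
    for name, detect in candidates.items():
        score = evaluate(detect, dev)
        kept = score.accuracy > best.accuracy
        if kept:
            best_name, best = name, score
        history.append((name, score.accuracy, "kept" if kept else "rejected"))
    # Holdout never influenced selection, so a gap here signals overfitting.
    holdout_acc = evaluate(candidates[best_name], holdout).accuracy
    return best_name, best.accuracy, holdout_acc, history

# Hypothetical stand-ins for successive prompt iterations.
CANDIDATES = {
    "v1_always_complete": lambda t: False,
    "v2_flag_not_provided": lambda t: "not provided" in t,
    "v3_flag_common_gaps": lambda t: any(
        k in t for k in ("not provided", "empty", "blank", "absent")),
    "v4_flag_everything": lambda t: True,
}
```

With these inputs the third iteration reaches 100% on the dev cases but misses one holdout case, which is the overfitting gap a held-out slice is meant to expose.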

#2: Dogfooding is fuel for real progress

One powerful method we highlighted was dogfooding—using Vanta's own compliance artifacts as the foundation for our AI experimentation. This strategy not only grounded the exercise in real-world relevance but reinforced how iterative refinement using actual company data accelerates AI feature quality.

AI tools can be complex, which makes using them the best way to learn. Grounding the exercise in real-world data gave the engineering team a jump start on understanding the parts of AI tooling they were less familiar with. Of course, there’s always a risk of overfitting your prompt to the test data, but given a limited experimentation window this worked well.

#3: Prompting is already part of the work we do every day

One of the best moments came after the challenge, when someone said: “This is just what I do with ChatGPT anyway.” That aha moment helped engineers create a mental model for AI tooling. 

The realization that prompt engineering wasn't an entirely new skillset, but rather something many of our engineers were already utilizing, was empowering. Our team quickly realized that effective prompt development is less about esoteric techniques and more about disciplined iteration guided by clear specifications and thoughtful evaluation.

Making AI a team sport

When AI first landed in software development, it brought along terms like “prompt engineer,” “chain of thought,” and “few-shot examples”, making prompt engineering seem like an art few could do. We don’t want that kind of gatekeeping affecting how we develop software that helps our customers, and after this workshop, many of our engineers understand that prompt engineering has a process, just like software engineering. By teaching quality hill climbing, we empowered over 100 engineers to leverage their existing software development expertise to create awesome, accurate AI features. 

These workshops are just the start, but they’ve already made a difference in lowering the barrier to entry. Thanks a lot to the team behind the activity: Ruyan, Tina, Walt, Noam, Dan, and Kevin! 

If you love solving meaningful problems, and want to work with an innovative team, check out our open roles at Vanta.
