Computer-implemented method for identifying and assessing effects of changes in a cloud service

A computer-implemented method using a Large Language Model processes cloud service change data to identify and assess risks, addressing the challenge of uncontrolled cloud service changes, improving data and connection security with high accuracy risk management.

WO2026148369A1PCT designated stage Publication Date: 2026-07-16

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Filing Date
2026-01-08
Publication Date
2026-07-16

AI Technical Summary

Technical Problem

Cloud service providers frequently implement numerous changes without user control, posing risks to user systems, especially critical infrastructure, and users face the impossible task of reviewing extensive change logs to assess these risks.

Method used

A computer-implemented method using a Large Language Model (LLM) to process change data from cloud services, reducing it to a minimum, assessing risks, and providing a user interface for quick or comprehensive risk assessments, with AI support for identifying and quantifying potential impacts on IT systems.

Benefits of technology

Reduces technical risks by enhancing data and connection security, enabling efficient and informed risk management of cloud service changes, with 95-99% accuracy in risk category matching user choices.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure AT2026060004_16072026_PF_FP_ABST
    Figure AT2026060004_16072026_PF_FP_ABST
Patent Text Reader

Abstract

The invention relates to a computer-implemented method for processing data relating to changes in cloud services (1), comprising: retrieving data relating to a change in a cloud service (1); reducing the data relating to the change; comparing the reduced data with stored data relating to already detected changes; comparing whether the change relates to an active service if both conditions are met; processing the reduced data in a risk assessment process, comprising: identifying risk categories; a risk analysis for textually specifying risk factors to the risk categories; a risk assessment; proposing measures, wherein these sub-steps are carried out by a user supported by software and in advance by a large language model, wherein the result of the process processed by the large language model is provided to the user in addition to the data relating to the new change.
Need to check novelty before this filing date? Find Prior Art

Description

[0001] Computer-implemented method for identifying and assessing the impact of changes to a cloud service

[0002] The invention relates to a computer-implemented method for processing change data via cloud services.

[0003] In the realm of cloud services, a problem arises from the large number of changes implemented by cloud service providers, and the users of these services have no control over these changes or their implementation timing. Every change implicitly poses a risk to the user's system, especially if the user operates critical infrastructure. Cloud service providers do, at the very least, make change data available, usually in the form of change logs. However, the user is then tasked with reviewing these change logs and assessing the associated risks, a task that is virtually impossible without support due to the sheer number of changes (thousands per year).

[0004] The object underlying the invention is to provide a computer-implemented method for processing the change data of cloud services in order to identify the effects of changes to a cloud service on an IT system using this cloud service and thus to reduce technical risks of technical systems and their functions.

[0005] This change data is defined by information on changes, in particular changes to be carried out or carried out by cloud providers, predefined, automatic, solitary, unique and scheduled changes without explicit authorization or possibility of undoing.

[0006] To solve the task, a computer-implemented method is proposed for identifying the impact of a change to a cloud service on the technical functions of a technical system in the form of an IT system, comprising the following steps:

[0007] Retrieving change data for at least one recent change from at least one cloud service,

[0008] Reducing the change data to a defined minimum of reduced data for processing in subsequent steps, whereby the remaining data can be stored.

[0009] The first condition is to compare the reduced change data with stored data to determine whether it is new change data.

[0010] o where if yes a new change is created or o where if no already recorded change data is updated in case of changes. Checking whether the change described in the change data affects at least one active service or function of an IT system using the cloud service as a second condition.

[0011] o where if no, the change is saved and marked as not open and to be carried out,

[0012] where, if so, the reduced data of the change are fed into the following further steps: processing the reduced data in a risk assessment process to identify possible implications and risk categories of changes using defined checklists of risk categories, encompassing the following sub-steps:

[0013] o Identifying risk categories

[0014] o Conducting a risk analysis to provide a textual description of risk factors for the risk categories

[0015] o Conducting a risk assessment

[0016] o Proposed measures, whereby these sub-steps can be carried out by a user with software support in the form of a quick assessment for low risks or the comprehensive risk assessment process, but in any case must be carried out independently and in advance in a pre-evaluation using a Large Language Model,

[0017] the result of the process executed by the Large Language Model is provided to the user directly in a process view, in addition to the data of the new change.

[0018] The invention comprises the implementation of the method as a computer program, i.e., software comprising instructions that cause a computer to execute these method steps. A technical effect of the method according to the invention is the reduction of technical risks by increasing information and data security, since, for example, data changes, changes to encryption, changes to file formats, changes to storage location, and the effects of these changes on an IT system are detected. A further technical effect of the method according to the invention is the reduction of technical risks by increasing connection and access security, since, for example, changes to interfaces, access rights, roles, service providers, storage availability, transmission volumes, and the effects of these changes on an IT system are detected.

[0019] In general, the method according to the invention identifies technical risks to the technical functions of an IT system and their effects.

[0020] The user is one or more individuals responsible for risk assessment at the user of the cloud service. The user is the licensee of the monitored cloud system, either themselves or whose customers use the cloud services. Different cloud service providers offer change data from different sources. Retrieval methods that can be used in the retrieval step include, for example, REST APIs, RSS, email subscriptions, and web parsing.

[0021] Different cloud service providers offer data in different formats. To ensure a standardized process, a minimum of necessary data is required, which can be defined and is used in the data reduction step.

[0022] In one version, the reduced data includes:

[0023] Change ID

[0024] Affected Services

[0025] Start and end date of the change

[0026] Title of the change

[0027] Description of the change

[0028] In other versions, the reduced data also includes tags and / or further links.

[0029] The data sources for changes contain extensive information, but not all of it is necessary for evaluating a change. All other information that goes beyond the minimum requirements is stored, but not used in the process.

[0030] In the two comparison steps, the data is further reduced.

[0031] The process determines whether the change has already been recorded or whether it needs to be created anew. If a change has already been recorded, it is additionally checked whether it is unchanged or whether any modifications have been made to it.

[0032] Furthermore, in the software or computer-implemented process, all products and services that are not in use are marked so that changes for them do not have to be evaluated. This further increases efficiency.

[0033] The risk assessment process is designed in such a way that the Large Language Model (LLM), in combination with conventional algorithms and procedures, can carry out this process independently and in advance.

[0034] In the identification phase, possible risk categories are proposed; in the risk analysis, these are described textually; and in the risk assessment, a proposal for a risk assessment is made depending on the implementation variant of the risk quantification of the entire change, individual risk categories, or individual risk factors.

[0035] The Large Language Model is an artificial intelligence (AI) agent for the user. The computer-implemented risk assessment process was designed and developed with AI integration as a core component, thus representing an AI-native process or an AI-native computer-implemented procedure. Even the step of normalizing and reducing the change data to a more concise form serves to provide it in a format optimized for processing by the AI ​​agent or the Large Language Model within the risk assessment process.

[0036] The AI ​​agent consists of an extensive implementation of roles, context, process flow, and prompt. This is passed to a Large Language Model, and structured output is expected.

[0037] The LLM receives information about various people involved in the change management process in the real world, as well as their interests.

[0038] The context includes the change, the metadata, and all further information about the service.

[0039] The LLM will be provided with the aforementioned risk assessment process and the necessary instructions on how to carry it out.

[0040] The prompt consists of the described information and the necessary input and output rules to obtain a usable, data-technically deterministic final result. This information is passed to the LLM progressively for each process step to improve the quality of the information.

[0041] Only LLMs with high general problem understanding capabilities can be used. Therefore, models that perform very well in MMLU or HellaSwag benchmarks are employed.

[0042] The LLM runs the same risk assessment process anew for each change. The LLM does not look at past changes and does not learn from its use. Therefore, it is not machine learning based on the evaluation of past and current changes.

[0043] This is primarily because the changes to the invention in question are considered singular events, meaning that no access to historical data is possible. Instead, the LLM performs the risk assessment process anew for each change without considering historical data from other changes, and it does not learn from these changes.

[0044] The present invention is particularly advantageous for changes that are automatic and one-off, originating from external sources or being specified. These changes are often automatically activated and cannot be prevented or approved. This distinguishes the present invention from methods used internally during software development or when modifying the system itself, since in the latter case the change can still be modified or its approval and thus its implementation can be prevented.

[0045] The procedure can additionally include that when previously recorded change data is updated in the event of changes to the change data, information is also sent to a user or the change to the change data is displayed in a user interface.

[0046] The advantage is that the user can see at a glance what has been changed in the change information, allowing them to either confirm the update without taking any action or revise the entire assessment to potentially conduct other risk assessments or action plans. This enables continuous monitoring of the changes already recorded for the active services.

[0047] Optionally, the modified data can also be fed into the Large Language Model, which performs the aforementioned sub-steps on the modified data of the change. The result of the process executed by the Large Language Model is then provided to the user in addition to the data of the updated change. A comparison can then be made to determine whether the result based on the modified data of the change differs from the result based on the previously existing data of the change.

[0048] The computer-implemented method can be based on an architecture comprising multiple satellites and a hub.

[0049] The satellites and the hub are container solutions (Docker Compose). A satellite uses retrieval methods to retrieve change information from a manufacturer or cloud service provider, normalizes it to a defined data model, and sends it to the hub.

[0050] The hub handles the steps described above as reconciliation. If it is a new change that has never been previously delivered via change data, it is created as a new change and the process starts for this change.

[0051] If the change is already in place and the data has remained the same, it will be ignored; if the data has been changed, the change will be updated.

[0052] For example, if the service is deactivated, the change is saved, but not marked as open and ready to be implemented.

[0053] The hub includes a user interface to enable the user to perform the risk assessment process. The hub includes the previously described AI assistant for pre-executing the risk assessment process using the Large Language Model.

[0054] The hub can also include dashboards, KPIs, and reporting.

[0055] The invention is illustrated by drawings:

[0056] Fig. 1: Illustrates a preferred embodiment of the computer-implemented method and a preferred architecture of the software or the computer-implemented method.

[0057] Fig. 2: Illustrates three different variants for risk quantification.

[0058] The computer-implemented procedure for processing data on changes to Cloud Services 1 starts with retrieving data on at least one change to Cloud Services 1. Depending on the complexity of the IT system of the user of the computer-implemented procedure, or of the software that executes the computer-implemented procedure, data on changes from multiple Cloud Services 1 can be queried.

[0059] This query and a reduction step 2, in which the change data is reduced to a minimum defined in the software or computer-implemented procedure, are preferably performed by several satellites 3. The satellites 3 are container solutions specifically designed for the respective interface of the cloud services 1 and normalize the differently structured datasets for the changes. The normalized data is transferred to a hub 4, where further processing of the reduced data and storage of all change data takes place. In a first comparison step 5, it is determined whether the change data represents a new change or whether the change has already been retrieved and processed at an earlier time. In the case of a new change, it is processed by the software or...In the computer-implemented process, a new entry is created, and the reduced change data is subjected to a second comparison step 6. If the change is a previously recorded change, the software or computer-implemented process determines in a comparison step 7 whether the change data has been altered compared to the previously recorded change data. If changes have been made to the data, the previously recorded change data is updated in an update step 8. If the change data remains unchanged, the process for this change is completed 9.

[0060] For a new change, the software or computer-implemented process determines in the second comparison step (6) whether the change affects at least one active service or function of the user's IT system. If not, the change data is saved in a storage step (10), and the process ends. To ensure that the active and inactive services and / or functions of the software or computer-implemented process are known, this information can be kept up-to-date by a user of the software or computer-implemented process, or, if possible, retrieved from the user's IT system (asset or configuration management) if this information is available there in an up-to-date format.

[0061] When an inactive service or function is activated, the described process requires that only subsequent changes are subjected to a risk assessment. This is because a risk assessment is already performed when a service or function is activated, so only changes occurring after the initial risk assessment need to be re-examined. An optional implementation variant allows the user to specify a cut-off date when activating a service or function. Any change occurring after this cut-off date is then treated as a new change for that service and processed accordingly, using the saved data from update step 8 and save step 10.This allows for consideration of changes that may occur between the initial risk assessment and the actual activation of the service or function.

[0062] If the comparison step 6 reveals that the change involves an active service or function, the reduced data for this change is passed to a risk assessment process 11. This risk assessment process 11 comprises several sub-steps 12-15, which are executed sequentially and build upon one another. The computer-implemented procedure involves these sub-steps 12-15 being performed by a computer assistant 16 prior to a user performing the same sub-steps 12-15 via the corresponding user interfaces of the software or the computer-implemented procedure.

[0063] The user therefore receives the result of the Change Assistant 16 for sub-steps 12-15 directly for the new change, but can also execute these steps themselves in the same way as the Change Assistant 16. The result of the Change Assistant 16 and the data of the new change are displayed to the user in a graphical process view, particularly for views of sub-steps 12-15.

[0064] In the first sub-step 12 – Identification – potential implications and risk categories of changes are identified using checklists of risk categories and risk factors. The goal of the change, the resulting risks, their probability of occurrence, and their impact are identified based on a checklist of possible risk categories. Information security is one example of a risk category.

[0065] If no or low risk is identified, the change can undergo a quick assessment and be completed with a short comment in process end 18. This is done by the user responsible for assessing the change, although the AI ​​assistant 16 may also reach this conclusion beforehand and suggest this action, preferably also the wording of the comment. The responsible user can be defined or defined in the software or the computer-implemented procedure.

[0066] If risks are identified in one or more risk categories, the second step – analysis – involves a qualitative review of the risk factors for each risk category. The goal of this step is to generate a better understanding of the risks based on further information about the change (links, documentation, etc.). The risk assessment includes a detailed examination and analysis of the causes and sources of the risks. A checklist for each risk category, defining the risk factors, is preferably used. Working through the checklist documents the risk factors. The depth of the investigation can vary depending on the risk, purpose, and available information, data, and resources. Examples of risk factors in the previously mentioned information security risk category include:

[0067] Identity and access management, rights & roles, encryption.

[0068] In the third sub-step 14 – Risk Assessment – ​​the qualitative results from sub-step 13 are quantified. Depending on the desired level of detail and the resources available to a company, the risk assessment can be carried out either based on all risk factors, the risk categories, or on the change itself. These three options are illustrated by way of example in Fig. 2, where D1 represents the risk assessment based on the change itself with the example result RD1. D2 represents the risk assessment based on the risk categories Kl and K2, with the example result RD2, which corresponds to the highest risk of a risk category. D3 represents the risk assessment based on the risk factors K1F1, K1F2 and K2F1, K2F2, with the example result RD3, which corresponds to the highest risk of a risk category, where the risk of the risk categories is the highest result of their risk factors.The quantification is preferably carried out according to the well-known formula: Risk = Probability of occurrence * Impact.

[0069] The impact factor describes potential damage or negative consequences of the change. In a preferred implementation, numerical values ​​from 0 (no impact) to 3 (significant impact) can be assigned in the software or computer-implemented process.

[0070] The probability of occurrence describes how likely the change or risk is to occur. In a preferred implementation, numerical values ​​from 0 (Never) to 3 (Certainly) can be assigned in the software or computer-implemented procedure.

[0071] By selecting values ​​for impact and probability of occurrence, a qualitative announcement of a change (raw text) can be evaluated with quantitative data by multiplying and using the maximum value of an entity at a higher level of detail.

[0072] This enables, for example, the control, prioritization and evaluation of changes and their risks for the company.

[0073] If possible, a change and its impact can optionally be tested at various stages of the risk assessment process to obtain, for example, more precise analysis data or impact assessment data. In the fourth sub-step 15 – Proposing Measures – measures can be developed for the quantified risks, if necessary and possible, to reduce the risk of the change. These risk mitigation measures can include, for example, changes to user documentation, service configuration (disabling the function), etc. Service configuration (disabling the function) is a technical measure. Information from the risk assessment can be used to define and evaluate the measures, for example, to define assessed, aggregated, and / or prioritized risks.

[0074] Preferably, after the measures have been defined, the risks are determined assuming the implementation of the measures, in order to quantify how the measures taken will reduce the risks of the change.

[0075] It can be stipulated that, above a definable threshold of the quantified risk, the developed measures can only be approved by authorized persons. User roles and permissions are therefore preferably definable and manageable within the software or computer-implemented procedure, which is generally known. Such a review by a higher authority or another person takes place in a step referred to as Review and Monitoring 17, in which the result of the risk assessment assistant 16 and, if applicable, the result of the actual user are available. The review step can also include a user reviewing and confirming the risk assessment process of the risk assessment assistant. In the event that the risk assessment assistant identifies a high risk or a risk higher than that determined by the user, optional adjustments can be made in the software or computer-implemented procedure.Rules may be defined in the computer-implemented procedure that require review by a higher authority or a second person. The monitoring aspect can include processing changes from update step 8 according to rules defined in the software or the computer-implemented procedure, for example, displaying them to the users responsible for the respective change. The reduced data of the updated change can also be subjected again to risk assessment process 11 by the AI ​​assistant.

[0076] These rules allow a distinction to be made as to whether a high risk was previously identified for the change or not, or whether the result of the Kl-Assistant 16 for the updated data differs from the result previously determined by the Kl-Assistant 16 or the user.

[0077] The Kl-Assistant 16 has already been described in detail in the general section of the description.

[0078] Through large-scale proof of concepts and qualitative surveys (n=ll), it was found that the AI ​​assistant supports users of the computer-implemented procedure to such an extent that 95% - 99% of the risk categories, descriptions of factors and ratings matched those usually chosen by the user.

Claims

Patent claims 1. Computer-implemented method for identifying and evaluating the impact of a change to a cloud service (1) on technical functions of a technical system in the form of an IT system, comprising the steps: Retrieving change data for at least one recent change from at least one cloud service, Reducing the change data to a defined minimum of reduced data for processing in subsequent steps, whereby the excess data can be stored. The first condition is to compare the reduced data with stored data to determine whether it is a new change. - where if yes, a new change is created, or - where if no, an already recorded change is updated in the event of changes As a second condition, check whether the change affects at least one active service or function of an IT system using the cloud service (1), - where if no, the change is saved and marked as not open and to be carried out, - where if yes, the reduced data of the change is fed to the following further steps, processing the reduced data in a risk assessment process, to identify possible implications and risk categories of changes using defined checklists of risk categories, comprising the sub-steps ( 12-15 ): - Identifying risk categories - Conducting a risk analysis to provide a textual description of risk factors for the risk categories - Conducting a risk assessment; proposing measures wherein these sub-steps (12-15) can be carried out by a user with software support in the form of a quick assessment for low risks or the comprehensive risk assessment process, characterized in that these sub-steps (12-15) are in any case carried out independently and in advance in a pre-evaluation by a Large Language Model, wherein the Large Language Model consists of an implementation of context and prompt, wherein the reduced data of the change serves as context, wherein the risk assessment process and necessary instructions on how to carry it out are passed to the Large Language Model, wherein the prompt consists of the described information and necessary input and output rules to obtain a usable, data-technically deterministic final result, and wherein this information is passed to the Large Language Model for each of the sub-steps (12-15) of the risk assessment process in a progressive manner.to improve the quality of information, wherein the result of the process executed by the Large Language Model is provided to the user directly in a process view in addition to the data of the new change, encompassing the technical measures developed by the Large Language Model in the fourth sub-step ( 15) to reduce the risk of the change for the technical function of the IT system.

2. Computer-implemented method according to claim 1, characterized in that for the first sub-step (12), identification of risk categories, at least one stored checklist is retrieved, which is processed by the user and the Large Language Model to select the risk categories.

3. Computer-implemented method according to claim 2, characterized in that for the second sub-step (13), risk analysis, at least one stored checklist for each risk category selected in the first sub-step (12) is retrieved and processed by the user and the Large Language Model to select and describe the risk factors.

4. Computer-implemented method according to one of claims 1 to 3, characterized in that in the third step (14) one of the following quantitative risk assessments is carried out depending on the level of detail by the user and the Large Language Model: - just a single risk for the entire change, or - one individual risk for each of the risk categories, or - one individual risk for each of the risk factors.

5. Computer-implemented method according to claim 4, characterized in that the user and the Large Language Model determine an overall risk for the change, which is equal to the highest individual risk, wherein each individual risk is calculated by multiplying a numerical value for probability of occurrence and impact.

6. Computer-implemented method according to any one of claims 1 to 5, characterized in that in the fourth step (15), proposing measures, the Large Language Model develops measures for the risks quantified by the Large Language Model, which can serve to reduce the risk of the change, wherein these measures are already made available to the user when the user receives information about the existence of a new change.

7. Computer-implemented method according to one of claims 1 to 6, characterized in that rules are stored for the computer-implemented method which are applied when a numerical value of the risk assessment exceeds a definable threshold and / or when the Large Language Model determines a higher numerical value of the risk assessment than the user, wherein the rules relate to the authorization to release measures and / or to complete the risk assessment process without measures.

8. Computer-implemented method according to one of claims 1 to 7, characterized in that it is based on an architecture comprising several satellites (3) and a hub (4), each of which is a container solution, wherein each satellite (3) retrieves the data for a change from an information source, normalizes it to a defined data model and sends it to the hub (4).