The Future of GRC in the AI-Hype World

Pierre-Paul Ferland -

If you work in GRC today, you've probably noticed the tsunami of AI hype washing over our industry. Every vendor, consultant, and LinkedIn influencer seems to be positioning themselves as an "AI security expert" (myself included). Webinars about "AI risk management frameworks" are multiplying faster than privacy laws.

My hot take: we are just rebranding the same security principles with shiny new buzzwords. AI systems remain hosted on an infrastructure governed by the same access management, data lifecycle and development principles as any other applications. But that doesn't mean that our discipline won't change. In fact, we're about to get rid of most of the drudgery to finally realize GRC as an advisory function. Let's dig into what's really changing and what remains foundational as we all try to make sense out of this.

The Transformation of GRC in the AI Era

Cross mappings, gap analysis, data classification, controls maturity assessments, policy writing, audits, reviews, procedures writing, guidelines drafting... all of these tasks will soon be outsourced to AI.

I've met CEOs and founders who are using AI to automate entire Third Party Risk Management processes. Think you can catch faster than an AI whenever your suppliers add some shady language in their privacy policy? This is the world that's coming... and it's amazing. The days of reactive, checkbox-driven GRC are numbered.

Picture this: AI agents reading our policies, monitoring risks in real time, embedding security standards directly into coding copilots or agents. The script is flipping. Where we were once primarily information gatherers, we're now becoming curators. AI will have all the answers but it won't be able to ask the right questions.

The routine boring stuff is GONE. No more Excel hell cross-mappings. No more manual risk reports. No more pointless questionnaires. No more bridge letters nobody reads. Only the work that actually matters remains.

AI will handle the vendor due diligence grind. Good. But vendor risk isn't just about filling out a questionnaire. It's about trust. About navigating the human dynamics AI doesn't understand through the whole lifecycle.

Autonomous compliance sounds nice until an LLM hallucinates your security policies into oblivion. We'll need to watch the watchers. Make sure AI isn't just fast but right.

The Human Element in an AI-Powered GRC World

AI can crunch data, but it won't change how people think. Security awareness, culture, leadership are going to become our bread and butter.

A well-trained AI can spot anomalies. A well-trained human can make people care.

AI will still struggle with coordinating cross-functional teams with competing priorities. AI doesn't work well with the messy, unpredictable (by the way, this is why executive assistants' jobs are and will remain safe: too much chaos to deal with). Its decision-making will remain limited. AI will never replace a salesperson or a teacher, no matter how advanced it gets. Humans will always prefer human relationships; purchasing or learning are emotional decisions at their core.

The reality is that no security team can maintain all the information systems in an organization. The only solution is to ensure that the teams that operate these systems consider security. There's no AI prompt for "Should we launch this product despite the security risks?" You need judgment. Experience. Conviction.

The challenge in security has always been about balancing incentives. The carrot approach of praising good behaviors and hyping small successes often struggles to maintain engagement. The stick approach is worse. Try slowing down a development team's sprint to address vulnerability SLAs and see how that goes over.

What remains is the risk-based approach and a great deal of opportunism. The most effective security changes happen when you're involved at the right moment with the right stakeholders. AI might help identify these moments, but it won't replace the human judgment needed to navigate them.

The Reality Check: Same Game, New Tools

When cloud computing arrived, we genuinely had to rethink EVERYTHING. The "network perimeter" became old fashioned. Shared responsibility models emerged. Infrastructure became code. Cloud facilitated containers, kubernetes, serverless...

But AI? Right now, AI remains essentially SOFTWARE running in the cloud processing larger datasets with non-deterministic outputs. It feels like magic but there's nothing magical about how it runs under the hood.

Every builder is embedding models into their products. Soon ALL software will have AI components. Yet somehow we're supposed to believe this requires a completely new security discipline? What will your "AI risk register" look like when every app you use has AI components? The distinction won't matter!

We need less of:

  • Expensive "AI security" certifications
  • Consultants selling fear of "novel threats"
  • Rebranded "AI questionnaires" with security content

And focus on the same challenges:

  • Access control
  • Data protection
  • Supply chain security
  • Third-party risk management

Let's face it: "training data poisoning" may be cool sounding but threat actors will still be breaching us with the same tired methods they've been using for 20 years: misplaced credentials, misconfigurations, old vulnerable components, phishing...

While everyone rushes to become an "AI risk management expert," the fundamentals of good governance haven't changed. Your existing frameworks likely already address most of what you need.

The question isn't if AI will change GRC. It's how we'll lead it. I believe the answer lies in the same human-centered approach that has always defined effective security work. AI will enable us to focus more on what truly matters: understanding context, making judgment calls that algorithms can't, and ultimately creating a security culture that's engaging.

Security and compliance will always be human problems at their core. The technology is just a tool. As we move forward, let's remember that our greatest value isn't in what we can automate, it's in what we can humanize (ok that was cheesy).