GRC Data & AI Summit in Review: Top 5 Truths About Data & AI in GRC
The first GRC Data & AI Summit has come and gone, and I couldn’t be happier about how it went.
Thank you again to all the speakers, sponsors, and attendees.
It’s fair to say everyone enjoyed having a forum for expressing frank opinions and informed predictions about the ongoing Data & AI revolution in our field.
Here are my top 5 data and AI truths the Summit uncovered:
1. Traditional Automation Failed But Data and AI Deliver
Automation promised to solve GRC’s problems, but it failed. Fortunately, the combination of data and AI can deliver the automated efficiency GRC teams are looking for.
Throughout the sessions, we heard firsthand accounts of more sophisticated data and AI use cases in GRC, including mapping regulations to a unified control framework, testing policies against evidence, building “self-healing” controls, auto suggestions, and more.
When asked how they’d use the time saved by AI, more than half (51%) said they’d invest it in risk activities, while another 32% said they’d focus on maturing their control environments further. In other words, teams want more time for the work that actually drives resilience.
What you can do about it: If automation “solutions” have failed to get your team out of spreadsheet hell, start exploring how data and AI can save your team time and give you more visibility into risks, policies, and controls.
2. Hidden Insights Are Everywhere Across Your Stack
Jake Bernardes, CISO at Anecdotes, shared a powerful metaphor. “A modern-day Formula 1 car produces 1.1 million data points per race,” he said. But the driver isn’t worried about gathering that data, because it happens automatically in the background.
Meanwhile, GRC teams are spending 60 to 70% of their effort collecting and validating evidence like screenshots, spreadsheets, and manual exports. Even when teams automate, it’s usually just to make audits easier, not to improve strategy. As Jake put it, “evidence collection has become the goal instead of the starting line.”
Avani Desai, CEO of Schellman, drew attention to the wealth of operational data that teams aren’t yet tapping into. “You’re going to be surprised how many insights are hiding—in logs, service tickets, HR reports.”
AI is only as smart as the data it’s built on. At Anecdotes, our secret sauce has always been connecting systems to surface relevant GRC data across your organization, wherever it originates, and using it as fuel for AI-powered GRC.
What you can do about it: If your team is spending the majority of its time on evidence collection, “flip the pyramid” by using data and AI to cut the busywork and focus more energy on strategy. Brian Lee, Senior Manager of Product Security Compliance at Snowflake, stated the stakes plainly: “If you don’t start now, you’re going to fall behind.” Once you have the data, make sure you are unlocking its full potential.
3. GRC Roles Are Evolving in Response to AI
Brian Fields, Partner and Audit Transformation Leader at KPMG, informed us that AI is driving changes in the workforce on both the auditor side and the GRC teams. “The body of knowledge that you are expected to know coming in might change very rapidly over the next couple of years.”
Brian wasn’t just talking about familiarity with AI, but also about the adaptability to get there. He explained that getting great results with AI requires both a creative streak and problem-solving grit.
Vineet Seth, CPO & CTO at Coalfire, pointed out that the key to becoming fluent in AI is to start using it. “It’s OK to be a little uncomfortable, but you have to really dive in headfirst.”
What you can do about it: Make sure you are becoming AI-fluent, and as your team grows, evaluate GRC hires for creativity and adaptability as much as for technical skill.
4. Human + AI Partnership = Trustworthy GRC
Vineet and his fellow panelists, Ruchi Khurana, Lead Product Manager of Cybersecurity & Compliance at Google Cloud, and Abhijit Varma, Global Tech Consulting Leader at Uniqus, have very different roles and work with AI in different ways. But they all shared strong enthusiasm for AI in GRC—as long as a human is kept in the loop.
While we see AI improve on a daily basis, keeping humans in the loop is still essential at this point to ensure AI is both actionable and trustworthy. For example, Ruchi and Abhijit both felt that AI could do 70% of the work in drafting a SOC report, but that it is critical for humans to iterate on it to get it to the finish line.
What you can do about it: Make sure your organization treats AI as a GRC partner, not a replacement. AI can draft, summarize, and suggest, but keeping people in the loop to validate, refine, and add judgment is how you get trustworthy results.
5. AI-Native Solutions Are Redefining the GRC Space
Kayla Wilson, Regional Sales Manager at Anecdotes, Mike Melo, CISO at TMX, and Jeff Hoskins, Compliance Practice Lead at Tutela Solutions, spoke about the new category of GRC solutions: AI-native tools.
While legacy platforms are sprinkling on AI as an afterthought or adding AI through M&A, AI-native solutions are built with AI at the core. In their opinion (and mine) what sets these tools apart is that when AI is deeply ingrained in your GRC solution, it doesn’t just speed up processes; it reimagines how you work. But this is only true if it’s built on a strong foundation of trusted data.
In his demo session, my Co-Founder and CPO at Anecdotes, Roi Amior, walked us through how Anecdotes uses automatically collected data to unlock AI’s real potential in GRC.
What you can do about it: Learn the difference between AI that’s built-in and bolted on. When you evaluate AI features for GRC, look past marketing that might be attempting to AI-wash the same old solutions.
In Case You Missed It
Honestly, this was just the tip of the iceberg. There were so many amazing takeaways from the summit. If you’re kicking yourself for missing this inaugural GRC Data & AI Summit, give yourself a break. You can still catch up on demand.
Whether you made it live or watch the video, I hope you’ll join us next year!