What Does ‘AI-Driven’ Mean, Anyway? Navigating GRC Solutions in 2025
In my line of work, I have a lot of conversations with GRC practitioners, and I hear one theme again and again: confusion about the many GRC solutions on the market today.
It seems like all GRC solutions, from the biggest legacy platforms to templated SOC-in-a-Box tools, are now calling themselves “AI-powered” or “AI-driven.” But what do those claims actually mean?
At the recent GRC Data & AI Summit, I sat down with Mike Melo, CISO at TMX, and Jeff Hoskins, Compliance Practice Lead at Tutela Solutions, to bring a little order to the chaos. In a session titled “Spot the Difference: Decoding the current GRC vendor landscape and their offerings,” we broke the vendor landscape into three and a half quadrants (which I’ll explain in a minute) and explored how each category approaches data and AI.
Here’s how we see the market, and why it matters if you’re trying to take your GRC program to the next level.
Quadrant 1: Traditional Workflow Automation
We started with the legacy giants. Names that came up included Archer, ServiceNow, and Diligent. If you’ve worked in a large enterprise, chances are you’ve crossed paths with at least one of them. They’re known for powerful GRC workflows and endless customization, but not for data and AI.
“We’re slowly starting to see some of these platforms, I would say, sprinkle AI onto it,” Mike told us, “but it’s very much an additive approach… It doesn’t really address this fundamental philosophy of how GRC should work… I think that we’re still very focused in this space on process enablement, rather than the data insights.”
Mike had a great analogy for these giants: “It’s the 800-pound gorilla in the room. It’s large, it’s expensive… You have to go all-in to the platform across the enterprise to make it something relatively usable.” If you’ve been through any of those deployments, you know they can take years.
Jeff shared another analogy that I loved. He said using these tools is like walking into a hardware store: “There are toilets, 2x4s, sheets of lumber… You can do anything you want. You can make a chicken coop, you can make a dog house, you can make a craftsman style house, but you don’t have any of those things… You have to have developers and architects that are gonna help you take advantage of that.”
Takeaway: These platforms can be powerhouses for large enterprises with the resources to implement and maintain them. But if you have a leaner team, or if you’re a forward-looking enterprise that wants a tool that fully embraces the latest innovations in GRC data and AI, these may not be the tools for you. Beyond the difficult implementation, the legacy players show the limits of treating AI as an add-on: bolting AI onto a workflow engine speeds up existing processes without changing what the platform can learn from your data.
Quadrant 2: Trust Management Solutions
Next up are the trust management solutions. Ones you’ve probably heard of include Vanta, Drata, and SecureFrame. These tools have become the go-to for startups and small businesses trying to get through their first SOC 2 or ISO audit. They’re quick to deploy, they cover a handful of use cases, and they make compliance feel less intimidating.
As Jeff explained, trust management solutions are great at helping companies take early steps in GRC. “You go in there, select the frameworks that you want, and then they help you… There’s sometimes automated evidence collection, although the customization sometimes is hard to get to.” It’s hard to make a trust management tool into something it’s not.
Mike added that while these solutions can be invaluable for launching a program, they may not take you as far as you’d like. “They give you a false sense of maturity. You’ve automated SOC 2 prep, but that doesn’t mean your risk management program is overly robust.”
Jeff noted that trust management solutions offer limited data and AI capabilities by design. “They’re telling you what data they want to collect through integrations… As far as AI with your data, I haven’t seen a lot of that,” Jeff said.
Takeaway: For small companies getting their first certification, these platforms can deliver what’s needed in the moment, and they’ve added some AI capabilities that help with part of the work. But if you’re a larger enterprise, or aiming to mature a GRC program, you’ll quickly hit a wall: the workflows are templated, the data and AI capabilities are limited, and neither fundamentally changes a solution built for early-stage founders into one that meets the needs of GRC professionals.
Quadrant 3: AI-Native Platforms
Finally, we got to the category that sits at the opposite end of the spectrum from the legacy players: the AI-native platforms. Anecdotes, Trustero, and Zania were among the names mentioned. These are the tools built with AI at the core of their architecture.
As Mike put it, “AI isn’t an afterthought, it’s part of the core architecture… It’s embedded across every layer. Whether you’re doing evidence gathering or control testing or even reporting… Rather than just speeding up processes, it’s reimagining how we are doing GRC.”
That transformative impact makes a big difference. “Most GRC teams outside of big banks are lean,” he added. “These platforms let us do more with less. They help us become more agile.” Jeff emphasized the value of AI insights that can help people know what to measure and what to look at next.
But even here, there are differences worth noting. As Mike pointed out, not every “AI-native” platform has the same focus on data. “Some of these tools have been very predictive and prescriptive on what data can they use. Whereas you have a solution like an Anecdotes that’s able to consume everything, and then create input or analytics based on all of those different data inputs.”
Takeaway: This quadrant is where the real future of GRC lies, especially for lean teams that want to scale a mature GRC program and for enterprises that need agility in how they manage compliance and risk. When comparing these platforms, remember that even the best AI needs a robust data layer: a model that can only see the data a vendor chose to collect can only reason about that data. The combination of AI-native design and a data-focused foundation is what separates marketing buzz from genuine transformation.
Half-Quadrant 4: Single-Problem Solutions
The last group we looked at belongs to single-problem solutions like Conveyor, Whistic, TrustCloud, and SecurityScorecard.
We called this a “half-quadrant” because these tools are not complete platforms in the way the other three categories are. They are designed to solve one problem really well, for example third-party risk or questionnaire response management.
As Jeff pointed out, we’re seeing a trend of mergers and acquisitions among these specialized point solutions. “Drata bought SafeBase, Vanta bought Riskey.”
Incorporation into a larger platform brings new trade-offs. “These point solutions obviously have a lot of pragmatic purpose around plugging certain gaps,” Mike said. “But when you start looking at scaling this out into large enterprise, you see the trade-offs around fragmentation… Integrations can kind of get a bit challenging… It creates silos.”
It’s a familiar story: niche point tools can be strong on their own, but bolting them together through acquisition often creates a Frankenstack with uneven integrations, siloed data, and more complexity than clarity.
Takeaway: Single-problem solutions can fill specific gaps well and, if integrated carefully, can add complementary capabilities to an existing platform. As GRC programs scale, though, the integration work and the risk of siloed data in a stitched-together stack can add up to more effort than the individual tools save.
The Real Difference for GRC: AI-First vs. AI-Afterthought
What became clear is that not all GRC tools are created equal. While some platforms have a foundation of GRC data and native AI, other vendors are simply sprinkling AI into their preexisting workflows.
That distinction matters. For enterprise programs, you can’t expect to transform GRC with AI sprinkled on top of old workflows. Built-in AI that’s grounded in real GRC data is a different story.
This blog post is a recap of a session from the 2025 GRC Data & AI Summit. To enjoy the original session in its entirety, catch up with the Summit on demand.