Traditional GRC models were built for static environments, periodic reviews, and point-in-time evidence collection. Modern enterprises operate nothing like that.
Cloud infrastructure shifts by the hour, identities come and go in real time, and CI/CD pipelines move faster than humans can review. Agentic systems are introducing operational and governance challenges that traditional compliance programs were never designed to handle. And yet many organizations still rely on annual assessments, screenshots, questionnaires, and pass/fail control testing to measure security assurance.

Teams end up overloaded with evidence collection while remaining underpowered in confidence.

In this session, practitioners from offensive security, GRC operations, implementation engineering, and enterprise security leadership discuss why the market is reaching a turning point and what comes next.

Join Maril Vernon, Katriina Bell, and Conor Russo as they discuss:

• Why "compliant" does not always mean "secure"
• The limits of periodic testing in fast-moving cloud environments
• How offensive security evolved toward continuous validation, and what GRC can learn from it
• The rise of GRC Engineering and continuous controls monitoring (CCM)
• Why operational truth requires data-connected, observable, and traceable controls
• How organizations can begin shifting from evidence collection toward continuous assurance

‍