Most GRC teams are probably using AI wrong. They treat it like Google. Treat it like a junior analyst instead. Here's how:

An InfoSec analyst tells Claude / ChatGPT / Gemini / Copilot, "Conduct a risk assessment for our migration to AWS." They get a textbook summary of cloud vulnerabilities back, and decide AI just isn't cut out for the heavy lifting.

The problem isn't the tool. It's the workflow.

When you hire a junior analyst, you don't just say "do a risk assessment." You give them:

- The framework
- The context
- The specific output format you need

You need to do the exact same thing with AI.

Over the next few weeks, I'm launching a new series: Use Cases for AI in GRC.

I'll be sharing the exact prompts, workflows, and strategies I use to turn Claude (also applicable to ChatGPT, Gemini, Copilot) from a basic chatbot into a highly capable GRC assistant.

We'll cover everything from policy gap analysis to vendor security reviews.

If you're tired of spending hours on manual compliance mapping, this series is for you.

What's the first GRC task you want to hand off to an AI analyst? Let me know below.
