Hello Hello,

I was at VantaCon UK recently, listening to a talk about GRC Engineering, and it hit me why so many GRC teams are struggling with AI. We are having the wrong conversation.

We are talking about tools and automation within GRC before asking where our teams actually sit. Those are not the same conversation.

We should be talking about the maturity of the GRC team first, because that is what determines whether AI can automate anything effectively.

Welcome to Issue 1 of The AI GRC Desk. Before we get into specific use cases, we need a framework.

TLDR

  • Most conversations about AI in GRC skip straight to tools and prompts. That is a mistake.

  • Most teams believe they are at Structured Operations, but their processes are still entirely manual.

  • You cannot automate a broken process. You have to structure it first.

  • There are four tiers in the GRC Automation Maturity Model: Manual Operations, Structured Operations, AI-Assisted Operations, and Autonomous Operations.
    Most teams are at Manual Operations (Tier 0). You must reach Structured Operations (Tier 1) before AI works.

  • This series maps every major GRC workstream across all four tiers.

Where does your GRC team sit?

Most teams overestimate their tier. Before you read the rest of this issue, take a few minutes to work out honestly where your GRC function actually sits on the maturity model.

The Bottom Line Up Front

If your GRC team is struggling to adopt AI, it is likely a structural problem, not a technical one. The GRC Automation Maturity Model defines four tiers of operational readiness. Most teams are at Tier 0 (Manual Operations) and trying to jump straight to Tier 2 (AI-Assisted). This issue outlines the prerequisite steps required to make AI adoption in GRC safe, explainable, and effective.

The GRC Automation Maturity Model

Before we get into specific use cases, we need to define the territory. There are four tiers in the GRC Automation Maturity Model. They require completely different approaches, different governance, and different risk postures.

Manual Operations (Tier 0): The uncomfortable truth is that this is where most GRC teams actually operate right now. It is ad hoc, person-dependent, and undocumented. The process lives in someone's head, a spreadsheet nobody trusts, or an email chain from 2019. There is no repeatability.

Structured Operations (Tier 1): This is where teams think they are. It relies on documented, rules-based logic - If/Then statements with predictable outcomes. There is no model in the loop. It is safe, but it does not scale. Crucially, it is the prerequisite for moving to AI: a model can only be bounded by rules that have been written down.

Before you can call a process Tier 1, you need to be able to answer all six of these questions:

  • Who owns the control?

  • What evidence is acceptable?

  • Which policy requirement maps to which risk?

  • What triggers escalation?

  • Where does human review remain mandatory?

  • What output is decision-useful, not just document-complete?

If you cannot answer all six, you are still at Tier 0.

AI-Assisted Operations (Tier 2): This is what you can do right now with the right context and prompt structure. The AI makes bounded decisions within defined parameters. It excels at evidence analysis and pattern recognition, and because the intelligence is bounded, the outcomes are explainable. The human initiates the task, reviews the output, and owns the final decision. This is the junior analyst model - and it is where this series is focused.

Autonomous Operations (Tier 3): This is the frontier. The AI makes autonomous decisions throughout the process. There is no predefined workflow - the agent decides the next steps dynamically. The paths are unpredictable. This is where the governance question becomes critical. Who owns the prompt library? What data is the model ingesting? Who reviews the output before it influences a risk decision?


The Governance Check

Before you move from Structured Operations (Tier 1) to AI-Assisted Operations (Tier 2), you need to answer one question: What is your data classification boundary?

You cannot give an AI context if you do not know what data it is allowed to see. Define what is public, what is internal, and what is strictly confidential, and decide which of those levels each model endpoint may receive. If you skip this step, your AI workflow becomes a new attack surface: confidential evidence pasted into a model context you do not control is a data leak, whatever the prompt says.

And before you try to move any workstream to Tier 2, ask this: Is the underlying process documented and repeatable without AI?

If the answer is no, stop. Document the process first. AI cannot follow rules that do not exist.

The evidence shape also has to change at the Tier 1→2 boundary. Structured Operations gives you a who-did-what-when record. AI-Assisted Operations requires more: model version, prompt template version, the exact input provided, the output generated, and which named human approved it before it shipped. Teams that skip Tier 1 and jump straight to Tier 2 are the ones who cannot reconstruct decisions when an auditor asks for the trail.
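As an added example (not code from the newsletter or from any GRC platform), here is what both checks look like when written down: a classification gate that enforces the boundary before any evidence reaches a model, and a decision record that carries the Tier 2 evidence shape and is only sealed once a named human approves it. The classification labels, the field names, the prompt template, the model version string and the sample evidence are all constructed for this example, and stub_model stands in for a real model call.

```python
"""Classification gate plus Tier 2 decision record (illustrative example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

# Ordered classification levels (assumed labels). The boundary names the highest
# level a given model endpoint may see; anything above it is withheld and logged.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Versioned prompt templates. The version string is stored with every decision
# so an auditor can see exactly which instructions produced an output.
PROMPT_TEMPLATES = {
    "evidence-review/v1": (
        "You are assisting a GRC analyst. Using only the evidence listed below, "
        "state whether control {control_id} appears to have operated and cite "
        "evidence ids. Do not infer facts that are not in the evidence."
    ),
}

@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    classification: str
    text: str

@dataclass
class DecisionRecord:
    control_id: str
    model_version: str
    prompt_version: str
    evidence_used: list        # ids that went into the model context
    evidence_withheld: list    # ids blocked by the classification boundary
    input_sha256: str          # hash of the exact prompt sent to the model
    output: str
    prev_hash: str             # links to the previous sealed record
    approver: Optional[str] = None
    approved_at: Optional[str] = None
    record_hash: str = ""      # empty until a human approves

def build_context(evidence: list, boundary: str):
    """Return (context_text, used_ids, withheld_ids). Unlabelled evidence is an
    error: data with no classification is never treated as public by default."""
    if boundary not in LEVELS:
        raise ValueError(f"unknown boundary {boundary!r}")
    used, withheld = [], []
    for e in evidence:
        if e.classification not in LEVELS:
            raise ValueError(f"{e.evidence_id} has no recognised classification")
        (used if LEVELS[e.classification] <= LEVELS[boundary] else withheld).append(e)
    context = "\n".join(f"[{e.evidence_id}] {e.text}" for e in used)
    return context, [e.evidence_id for e in used], [e.evidence_id for e in withheld]

def _canonical(rec: DecisionRecord) -> bytes:
    body = asdict(rec)
    body.pop("record_hash")
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _digest(rec: DecisionRecord) -> str:
    return hashlib.sha256(rec.prev_hash.encode() + _canonical(rec)).hexdigest()

def run_assisted_review(control_id, evidence, boundary, model, model_version,
                        prompt_version="evidence-review/v1", prev_hash="0" * 64):
    """Gate the evidence, call the model, return an UNSEALED record."""
    context, used, withheld = build_context(evidence, boundary)
    prompt = PROMPT_TEMPLATES[prompt_version].format(control_id=control_id) + "\n\n" + context
    return DecisionRecord(
        control_id=control_id, model_version=model_version, prompt_version=prompt_version,
        evidence_used=used, evidence_withheld=withheld,
        input_sha256=hashlib.sha256(prompt.encode()).hexdigest(),
        output=model(prompt), prev_hash=prev_hash)

def approve(rec: DecisionRecord, approver: str) -> DecisionRecord:
    """Only a named human seals a record; sealing covers the approval fields too."""
    rec.approver = approver
    rec.approved_at = datetime.now(timezone.utc).isoformat()
    rec.record_hash = _digest(rec)
    return rec

def verify_chain(records: list) -> bool:
    """True only if every record is approved, its hash matches its content,
    and each record links to the one before it."""
    prev = "0" * 64
    for rec in records:
        if not rec.record_hash or rec.approver is None or rec.prev_hash != prev:
            return False
        if _digest(rec) != rec.record_hash:
            return False
        prev = rec.record_hash
    return True

# Constructed sample evidence (not real data) and a stand-in for the model call.
SAMPLE_EVIDENCE = [
    Evidence("EV-1", "public", "Access review policy is published on the intranet."),
    Evidence("EV-2", "internal", "Q1 access review ticket closed by the IAM team."),
    Evidence("EV-3", "confidential", "Export of privileged account list with names."),
]

def stub_model(prompt: str) -> str:
    # Deterministic placeholder so the example runs offline; a real deployment
    # would call the endpoint the classification boundary was defined for.
    cited = [line.split("]")[0][1:] for line in prompt.splitlines() if line.startswith("[")]
    return "Control appears to have operated; cited " + ", ".join(cited)

if __name__ == "__main__":
    rec = run_assisted_review("AC-02", SAMPLE_EVIDENCE, "internal", stub_model, "example-model-2026-01")
    print("withheld from model:", rec.evidence_withheld)
    print("verifies before approval:", verify_chain([rec]))
    approve(rec, "j.doe")
    print("verifies after approval:", verify_chain([rec]))
```

Two design choices worth noting. Unlabelled evidence fails closed rather than defaulting to public, because the boundary is only as good as the labelling feeding it. And the record hash is computed only inside approve(), so an unapproved output can never pass verification: the chain itself proves that a named human reviewed every output before it shipped.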

The Uncomfortable Truth

Here is the reality of GRC in most organisations today: the process lives in someone's head, a spreadsheet nobody else understands, or an email chain from 2019. When an audit happens, it is a scramble. When a vendor questionnaire arrives, it is a manual slog.

This is not a standard workflow. This is Manual Operations. And if you try to apply AI to Manual Operations, you do not get efficiency. You get faster chaos.

As one Fractional CRO put it in response to this series: AI will not fix a weak GRC process. It will only accelerate it.

What I am Watching

The EU AI Act: and what it means for your organisation right now. The obligations for high-risk AI systems become applicable on 2 August 2026 - Articles 9-17 for providers and Article 26 for deployers. Most organisations are not ready. The compliance burden is substantial: conformity assessments, EU database registration, technical documentation, human oversight mechanisms, and a demonstrable risk management system - all required before a high-risk AI system is placed on the market or put into service.

What counts as high-risk? AI used in employment screening, credit decisions, education, and access to essential public services is in scope under Annex III. If your organisation uses AI in any of these contexts, the clock is running.

The proposed Digital Omnibus would push the deadline to December 2027, but as of May 2026, the trilogue negotiations have not reached agreement - meaning August 2026 remains the operative deadline. Do not plan around a deferral that has not been legislated.

NIST AI RMF: adoption of the framework for governing enterprise AI use continues to grow.

GRC platforms: native AI features are arriving inside the platforms themselves, blurring the line between Tier 1 and Tier 2. Treat a vendor's built-in model as you would any other Tier 2 endpoint: it still needs a classification boundary and an approval record.

The Prompt: The Maturity Mapper

I am a [insert your job title]. I want to move our [insert process] process from manual to AI-assisted. Here is how we do it today: [describe current manual process].

The GRC Automation Maturity Model defines four tiers: Tier 0 (Manual Operations - ad hoc, undocumented, person-dependent), Tier 1 (Structured Operations - rules-based, documented, repeatable), Tier 2 (AI-Assisted Operations - bounded intelligence, human reviews everything), and Tier 3 (Autonomous Operations - AI makes autonomous decisions, governance is critical).

Based on this model, what specific steps must I take to structure this process at Tier 1 before I can safely apply AI at Tier 2?

Next Issue

Next week, we dive into the first workstream: Governance and Policy Management. We will look at all the AI use cases across the four tiers, starting with the Deep Dive on Tuesday.

Until next week,
Princess
