
Welcome to Part 1 of my new series: Use Cases for AI in GRC.
Before we get into AI, I want to make sure we are all starting from the same place. Because you cannot understand how AI fits into GRC without first understanding what GRC actually does.
Most people outside of security have no idea what GRC stands for, let alone what the team does. GRC stands for Governance, Risk, and Compliance. When I tell people I work in it, I usually get a blank stare. Or worse, they assume I just write policies and say "no" to things.
But a mature GRC function is the engine that lets a business move fast without crashing. In the words of my CISO: "GRC is the conduit between security and the wider business, owning frameworks to manage risk, audit and controls implementation while building governance, security culture and awareness."
Here is an example of how a modern GRC team can be structured across 5 workstreams:
Governance & Policy Management: This workstream owns the GRC governance framework and manages the full policy lifecycle, from drafting and review through to approval and publication. It sets the documentation standards, owns the reporting cadences, and ensures leadership has the transparency they need to make decisions.
Risk Management: This workstream owns the cyber risk management framework. It maintains the security risk register, conducts operational risk assessments, manages risk exceptions and escalations, and delivers key risk indicators (KRIs) to leadership so the business can make informed decisions.
Third-Party Risk Management (TPRM): Your vendors are your biggest attack surface. This workstream owns the TPRM framework and vendor risk strategy. It conducts third-party and AI risk assessments, manages vendor tiering and due diligence, and monitors critical suppliers on an ongoing basis.
Compliance Operations & Assurance: The certification day is the finish line everyone sees, but the year-round work of maintaining controls and evidence is where the real effort lives. This workstream manages that ongoing reality for frameworks such as ISO 27001. It coordinates internal and external audits, oversees control testing and evidence management, and tracks remediation of audit findings.
Security Awareness & Training: This workstream builds the security culture. It leads the awareness programme, runs phishing simulations, delivers targeted campaigns, and tracks training completion and effectiveness metrics.
When ownership across these 5 workstreams is clear, the whole business wins.
Over the coming weeks, I will be breaking down exactly how AI can be applied across each one.
Which of these 5 workstreams takes up the most time in your organisation? Let me know below.