🎙️ GRC Automation Vendors Roundtable
7 Platform Leaders from Competing GRC Automation Platforms Share Unfiltered Insights in a Historic Roundtable

In an unprecedented industry event, executives from seven leading GRC automation platforms came together for a candid roundtable discussion on the state and future of compliance and risk management.
This landmark conversation brought together:
Jake Bernardes (CISO at Anecdotes)
Girish Redekar (CEO of Sprinto)
Nicholas Muy (CISO at Scrut Automation)
Jeremy Epling (CPO at Vanta)
Matt Hillary (CISO at Drata)
Andrew Persons (VP of Product at Thoropass)
Shrav Mehta (CEO of Secureframe)
The discussion explored several critical topics, from compliance commoditisation to enterprise adoption strategies, offering rare insights into how these competitors view the market's evolution and their place within it.

Compliance Commoditisation, whose fault is it? 📚
The first major topic addressed was compliance commoditisation. Most participants rejected the premise that GRC automation has commoditised compliance, arguing instead that it has democratised access to compliance frameworks for smaller companies.
Democratisation instead?
Shrav emphasised that before automation, compliance was prohibitively expensive and time-consuming, with barriers that prevented many companies from achieving certifications.
Several speakers noted that automation has actually improved security by enabling programmatic verification of controls rather than relying on manual sampling methods.
Sales-focus vs. security-focus
Jake offered a contrasting perspective, acknowledging that commoditisation has occurred but attributing it to changing go-to-market motions rather than technology itself.
He argued that when compliance becomes more about sales enablement than security, the value of attestations can be diminished. This perspective highlighted the tension between making compliance accessible and maintaining its rigour.
GRC vs. Trust
The discussion revealed a broader industry shift from viewing compliance as purely a security function to seeing it as part of trust management.
Matt suggested that the "T" might eventually be added to "GRC" to reflect this evolution, as the ultimate goal of compliance activities is to build and maintain customer trust.
This framing helps explain why many companies without dedicated security teams still pursue compliance certifications—they need to demonstrate trustworthiness to potential customers.

// Progressive disclosure pattern for GRC
// Feature, Customer and getRelevantFeatures are minimal stand-ins (assumed here) so the snippet compiles
type Feature = "evidence-collection" | "risk-register" | "vendor-assessment" | "custom-workflows";
interface Customer {
  employees: number;
}
interface GRCProgram {
  startupMode: boolean;
  enterpriseMode: boolean;
  features: Feature[];
}
// Everyone gets evidence collection; larger organisations are shown the additional modules
function getRelevantFeatures(customer: Customer): Feature[] {
  const features: Feature[] = ["evidence-collection"];
  if (customer.employees >= 100) features.push("risk-register", "vendor-assessment");
  if (customer.employees >= 1000) features.push("custom-workflows");
  return features;
}
// Show the right complexity at the right time
function adaptToCustomerMaturity(customer: Customer): GRCProgram {
  return {
    startupMode: customer.employees < 100,
    enterpriseMode: customer.employees >= 1000,
    features: getRelevantFeatures(customer)
  };
}

GRC Automation Vendors and Enterprises 🏢
The second major topic explored was the enterprise market for GRC automation. All participants claimed to serve enterprise customers, though they acknowledged different approaches.
All about the data
A key insight was the importance of data and customisation for enterprise clients. Jake emphasised that enterprises care deeply about data completeness and accuracy, not just automation.
Several speakers noted that enterprises often have legacy systems and complex workflows that require flexible integration approaches.
Agnostic middleware layer
The discussion revealed an interesting tension in enterprise go-to-market strategies. Rather than completely displacing established GRC platforms like ServiceNow or Archer, many automation vendors position themselves as complementary solutions or middleware.
This approach allows them to add value through API-driven evidence collection and continuous monitoring while working within existing enterprise workflows.
As Girish put it, they aim to be "agnostic to where the data comes from" and "agnostic to where the data should eventually go."
Modular and customised approach
This leads to a modular approach where enterprises can adopt specific components of GRC automation (like evidence collection, risk management, or vendor assessment) without committing to a full platform switch.
Jeremy noted that this meets enterprises "where they are" rather than forcing them to adapt to a new system.
Several participants emphasised that data becomes the critical layer, with customisation capabilities being essential for enterprise adoption.


Additional topics discussed 📐
Feedback from Enterprise Practitioners?
The final major topic addressed was how vendors incorporate feedback from GRC practitioners who aren't currently customers.
The consensus was that while all feedback is valuable, vendors must balance practitioner input against commercial considerations and broader market trends.
Jake acknowledged that sometimes a large enterprise's specific needs, while interesting, might not be commercially viable to implement if they don't apply to a wider customer base.
GRC Engineering movement shoutout!
Jeremy expressed excitement about growing community involvement, particularly highlighting the GRC Engineering initiative.
This signalled a recognition that the GRC community has historically been underserved compared to other security domains and that more collaboration between vendors and practitioners could benefit the industry.

Summary of the key discussion points 📝
Throughout the discussion, there was a recurring theme of evolving beyond traditional approaches to GRC.
Participants highlighted how automation has transformed evidence collection from manual screenshots to programmatic API calls, creating more comprehensive and accurate assessments.
They also noted a shift toward continuous monitoring rather than point-in-time audits, enabling a more dynamic approach to compliance and security.
Despite some disagreements about commoditisation, there was broad agreement that GRC automation has elevated the baseline security posture across the industry by making compliance more accessible and shifting focus from documentation to continuous verification.
The participants also agreed that enterprises require a different approach than SMBs, with more emphasis on customisation, data completeness, and integration with existing systems.

3 actionable takeaways for you 🖊️
As you consider your own GRC program's evolution, focus on building the right foundations before pursuing automation for its own sake.
Start with a clear understanding of your data sources and flows, then gradually implement targeted solutions that deliver measurable value.
By approaching GRC as a strategic asset rather than a compliance checkbox, you'll position your organisation to build genuine trust with customers while effectively managing security risks.
Implement a Data-First Architecture for Your GRC Program
Audit your current GRC processes to identify where manual evidence collection and validation occur. Replace screenshot collection with API-driven data gathering where possible.
Focus on ensuring data completeness and accuracy through systematic validation before automating workflows on top of this foundation.
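The first takeaway above, together with the earlier point that automation lets you verify a control across its whole population instead of sampling screenshots, as an added worked example in TypeScript. This is written for this page and is not code from the roundtable or from any of the vendors' products. It assumes a hypothetical identity-provider user export with the fields shown, a made-up control identifier, and a constructed sample export; the design point is that an evidence record only passes when the data is complete, fresh and free of exceptions, so a truncated or stale export can never be mistaken for a passing control.

```typescript
// Added example for this page (not code from the roundtable or any vendor product).
// Shape of one user record from a hypothetical identity-provider export (assumed fields).
interface UserRecord {
  id: string;
  email: string;
  mfaEnrolled: boolean;
}

// The export as returned by the (hypothetical) API: records plus the source's own
// total count and export timestamp, which are what make completeness and freshness checkable.
interface UserExport {
  users: UserRecord[];
  totalCount: number;   // number of users the source system says exist
  exportedAt: string;   // ISO 8601 timestamp of the export
}

// What gets stored as evidence: the whole population was checked, not a sample.
interface EvidenceRecord {
  controlId: string;
  collectedAt: string;
  population: number;
  exceptions: string[];
  complete: boolean;
  fresh: boolean;
  pass: boolean;
}

// Constructed sample export (made up for this example).
const SAMPLE_EXPORT: UserExport = {
  users: [
    { id: "u1", email: "alice@example.com", mfaEnrolled: true },
    { id: "u2", email: "bob@example.com", mfaEnrolled: false },
    { id: "u3", email: "svc-backup@example.com", mfaEnrolled: true },
  ],
  totalCount: 3,
  exportedAt: "2025-01-15T08:00:00Z",
};

// Completeness: every record the source reports was received, with no duplicate ids
// (a missed pagination page or a de-duplication bug fails here).
function isComplete(exp: UserExport): boolean {
  const ids = new Set(exp.users.map((u) => u.id));
  return ids.size === exp.users.length && exp.users.length === exp.totalCount;
}

// Freshness: for continuous monitoring, evidence older than maxAgeHours is stale.
function isFresh(exp: UserExport, now: Date, maxAgeHours: number): boolean {
  const ageMs = now.getTime() - Date.parse(exp.exportedAt);
  return ageMs >= 0 && ageMs <= maxAgeHours * 3600 * 1000;
}

// Verify the control over the full population and emit an evidence record.
// The record passes only when the data is complete, fresh, and has zero exceptions;
// incomplete or stale data never produces a "pass", even if no exception was seen.
function verifyMfaControl(exp: UserExport, now: Date, maxAgeHours = 24): EvidenceRecord {
  const exceptions = exp.users.filter((u) => !u.mfaEnrolled).map((u) => u.email);
  const complete = isComplete(exp);
  const fresh = isFresh(exp, now, maxAgeHours);
  return {
    controlId: "IAM-MFA-ALL-USERS", // hypothetical control identifier
    collectedAt: now.toISOString(),
    population: exp.users.length,
    exceptions,
    complete,
    fresh,
    pass: complete && fresh && exceptions.length === 0,
  };
}

// Simulate a truncated export (e.g. a missed pagination page) so the completeness check fires.
function truncateExport(exp: UserExport): UserExport {
  return { ...exp, users: exp.users.slice(0, 2) };
}

// Usage: evaluate the constructed export at a fixed point in time.
const report = verifyMfaControl(SAMPLE_EXPORT, new Date("2025-01-15T12:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

The same shape applies to any control that can be expressed as "every record in a population satisfies a predicate": swap the export type and the predicate, keep the completeness and freshness gates, and the exceptions list becomes the remediation queue rather than a screenshot to be re-taken next audit.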
Adopt a Modular Approach to GRC Automation Implementation
Instead of attempting a complete platform transition, identify specific pain points in your current GRC program (such as evidence collection, vendor assessment, or continuous monitoring).
Target these areas first with purpose-built automation tools that can integrate with your existing systems, then gradually expand as you demonstrate value.
Build a Feedback Loop Between Trust and GRC
Connect your customer-facing trust initiatives (such as your Trust Center or security questionnaire responses) with your internal GRC program.
Analyse customer security questions to identify emerging requirements, then incorporate these insights into your control framework and risk assessments to ensure your security program addresses actual business needs.

Top 5 quotes from the Vendor Roundtable
"Meeting people where they're at versus expecting them to meet you where you're at is really where leadership is born."
"I don't think GRC is something that only big teams with big budgets for GRC FTEs and experts should have."
"The data in itself should be available in a raw format, something that can be. That you can build your own monitoring on top of. You can build your own workflows on top of."
"Security is a team sport, and I think to like, drive any outcome. It's not just something the security team can go do."
"The enterprises are the ones driving the commoditisation problem. Enterprises have lost trust in their vendors because their vendors are demonstrating a posture they no longer have faith in."
I want to thank again all of the participants and their companies for agreeing to this historic roundtable and bringing great experience and insights to the table!
It was a first but… definitely not the last!!!
Regular GRC Engineer newsletter issue coming on Thursday!
If you enjoyed this, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Listening to the other GRC Engineering Podcast episodes
See you on Thursday!