⚙️ GRC's AI Dilemma: Strong Workflow, Dumb AI vs Dumb Workflow, Strong AI
Why GRC teams are optimising the wrong variable in AI adoption, and what the GRC Engineering approach to workflow discipline means for stakeholder trust and automation ROI
IN PARTNERSHIP WITH

Traditional DLP isn’t built for AI.
While legacy tools focus on email, file transfers, and endpoints, AI platforms like ChatGPT introduce new risks that demand smarter safeguards.
Learn how leading enterprises are evolving their DLP strategies to embrace AI securely – without compromising compliance or control.

Quick Announcement 📣
You know Cyber Risk Quantification and TPRM are topics I’m passionate about. I’ve had a great panel on the podcast about TPRM and the infamous Tony-Martin Vegue joined as well to give us a CRQ 101 a couple of months ago!
Very excited to announce I’ll be at FAIRCon 2025 in New York City on November 4-5 2025 with many of my friends attending/speaking there!
A lot of cool sessions planned, I’m looking forward to the focus on how AI reshapes how we assess first and third-party risks as well as how AI risks are challenging GRC teams in new ways.
If you are planning on joining, check out this link to register and make sure to use the code FC25GRCENGINEER for 75% off your ticket.
Now, back with today’s topic.
How to not look dumb using AI in GRC…
An example of AI-powered Dumb GRC Engineering 🧠
Meet Alex, a technically-inclined GRC analyst at a Series B SaaS company. He spent four weeks building an "intelligent evidence validator" - AI agents with tool calling, RAG pipelines, vector embeddings, MCP servers plugged in, the whole package.
Goal: Automatically assess if security scan outputs were audit-ready.
The AI kept contradicting itself.
Same scan, different day, different verdict.
His manager asked one question: "What makes evidence audit-ready here?"
Silence.
Four weeks chasing AI sophistication. Zero weeks documenting the criteria auditors actually use.
Turns out, a 200-word summary of "what our auditors check" would've worked better than the entire agentic architecture.
Everyone's asking "which AI tools should we use?"
Wrong question.
What does your team know that you haven't written down?

Why It Matters 🔍
The why: the core problem this solves and why you should care
GRC teams are caught in the AI hype cycle. Every vendor demo promises transformation. Every LinkedIn post compares benchmarks. Every team debates Claude vs GPT vs Gemini.
Meanwhile, the fundamental question goes unasked: Is your workflow good enough for AI to execute consistently?
Here's what changed: AI capabilities democratised. Every GRC team can afford GPT-4 or Claude Opus. Access to sophisticated models is no longer a competitive advantage, it's table stakes.
Your competitive advantage shifted. It's no longer which model you use. It's whether your workflow architecture can leverage any model effectively. This means documented decision trees, defined validation checkpoints, structured edge case handling, and feedback loops that improve over time.
This reflects what the manifesto calls systems thinking, understanding how workflow components interact before automating those interactions. The distinction between activity and outcomes matters here: model choice is activity that looks good in reports, workflow effectiveness is the outcome that actually reduces risk. This is distinguishing signal from noise.
The stakes: Teams with solid workflows get value from basic AI. Teams with chaos workflows get garbage from expensive AI. The gap is widening.

Strategic Framework 🧩
The what: The conceptual approach broken down into 3 main principles
The Problem: Three Ways GRC Teams Get AI Wrong
🎯 Model Selection Over Process Design
Teams benchmark Claude vs GPT whilst their process has no validation steps, no edge case handling, no feedback loops, and no clear success criteria. You're asking AI to structure what you haven't structured. The problem traces back to designing controls where compliance becomes an afterthought.
💩 AI Slop Engineering
Automation without architecture. A company automates vendor assessments: "AI reads questionnaire, scores risk, generates report." Reality: AI sees "encryption in transit: yes" and scores it low-risk. Vendor meant "sometimes, for some data, using TLS 1.0." The workflow never defined what "adequate encryption" means. Result: confident outputs that miss actual risk.
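What the missing definition looks like once it is written down, as an added example that is not code from the article or from any vendor tool: "adequate encryption in transit" becomes explicit criteria, and a bare "yes" with no protocol or coverage detail is routed to a human instead of being scored low-risk. The policy constants, the answer field names and the three sample vendor answers are assumptions constructed for illustration.

```python
"""Added example, not code from the GRC Engineer article or any vendor
tool: it writes down what 'adequate encryption in transit' means before
anything (human or AI) scores a vendor answer.

The policy constants, answer field names and the three sample vendor
answers are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical policy. Until this exists, 'encryption in transit: yes' is not scorable.
ACCEPTED_PROTOCOLS = {"TLS 1.2", "TLS 1.3"}
REQUIRED_COVERAGE = "all"   # every data flow in scope, not "some"


@dataclass
class Verdict:
    status: str                       # "pass", "fail" or "needs_human"
    reasons: list = field(default_factory=list)


def assess_encryption_in_transit(answer: dict) -> Verdict:
    """Score a vendor answer against the written criterion.

    A bare 'yes' carries no protocol or coverage detail, so it is routed to a
    human with an evidence request instead of being scored low-risk.
    """
    protocols = answer.get("protocols")
    coverage = answer.get("coverage")
    if not protocols or coverage is None:
        return Verdict("needs_human",
                       ["answer gives no protocol/coverage detail; request configuration evidence"])
    reasons = []
    unaccepted = sorted(set(protocols) - ACCEPTED_PROTOCOLS)
    if unaccepted:
        reasons.append("unaccepted protocols in use: " + ", ".join(unaccepted))
    if coverage != REQUIRED_COVERAGE:
        reasons.append(f"coverage is '{coverage}'; policy requires '{REQUIRED_COVERAGE}'")
    return Verdict("fail" if reasons else "pass", reasons)


# Constructed sample answers. vendor_a is the article's ambiguous 'yes';
# vendor_b is what that 'yes' turned out to mean.
SAMPLE_ANSWERS = {
    "vendor_a": {"encrypted_in_transit": "yes"},
    "vendor_b": {"encrypted_in_transit": "yes", "protocols": ["TLS 1.0", "TLS 1.2"], "coverage": "some"},
    "vendor_c": {"encrypted_in_transit": "yes", "protocols": ["TLS 1.2", "TLS 1.3"], "coverage": "all"},
}


def triage(answers: dict) -> dict:
    """Assess every answer; verdicts are deterministic for identical input."""
    return {vendor: assess_encryption_in_transit(a) for vendor, a in answers.items()}


if __name__ == "__main__":
    for vendor, verdict in triage(SAMPLE_ANSWERS).items():
        print(vendor, verdict.status, "; ".join(verdict.reasons))
```

The point is the first branch: an answer that cannot be matched against the criterion is not scored at all. Whether a model or a person fills in `protocols` and `coverage` from the vendor's evidence is a separate step; the scoring rule does not change.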
♻️ Garbage Amplification
If humans can't execute your process consistently, AI won't either. Your risk workflow has twelve decision points where analysts "use judgement." What judgement? Based on what criteria? Three analysts make three different calls on identical scenarios. Your prompt can't capture organisational context, risk appetite nuances, or business politics that inform human decisions. Garbage in, AI-enhanced garbage out.
From Problems to Principles
Here's how each principle addresses the failure modes:
| Problem | What Goes Wrong | Which Principle Fixes It |
|---|---|---|
| 🎯 Model Obsession | Optimising Claude vs GPT whilst workflow is chaos | Principle 1: Workflow Architecture Beats Model Selection |
| 💩 AI Slop Engineering | Confident outputs that miss actual risk | Principle 2: AI for Repetition, Not Reasoning |
| ♻️ Garbage Amplification | Inconsistent human execution → inconsistent AI execution | Principle 3: Simple AI on Solid Foundations |
Now let's examine what actually works.
Principle 1: Workflow Architecture Beats Model Selection
Process design quality matters 100x more than GPT-5 vs Claude Sonnet 4.5.
| Aspect | Strong Workflow | Weak Workflow |
|---|---|---|
| Decision Logic | "If asset is customer-facing AND processes payment data, classify as critical" | "Figure it out as you go" |
| Edge Cases | "If asset spans categories, escalate to risk committee with rationale" | "Someone should probably review this" |
| Validation | "Risk score reviewed by asset owner, disagreements need director approval" | "Looks reasonable, ship it" |
| Consistency | Same process, same output, every time | Different people execute differently |
| Dependencies | Documented procedures and criteria | Individual heroics: "Maria handles complicated ones" |
AI can execute the first consistently because every decision point is defined. AI produces chaos with the second because it must guess at undefined criteria. This is where control orchestration becomes critical.
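The "Strong Workflow" column as executable rules, added here as an example rather than the article's own code: every decision point is written down, the two undefined cases (an asset spanning categories, an asset with unrecorded attributes) are escalated with a rationale instead of guessed, and the validation checkpoint is enforced in code. Field names, the `critical`/`standard` labels, the escalation targets and the sample assets are assumptions constructed for illustration.

```python
"""Added example, not the article's own code: the 'Strong Workflow' column
as executable rules. Every decision point is written down, undefined cases
are escalated with a rationale instead of guessed, and the validation
checkpoint is enforced rather than assumed.

Field names, the 'critical'/'standard' labels, the escalation targets and
the sample assets are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    customer_facing: Optional[bool]          # None means 'not recorded'
    processes_payment_data: Optional[bool]
    categories: tuple                        # e.g. ("web-app",) or ("web-app", "data-platform")


@dataclass
class Decision:
    asset: str
    classification: Optional[str]            # "critical" / "standard"; None while escalated
    rationale: str
    escalate_to: Optional[str] = None
    validated_by: Optional[str] = None


def classify(asset: Asset) -> Decision:
    """Decision logic from the table: deterministic, so the same asset always gets the same call."""
    # Edge case: asset spans categories -> risk committee, with the rationale attached.
    if len(asset.categories) > 1:
        return Decision(asset.name, None,
                        f"spans categories {list(asset.categories)}; committee ruling required",
                        escalate_to="risk_committee")
    # Missing input is an undefined decision point, not a silent default to 'standard'.
    if asset.customer_facing is None or asset.processes_payment_data is None:
        return Decision(asset.name, None,
                        "customer_facing or processes_payment_data not recorded; ask the asset owner",
                        escalate_to="asset_owner")
    if asset.customer_facing and asset.processes_payment_data:
        return Decision(asset.name, "critical", "customer-facing AND processes payment data")
    return Decision(asset.name, "standard", "does not meet both conditions for 'critical'")


def validate(decision: Decision, owner: str, owner_agrees: bool,
             director_approved: bool = False) -> Decision:
    """Validation checkpoint: the asset owner reviews; a disagreement needs director approval."""
    if decision.escalate_to is not None:
        raise ValueError(f"{decision.asset}: escalated to {decision.escalate_to}, nothing to validate yet")
    if owner_agrees:
        decision.validated_by = owner
    elif director_approved:
        decision.validated_by = f"{owner} (disagreed; director approved)"
    else:
        raise ValueError(f"{decision.asset}: owner disagrees and no director approval recorded")
    return decision


# Constructed inventory for illustration.
SAMPLE_ASSETS = [
    Asset("checkout-api", True, True, ("web-app",)),
    Asset("internal-wiki", False, False, ("internal-tool",)),
    Asset("billing-reports", True, True, ("web-app", "data-platform")),
    Asset("legacy-batch", None, True, ("backend",)),
]


def classify_all(assets) -> dict:
    return {a.name: classify(a) for a in assets}


if __name__ == "__main__":
    for name, d in classify_all(SAMPLE_ASSETS).items():
        print(name, d.classification or f"ESCALATE -> {d.escalate_to}", "|", d.rationale)
```

Nothing here is specific to AI; that is the point. Once the rules exist in this form, a model can be handed the repetitive part (filling in the `Asset` fields from inventory evidence) while the classification and the validation gate stay fixed and auditable.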
```sql
SELECT
  CASE
    WHEN workflow_quality < 5 THEN '£50k → Expensive Chaos 💀'
    WHEN workflow_quality >= 7 THEN '£22k → Reliable Value ✅'
    ELSE 'Still figuring it out'
  END AS investment_outcome,
  CASE
    WHEN workflow_quality < 5 THEN 'Update CV'
    WHEN workflow_quality >= 7 THEN 'Victory lap'
    ELSE 'Awkward silence'
  END AS next_board_meeting
FROM grc_teams
WHERE bought_expensive_ai = TRUE
  AND fixed_workflow_first = FALSE;
-- Result: 87% return "Update CV"
-- Turns out you can't SELECT * FROM good_outcomes WHERE process = 'broken'
```

Principle 2: AI for Repetition, Not Reasoning
AI excels at scale and patterns. AI struggles with nuanced judgement.
| Where AI Excels | Where AI Struggles |
|---|---|
| 🔄 Questionnaire first-pass | 🧠 Risk acceptance decisions |
| 📄 Evidence extraction | 🎯 Control design |
| 🔗 Control mapping | ⚖️ Exception approvals |
| 📝 Documentation drafting | 📋 Compliance interpretation |
The Line: If task requires understanding risk appetite, political dynamics, or regulatory impact, humans decide and AI assists. If task is "do this 500 times consistently", AI excels and humans spot-check. This becomes clearer when you understand how to apply vibe coding in GRC contexts. The future likely involves AI agents handling more repetitive orchestration, but they can't replace human judgement on risk acceptance (for now).
Principle 3: Simple AI on Solid Foundations Beats Fancy Models on Chaos
Basic Gemini Flash models with clean inputs outperform GPT-5 trying to interpret your mess. Models can't fix undefined requirements. Advanced reasoning needs well-specified problems.
The Investment Paradox:
| | Company A | Company B |
|---|---|---|
| AI Model | Gemini 2.5 Flash (£2k) | Claude Opus (£50k) |
| Workflow Investment | Structured templates, validation rules, success criteria (£20k) | None (£0) |
| Total Cost | £22k | £50k |
| Result | Consistent outputs, 15% need review, quality matches senior analyst | 60% need cleanup, analysts don't trust it, expensive model wasted |
| ROI | ✅ Reliable value | ❌ Expensive theatre |
Company A followed the implementation framework that works for enterprises. Company B made the classic mistake of why DIY automation breaks at enterprise scale.
The Matrix: Where Your Organisation Actually Sits

Quadrant 1 (Weak Workflow + Basic AI): Inconsistent process, slightly faster. Still unreliable.
Quadrant 2 (Weak Workflow + Advanced AI): THE DANGER ZONE. Impressive demos, zero reliability. £50k to amplify dysfunction.
Quadrant 3 (Strong Workflow + Basic AI): THE SWEET SPOT. Process works, AI handles repetition, stakeholders trust outputs.
Quadrant 4 (Strong Workflow + Advanced AI): Marginal improvement over Q3. Usually not worth cost difference.
Most GRC teams optimise Q3→Q4 (model upgrades) whilst sitting in Q2. The valuable move: Q2→Q3 (fix workflow, downgrade to basic AI if needed). Understanding where you sit on the GRC maturity curve requires honest assessment of capabilities, not tool budget.

IN PARTNERSHIP WITH

The Compliance OS for Modern GRC Leaders
Audits are no longer one-off, they’re constant, complex, and costly. Legacy tools add chaos, but Sprinto is the Compliance OS built for modern GRC leaders. It automates evidence collection, reuses proof across frameworks, and keeps compliance always-on.
The impact: 60% faster audit readiness, 100% risk oversight, and confidence for boards and regulators, all without scaling headcount. Compliance stops being a firefight and becomes a predictable business function.

Execution Blueprint 🛠️
The how: 3 practical steps to put this strategy into action at your organisation
Step 1: Audit Your Workflow Before Comparing Models
Pick one GRC process to AI-enable. Document it properly.
The 30-Minute Workflow Audit:
1. Map Execution - Write every step specifically
2. Identify Decisions - Where do humans make judgement calls? What criteria?
3. Document Edge Cases - What happens when standard path fails?
4. Define Validation - How do you know output is correct?
5. Articulate Success - What does "good" look like? Be specific.
💡 Why This Matters
Remember: 🎯 Model Obsession, 💩 AI Slop, ♻️ Garbage Amplification.
This audit exposes whether you're about to fall into these traps. Undefined criteria = garbage amplification. Can't document edge cases = AI slop.
🚨 Red Flags: Not Ready for AI
❌ Steps described as "use judgement" without criteria
❌ Different people execute differently
❌ No validation checkpoints
❌ Can't explain to new hire in under an hour
If 3+ red flags: Fix workflow before considering AI. This reveals what control orchestration looks like in practice. The goal is graduating from compliance theatre to risk-driven insights.
```text
POST /api/v1/workflow/assess HTTP/1.1
{
  "red_flags_count": 3,
  "judgement_without_criteria": true,
  "different_execution_by_people": true,
  "no_validation_checkpoints": true
}

Response 200 OK
{
  "verdict": "🚫 NOT READY FOR AI",
  "recommendation": "Fix workflow first",
  "what_you_will_do_instead": "AI Agentic rabbit hole",
  "outcome_in_6_months": "Expensive chaos at scale",
  "we_told_you_so": true,
  "board_meeting_status": "Prepare CV",
  "error_trace": "WorkflowQualityException: Cannot automate what humans can't execute consistently"
}
// 4/5 of API calls return this exact response
// 100% ignore it and proceed to checkout anyway
```

Step 2: Strengthen Workflow, Then Choose AI
Workflow Checklist:
☐ Clear Inputs - What data? What format? How validate?
☐ Defined Decisions - Can you write the logic?
☐ Validation Mechanism - How verify correctness?
☐ Edge Case Handling - What if approach fails?
☐ Feedback Loop - How do outputs improve inputs?
💡 What You're Fixing
Each item addresses a failure mode:
Clear Inputs prevents 💩 AI slop.
Defined Decisions prevents ♻️ garbage amplification.
Validation catches slop before stakeholders.
Is Your Workflow Ready for AI?

If "NOT READY": Implementation framework for enterprises.
If "READY": Automating quarterly access reviews.
Step 3: Start Simple, Validate Extensively, Iterate
Phase 1 (Weeks 1-4): Single task, basic AI (cheaper/faster model), 100% validation. Document what works and fails.
Phase 2 (Weeks 5-8): Analyse data. Where consistent? Expand + reduce validation to 20%. Where struggled? Fix or stay manual.
Phase 3 (Months 3-6): Scale to similar tasks. Humans own judgement. Build feedback loops.
This reflects distinguishing signal from noise, measuring effectiveness (signal), not deployment activity (noise).
Success Metrics:
❌ Wrong Metrics (Activity) | ✅ Right Metrics (Outcomes) |
|---|---|
"Using Claude Opus Enterprise" | "Error rate: 2% vs 15% baseline" |
"AI processes 500/month" | "Time: 3 days vs 14 days, same quality" |
📊 Real Example: 6-Month Automation
Month 1: 12 questions, Gemini Flash, 100% validation → 11/12 worked
Month 6: AI handles 60%, humans 40% → Time: 8h to 3.5h
This mirrors automating quarterly access reviews in practice.
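The Phase 2 decision ("where consistent, expand and cut validation to 20%; where it struggled, fix or stay manual") run over a Phase 1 validation log, added here as an example and not the article's own code. Per task it asks two separate questions: did the AI agree with the human checker, and did the same input get the same verdict when re-run (the "same scan, different day, different verdict" failure from the opening story)? Only a task that passes both is expanded. The log records, task names and thresholds are constructed assumptions.

```python
"""Added example, not the article's own code: the Phase 2 triage run over a
Phase 1 validation log. Per task it checks AI/human agreement and
repeatability (same input, same verdict on re-run) separately; only a task
that passes both gets expanded with validation cut to 20%.

The log records, task names and thresholds are constructed assumptions.
"""
from collections import defaultdict

MIN_SAMPLES = 10            # assumed: fewer checked outputs than this is not a signal yet
AGREEMENT_THRESHOLD = 0.95  # assumed: AI/human agreement required before cutting validation
REDUCED_VALIDATION = 0.20   # the article's Phase 2 sampling rate for consistent tasks


def _rows(task, triples):
    """Build validation records from (input_id, ai_verdict, human_verdict)."""
    return [{"task": task, "input_id": i, "ai": a, "human": h} for i, a, h in triples]


# Constructed Phase 1 log: one row per AI output a human checked (100% validation).
VALIDATION_LOG = (
    _rows("questionnaire_first_pass",
          [(f"q{i}", "compliant", "compliant") for i in range(1, 20)]
          + [("q20", "compliant", "gap"),          # one miss out of 20 items
             ("q5", "compliant", "compliant")])    # re-run of q5: same verdict
    + _rows("evidence_extraction",
            [(f"e{i}", "present", "present") for i in range(1, 25)]
            + [("e2", "missing", "present")])      # re-run of e2: verdict flipped
    + _rows("risk_acceptance",
            [(f"r{i}", "accept", "accept") for i in range(1, 9)]
            + [(f"r{i}", "accept", "reject") for i in range(9, 13)])  # 4 of 12 wrong
    + _rows("exception_approval",
            [(f"x{i}", "approve", "approve") for i in range(1, 5)])   # too few to judge
)


def summarise(log):
    """Return per-task agreement, repeatability and the Phase 2 action."""
    stats = defaultdict(lambda: {"n": 0, "agree": 0, "runs": defaultdict(list)})
    for r in log:
        s = stats[r["task"]]
        s["n"] += 1
        s["agree"] += int(r["ai"] == r["human"])
        s["runs"][r["input_id"]].append(r["ai"])

    report = {}
    for task, s in stats.items():
        agreement = s["agree"] / s["n"]
        reruns = [v for v in s["runs"].values() if len(v) > 1]
        # Share of re-run inputs whose AI verdicts were all identical; None if never re-run.
        repeatability = (sum(len(set(v)) == 1 for v in reruns) / len(reruns)) if reruns else None

        if s["n"] < MIN_SAMPLES:
            action, reason = "collect_more", f"only {s['n']} validated outputs"
        elif repeatability is not None and repeatability < 1.0:
            action, reason = "fix_or_stay_manual", "same input produced different AI verdicts"
        elif agreement >= AGREEMENT_THRESHOLD:
            action, reason = "expand_and_sample", (f"agreement {agreement:.0%}; "
                                                   f"validate {REDUCED_VALIDATION:.0%} going forward")
        else:
            action, reason = "fix_or_stay_manual", f"agreement {agreement:.0%} below {AGREEMENT_THRESHOLD:.0%}"

        report[task] = {"n": s["n"], "agreement": round(agreement, 3),
                        "repeatability": repeatability, "action": action, "reason": reason}
    return report


if __name__ == "__main__":
    for task, row in summarise(VALIDATION_LOG).items():
        print(f"{task:26} n={row['n']:3} agree={row['agreement']:.3f} "
              f"repeat={row['repeatability']} -> {row['action']}: {row['reason']}")
```

Note that `evidence_extraction` scores 96% agreement and still stays manual: a single flipped verdict on a re-run is enough, because an output that changes between runs cannot be sampled at 20% with any confidence. Agreement measures accuracy; repeatability measures whether the workflow is defined well enough for sampling to mean anything.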
The Bottom Line
Stop optimising model selection. Start fixing your workflows.
Your competitive advantage isn't GPT-5 vs Claude Opus. Your advantage is workflow quality: documented decision trees, clear validation checkpoints, defined edge cases, structured feedback loops.
Weak workflow + advanced AI = expensive garbage at scale. £50k to amplify dysfunction.
Strong workflow + basic AI = consistent value delivery. Process works, AI handles repetition, stakeholders trust outputs.
The jump from weak to strong workflow creates 10x more value than upgrading models. Yet everyone optimises models whilst ignoring foundations.
This week's action: Pick one GRC process. Document workflow (decisions, edge cases, validation). Identify gaps. Fix workflow before choosing AI.
This is what GRC Engineering actually is, engineering thinking applied to GRC problems, not just buying sophisticated tools.
The revolution isn't AI sophistication. It's workflow discipline.


That’s all for this week’s issue, folks!
If you enjoyed it, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Listening to the GRC Engineer Podcast
See you next week!