The State of GRC Automation: From Commoditisation to Long-Term Trust

The Unfiltered GRC Automation Roundtable left me with a few key questions of my own. In this post, I’ll share my main takeaways and the concerns that still keep me up at night.

Recently, I watched the Unfiltered GRC Automation Roundtable, featuring leaders from major GRC automation platforms—Drata, Anecdotes, Thoropass, Sprinto, Scrut, Vanta, and SecureFrame. As someone who lives and breathes governance, risk, and compliance (GRC) in my daily work, I was eager to see how the top minds discuss “commoditisation” versus “democratisation,” their perspectives on legacy enterprise compliance, auditor relationships, and the rise of AI-driven next-gen tooling.

The panel covered a lot, but I left with a few key questions of my own. In this post, I’ll share my main takeaways, the concerns that still keep me up at night, and my perspective on how we can push GRC forward—especially at Cyber Matters, where we help organisations build agile, scaled compliance programmes.

1. Democratisation vs. Commoditisation: Two Sides of the Same Coin

“Is GRC being commoditised or democratised?” This question seemed to ring throughout the roundtable. The consensus among the speakers was that lowering barriers to compliance can raise the overall security baseline—small startups can affordably build a minimal compliance programme, obtain SOC 2 or ISO 27001, and compete with bigger players.

But here’s my counterpoint: while democratisation is great for broadening participation, it can devolve into commoditisation. Compliance frameworks become cheap checkboxes instead of meaningful security milestones. If the trust in these certifications erodes, then we face a more damaging outcome than we had before. After all, if everyone starts dismissing SOC 2 or ISO reports as “rubber stamps,” how will we measure an organisation’s true security posture?

My take on this

I’m a realist. Over time, everything moves toward commoditisation—penetration testing, vulnerability scanning, and even advanced compliance tasks. It’s the nature of technological progress and free markets. That doesn’t automatically degrade trust, though, if we hold ourselves accountable. A GRC programme that includes robust, experienced oversight (instead of automated ‘tick-the-box’ processes only) is the key to ensuring trust stays intact.

2. The Experience Gap: Tools Alone Won’t Save You

A recurring theme for me, as I listened to the roundtable, was the assumption that fancy automation tools can substitute for real-world security expertise. Yes, GRC dashboards and frictionless evidence collection are leaps forward compared to the pain of 500 Excel sheets. Yes, “plug-and-play compliance” is exciting for smaller teams with no dedicated security staff.

But let’s address the elephant in the room: if your AWS environment is misconfigured, you can gather all the data you want—you’re still gathering bad data. Garbage In, Garbage Out. Or, put another way, “If you’re starting from a shaky foundation, advanced GRC automation only replicates your errors at scale.”

My take on this

Tools are an enabler, not a replacement, for thorough security know-how. Start with skilled professionals who configure your systems properly. Then, once the environment is stable, you’ll truly see the benefit of data-driven, real-time evidence.

3. Enterprise Complexity: The “Dinosaur” Version of Compliance

Another thing that stood out in the roundtable discussion: even though smaller companies use modern frameworks and continuous auditing, larger enterprises remain stuck in a dinosaur compliance mindset. They still rely on monstrous checklists, legacy spreadsheets, and labour-intensive annual audits.

Why are they behind? Sometimes it’s bureaucracy, sometimes risk aversion, sometimes the cost of switching legacy GRC systems. Either way, if you’re a startup trying to sell to a Fortune 500 client, it doesn’t matter that you’ve got a slick, near-real-time approach to SOC 2—they’ll still ask you for 100 spreadsheets and a 350-question vendor form. So we’re bridging new, nimble frameworks with old-school demands, hacking together processes that frankly should be redesigned from the ground up.

My take on this

The solution is partial harmonisation. The reality is enterprises won’t do a full rip-and-replace of entrenched procedures. They need iterative improvements—gradual overhauls, plus new technology. That’s where services like ours at Cyber Matters come in: we tailor a “bridge” that meets old-school demands in parallel with your more modern GRC posture. It’s not perfect, but it ensures you can keep sales moving without burying your security team in outdated tasks.

4. Auditor Partnerships: It’s Not All Roses at the Top

We frequently hear about the “tiered” auditor ecosystem—some emphasise thorough checks, others barely glance at the data. At the roundtable, everyone cautioned against rubber stamp auditing. But they also acknowledged that auditors themselves face cost pressures and market competition. Some firms gladly provide bargain-basement SOC 2 audits, which eventually tarnish the entire brand of certification.

And what about so-called top-tier firms? None are perfect, either. There’s no shortage of headlines about Big Four entanglements in financial scandals or conflicts of interest. Ultimately, the same market dynamics pushing compliance towards commoditisation are also pushing these firms to streamline (or short-change) the auditing process.

My take on this

No certification is better than a worthless certification. If your security posture can’t stand up to scrutiny, a cheap piece of paper only invites bigger compliance headaches later. We always remind our clients that audits exist for trust, not just vanity. Find an auditor who won’t just “sign on the dotted line,” but also help ensure your controls are genuinely effective.

5. AI and the Next Generation of GRC

The roundtable panel was generally bullish on AI to speed up tasks like evidence-gathering, policy writing, or risk scoring. It’s an exciting frontier: imagine real-time correlation of misconfigurations, with on-the-fly auto-generated suggestions for new controls.

My take on this

But as I see it, AI is an aid, not a complete solution. Hallucinations, incomplete context, or random data mismatches do happen. Every day, we see examples of ChatGPT confidently producing nonsense. So while AI for GRC is powerful, we still need human pros to verify, contextualise, and interpret results—especially in areas as sensitive as risk management.

Where Cyber Matters Fits: GRC That Evolves With You

At Cyber Matters, we’ve embraced many of these insights:

  1. Scale your GRC as you grow. If you’re a 10-person startup, a lightweight, trust-building compliance framework is enough. Once you start courting enterprise clients, you’ll need a more robust programme. We design it so the evolution is painless rather than a total rebuild.

  2. Incorporate modern automation with real human oversight. We deploy best-in-class tools, yes—but we always add an experienced GRC consultant to oversee the data, confirm alignment with business objectives, and make sure you’re not pushing junk data into your dashboards.

  3. Bridge old and new. Even when you have the coolest, continuous monitoring GRC suite, your largest customers may demand old-school documentation. We help you spin up a “hybrid” approach that satisfies your biggest enterprise clients while you continue to scale modern processes in the background.

  4. AI is a co-pilot, not a driver. We welcome next-gen capabilities—like auto-checking evidence or generating risk scenarios. However, we keep it within a guard-railed, human-curated context. We’re not about to hand over your entire compliance posture to a machine that might go off-script.

  5. Don’t lose sight of trust. Ultimately, compliance is about relationships—vendors trusting your environment, your customers trusting your data handling, your investors trusting you to steer the ship securely. Trust is not a piece of paper. It’s the end result of good architecture, real-time evidence, and consistent follow-through by people who care.

Final Thoughts

The Unfiltered GRC Automation Roundtable showcased all the buzzwords—continuous compliance, data-driven evidence, bridging SMB to enterprise, AI magic, and so on. From my vantage point, these are exciting developments. But there’s no silver bullet. Commoditisation is inevitable, but if we lose sight of trust, the industry undermines itself.

My takeaway is that democratised GRC can work if we pair tools with seasoned insight—ensuring new players don’t just check boxes but genuinely secure their environments. Enterprises must gradually overhaul their “dinosaur demands,” allowing smaller suppliers to integrate modern methods into their compliance checks. AI will help, but not replace, the thoughtfulness and accountability of real practitioners.

At Cyber Matters, our approach tries to reflect all of these realities: start small, grow responsibly, blend automation with real expertise, and never treat “compliance” as a monolithic task. If that resonates with you, I’d be happy to compare notes—because the real magic of GRC automation is seeing how these frameworks actually help a business, rather than bury it under pointless red tape. And that’s the conversation worth having next.
