From Automation to Intelligence: How AI Is Rewriting GRC

There’s so much noise, hype, and rapid movement surrounding AI in GRC that it’s easy to get lost in the headlines. 

That’s why we brought together two of the industry’s most respected security leaders—Diana Kelley, CISO at NOMA Security and former CTO at Microsoft, and SKI (Senthil Kumar Ayyapan), an award-winning GRC executive and CISO at Ocrolus—along with Girish Redekar, CEO of Sprinto, to unpack what’s really happening. Their perspectives show how AI is actually transforming GRC, what’s changing, and what that means for the function moving forward.

The Last Major Evolution in GRC—And Why It’s Not Enough

The GRC landscape has evolved significantly from its early reliance on scattered emails, spreadsheets, and manual workflows. As SKI reflected, “We’ve come a long way from not having a GRC at all to having GRC monitoring tools. I’ve seen everything—entire programs run on emails, spreadsheets, and documents, now replaced by integrated tools with rules-based automation and periodic tasks.”

And this shift was truly transformational. For years, GRC tools have continued to mature and become increasingly dependable. However, the world they’re designed to safeguard has grown exponentially more complex. SKI underscored this reality: “The risk landscape, compliance requirements, and regulatory environment are constantly evolving. Managing a global product company means tracking changes across every market, every customer requirement. Static workflows simply can’t keep pace.”

That’s the fundamental problem with rules-based automation: static workflows can’t learn or recognize legitimate exceptions. They can’t adjust to emerging threats or evolving regulatory expectations. In a world where risk and compliance landscapes constantly shift, relying solely on rules-based GRC is no longer sufficient.

What AI-Powered GRC Actually Looks Like

The term “AI in GRC” is broad and often used loosely to describe everything from thin wrappers to chatbots layered on top of existing workflows. But that’s not the real story. When done right, AI doesn’t just sit on top of old processes; it changes the shape of GRC itself.

Here are three fundamental transformations that occur when AI-native GRC enters the picture:

Contextualization Instead of Blind Rules

Rules-based GRC systems treat every data point the same, while AI-native GRC systems learn the patterns and meaning behind them. As SKI put it: “With AI in GRC, there’s contextualization. We can understand the intent behind changes, recognize patterns, and adapt quickly. Things that took three years to identify can now be understood in real-time.”

And Diana illustrated this perfectly: “A rule might say ‘disable user if no activity for 90 days.’ But what if that account gets used once quarterly for specific maintenance? AI can learn that pattern and flag only true anomalies.”

But it goes deeper than a single rule. By correlating access data, HR data, and behavioral patterns, the system can say which pattern is risky and which is expected. Instead of thousands of false positives, compliance analysts see the handful of findings that actually matter. That contextual layer, more than the automation itself, is what changes the daily work of GRC.
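To make Diana’s 90-day example concrete, here is an added example (not code from the speakers, Ocrolus or Sprinto) that runs a flat idle-account rule and a per-account cadence check over the same constructed login events. The “learning” side is deliberately a simple statistical baseline (median gap between logins and its spread) rather than a trained model, which is enough to show why the static rule misfires on a quarterly maintenance account and why it stays blind to a login that arrives off-cadence. Account names, timestamps, and the thresholds `idle_factor` and `early_factor` are all assumptions for this example.

```python
"""Static idle-account rule versus a per-account cadence baseline.

Added example, not code from the webinar speakers or Sprinto. The "AI" side is
a simple statistical baseline (median inter-login gap and its median absolute
deviation); it is enough to show why a flat 90-day rule misfires on a quarterly
maintenance account. All login events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

DAY = 86400.0


def _daily(account, start, count):
    """Helper for the constructed sample: one login per day at the same hour."""
    return [(account, (start + timedelta(days=i)).isoformat()) for i in range(count)]


# Constructed sample: (account, ISO-8601 login timestamp).
LOGINS = (
    # Quarterly maintenance account: legitimate, roughly 90 days between logins.
    [("svc-quarterly-maint", t) for t in
     ("2024-01-02T03:00:00", "2024-04-01T03:00:00", "2024-07-01T03:00:00")]
    # Another quarterly account that suddenly logs in six weeks early.
    + [("svc-backup", t) for t in
       ("2024-01-03T03:00:00", "2024-04-03T03:00:00", "2024-07-03T03:00:00", "2024-08-14T03:00:00")]
    # Daily user who is still active.
    + _daily("alice", datetime(2024, 9, 20, 9), 10)
    # Daily user who stopped logging in on 10 May.
    + _daily("bob", datetime(2024, 4, 29, 9), 12)
    # One-off account with no usable history.
    + [("temp-contractor", "2024-05-01T14:00:00")]
)
NOW = datetime(2024, 9, 30, 12)


def logins_by_account(events):
    """Group and sort the raw events per account."""
    by_account = defaultdict(list)
    for account, stamp in events:
        by_account[account].append(datetime.fromisoformat(stamp))
    return {a: sorted(ts) for a, ts in by_account.items()}


def static_rule(events, now, max_idle_days=90):
    """The rule from the text: flag any account idle for more than 90 days."""
    return sorted(a for a, ts in logins_by_account(events).items()
                  if (now - ts[-1]).days > max_idle_days)


def baseline(timestamps):
    """Median gap between logins (days) and its median absolute deviation,
    or None when there are fewer than two gaps to learn from."""
    gaps = [(b - a).total_seconds() / DAY for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    centre = median(gaps)
    return centre, median(abs(g - centre) for g in gaps)


def cadence_aware(events, now, idle_factor=1.5, early_factor=0.5, max_idle_days=90):
    """Judge each account against its own history instead of a global constant."""
    findings = []
    for account, ts in logins_by_account(events).items():
        learned = baseline(ts)
        idle_days = (now - ts[-1]).total_seconds() / DAY
        if learned is None:
            # Not enough history to contextualise: fall back to the static rule.
            if idle_days > max_idle_days:
                findings.append((account, "idle-no-baseline"))
            continue
        expected, spread = learned
        # Idle far beyond this account's own rhythm (a daily user gone for months).
        if idle_days > idle_factor * expected + spread:
            findings.append((account, "idle-beyond-own-cadence"))
        # A login arriving much earlier than a stable cadence predicts is the kind
        # of anomaly the 90-day rule can never see.
        stable = spread <= 0.1 * expected
        last_gap = (ts[-1] - ts[-2]).total_seconds() / DAY
        if stable and last_gap < early_factor * expected:
            findings.append((account, "login-off-cadence"))
    return sorted(findings)


if __name__ == "__main__":
    print("static 90-day rule  :", static_rule(LOGINS, NOW))
    print("cadence-aware review:", cadence_aware(LOGINS, NOW))
```

Run as-is, the static rule flags the quarterly maintenance account (91 days idle) alongside the genuinely abandoned accounts, while the cadence check clears it, catches the early `svc-backup` login, and falls back to the plain rule where there is no history to learn from. One caveat worth keeping in mind: a baseline learned from an account’s own history is only as trustworthy as that history, and an attacker who takes over the quarterly account and mimics its cadence stays inside the baseline, which is why the text pairs behavioral patterns with HR and access data rather than relying on any one of them.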

Adaptivity to Change

From new regulations to subtle updates in existing ones, compliance requirements are constantly evolving, forcing teams into a perpetual state of catch-up. With traditional GRC systems, that catch-up is manual: someone has to read each change and work out which controls it touches. With AI-native GRC, teams can finally get ahead of it.

As SKI explained, managing a global company means tracking “everything that’s happening across every market, every customer requirement. A static workflow just can’t keep pace.” AI changes this by continuously ingesting new regulations, mapping them to your existing control set, and proposing concrete, actionable changes: new controls to add, old requirements that can safely be scoped out, and existing controls that already satisfy the new criteria. It pinpoints the adjustments required to stay compliant rather than leaving the gap analysis to a spreadsheet.

Because the system never stops monitoring, drift from the mapped control set surfaces as it happens. Organizations can correct continuously instead of discovering policy drift, or reacting to unexpected changes, at the next audit.

Insight at Scale

GRC teams are often overwhelmed by compliance and evidence requests: security questionnaires, vendor documents, internal evidence pulls. They lose countless hours to this manual, repetitive work. AI can automate most of it, so tasks that took weeks of back-and-forth can be completed in minutes.

Diana described this opportunity and the underlying nuance clearly: “AI won’t answer everything and ship it off—you shouldn’t trust it to do that. But it can rapidly surface what matters. It can tell your procurement team which questions are critical and accelerate your responses to vendors assessing you.”

In doing so, AI not only reduces the amount of busywork but also frees up analysts to focus on areas that truly require human judgment or strategic thinking.

From Tactical Tool to Strategic Command Center

Perhaps most importantly, AI transforms GRC from a compliance tool into a strategic asset. As Girish articulated, “AI makes GRC the actual central command center for the CIO. Not just ‘did we pass the audit?’ but ‘what’s the health of our entire security program?’”

So your GRC dashboard becomes a real-time view into your organization’s security posture. It no longer just informs you whether you’re compliant, but also whether you’re resilient.

How CISOs Are Handling AI: Two Critical Dimensions

Securing the AI You Ship: MLSecOps

Both Diana and SKI emphasized that as CISOs at AI-first companies, they carry a heightened responsibility to secure the AI systems they deploy. To achieve this, they had to weave security throughout the entire machine learning development lifecycle, a practice increasingly referred to as MLSecOps or AISecOps.

Diana outlined the key components of this process. Supply chain security for AI is essential: open-source models and training data are new artifacts that need scanning, and that includes the file formats that carry them, since a model file can embed code that runs the moment it is loaded. You must also ensure there are no neural backdoors in the models themselves. LLMs also have to be tested differently: because they are non-deterministic and statistically driven rather than rule-based, traditional pass/fail testing does not hold. You therefore need to monitor guardrails and continuously verify the quality of the output.
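As an added example of the supply-chain scanning Diana describes (this is not code from the speakers, Ocrolus or Sprinto), the block below statically inspects a pickle-based model artifact, the serialization format behind plain `torch.load` checkpoints, for the imports and constructor calls it would execute when loaded. It walks the opcode stream with the standard library’s `pickletools`, which never executes the pickle, so the scan is safe to run on an untrusted download. The benign and trojaned sample pickles are constructed inline, and the denylist `DANGEROUS_GLOBALS` is an illustrative assumption rather than a complete list.

```python
"""Static scan of a pickle-based model artifact for load-time code execution.

Added example, not code from the webinar speakers, Ocrolus or Sprinto. It reads
the pickle opcode stream with pickletools (which never executes the pickle) and
lists every import the stream would perform when someone calls pickle.load or
torch.load on it. All sample inputs are constructed here; the denylist is
illustrative, not exhaustive.
"""
import collections
import pickle
import pickletools

# Protocol 0-2 pickles written with fix_imports=True record Python 2 module
# names, so "builtins" appears as "__builtin__". Normalise before matching.
MODULE_ALIASES = {"__builtin__": "builtins"}

# Illustrative denylist (an assumption for this example): callables a
# serialised set of weights has no reason to import. os.system is recorded
# under the posix/nt module name, so both are listed.
DANGEROUS_GLOBALS = {
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("builtins", "getattr"), ("os", "system"), ("posix", "system"),
    ("nt", "system"), ("subprocess", "Popen"), ("subprocess", "run"),
    ("subprocess", "check_output"), ("socket", "socket"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
CONSTRUCTOR_OPS = {"REDUCE", "BUILD", "NEWOBJ", "NEWOBJ_EX", "INST", "OBJ"}


def find_globals(data: bytes) -> list:
    """Return every (module, name) pair the pickle would import on load.

    GLOBAL (protocol <= 3) carries "module name" as its argument. STACK_GLOBAL
    (protocol 4+) consumes the two most recently pushed string constants, so a
    shadow list of strings is kept to recover them. A module string reused via
    a memo fetch (BINGET) is not resolved and shows up as "?", which a reviewer
    should treat as suspicious rather than safe.
    """
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((MODULE_ALIASES.get(module, module), name))
        elif opcode.name in STRING_OPS:
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            name = recent_strings.pop() if recent_strings else "?"
            module = recent_strings.pop() if recent_strings else "?"
            found.append((MODULE_ALIASES.get(module, module), name))
    return found


def scan_pickle(data: bytes) -> dict:
    """Classify a pickle byte string without ever unpickling it."""
    imports = find_globals(data)
    flagged = [g for g in imports if g in DANGEROUS_GLOBALS]
    # Every REDUCE/BUILD/NEWOBJ is a callable being invoked at load time; a
    # plain weights file should contain very few of them.
    constructors = sum(1 for op, _, _ in pickletools.genops(data)
                       if op.name in CONSTRUCTOR_OPS)
    return {"globals": imports, "flagged": flagged,
            "constructor_ops": constructors, "safe": not flagged}


# --- constructed samples (not real model files) ---------------------------
class _TrojanedCheckpoint:
    """Stand-in for a tampered checkpoint: unpickling it calls eval()."""

    def __reduce__(self):
        return (eval, ("print('code ran inside torch.load')",))


BENIGN_MODEL = pickle.dumps(
    collections.OrderedDict([("layer.weight", [0.1, -0.2]), ("layer.bias", [0.5])]),
    protocol=2)
TROJAN_MODEL_P2 = pickle.dumps(_TrojanedCheckpoint(), protocol=2)  # GLOBAL opcode
TROJAN_MODEL_P4 = pickle.dumps(_TrojanedCheckpoint(), protocol=4)  # STACK_GLOBAL opcode

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL), ("trojan-p2", TROJAN_MODEL_P2),
                        ("trojan-p4", TROJAN_MODEL_P4)):
        print(label, scan_pickle(blob))
```

On a real PyTorch `.pt` checkpoint the stream to scan is the `data.pkl` member inside the zip archive. A production scanner should invert the logic above into an allowlist of the modules a model is expected to reference (for example `torch`, `collections`, `numpy`) and reject everything else, and formats such as safetensors avoid the problem entirely by carrying no executable opcodes.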

And SKI shared Ocrolus’s approach: Multiple layers of models validate each other’s output. Human-in-the-loop verification ensures accuracy, and continuous monitoring occurs post-deployment. “We’ve invested heavily in human verifiers to bring system accuracy from 90% to 95% or even 99%.”

Governing the AI You Use: Managing Shadow AI

Shadow AI is another significant risk because AI adoption is accelerating far faster than governance can keep up. Teams are spinning up ChatGPT, Gemini, Claude, and custom tools—often uploading sensitive data without fully understanding the risks.  

But the solution isn’t prohibition. As SKI emphasized, “You can’t stop people from using AI. You have to embrace it safely.”

His approach at Ocrolus was to actively encourage AI adoption while channeling it through a structured governance framework. He treated AI as the future rather than a taboo, making adoption a key metric and expectation across teams. He established an AI governance committee that brings together leaders from finance, marketing, engineering, and sales to review AI initiatives and guide their safe implementation. And he classified the company’s data so that teams know which data can go into which platforms, rather than banning tools outright.

Diana expanded on this philosophy: “Most shadow AI use is coming from good people trying to optimize their work. Your job isn’t to tell them to stop, it’s to understand what business process they’re trying to improve and then point them toward approved tools and safe environments.”

Sprinto AI: Shaped by Everything We’ve Learned

The themes from this conversation closely mirrored what Girish, our CEO, and Chaitanya, our Head of Product, were thinking about while building Sprinto AI. They realized that GRC teams don’t just need faster tools; they need intelligent systems that can contextually think and adapt. And most importantly, the AI elements of these systems had to be built with compliance-grade accuracy and a human-in-the-loop approach.

That’s why Sprinto AI is anchored around four key pillars:

Together, these pieces reflect a more intelligent and adaptive version of GRC—one that evolves as quickly as the rules themselves.

From Compliance to Competitive Advantage

Throughout this conversation, one vision kept emerging: this new era of GRC isn’t about meeting requirements; it’s about maintaining resilience in real time. And that shift fundamentally changes what a modern GRC platform needs to be. SKI and Diana emphasized that GRC platforms must now function as central command centers—real-time dashboards that reveal what’s truly happening in the environment and enable intelligent, informed response rather than reactive firefighting.

This is where AI becomes truly transformative, pushing GRC beyond static proofs of compliance toward systems that stay continuously aligned with real risk. As organizations move away from one-size-fits-all checklists toward adaptive, risk-specific programs, GRC shifts from being a burden to becoming a business enabler. And that’s the true goal state for any mature GRC program.

Srikar Sai

As a Senior Content Marketer at Sprinto, Srikar Sai turns cybersecurity chaos into clarity. He cuts through the jargon to help people grasp why security matters and how to act on it, making the complex accessible and the overwhelming actionable. He thrives where tech meets business.
