By Yair Kuznitsov, Co-Founder & CEO, Anecdotes
Every week I talk to enterprise GRC teams who understand exactly what agentic AI can do for their profession. They've read the articles, seen the demos, and can articulate the difference between AI that makes a workflow go a little, or even a lot, faster and an agent that replaces it entirely.
Yet still, some remain reluctant to make the shift to agentic GRC.
When I ask why, the conversation moves away from technology pretty quickly. Most of them have the "AI budget" available, but something is holding them back from making the move and they can't always name what it is.
The conversations all eventually lead to the same place, even if they can’t say it in so many words: they're not sure who they are when the operations aren't theirs anymore. It's an identity and even value question above all else.
Most GRC practitioners carry an implicit belief about where their value comes from. That belief isn't wrong, but it's describing a role that's being restructured, and those who make the transition the fastest will be the ones leading the industry in the coming years.
The Competence That Got Us Here
GRC professionals built their expertise around operational competence. Knowing how to gather the right evidence, managing audit cycles under pressure and keeping a complex compliance program running when it's understaffed and under-resourced have been signs of a valuable GRC team member for years.
That competence took years to develop, and the people who have it are genuinely good at what they do and are rightfully valued by their business.
The problem with agentic GRC is that it doesn't reward that competence the same way. Agents can gather evidence, open remediation tasks and manage most of the audit cycle alone. Given that agents can handle those operations, the actual question is what a GRC professional is supposed to be doing instead, and most organizations haven't asked it yet.