TJ, Kendra, and Elliot are back, and welcomed Evan Millman, GRC Manager at Abnormal Security, for what started as a casual chat and evolved into a sharp look at compliance blind spots, the role of AI in GRC, and how professionals can shape their careers in a changing field.
TL;DR
SOC 2 reports are almost always clean, and that’s a problem. Structural bias exists because auditors are paid by their clients and want to retain business, leading to overly optimistic reports.
External vs. internal audits serve very different purposes. External = present the best face, avoid findings. Internal = expose gaps, secure funding, and drive real improvement.
Third-party attestations are table stakes, not genuine assurance. SOC 2 and ISO certifications open the door but don’t reflect the whole security posture of a vendor.
Mature third-party risk management requires layered defenses. Evan’s approach combines vendor criticality ratings, deeper due diligence for high-risk vendors, and compensating internal controls, such as frequent access reviews.
The compliance ecosystem itself is flawed. Everyone—vendors, auditors, customers—plays a role in sustaining a cycle that rewards clean reports over transparency.
AI is becoming a practical accelerator in GRC workflows. Teams use tools like ChatGPT for evidence analysis, risk scoring, documentation search, and audit prep, but AI doesn’t replace human oversight.
The Problem With Perfect Reports
Evan began by discussing his team’s responsibility for maintaining certifications such as ISO 27001, ISO 27701, the new ISO 42001 (AI), and annual SOC 2 reports. These are critical business enablers, but they come with an uncomfortable truth: nearly every SOC 2 report looks spotless.
The reason isn’t a sudden wave of security perfection. It’s structural bias. External auditors are paid by the companies they assess, and bad news risks damaging that business relationship. As Evan put it, unless there’s an unbiased governing body reviewing these reports, it’s unrealistic to expect widespread transparency.
Kendra added a real-world example — she recently reviewed a qualified SOC 2 opinion for the first time in years. Those uncomfortable findings, she noted, are often what make the case for increased funding and program improvements. Evan agreed, drawing a clear line between external audits (polish, minimize findings) and internal assessments (be brutally honest to get better).
Third-Party Risk: Table Stakes vs. Real Assurance
The conversation naturally shifted toward vendor risk management. If external audits are structurally biased, how much weight should companies give to vendor SOC 2 reports and ISO certifications?
Evan’s stance was blunt: attestations are table stakes, not the end state. At Abnormal, his team applies a layered approach:
Classifying vendors by criticality based on data access and business impact.
Digging deeper for high-risk vendors when renewals or major changes occur.
Deploying internal compensating controls, such as more frequent access reviews and privilege management, to limit reliance on third-party assurances.
As he noted, “You can’t just say, ‘I’m using a third party, therefore I’m absolved of any security control on my end.’”
The system is imperfect, but tossing SOC 2 reports aside isn’t viable either. Instead, organizations need to treat these attestations as the beginning of a conversation, not the end of risk evaluation.
AI: Practical Helper, Not a Replacement
Early in the episode, the group shared their latest uses of ChatGPT—from Evan using it to assign risk ratings in a report, to Kendra using it to generate tailored interview questions. It set the stage for a broader discussion: AI isn’t replacing GRC teams anytime soon, but it’s already reshaping workflows.
Evan described using AI tools internally to analyze audit evidence, surface documentation, and reduce prep time. Tools like Glean and automation platforms help his team move from reactive, last-minute evidence collection to more continuous monitoring.
But he was clear: “Trust, but verify is still the mentality.” AI can speed up the work, but human judgment remains essential—especially in navigating gray areas that certifications and reports gloss over.
GRC Career Pathways: Lean Into the Human Edge
The episode closed on a thoughtful note: how to build a successful GRC career in this shifting landscape.
Evan’s advice, especially for those coming from technical backgrounds, was to double down on soft skills. Communication, relationship-building, and the ability to translate technical risk into business impact are what differentiate strong GRC professionals—not Python scripts.
He also emphasized networking and persistence over certifications alone. “Sometimes the road isn’t super clear, but with will and determination, that’s how you make the transition,” he said. Certifications can open doors, but human connections and strategic thinking keep them open.