SOC 2, Vibes, and the Audit Arms Race

Season 1, Episode 20: 7 Minute abs with Wiz's CISO Expert Zlatko Unger

What happens when you put three security pros in a (virtual) room and let them vent about SOC 2, auditors, and the alphabet soup of frameworks?

In this week’s GRC Uncensored, hosts Troy Fine, Kendra Cooley, and producer Elliot Volkman sit down with Zlatko Unger, CISO Expert at a little company called Wiz, for one of the most brutally honest takes yet on compliance theater.

Catch this episode on Apple, Spotify, Amazon, or YouTube.

Highlights

  • Framework overload: From NIST AI RMF to PCI DSS, Zlatko explains why mapping every control to every standard is a full-time job, and why no one ever agrees on what “right” looks like.

  • Automation vs. understanding: How AI tools like ChatGPT and Gemini are already being used (and misused) in compliance analysis.

  • SOC 2 is losing its edge: Once a gold standard, now a commodity. The crew debates whether the market can fix itself or if we need a new model entirely.

  • Vibe-based auditing: Why finding an auditor who gets your environment matters more than chasing logos or rock-bottom prices.

  • AI and the future of audits: Will the next SOC 2 report be written by AI and reviewed by another AI? (Spoiler: probably.)

Framework Overload

Zlatko Unger describes the never-ending cycle of trying to align multiple compliance frameworks while keeping teams productive.

“The number, the acronym soup of different frameworks just keeps expanding and expanding, and I guess it keeps all of us employed by the end of the day. Does it keep us sane?”

He explains how chasing alignment often discourages progress:

“Instead of going ‘we have this thing, what’s the gap?’ you go, ‘that’s taking too much time. Let’s focus on the new thing that we need to do because it’s much easier going from scratch than trying to pair it with something that you already know.’”

The point: the compliance ecosystem has become so fragmented that starting over feels easier than maintaining continuity; an ironic by-product of frameworks meant to simplify risk.


AI in Compliance

Unger experiments with AI to classify controls and test how automation interprets frameworks like the NIST AI RMF.

“There was a huge discrepancy between the two. So I had to figure out, am I looking at it the wrong way? Is the AI looking at it the wrong way? And both of us were wrong.”

AI can accelerate documentation, but it doesn’t yet grasp the nuance of technical versus non-technical controls, which is a reality check for anyone betting on full AI-driven audits.


SOC 2: From Badge to Commodity

The team dives into how SOC 2 lost its luster. Unger doesn’t hold back:

“It’s a gift that keeps on giving, right? Like back in the day, SOC 2 used to mean something. It was like, ‘oh, we have SOC 2 Type 1. Holy moly.’ … Now it just becomes, every mom and pop can have a SOC 2 if they have the money for it.”

He continues:

“Because of that change from meaning something to just being so commoditized … the value of a SOC 2 report goes out the window.”

The conversation connects this erosion of trust to the rise of quick-turn audit vendors promising certification “in hours,” and to TPRM teams increasingly rejecting reports they don’t trust.


The Vibe Check Auditor

When asked how he evaluates auditors, Zlatko reframes the process around chemistry and competence:

“Finding an auditor that fits your vibe and fits the needs of the organization goes a long way… If you find yourself in a room with suits that are moving at speeds of a computer from 1997 versus somebody who’s nimble, that understands modern technology and it’s just ‘oh AWS, I get it,’ … it goes a long way.”

His advice highlights an overlooked truth in compliance: a misaligned auditor can waste months. The right partner, by contrast, accelerates both trust and maturity.


SOC 2 for Robots

Mid-episode, Kendra jokes about where automation is headed and Zlatko leans in.

Kendra Cooley: “Honestly, we’re probably getting to the point though, of people just like typing into ChatGPT, ‘can you please issue me a SOC 2 report?’”

Zlatko Unger: “I’m willing to bet that there’s gonna be a way to just jam any AI processing tool so that way an actual human has to put in the effort.”

Kendra Cooley: “We’re doing SOC 2 for other robots. The robots are doing SOC 2 for other robots. This is the world we’re moving into.”
