Catch this episode on Apple, Spotify, Amazon, or YouTube.
In the latest episode of GRC Uncensored, hosts Kendra Cooley and Troy Fine sat down with Jake Bernardes, CISO of Anecdotes and host of Risking It All, to talk about the positive side of GRC. What unfolded was less about sugar-coating and more about the tensions shaping our industry, from AI disruption to the shaky future of SOC 2 reports. More specifically, is there a world where we see a consolidation of regulations and frameworks in response to the sprawl we see now?
Key Takeaways
AI in GRC should enhance, not replace, auditors, transforming evidence gathering into value-added analysis.
Compliance automation lowers the barrier to entry but risks turning certifications and attestations into check-the-box exercises.
SOC 2 and ISO are still necessary today, but may give way to continuous GRC models within the next decade.
Risk must return to the center of GRC, with data-driven registers guiding real-world decisions.
AI in Auditing: Threat or Tool?
As with most conversations today, we kick things off by chatting about AI. Jake argued that automation won’t replace auditors, but it will make them better. By offloading repetitive evidence collection and validation, auditors can focus on meaningful analysis and risk consulting.
Troy pushed back, asking whether these tools truly help clients rather than just auditors themselves. The group landed on a vision where AI not only speeds up audit prep but also gives organizations real-time feedback about evidence quality, shifting the value from box-checking to continuous improvement.
Are Compliance Platforms Lowering the Bar or Raising It?
The trio debated whether platforms like Anecdotes, Vanta, and others have made compliance too easy, creating check-the-box programs that offer a false sense of security.
Optimistic view (Jake): Even if early-stage startups use automation to achieve certifications/attestations quickly, it’s still better than doing nothing. These platforms at least push companies to adopt baseline security measures.
Skeptical view (Kendra and Troy): Easy compliance may cheapen certifications, leading to shallow programs and rubber-stamp audits. Without real scrutiny, buyers could be shaking hands with nonsense.
Jake countered that the real issue isn’t GRC itself; it’s third-party risk management (TPRM). Too often, buyers ask poor questions (“Do you have a SOC 2? Yes/No”) instead of digging into evidence of actual security practices.
SOC 2: Golden Ticket or Fading Relic?
One of the liveliest parts of the discussion was whether SOC 2 and ISO 27001 still matter, and whether they will matter in the future.
Jake argued that certifications/attestations have been commoditized and will likely decline in importance by 2030. Instead, he predicts a shift toward continuous assurance backed by live, evidence-based trust centers.
Kendra noted that while SOC 2 reports are still a ticket to the conversation in sales, customers increasingly demand additional questionnaires and evidence beyond them.
Troy raised the uncomfortable question: if certifications/attestations are increasingly devalued, are some compliance vendors actually incentivized to accelerate their collapse so they can sell continuous assurance as the replacement?
Risk-Driven GRC: The Way Forward
The episode closed on an optimistic note. Jake reminded everyone that the “R” in GRC—risk—is often neglected in favor of governance and compliance. His vision of the future is:
Dynamic, data-driven risk registers that reflect what’s actually happening in the environment.
Evidence-backed decisions on tools, people, and controls.
Transparency with customers, where evidence of testing and remediation is shared directly rather than summarized in static reports.
“Problems or not,” Jake said, “we’re light years ahead of where we were five years ago.”
Listen to the full episode on GRC Uncensored and join the conversation on Reddit.