
Why the "Why" Matters in GRC

S1 EP 14: Startup founder Richa shares why “SOC 2 in a box” won’t cut it, and how tailored GRC automation with a privacy-first AI strategy can empower overstretched mid-market teams.

In this episode of GRC Uncensored, Richa, founder and CEO of Complyance, joins the hosts to unpack the growing tension between scalable compliance tooling and the real needs of maturing GRC teams. The conversation examines why SOC 2 in a box solutions fall short for mid-market organizations and what it truly means to integrate AI without compromising privacy. Along the way, the group debates the future of entry-level roles, the role of trust in automation, and whether AI is truly replacing, or simply reshaping, the GRC profession.

TL;DL

  • Not all compliance platforms are built alike. Mid-market teams need customization, not checklists.

  • Automation is a relief, not a replacement. The best use of AI in GRC is to free humans for more strategic work.

  • Trust and transparency are non-negotiable. Privacy-first design and audit independence matter to practitioners who take security seriously.

  • Your GRC tools should evolve with your maturity. Complyance isn’t trying to be your first tool.

  • Entry-level GRC work will evolve rather than vanish, but critical thinking and ethical intent remain core.

The Problem with SOC 2 in a Box

Richa, CEO of Complyance (spelled with a “y”), shares how her company emerged from frustration with rigid GRC tooling. While many platforms aim for speed and scale at the startup level, Complyance focuses on delivering deeper value for maturing organizations that prioritize risk management, not just a certificate.

“If a client comes to us and they’re looking for SOC 2 for the first time, it’s actually not our client.”

Built-In Audit Firms? Not So Fast.

Some platforms offer bundled audits as part of their pricing. Richa pushes back hard on that model:

“We’ve lost deals because we refuse to bundle audits. But I’d rather walk away than squeeze an auditor on the backend.”

Instead, Complyance recommends auditors transparently, based on client maturity and need, rather than on hidden markups or back-end deals.

AI in GRC: Helper, Not Replacement

Complyance is innovating with AI, but with caution. Their modular, privacy-focused approach ensures customers can toggle specific AI features on or off, and even swap in their own enterprise LLMs in the future.

Examples of how they use AI:

  • Suggesting mitigating controls

  • Matching existing evidence to new audit requests

  • Reviewing third-party vendor questionnaires using agentic AI

“We’re not replacing analysts. We’re freeing them to focus on real risk reduction.”
