Don’t Panic: A Hitchhiker’s Guide to the GRC Technology Galaxy

In the vast and often absurd cosmos of modern business, organizations are rocketing through space with one hand on the controls and the other gripping a towel — buffeted by gravitational pulls of regulation, solar flares of risk events, and occasional wormholes of bad audits. Fortunately, they’re not alone. Enter the Hitchhiker’s Guide to the GRC Technology Galaxy, the reliable, occasionally snarky companion for every compliance officer, risk manager, and digital governance strategist who forgot to pack a panic button.

Governance, Risk Management, and Compliance isn’t a planet you visit — it’s a galaxy you have to navigate, while dodging data breaches, reputational black holes, and the occasional asteroid made of policies that nobody reads.

Now, some will tell you the ultimate answer to GRC is 42. They’re wrong. The ultimate answer is architecture — not just software architecture, but capability architecture (use the OCEG GRC Capability Model as your reference framework; the supporting technology architecture is described below). Because GRC is not a single app, workflow, or module. It’s a federation of integrated capabilities that span strategy, performance, risk, compliance, ethics, audit, resilience, and — yes — even AI itself.

Why GRC 7.0 Matters: The Intelligent Command Center

That’s where GRC 7.0 – GRC Orchestrate comes in. This is not just the next step in automation. It’s the intelligent orchestration of GRC capabilities across the enterprise, transforming the silos of the past into a coordinated constellation of purpose, performance, risk, and resilience. In The Hitchhiker’s Guide to the Galaxy, the Babel Fish is a small, yellow, leech-like creature that, when placed in one’s ear, instantly translates any language. You see, the problem with GRC technology isn’t that there’s not enough of it — it’s that it doesn’t always speak the same language. Risk tools babble at compliance systems. Audit platforms mutter in acronyms. Third-party systems speak fluent procurement but ignore ethics. Without a unifying framework — without a Babel Fish — your GRC stack is just a noisy bar at the end of the universe.

Note, no single GRC platform does it all (If it says it does, it’s probably Vogon poetry in disguise). The real path forward is an enterprise GRC architecture: one that includes a core platform — yes — but also leverages best-of-breed tools, AI agents, digital twins, and integration fabrics to build a connected, intelligent, and adaptive GRC ecosystem. This is a constellation of technologies, platforms, and point solutions that work together in harmony. There may be a core system — and there should be — but there’s absolutely a role for best-of-breed tools that excel in specific domains.

Your GRC Star Chart: Twelve Domains in Orbit

These 12 Enterprise GRC domains below are your navigation chart — from Strategy & Decision Management at the helm, to AI GRC exploring the outer limits of autonomous accountability. Each domain serves a distinct role, but together they form the gravitational architecture of integrity in the modern enterprise. Each is hyperlinked below so you can hyperspace over to a more detailed article defining each domain.

That’s why GRC 7.0 – GRC Orchestrate matters. It’s not about one ring to rule them all (yes, have to insert a Tolkien reference as well), but about interconnected capability: a coordinated, dynamic, and intelligent architecture where digital twins simulate operations and agentic AI helps the business sense, respond, and adapt in real time. It’s how you move from GRC-as-checklist to GRC-as-command-center — from fragmented silos to orchestration at scale.

Each domain in this model reflects a critical pillar of enterprise capability — not theoretical, but operational. These aren’t “features.” They’re functions of how a business builds trust, achieves objectives, and adapts with integrity in an ever-shifting galaxy of risk. These functions are growing. The full vision of GRC Orchestrate will not be operational until 2030, but some technology in this context is being delivered today.

At GRC 20/20, we’ve mapped hundreds of solutions into this twelve-domain enterprise framework. Some organizations opt for an integrated platform as their core system of record (wise), while augmenting it with best-of-breed tools that excel in specific areas like policy management, AI risk, ESG, or third-party oversight (also wise). The key is to know how these tools fit together into a cohesive GRC capability — a blueprint that reflects your business, not just your budget.

So, grab your towel. Insert your digital Babel Fish. Boot up your improbability drive with your digital twin. And prepare to explore the GRC Galaxy — where uncertainty is navigable, integrity is engineered, and the meaning of risk may not be 42, but we’re getting closer. Here are the twelve domains of enterprise GRC capability in GRC Orchestrate . . .

  • Strategy & Decision Management. Strategy & Decision Management is the starting point of any effective GRC capability. It connects strategic intent with operational action, ensuring decisions are informed and governed. Often overlooked, this layer governs the very process of decision-making. In GRC 7.0 – GRC Orchestrate, this domain transforms GRC from a reactive function into a strategic capability — aligning values, data, and decisions to enable the business to thrive with integrity and agility.
  • Performance & Objective Management. Performance & Objective Management aligns strategic intent with operational execution. While risk and compliance are widely managed, performance often lacks governance. GRC 7.0 embeds this as a core capability, ensuring objectives are risk-adjusted, progress is monitored, and accountability is clear. This domain helps organizations dynamically align targets, drive ethical results, and track impact — turning GRC into a value driver rather than just a control layer.
  • Enterprise & Operational Risk & Resilience Management. Enterprise & Operational Risk & Resilience Management treats risk as a strategic asset and resilience as a design principle. GRC 7.0 enables organizations to monitor threats, model disruptions, and adapt proactively. Risk intelligence is embedded into decisions and operations, creating foresight-driven resilience. This domain safeguards strategy and supports organizational endurance in a world where risk is ever-changing.
  • Digital Risk & Resilience Management. Digital Risk & Resilience Management extends risk oversight to the digital ecosystem — from cloud to the data center. GRC 7.0 places digital trust at the center, modeling infrastructure and detecting threats in real-time. It builds resilience by design, turning cybersecurity and compliance into a strategic differentiator. This capability ensures digital interactions are trustworthy and continuously aligned with business integrity.
  • Compliance, Ethics & Obligation Management. Compliance, Ethics & Obligation Management links external rules to internal behavior. GRC 7.0 automates interpretation of laws and regulations, monitors ethics, and ensures accountability across the organization. This capability supports principled performance by aligning obligations to actions and embedding integrity into everyday decisions. It enables traceability, transparency, and ethical conduct across the enterprise.
  • Third-Party GRC Management. Third-Party GRC Management governs the lifecycle of external relationships. GRC 7.0 makes this a fully orchestrated capability aligned with purpose, risk, and performance. It integrates data and oversight across vendors, suppliers, and partners, ensuring that trust, compliance, and resilience extend across the ecosystem.
  • Policy & Training Management. Policy & Training Management ensures that policies are not just documented but operationalized. GRC 7.0 aligns policies with objectives and risk, delivering them contextually with training and tracking comprehension. This capability turns policies into living guidance, supports culture change, and empowers people to act with clarity and confidence.
  • Internal Control Management, Monitoring & Automation. Internal Control Management becomes proactive and embedded in GRC 7.0. Controls are monitored continuously and adapted based on business and risk context. This capability transforms static libraries into dynamic systems, allowing organizations to validate, adjust, and automate controls in real time — supporting performance, compliance, and assurance.
  • Issue Reporting & Event/Case Management. Issue Reporting & Event/Case Management enables the organization to detect, escalate, and resolve concerns quickly. GRC 7.0 integrates issue capture across the business and enriches it with intelligent triage and monitoring. This domain builds trust by ensuring accountability and visibility, reinforcing that integrity is monitored, not assumed.
  • ESG & Sustainability Management. ESG & Sustainability Management is embedded into the core of the business in GRC 7.0. It governs ethical performance, stakeholder trust, and regulatory alignment. This capability integrates ESG into strategy, operations, and reporting, enabling the organization to deliver purpose-driven value with measurable integrity and traceable accountability.
  • Audit Management, Analytics & Assurance. Audit in GRC 7.0 is a continuous engine of assurance. This capability provides oversight and validation that controls are effective, risks are managed, and objectives are achieved. It supports strategic insight, not just retrospective checks, and closes the loop between planning, execution, and accountability.
  • AI GRC (AI Governance, Risk Management & Compliance). AI GRC ensures intelligent systems operate transparently, ethically, and in alignment with strategy. GRC 7.0 brings lifecycle governance to AI, using AI to monitor AI. This domain supports explainability, regulatory compliance, and ethical oversight — ensuring trust is built into every intelligent decision.

Final Approach: Mind the Probability Field

So there you have it — twelve planetary domains in the ever-expanding GRC Galaxy, each with its own gravitational pull, intelligent lifeforms (some of them regulatory), and occasional wormholes of audit evidence requests. We’ve charted the big picture — the Enterprise GRC architecture — and how GRC 7.0 – GRC Orchestrate helps you navigate it with purpose, agility, and integrity.

But this is just the beginning of your galactic journey.

For a deeper dive into how these capabilities align with real-world technology and market direction, be sure to access the on-demand Research Briefing: 2025 State of the GRC Market – Hitchhiker’s Guide to the GRC Technology Galaxy, where we break down what’s here now, what’s emerging, and where the improbability drive of innovation is heading.

And don’t panic if you’re wondering how this architecture shows up in the day-to-day orbit of departments and functions. Next week, we’ll move from the bridge of the Enterprise to specific starships — diving into the 10 domains of GRC within specific roles, functions, and departments. From legal to finance to privacy to human resources, we’ll explore how GRC Orchestrate enables intelligent, integrated decision-making across the constellation of business functions.

Until then, keep your towel handy, your digital twin calibrated, and remember: in the GRC Galaxy, architecture is everything — and trust is your universal translator.

End of transmission. Prepare for next hyperspace jump…

Breaking the Mold: Announcing the Winners of the 2025 GRC Innovation Awards

Recognizing those who dare to rethink Governance, Risk Management & Compliance

“Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.”

The 2025 GRC Innovation Awards are here — and they are anything but ordinary.

The GRC Innovation Awards recognize truly revolutionary advances in the governance, risk management, and compliance (GRC) space. These are not “best in class” awards. They are not for those who simply built a better mousetrap, or who outpaced their competitors on speed, scale, or configurability. These awards are for the bold. For the different. For those who are reshaping the way GRC is experienced, delivered, and understood.

This year, competition was fierce. There were hundreds of submissions. Many submitted multiple nominations, with one vendor submitting eight. But while the volume of nominations was high, only a select few met the stringent criteria that define true innovation.

Only 15 winners made the final cut.


What the GRC Innovation Awards Are — and Are Not

To establish clarity, it’s important to understand what these awards represent — and what they don’t.

  • They are for paradigm shifts, not incremental improvements.
  • They reward creativity and boldness, not simply faster configurations or prettier dashboards.
  • They highlight solutions that are re-architecting the GRC experience, not just competing on speed, features, or price.

These awards are not:

  • For claiming “best feature set” over the competition
  • For boasting faster time-to-value or easier implementation
  • For being more configurable or “agile” (which, ironically, was the most common — and automatically disqualified — claim in this year’s submissions)

Instead, the GRC Innovation Awards celebrate game-changing ideas — solutions that break boundaries, challenge norms, and rethink what’s possible in GRC. Think Apple in its prime: a complete reimagining of form and function. Not just simplicity for its own sake, but simplicity that delivers context, clarity, and connection when and where it’s needed.


The Common Pitfall: Mistaking “Better” for “Innovative”

This year saw a flood of nominations that confused innovation with improvement. Submissions that touted speed, configurability, or competitive advantages — while valuable — were not enough.

Many focused on arguing how they have better features. Those are precisely the sorts of entries that should be saved for the upcoming 2026 GRC Best in Class Awards, which will open for nominations in November 2025. Those awards honor excellence within defined categories.

The Innovation Awards, on the other hand, are about defiance. Defying the expected. Disrupting the routine. Doing GRC differently.


A Process Built on Rigor and Relevance

Nominations for the 2025 awards closed at midnight CDT on January 31st, 2025. From there, the GRC 20/20 evaluation team conducted a rigorous review process throughout February:

  • Every submission was screened for originality, substance, and alignment with the true meaning of innovation.
  • Submissions that failed to differentiate beyond buzzwords were quietly dismissed.
  • Finalists were selected for deeper evaluation.
  • Winners were selected.

The result? A carefully curated list of 15 pioneering solutions that represent the future of GRC.


The 2025 GRC Innovation Award Winners

The following solutions have been selected as winners of the 2025 GRC Innovation Awards, listed alphabetically (follow the links in each for all the great detail) . . .

  • Archer. Archer has been awarded a 2025 GRC Innovation Award in the category of Risk & Resilience Management for its groundbreaking Archer Insight platform, which redefines enterprise risk management through accessible, quantitative decision intelligence.
  • AuditBoard. AuditBoard has been awarded a 2025 GRC Innovation Award in the category of Audit Management, Analytics & Assurance for redefining the audit lifecycle through AI, analytics, and an integrated Connected Risk platform.
  • CoreStream GRC. CoreStream GRC has been awarded a 2025 GRC Innovation Award in the Enterprise Integrated GRC Architecture & Platforms category for its modular, no-code platform that redefines what flexible, scalable, and intuitive GRC architecture can be.
  • Corlytics. Corlytics has been awarded a 2025 GRC Innovation Award in the Compliance & RegTech category for its Regulatory Risk Intelligence Platform—an end-to-end solution that redefines compliance as an orchestrated, strategic function in line with the GRC 7.0 vision of GRC Orchestrate.
  • Coverbase. Coverbase has been awarded a 2025 GRC Innovation Award in the category of Third-Party Risk Management for its groundbreaking Coverbase Copilot solution, a next-generation TPRM platform built on agentic AI.
  • Diligent. Diligent has been awarded a 2025 GRC Innovation Award in the category of Legal GRC Management Solutions for its Board & Leadership Collaboration platform—a purpose-built solution that redefines governance as a dynamic, decision-driven command center.
  • GAN Integrity. GAN Integrity has been awarded a 2025 GRC Innovation Award in the category of Third-Party GRC/Risk Management Solutions for its groundbreaking Integrity Identify™ platform, which reimagines third-party risk management through AI-powered, continuous oversight.
  • iluminr. iluminr has been awarded a 2025 GRC Innovation Award in the category of Risk & Resilience Management Solutions for transforming how organizations build resilience through its groundbreaking Microsimulations.
  • MindBridge. MindBridge has been awarded a 2025 GRC Innovation Award in the category of Finance GRC Management for transforming how financial risk is monitored, understood, and governed through continuous AI-powered oversight.
  • OPTIMAS.AI. OPTIMAS.AI Inc has been awarded a 2025 GRC Innovation Award in the category of Digital Risk & Resilience Management for its groundbreaking solution: Autonomous Control Validation & Monitoring® (ACVM).
  • ReadiNow. ReadiNow has been awarded a 2025 GRC Innovation Award in the category of Enterprise Integrated GRC Architecture & Platforms for pioneering the use of Agentic AI within its no-code platform—ushering in a new era of GRC 7.0: GRC Orchestrate.
  • Signal AI. Signal AI has been named a 2025 GRC Innovation Award winner in the category of Risk & Resilience Management for its pioneering work in transforming external risk intelligence into actionable, strategic foresight.
  • ValidMind. ValidMind has been awarded a 2025 GRC Innovation Award in the category of AI Governance, Risk Management & Compliance (AI GRC) for redefining model risk management in the age of AI and Generative AI.
  • Vault Platform (a Diligent brand). Vault Platform has been awarded a 2025 GRC Innovation Award in the category of Compliance & Ethics Management for transforming outdated hotline models into a modern, mobile-first system of integrity intelligence.
  • Verterim. Verterim has been awarded a 2025 GRC Innovation Award in the category of GRC Management Solutions for its groundbreaking GRC Mapper: a domain-specific AI solution that radically accelerates and improves the accuracy of GRC data mapping across frameworks, policies, controls, risks, contracts, vendors, and more.

Innovation Is Just the Beginning

As the GRC landscape continues to evolve, innovation will remain its North Star. In an increasingly interconnected, digital, and AI-driven world, the need for intuitive, responsive, and intelligent GRC solutions has never been greater. The winners of this year’s Innovation Awards are not just improving GRC — they are reinventing it.

To those who submitted and were not selected: keep thinking differently. Keep pushing boundaries. Innovation is a journey, not a destination.

And to those already planning for what’s next, stay tuned for the 2026 GRC Best in Class Awards, which open for nominations this November. That program honors the solutions that deliver excellence at scale — the “best of the best” across the GRC galaxy.

Until then, let us celebrate the innovators who remind us that simplicity, when done right, is the ultimate sophistication — and that risk, indeed, is our business.


From Gandalf the Grey to White: The Transformation of Cybersecurity into Digital Risk, Resilience, and Trust

“All we have to decide is what to do with the time that is given us.” — Gandalf the Grey, The Fellowship of the Ring

In the epic arc of J.R.R. Tolkien’s The Lord of the Rings, few moments carry as much symbolic weight as the transformation of Gandalf the Grey into Gandalf the White. This metamorphosis is not merely cosmetic; it represents a deep, foundational change in purpose, identity, and power. Gandalf emerges from the depths of darkness not as he was, but as he must be: a new figure forged by necessity, experience, and the enormity of the threat facing Middle-earth. He sheds the old robes of one who advised and managed, and dons the mantle of one who must lead and orchestrate. [Yes, I am a Tolkien nerd; ask me about the paper I wrote on the influence of medieval thought and theology on Tolkien and The Lord of the Rings for my Theology of Middle Earth class]

So too must the role of cybersecurity (IT security, information security) evolve.

For decades, we’ve lived with the equivalent of Gandalf the Grey in the form of the traditional Chief Information Security Officer (CISO): tasked with perimeter defenses, endpoint security, technical controls, policy enforcement, and incident response. This CISO, and the ecosystem of security programs surrounding them, emerged from the ashes of the early Internet era, matured in the age of compliance, and valiantly battled threats with firewalls, antivirus software, SIEMs, and risk registers. But the world has changed. And like Gandalf falling into the abyss with the Balrog, cybersecurity must go through its crucible.

We are now entering the age of Digital Trust. And to get there, cybersecurity must be reborn: not as a stronger version of its past self, but as something entirely broader, delivering deeper value to the business it protects.

The Fellowship is Fractured: Fragmentation in Risk and Security

Organizations today exist in a hyper-connected, always-on digital ecosystem. Third-party relationships are sprawling. Data is decentralized. Business operations rely on digital services, APIs, AI algorithms, cloud infrastructure, and software-defined everything. Threats are no longer the orcs at the gate; they are subtle, shifting shadows: digital supply chain compromise, AI hallucinations, reputational sabotage, ransomware, data poisoning, ethical lapses, algorithmic bias.

Yet many organizations still defend themselves with a strategy rooted in Middle-earth’s past: fortress walls and sentries. Risk is fragmented, siloed across functions. IT security is isolated from business context. Compliance is reduced to checklists. We manage by artifacts rather than insight. Spreadsheets multiply like orcs in Moria. The old ways cannot protect the new realities.

The result? We have CISOs fighting 21st-century Balrogs with 20th-century swords. The time has come for transformation.

The White Wizard Emerges: Rise of the Digital Trust & Resilience Officer

This metamorphosis is already happening.

Across two separate three-week trips through Europe in May and June, and in my conversations last week in New York City, I have seen firsthand a growing shift in mindset. No longer is the conversation simply about “cyber risk” or “IT security.” Organizations are thinking bigger, broader, and deeper. They are embracing digital risk, digital resilience, and above all, the delivery of digital trust as a business imperative.

In my two-part series on the death of the CISO and the rise of the Digital Trust & Resilience Officer, I described this evolution as necessary and inevitable. The role is no longer a gatekeeper or technical defender. It is an orchestrator, a communicator, a strategist. Like Gandalf the White, this leader is no longer confined to the margins of the boardroom. They are central to the mission.

Digital Trust requires:

  • An integrated view of risk that connects cyber threats, operational resilience, regulatory obligations, reputational exposure, and commitments.
  • Real-time situational awareness through the use of digital twins, telemetry, and predictive modeling.
  • AI-enabled orchestration where Agentic AI acts not just as a tool, but as a partner in decision-making.
  • Cross-functional collaboration where digital risk is no longer owned by a siloed function but is a shared narrative across IT, legal, compliance, procurement, operations, and the C-suite, led by a digital risk and resilience officer.

This is not about doing old things better. It is about doing new things, in new ways, for new outcomes.

The Road Goes Ever On: GRC 7.0 and the Journey of Orchestration

At the heart of this transformation is what I call GRC 7.0 – GRC Orchestrate. This is the framework for a new era of Governance, Risk Management, and Compliance that is:

  • Business-integrated. Aligned directly to strategic objectives and operational realities.
  • Cognitive and Agentic. Empowered by AI that not only processes but acts.
  • Dynamic and Foresight-driven. Powered by digital twins that simulate impact, outcomes, and response.
  • Orchestrated. Where disparate risk and control processes harmonize in real time, rather than operate as disconnected solos.

Agentic AI plays the role of Samwise Gamgee in this journey: a loyal, ever-present companion that doesn’t just carry the load but brings insight, perspective, and strength. Digital Twins are our Palantíri: but unlike the corrupted seeing stones of old, these are clear, trusted mirrors into real-time risk and impact. They allow organizations to simulate business disruptions, assess their resilience posture, and rehearse recovery.

GRC 7.0 is not just technology. It is a philosophy and framework. It is the recognition that business, risk, integrity, and technology are inseparable in a digital world.

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

Into the West: The New Role of Risk in Business Strategy

To fully transform, we must leave behind our legacy notions of risk as a limiter. Risk is not a red light. It is a compass. It tells us where to focus, where to invest, and where to act. In this new landscape:

  • Cybersecurity becomes Digital Risk Management.
  • Incident response becomes Resilience Orchestration.
  • Compliance and control become Contextual Integrity Management.
  • Risk assessments become Real-Time, Data-Driven Simulations.

Consider the example of a global financial institution that moved from static risk heatmaps to dynamic modeling using agentic AI and digital twins. They no longer debate what their risk posture was last quarter. They visualize what it will be tomorrow. When ransomware hit a third-party provider, they simulated the cascading impacts within minutes, not days. This is the future.

These are not hypotheticals. These are real Gandalf-the-White transformations happening in the field.

The Steward and the Sword: Leadership in the Age of Digital Trust

Leadership in this new era must embrace a different narrative. We can no longer defend what we don’t understand. And we cannot build trust in what we cannot explain.

Just as Gandalf had to challenge Denethor, the Steward of Gondor, to take rightful leadership in the face of rising darkness, so too must today’s risk leaders challenge outdated hierarchies and silos. It is not enough to watch. It is time to act.

  • Digital Trust is not a project. It is a capability.
  • Digital Resilience is not an add-on. It is a foundation.
  • GRC is not a function. It is a discipline of orchestration.

The Final Word: What Shall We Do with the Time Given Us?

As Gandalf reminds us, we do not choose the age we live in. But we do choose how we meet it. I started my career in the 1990s in information security. Our world today, and information security today, is not the same as it was thirty years ago, nor even five years ago. The transformation from traditional cybersecurity to digital risk and resilience is not optional. It is not theoretical. It is happening. And it demands leadership, courage, and orchestration.

Let us be clear: the CISO is not dead. But they have a new name.

  • They are now the Digital Trust & Resilience Officer.
  • They are no longer Gandalf the Grey.
  • They are Gandalf the White.

And Middle-earth — our digital economy, our connected society, our collective trust — needs them now more than ever.


GRC 7.0 – GRC Orchestrate: Agentic AI and the Autonomous Force Behind Risk, Integrity, and Objectives

Part 3 in the GRC Orchestrate Series

The future of Governance, Risk Management, and Compliance (GRC) is not just digital: it is autonomous, intelligent, and orchestrated. In the first article of this series, we introduced the foundational principles of GRC 7.0 – GRC Orchestrate as a convergence of agile platforms, cognitive intelligence, and business-integrated GRC into a unified, dynamic architecture. In the second installment, we focused on digital twins as the foresight engine of GRC: mirroring the enterprise in real time to simulate futures, assess impact, and guide strategy.

Now, in this third article, we explore the autonomous force behind orchestration itself: Agentic AI. These are the active agents operationalizing GRC. They sense, think, act, and adapt. They do not simply automate tasks; they enable informed decisions based on objectives, risk, performance, and integrity. They are not tools; they are teammates and collaborators, embedded into the GRC fabric of the organization and its systems and processes.

Defining Agentic AI: The Mind of the GRC Orchestrate System

Agentic AI represents a fundamental shift in how artificial intelligence is applied to GRC. Rather than being a passive analytical engine or a rule-execution tool, Agentic AI is characterized by agency; that is, the capacity to observe its environment, make decisions within its assigned objectives and boundaries, and take action autonomously while engaging humans when needed.

Where earlier forms of AI focused on narrow tasks (e.g., classifying documents, detecting anomalies, scoring risks), Agentic AI is oriented toward achieving outcomes. It acts as a digital coworker across GRC functions: risk management, compliance, audit, ESG, IT, resilience, and more. Agentic AI operates with purpose; it is aware of the goals, thresholds, ethical parameters, and operating context of its domain.

Each agent operates in a cycle that mimics intelligent human behavior:

  1. Observe. Constantly gather signals from operational systems, documents, human inputs, regulatory updates, and telemetry.
  2. Analyze. Interpret this information using knowledge graphs, business rules, large language models, and pattern recognition.
  3. Act. Make decisions, trigger alerts, adjust workflows, initiate reviews, or change controls, within its scope of authority.
  4. Escalate. When complexity exceeds the agent’s threshold for action, notify the appropriate human or supervisory system for intervention.

These AI agents are not isolated. They operate within a network of agents, often coordinated through the digital twin to analyze outcomes. This allows for highly contextualized responses, cooperative action, and shared intelligence.

Deep Dive: Agentic AI Applications Across the GRC Landscape

Strategic Risk and Objective-Centric Decision Making

Strategic decisions carry the weight of uncertainty, where the stakes are high and consequences are cascading. Agentic AI becomes a strategic partner to the boardroom by continuously interpreting strategic intent, aligning it with real-time performance data, and modeling the likely outcomes of various decisions.

For example, if an organization is considering an expansion into Southeast Asia, the agent would model geopolitical instability, changing tax policies, ESG-related risks, partner network viability, and supply chain logistics. It evaluates alignment with internal ESG policies, regulatory exposure by country, and dependencies across functions. Then, it simulates market entry under multiple time horizons and economic conditions, identifying strategic risks and actionable mitigations.

This allows executive teams to:

  • Stress test strategic moves across macro and micro conditions
  • Evaluate the cascading risk to objectives and suggest risk-adjusted alternatives
  • Reprioritize based on real-time simulations and dynamic scorecards

Agentic AI does not just inform: it helps govern.

Risk Management and Uncertainty Navigation

In GRC 7.0, risk is not merely something to avoid or mitigate; it is seen as a navigable condition within the journey to achieving objectives. Agentic AI becomes a guide that sees what’s ahead, maps the terrain, and adjusts course dynamically.

As the organization’s internal and external data streams shift — from financial performance to supply chain delays to social unrest — agents synthesize signals and calculate uncertainty against objectives. They then suggest response scenarios such as shifting inventory, delaying expansion, or modifying a service contract.

Consider a scenario in which a political uprising occurs in a key manufacturing region. The agent detects the change through geopolitical monitoring services, assesses third-party dependence, calculates the probable delay and cost impact, and recommends alternate sourcing and risk mitigation timelines, all while aligning with business continuity plans and risk appetite.

Agentic AI transforms static risk frameworks into living, breathing guidance systems.

Digital Risk and Resilience

Digital ecosystems have become foundational to business, but also deeply vulnerable. Digital/cyber risk evolves faster than most organizations can respond, making autonomous response essential.

An agent embedded in a financial institution might detect subtle anomalies in user behavior, such as an unusual pattern of late-night database access from an offshore IP address. It evaluates the threat in context: the criticality of the systems accessed, whether the access aligns with the user’s historical profile, and the level of risk posed by the action. If deemed significant, the agent automatically quarantines the session, notifies IT security, and initiates a review of access logs across related systems.

Simultaneously, within the digital twin, the agent simulates the business impact of a worst-case breach and recommends additional segmentation, control hardening, or escalation to regulators.

This real-time loop closes the window of exposure and builds cyber resilience not only in detection, but in systemic foresight.
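The observe-analyze-act-escalate cycle described earlier, applied to the late-night database access scenario above, as an added example that is not code from the original post or from any GRC vendor. Every log line, user profile, asset tier and score threshold below is constructed for illustration; what matters is the shape of the loop: context scoring against a historical profile and asset criticality, autonomous action within a bounded scope, and escalation to a human beyond it.

```python
"""Added example (not from the original post): a minimal observe-analyze-act-escalate
agent for anomalous database access. All profiles, tiers, thresholds and log lines
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed historical profile per user: usual working hours (UTC) and usual countries.
USER_PROFILES = {
    "jdoe":   {"hours": range(7, 20), "countries": {"US"}},
    "asmith": {"hours": range(0, 24), "countries": {"US", "SG"}},  # follow-the-sun DBA
}

# Constructed asset criticality tiers: 3 = crown jewels, 1 = low value.
ASSET_TIER = {"core-ledger-db": 3, "crm-db": 2, "wiki-db": 1}

# The agent's scope of authority: act autonomously from ACT_THRESHOLD up, and
# hand the case to a human once the score reaches ESCALATE_THRESHOLD.
ACT_THRESHOLD = 50
ESCALATE_THRESHOLD = 80


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    asset: str
    session: str


@dataclass
class Decision:
    session: str
    score: int
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    escalated: bool = False


def observe(log_lines):
    """Observe: parse constructed lines of the form
    '<iso-timestamp> user=<u> src_country=<cc> db=<asset> session=<id>'."""
    events = []
    for line in log_lines:
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts_str), fields["user"],
                            fields["src_country"], fields["db"], fields["session"]))
    return events


def analyze(ev):
    """Analyze: score the event against the user's profile, weighted by asset criticality."""
    profile = USER_PROFILES.get(ev.user)
    tier = ASSET_TIER.get(ev.asset, 2)  # unknown assets default to medium criticality
    score, reasons = 0, []
    if profile is None:
        score += 40
        reasons.append("unknown user")
    else:
        if ev.ts.hour not in profile["hours"]:
            score += 30
            reasons.append(f"outside usual hours ({ev.ts.hour:02d}:00 UTC)")
        if ev.country not in profile["countries"]:
            score += 30
            reasons.append(f"unusual source country {ev.country}")
    return score * tier, reasons  # the same anomaly on a crown-jewel system weighs more


def act_or_escalate(ev, score, reasons):
    """Act within the agent's authority; escalate when the case exceeds it."""
    decision = Decision(ev.session, score, reasons)
    if score < ACT_THRESHOLD:
        return decision  # benign: logged only, no action
    decision.actions = ["quarantine_session", "notify_security", "review_related_access_logs"]
    if score >= ESCALATE_THRESHOLD:
        decision.escalated = True  # beyond the agent's threshold: a human decides next steps
        decision.actions.append("escalate_to_incident_commander")
    return decision


def run_agent(log_lines):
    """One pass of the loop over a batch of observed log lines."""
    return [act_or_escalate(ev, *analyze(ev)) for ev in observe(log_lines)]


SAMPLE_LOG = [  # constructed sample input
    "2025-06-10T09:15:00+00:00 user=jdoe src_country=US db=crm-db session=s1",
    "2025-06-10T02:40:00+00:00 user=jdoe src_country=BR db=core-ledger-db session=s2",
    "2025-06-10T02:45:00+00:00 user=asmith src_country=SG db=core-ledger-db session=s3",
    "2025-06-10T23:10:00+00:00 user=jdoe src_country=US db=crm-db session=s4",
    "2025-06-10T23:12:00+00:00 user=jdoe src_country=US db=wiki-db session=s5",
]

if __name__ == "__main__":
    for d in run_agent(SAMPLE_LOG):
        print(d.session, d.score, d.reasons, d.actions, "ESCALATED" if d.escalated else "")
```

Session s2 (off-hours, offshore, crown-jewel database) is quarantined and escalated; s4 (off-hours only, on a mid-tier system) is acted on autonomously; the rest are merely logged.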

Third-Party Risk and Extended Enterprise Oversight

Managing vendors, contractors, and supply chain partners has grown exponentially more complex. Risk now lives outside the four walls of the enterprise. Agentic AI becomes the connective tissue that binds the organization’s oversight to its extended enterprise.

Let’s say a multinational manufacturer is reliant on a Chinese component supplier. An Agentic AI scans public news sources, Chinese regulatory filings, and ESG data providers. It detects a potential labor rights controversy unfolding at the supplier. The agent cross-checks the supplier’s role in mission-critical product lines, evaluates SLA breach implications, models contractual exit options, and recommends a proactive response plan.

The value of this isn’t just awareness—it’s precision: understanding exactly where the risk enters your operations, what objectives it threatens, and how to act before reputational or operational damage occurs.

Compliance and Regulatory Change

Compliance today is far too reactive. Organizations often scramble to meet regulatory deadlines, adjust policies, and train employees at the last minute. With Agentic AI, the paradigm shifts from reaction to readiness.

Picture an agent responsible for global financial regulation. It continuously monitors publications from hundreds of global regulators, news outlets, and enforcement actions. One morning, it detects that a regional regulator has just released new anti-money laundering guidance expected to influence cross-border data retention.

The agent maps this against current obligations and policies, identifies areas of overlap and conflict, and updates the compliance register. It then triggers workflows to legal, IT, and operations to evaluate controls, training, and documentation. Executives are briefed through an interactive dashboard showing probable enforcement timelines and estimated compliance costs.

Compliance becomes a living system of adaptive integrity, not static adherence.

ESG and Sustainability Governance

Environmental, social, and governance factors are now central to investor relations, customer loyalty, and regulatory expectation. Yet most organizations treat ESG as a disclosure activity. Agentic AI transforms it into a strategic, real-time accountability and stewardship system.

An agent monitors a firm’s sustainability metrics, drawing from ERPs, procurement platforms, emissions sensors, and partner disclosures. When a critical Scope 3 emission anomaly is detected — due to a logistics partner’s operational changes — the agent flags the deviation, models its long-term impact on net-zero commitments, and recommends alternate vendors or offsets.

This not only keeps reporting accurate, it ensures that strategic ESG objectives are operationalized and maintained.

Audit and Assurance

Internal audit must evolve beyond periodic inspection and point-in-time validation. Agentic AI enables a future where assurance is always on.

Imagine a GRC platform where agents continuously monitor control evidence, incident trends, risk exposure, and business change. Instead of waiting for quarterly testing, agents identify fluctuations in control performance as they happen—prompting alerts, initiating self-assessments, or escalating issues to auditors.

When a new system is deployed without proper change controls, the agent immediately recognizes a break in policy coverage, pulls audit history on similar rollouts, and drafts a preliminary assurance note with linked evidence.

The audit team doesn’t start from scratch: they start with context, clarity, and coherence.

The Road to 2030: GRC Agents Evolving Toward Maturity

Today, we are still in the early stages. Agentic AI has entered the market through specific features — risk scoring, regulatory mapping, chatbot interfaces — but the true orchestration of coordinated agent ecosystems is still in formation.

To reach maturity by 2030, organizations must take proactive steps:

  • Normalize taxonomies and metadata across GRC domains
  • Structure policies, risks, controls, and obligations to be machine-readable
  • Implement ethical and operational guardrails for AI behavior
  • Foster a governance culture that treats AI as a participant, not just a processor

The journey ahead isn’t about replacing humans: it’s about designing hybrid systems of intelligence where humans and agents collaborate across risk, integrity, and objectives.

Final Reflections: Agentic AI as the GRC Operating Core

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

Agentic AI is not a bolt-on enhancement. It is the new operational model for GRC. It is the connective fabric between foresight and function—between policy and performance.

It is how GRC transforms from being something you report on into something you interact with.

Agentic AI will redefine how decisions are made, how uncertainty is interpreted, and how organizations hold themselves accountable to a higher standard of resilience, agility, and ethics.

Stay tuned for Part 4 of the GRC Orchestrate Series: The Hitchhiker’s Guide to the GRC Technology Galaxy, where we explore the structural framework and segmentation by which GRC 20/20 has mapped over 600 GRC solutions across domains, from the foundational to the futuristic.

GRC 7.0 is not a destination. It is a system of action. Agentic AI is the force that drives it.

GRC 7.0 – GRC Orchestrate: Digital Twins and the Forward-Looking Power of Risk, Integrity, and Objectives

Part 2 in the GRC Orchestrate Series


In last week’s article, we introduced the concept of GRC 7.0 – GRC Orchestrate, a revolutionary-evolution of Governance, Risk Management, and Compliance. This next-generation approach envisions GRC as a dynamic and intelligent capability—one that continuously aligns business objectives, operational performance, obligations, and uncertainty across the enterprise. We explored how Agentic AI and digital twins transform traditional GRC into a living, learning system.

In this second installment, we dive deeper into one of the most transformative pillars of GRC Orchestrate: the Digital Twin.

GRC Orchestrate Is the Future: But the Journey Is Just Beginning

GRC 7.0 is a forward-looking framework that is beginning to materialize through early use cases and foundational technologies. While some organizations — particularly in Europe — are already piloting orchestration capabilities in strategy, compliance, and risk alignment, widespread adoption across the global market will grow until 2030, when it becomes fully mature. Much of North America, for instance, is behind and still climbing toward GRC 6.0: Business Integrated GRC, focusing on embedding GRC into the business and linking it to strategic performance.

Before GRC can orchestrate, it must first integrate. That means aligning objectives with obligations, risk with decision-making, and policies with operations. But once these foundations are in place, organizations can evolve toward orchestration: where GRC capabilities dynamically interact, learn, adapt, and simulate. At the core of this next step lies the digital twin, which provides the structure, foresight, and simulation power to bring orchestration to life.

Digital Twins in GRC: Seeing Around Corners, Navigating Possibility

In the Marvel Cinematic Universe, Dr. Strange embodies the role of the ultimate Chief Risk Officer. In Avengers: Endgame, he explores over 14 million possible futures, seeking the one path to success. This fictional moment captures what digital twins offer in the real world of GRC: the ability to model complex futures, simulate countless outcomes, and make informed, strategic choices before events unfold.

A digital twin is a virtual, evolving software model that mirrors the enterprise: its structure, operations, risks, controls, policies, obligations, and external dependencies. But it’s not a static mirror; it is context-aware and predictive. It continuously ingests real-time data, refines its assumptions, and runs simulations to project what might happen next.

With GRC 7.0, digital twins become the engine of strategic foresight, allowing organizations not only to track their current GRC posture but to plan for disruptions, regulatory changes, market shifts, and strategic bets. Rather than treating risk and compliance as constraints, digital twins empower organizations to use GRC as a forward-looking capability that unlocks resilience, agility, and opportunity.

Building a GRC Digital Twin: The Eight Structural Pillars

To construct a functional GRC digital twin, organizations must think beyond traditional risk registers and compliance checklists. They must bring together data, logic, and governance layers to form a dynamic representation of the enterprise. Here are the eight structural components and GRC-related use cases with digital twins:

  1. Processes and Business Services. Every digital twin, in a GRC context, begins by mapping how the organization actually operates. Business processes — from procurement to HR, from order-to-cash to incident response — are digitally modeled. These aren’t just static diagrams but dynamic simulations tied to workflows, dependencies, and performance data. When a disruption occurs — a regulatory change, a cyberattack, a supply chain interruption — the twin can simulate cascading impacts across services and geographies, allowing for stress testing and rapid reconfiguration of business logic.
  2. Risks and Controls. Risk is modeled as a living variable tied to objectives. It is not just about capturing threats but about understanding how they evolve and interact. Each control is also represented as a live mechanism, complete with effectiveness ratings, failure scenarios, and response protocols. Together, they form the reasoning core of the twin: simulating what happens when risks escalate, controls degrade, or new threats emerge. Executives can model trade-offs and prioritize mitigation based on real-time risk-adjusted views of performance.
  3. Events, Issues, and Audits. A robust digital twin learns from the past. Historical issue logs, audit findings, and incident reports are not merely archived; they become behavioral patterns. These patterns inform the twin’s predictive capacity: highlighting weak signals before incidents recur, modeling root cause propagation, and identifying systemic control vulnerabilities. Over time, the digital twin becomes a risk historian and a resilience strategist.
  4. Policies and Regulations. Policies are no longer just documents; they are structured data elements that include links to obligations, regulatory jurisdictions, control mappings, and enforcement logic. When new regulations are proposed or passed, the digital twin models the policy impact across the organization: which documents require revision, which functions must attest, which controls must be reoriented. This capability enables anticipatory compliance, getting ahead of regulatory shifts instead of reacting late.
  5. Real-Time Telemetry. The digital twin is fed continuously by telemetry from internal and external systems: cybersecurity alerts, ESG performance sensors, supply chain data, finance systems, and more. This stream of data provides the situational awareness needed to adjust simulations dynamically. When a vendor’s ESG score drops or a new threat pattern is detected, the twin instantly recalibrates exposure and updates its recommendations, closing the gap between sensing and decision-making.
  6. Strategic Planning & Scenario Analysis. Perhaps the most powerful use case for digital twins is strategic scenario simulation. Leaders can explore “what-if” questions in real time: What if we divest a business unit? Enter a new market? Reallocate compliance resources? The twin simulates outcomes across risk, cost, compliance, and performance. It acts as a virtual war room, a sandbox for executive decision-making that reduces uncertainty and enhances agility.
  7. Extended Enterprise. Third parties are modeled not just as data points but as interconnected nodes in the operational fabric. The digital twin captures performance metrics, compliance status, obligations, and exposure for each vendor, partner, or supplier. It enables the simulation of third-party failure or disruption, helping organizations prepare for—and prevent—cascading risk. GRC no longer ends at brick-and-mortar walls and traditional employees; it extends across the value chain.
  8. Regulatory Change Modeling. By combining horizon scanning with large language models and machine-readable regulatory updates, the twin can model the likely impact of future rules. This enables organizations to simulate different legal landscapes, estimate compliance costs, and adjust investment decisions accordingly. The twin transforms compliance from reaction to foresight—from an audit trail to a strategic compass.

From Digital Mirror to Digital Conductor

A mature GRC digital twin doesn’t just reflect reality: it guides it. It evolves from a digital mirror into a digital conductor, orchestrating the flow of data, decisions, and adjustments across governance, risk, and compliance domains.

Imagine asking a natural language interface:

  • “How would ESG reporting requirements in Southeast Asia impact our current vendors?”
  • “What’s the control confidence across our top 10 revenue-generating processes if we cut IT compliance spend by 15%?”
  • “Which regulatory regimes are converging in our product roadmap jurisdictions, and what’s the associated risk delta?”
  • “If China invades Taiwan, how does this impact our supply chain and ability to deliver products/services and maintain operations?”
  • “What are the top resilience issues in our digital supply chain with dependencies on critical services?”

The digital twin answers not with reports, but with simulations, visualizations, and prescriptive actions — each grounded in data, logic, and context. This is the future of GRC: contextualized, autonomous, and orchestrated.

Why It Matters: Building Tomorrow on Today’s Foundation

The effectiveness of a digital twin tomorrow depends entirely on the integrity of the data and governance structures built today. Organizations cannot orchestrate what they cannot understand. Siloed risk functions, unstructured policies, and outdated control frameworks will hinder simulation and automation.

To prepare, organizations must:

  • Define and maintain a shared GRC ontology.
  • Integrate policy, process, risk, and control data.
  • Tag obligations and controls with metadata.
  • Normalize risk assessment and treatment workflows.

These are not just investments in compliance or audit readiness; they are prerequisites for future-readiness.

Conclusion: Orchestrating the Future

Digital twins are not dashboards. They are strategic instruments of foresight. They empower GRC to shift from accountability to adaptability, from control to intelligence. In a world where uncertainty is constant and integrity is non-negotiable, digital twins help organizations chart a path forward: one that is intentional, informed, and integrated.

GRC 7.0 isn’t about the tools we buy; it is about the architectures we build and the intelligence we embed. As we continue this journey, stay tuned for Part 3 in the GRC Orchestrate series: an in-depth look at Agentic AI — the autonomous force behind the orchestration.

GRC 7.0 isn’t a destination. It’s the command framework for the next generation of decision-making.


GRC 7.0 – GRC Orchestrate

Agentic AI, Digital Twins, and the Enterprise-Wide Command Center for GRC: Objectives, Uncertainty, and Integrity


The world of Governance, Risk Management, and Compliance is shifting toward orchestration: a continuous, intelligent alignment of decisions, data, and direction across the entire enterprise. Welcome to GRC 7.0 – GRC Orchestrate: the convergence of agile infrastructure, cognitive intelligence, and business integration into a unified operational model. This is not merely a technological trend. It is the systemic evolution of how organizations pursue objectives, navigate uncertainty, and act with integrity.

Importantly, the concept of GRC Orchestrate has roots not in hype, but in visionary groundwork. Over five years ago, I collaborated with Ian Hollowbread, then Chief Operating Officer for Digital Innovation at ING and Head of ING Labs. Ian coined the term GRC Orchestrate and led pioneering work to build a cohesive model where governance, risk management, and compliance, particularly in a RegTech context, were no longer fragmented, but orchestrated throughout the organization and its operations. Even before today’s AI gold rush, Ian envisioned a future in which regulatory obligations, risk signals, and business decisions flowed seamlessly through a unified digital architecture: an early vision now being realized.

Real-world implementations are bringing this vision to life. I recently saw this vividly illustrated in EY Germany’s One Governance framework, which offers a modular, federated, and objective-aligned governance architecture. Their approach intelligently integrates domains such as performance management, risk, internal control, compliance, resilience, and sustainability through a shared platform model. With its ontological rigor, digital twin enablement, and data-driven design, One Governance is a tangible embodiment of what GRC Orchestrate aspires to deliver: integrated oversight, real-time coordination, and contextual governance across every layer of the enterprise. It uses the power of a performance management system combined with its ability to integrate, automate, and reconfigure itself, like a Hydra that grows a new head when one is cut off!

G: Governance – Setting, Steering, and Achieving Business Objectives

At its core, governance is about defining direction and ensuring the organization stays on course, not just through oversight, but through active alignment with strategic objectives. In the GRC Orchestrate model, governance becomes a continuously monitored and dynamically adjusted capability embedded in software: always-on, adaptive, and linked to business performance.

Boards are no longer waiting for quarterly dashboards. They are engaging with live, intelligent systems that continuously model objectives, track performance indicators, simulate decision paths, and adapt pathways.

Agentic AI empowers this new governance through what one collaborator playfully called “Squids,” for their digital tentacles, which act on behalf of governance functions to monitor objective progress, flag deviations, and recommend corrective actions. For example, in a multinational bank expanding into new markets, governance agents track whether ESG, compliance, and financial objectives are progressing in sync. They identify gaps between corporate intent and local execution, triggering policy refinement, stakeholder engagement, or investment recalibration.

Think of it like high-frequency strategic governance: where agents don’t just report but act, simulate, and refine. In a multinational bank, for example, these agents assess ESG, financial, and compliance progress in real-time, recommending actions when strategic objectives drift from execution.

At the heart of this system are Digital Governance Twins: virtual models of an organization’s governance architecture, including policies, committees, mandates, legal entities, and lines of accountability. These twins support scenario modeling, such as evaluating what happens to governance coverage if the organization restructures or divests a business unit. The governance layer is also federated: global objectives and governance mandates cascade into local adaptations while maintaining traceability.

GRC Orchestrate Contexts for Governance:

  • Governance is the process of setting, steering, and achieving enterprise objectives.
  • GRC Orchestrate transforms governance from static oversight into a dynamic, agent-supported capability.
  • Digital Governance Twins model real-world governance structures, enabling simulation and proactive steering.
  • Agentic systems track performance across objectives and trigger governance interventions when necessary.
  • Federated policy governance enables global alignment with local adaptability, reducing policy drift.

R: Risk – Navigating the Uncertainty That Affects Objectives

Risk is not about what might go wrong in the abstract. Risk is the effect of uncertainty — both threats and opportunities — on the achievement of objectives. This framing is critical: GRC 7.0 does not see risk merely as negative events to avoid but as dynamic uncertainty to model, simulate, and leverage.

In GRC 7.0, risk management becomes a live, interconnected, and agent-driven process that is deeply tied to business performance. Risk is evaluated in the context of what the organization is trying to achieve, and continuously assessed as new data, decisions, and disruptions emerge.

GRC Orchestrate leverages Agentic AI to monitor internal operations, external environments, and cross-functional dependencies. These agents scan for leading risk indicators, regulatory shifts, market disruptions, and operational anomalies. They perform real-time analysis, conduct simulations, and propose mitigations tailored to specific objectives. This marks a shift from reactive risk registers to objective-centric risk modeling.

With GRC Orchestrate, Agentic AI continuously scans signals across the enterprise: operations, suppliers, regulations, markets. These agents detect patterns, simulate outcomes, and adapt risk responses in real time, enabling the organization to “see around corners.” This is a clear break from passive risk registers.

We are entering the realm of risk management in strategic decision-making and objective-centric risk modeling: where risk data is embedded into decision architectures and dynamically optimized. These are elements that have been in the scope of the definition of GRC going back to the first version of the OCEG GRC Capability Model in 2003, but technology for GRC has not fully delivered on them in the past.

GRC Orchestrate Contexts for Risk Management:

  • Risk is defined as the uncertainty that can affect the achievement of objectives.
  • GRC Orchestrate uses agentic AI to proactively monitor risk across internal and external dimensions.
  • Objective-centric modeling ties every risk to a strategic, operational, or tactical goal.
  • Digital Risk Twins simulate risk impact and support resilience testing across business units.
  • Risk becomes a value enabler—integrated into capital planning, innovation, and performance steering.

C: Compliance – Acting with Integrity Across Obligations and Expectations

Compliance in GRC 7.0 is not about box-checking or regulatory fire drills. It is about ensuring the organization acts with integrity, upholding internal values and honoring external obligations. GRC Orchestrate redefines compliance as an embedded and predictive assurance function. It continuously aligns internal policies, training, controls, and records with an ever-evolving regulatory landscape.

Agentic compliance systems monitor changes to laws, standards, and stakeholder expectations. When a new law (e.g., the EU AI Act or the Corporate Sustainability Due Diligence Directive) is passed, agents immediately map the new obligations to affected policies, systems, third-party contracts, and roles within the organization. Gaps are flagged, controls are updated, and relevant personnel are notified—with all actions logged for audit and regulatory review.

Yes, compliance agents still interpret laws, monitor obligations, and ensure documentation. But that’s AI Stage 1. In Stage 2 and beyond, compliance becomes predictive, adaptive, and strategic. For instance, an agent could ingest global news about lithium battery incidents, anticipate future regulatory shifts across markets, and recommend adjustments to supply chains before any laws are passed.

Compliance assurance is no longer episodic. It is continuous. Evidence of control effectiveness is gathered in real time through automated monitoring. Compliance AI agents also validate attestations, execute testing protocols, and maintain audit-ready documentation. Integrity is not a campaign: it is operationalized through orchestrated workflows and embedded intelligence.

Take this further: imagine a system where a service contract is ingested, its SLA obligations extracted, metrics connected, workflows created, and actions (like payment blocking) triggered automatically upon breach. No human configuration. The system generates live code based on context. This is not science fiction, it is self-evolving GRC.

This is compliance-as-strategy. We move beyond alerts and attestations toward systems that guide long-term strategic choices, from divestment to product redesign, based on evolving legal and ethical landscapes.

GRC Orchestrate Contexts for Compliance:

  • Compliance is about acting with integrity—honoring legal, ethical, and stakeholder commitments.
  • Compliance agents continuously interpret new regulations and align internal systems accordingly.
  • Obligations are mapped to controls, policies, and evidence in real time, enabling continuous assurance.
  • Digital compliance twins model the integrity of the organization’s control environment.
  • Predictive compliance reduces regulatory exposure, audit fatigue, and ethical blind spots.

Infrastructure: Ontologies, Twins, and Intelligent Systems

Behind GRC Orchestrate is a robust semantic and operational foundation. It begins with a shared GRC Ontology: a machine-readable structure that defines how governance, risk, and compliance concepts are related. Obligations, risks, controls, policies, processes, entities, and data are not isolated elements; they are interconnected nodes in a contextual map.

This ontology powers Digital Twins of the enterprise: governance twins, risk twins, and compliance twins. These twins are updated in real time and support intelligent simulations, performance forecasting, and assurance scenario modeling. For example, a risk twin might simulate what happens to supply chain resilience if a key vendor fails due to sanctions or ESG violations.

Agentic systems operate within these twins. Each agent follows a defined observe-analyze-act-escalate loop: autonomously processing input, recommending actions, executing tasks within thresholds, and escalating when necessary. All actions are governed by internal rules, ethics frameworks, and audit traceability.

GRC Orchestrate Contexts for Infrastructure & GRC:

  • A shared GRC ontology creates semantic consistency across governance, risk, and compliance data.
  • Digital twins simulate the current and future state of enterprise GRC capability.
  • Agentic AI workflows bring autonomy to risk sensing, compliance testing, and governance monitoring.
  • All orchestration is bounded by internal ethics, audit trails, and access controls.
  • This infrastructure transforms GRC from function to fabric—a dynamic layer embedded in business execution.

Final Reflection: Orchestrating Integrity, Intelligence, and Impact

The evolution to GRC 7.0 is more than just another phase; it is a structural transformation. The idea that Ian Hollowbread initiated in ING Labs — a single orchestrated platform for governance, risk management, and compliance — is now fully realizable through today’s technologies. And we are already seeing signs of this vision coming to life in real-world implementations. EY Germany’s One Governance framework is an exemplary case. It integrates ISO 31000, COSO, and other global standards into a federated, modular framework with digital twin support, policy lifecycle orchestration, and intelligent GRC services spanning internal control, ESG, resilience, and responsible AI. One Governance is not just a methodology—it is GRC orchestration in action.

This convergence of agentic AI, digital twins, and GRC ontologies is giving rise to systems that learn, adapt, and grow: like living organisms. We are nearing a time when GRC systems behave like a hydra: reconfiguring, regenerating, and redirecting themselves based on context.

This enables GRC where:

  • Governance is about setting and achieving business objectives.
  • Risk is the uncertainty that affects those objectives.
  • Compliance is acting with integrity in pursuit of them.

GRC Orchestrate is the operational system that makes this alignment tangible, real-time, and scalable. It bridges the strategic with the operational, the intentional with the intelligent, and the ethical with the executable.

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we will expand further on this theme—particularly how digital twins and ontological data models are transforming not just how we manage GRC, but how we design resilient, adaptive organizations.

GRC Orchestrate isn’t just the future. It’s what the bold are building now.

Risk Everywhere: Why Geopolitical Risk Demands a New Era of Risk Intelligence

We live in an age where risk is no longer an abstract concept relegated to risk registers and quarterly reviews. It is front-page news. It is embedded in our daily operations. It is defining corporate strategy and destabilizing it in equal measure. And nowhere is this more apparent than in the proliferation and intensification of geopolitical risk.

In June alone, across my engagements in Denmark, the UK, and beyond — from financial services to international logistics, from UN agencies to infrastructure providers — geopolitical risk has emerged as the dominant concern. It shapes every conversation, touches every operational dependency, and forces organizations to rethink not just their risk postures but their very business models.

Yet, amid this rising tide of uncertainty, most organizations are not equipped to manage risk as it truly exists: dynamic, interconnected, and globally impactful. Worse, many still approach risk management through outdated lenses: overly focused on compliance, reactive rather than proactive, and siloed from strategy and performance.

To confront this challenge, we must rethink what we mean by “risk management” in Governance, Risk Management, and Compliance (GRC). This is a call to action: to modernize our understanding of the “R” in GRC, to embrace external risk intelligence, and to build agile, objective-centric, and forward-looking risk programs that can navigate today’s complex geopolitical terrain.


The “R” in GRC: A Tiered Approach to Risk Management

Over the years, I have articulated a three-level model for understanding and operationalizing risk in the context of GRC. These levels provide a lens through which to evaluate both capabilities and technology solutions—and expose the widening gap between operational routines and strategic foresight.

1. Operational Risk & Resilience (Bottom Layer)

This is where most organizations concentrate their risk efforts. It’s the realm of internal controls, KRIs, incident tracking, risk registers, RCSAs, and risk matrices. It’s often compliance-driven, deeply procedural, and largely focused on the past and present: what went wrong or could go wrong, and how to prevent recurrence.

This level is insufficient. It’s the reactive muscle of risk management, not the proactive one. It’s also where most GRC solutions play, digitizing workflows and supporting regulatory alignment. However, it fails to provide insight into future uncertainty or to connect risk to organizational objectives.

These are often necessary activities, particularly to satisfy compliance requirements. But they tell us little about what’s coming next.

2. Objective-Centric Risk & Resilience (Middle Layer)

This is the level where risk management becomes proactive, integrated, and performance-aligned. Risk is not managed in a vacuum but is directly linked to the organization’s ability to achieve objectives: whether operational, financial, or strategic. It requires engagement with front-line operations and cross-functional collaboration. Risks are evaluated in terms of their potential to impact the achievement of objectives. Performance and resilience become two sides of the same coin.

This level of risk management starts to factor in context: economic conditions, regulatory trends, and industry movements. As ISO 31000 states, risk is the effect of uncertainty on objectives. But to fully realize its value, this level must be underpinned by external risk intelligence. Above it, at the apex, lies strategic foresight: the ability to scan the horizon, anticipate disruption, and reallocate resources accordingly so that the organization can reliably achieve (or exceed) its objectives. Strategic foresight involves scenario modeling, war-gaming, and geopolitical forecasting.

3. Strategic Risk & Resilience (Top Layer)

This level of risk management is forward-looking, deeply integrated with the Board and C-suite, and all levels of management. It is critical to sustaining competitive advantage in an era of turbulence. This is the realm of risk-informed decision making.

It’s not just about protecting strategy: it is about shaping strategy through risk-informed intelligence. It’s where risk becomes a strategic asset.

Examples:

  • A multinational consumer brand evaluating reshoring manufacturing from East Asia due to rising geopolitical tensions and export controls.
  • A financial institution modeling different regional regulatory futures to decide where to expand its crypto asset services.
  • An infrastructure company using digital twins to simulate the impact of political instability on supply chains across the Middle East and Africa.

Yet, despite its criticality, this level is the least addressed by traditional GRC technology. Most platforms are built for workflows and compliance — not strategy, objectives, and foresight.


The Geopolitical Imperative: Why This Matters Now

The global landscape is more volatile than at any point in recent memory. Consider the following:

  • Russia’s war in Ukraine has upended energy markets, global grain supply, and security alliances.
  • China-U.S. tensions impact everything from semiconductor supply chains to regulatory compliance in digital services.
  • Sanctions regimes are expanding and shifting rapidly—requiring constant monitoring of evolving blacklists and economic restrictions.
  • EU regulations are reshaping resilience, supply chain, and digital governance.
  • Middle East instability, rising authoritarian nationalism, and emerging conflicts in Africa and Southeast Asia add to the unpredictability.

The result: business strategy and the achievement of objectives are inseparable from geopolitical context.

In June alone, I had multiple conversations where geopolitical risk was the top concern:

  • An international agency trying to unify project, portfolio, and enterprise risk in fragile regions.
  • A CISO going to RFP to support digital trust, citing nation-state cyber threats and regulatory risk exposure.
  • A global shipping company that has catalogued its risks, aligned them to operational and strategic objectives through collaborative assurance models, and is looking to further enhance strategic risk and resilience to support decision making.

In each of these cases, the ability to anticipate, understand, and respond to external developments is what separates resilient organizations from reactive ones.


The Missing Ingredient: External Risk Intelligence

This brings us to the heart of the problem. Traditional risk management is inward-facing. It documents internal failures, assigns ownership, and produces metrics. But in a world shaped by external uncertainty, this is not enough.

What’s needed is a robust capability for external risk intelligence, combining two key functions:

1. Horizon Scanning

The ability to identify emerging risks, weak signals, and trend developments before they materialize into crises. This includes:

  • Monitoring geopolitical flashpoints.
  • Tracking emerging regulatory regimes across jurisdictions.
  • Anticipating supply chain disruptions from climate, conflict, or trade policy.
  • Identifying reputational risks in social and media landscapes.

2. Situational Awareness

The real-time ability to understand what is happening now: across vendors, geographies, and regulatory regimes. This supports:

  • Crisis response planning.
  • Incident impact assessments.
  • Operational pivoting (e.g., re-routing shipments, adjusting pricing, halting expansion).

Few solutions do this well. Most focus on internal processes, not external monitoring. But I’ve seen several promising approaches. These solutions are beginning to bridge the gap between external reality and internal response.


Toward a Risk Intelligence-Enabled GRC Strategy

The way forward is clear. Organizations must evolve their GRC capabilities to incorporate external context and align risk practices with business performance and resilience. This requires:

  1. Embedding Risk into Strategic Planning
    Risk officers should sit alongside strategy teams. Risk appetite, defined not generically but in the context of each objective and decision, should shape capital allocation, M&A, market entry, and innovation.
  2. Moving Beyond Compliance-Driven Risk Management
    Regulatory compliance is the floor, not the ceiling. True GRC success is about enabling agility, resilience, and performance under uncertainty. This has been the very definition of GRC since 2003: the capability to achieve objectives, address uncertainty, and act with integrity.
  3. Investing in External Risk Intelligence Solutions
    These should plug into your GRC and operational data environment, contextualizing decisions in real-world conditions.
  4. Reimagining Risk Technology
    Demand more from your platforms. Workflow automation is not enough. Seek out tools that integrate strategy, objectives, and external intelligence. I would also highly encourage the use of digital twins.
  5. Building a Culture of Anticipation
    Train your teams not just to manage what went wrong, but to ask what could go wrong, and what could go right if we seize the opportunity embedded in risk.

Final Thoughts: Risk is Not the Enemy, It Is the Lens

Geopolitical risk is not going away. It is the air we breathe in global business. The challenge is not to eliminate risk but to navigate it intelligently. That requires a new mindset, one that views risk not just as a hazard to avoid but as a lens through which to understand the world, evaluate opportunity, and drive resilient performance.

Let’s stop managing risk as a checklist and start managing it as a strategic capability. It’s time to make the “R” in GRC stand for more than reporting. Let it stand for Resilience, Realism, and Readiness in a world that demands nothing less.

Role of AI and Automation in Compliance and Internal Control Management

The regulatory landscape is moving at a breakneck pace, and it’s tough to keep up. Organizations everywhere are grappling with a flood of new regulations, amendments to existing laws, and enforcement actions that are putting immense pressure on compliance teams. This is especially true for industries like financial services, where regulatory scrutiny is intense and constantly shifting. But this isn’t just a challenge for financial services, it’s a reality for organizations across all sectors, each facing a maze of complex and often overlapping compliance requirements.

In an environment where accuracy and timeliness are of the utmost importance, staying on top of the ever-changing rules is a Herculean task. But there’s good news, AI and automation are here to help. To stay competitive and compliant, organizations must adopt smarter, more efficient solutions that streamline compliance and strengthen internal controls.

Automation also . . .

[The rest of this blog can be read on the Pathlock blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

The “R” in GRC: What Risk Management Software Should Really Deliver


In the context of Governance, Risk Management, and Compliance (GRC), the “R” – risk management – has often been the most misunderstood, misapplied, and technologically abused component. For all the buzz surrounding risk quantification, operational resilience, and integrated risk frameworks, many so-called “risk management” modules and solutions remain little more than glorified workflow tools — digital filing cabinets that turn risk into a bureaucratic exercise, rather than a driver of strategic value. As GRC has matured over the past two decades, its true purpose has become clear, as set out in the OCEG GRC Capability Model back in 2003: GRC is about the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance). Yet, too many implementations fail to grasp or enable the true purpose of risk management in the GRC context as defined for over 20 years.

Instead of helping organizations understand the uncertainty that impacts their success, many GRC solutions promote risk as static lists, clunky assessment forms, and color-coded heatmaps. These serve compliance goals — especially in contexts like SOX — but they do little to nothing to support strategic decision-making. The result is often a dangerous illusion: the false belief that risk has been “managed” simply because it has been documented. Terry Goodkind’s “Wizard’s First Rule” eerily captures the spirit of this deception — people will believe what they are motivated to believe, even when it isn’t true. In risk management, we have deceived ourselves into thinking that checklists and red-yellow-green matrices provide insight. In reality, they often obscure more than they reveal.

To be blunt: most risk management solutions/modules on the market today are not only weak but counterproductive. They reinforce a ritualized, low-value version of risk management that serves neither governance nor resilience. Worse, they lull organizations into a false sense of security.

The Fallacy of Workflow-Centric Risk Management

Risk management is NOT a workflow engine, and it is NOT a ticketing system. While tasks, forms, and assessments are part of the process, they are not its essence. Treating risk management as a set of tickets to be opened and closed misses the point entirely. Good risk management technology must do more than facilitate process: it must enable insight, modeling, foresight, and business alignment.

Most risk management modules I encounter are designed to support compliance, not strategy. They excel at routing forms, assigning accountability, and storing evidence, but they rarely offer:

  • Strategic scenario modeling
  • Objective-centric analysis
  • Meaningful quantification beyond superficial “likelihood × impact” matrices
  • Tools for understanding the ripple effects of interconnected risks

In short, they miss the core: risk management as a decision-support discipline.

What Good Risk Management Technology Should Deliver

To move beyond mediocrity, risk management technology must embrace and enable a more strategic, analytical, and dynamic approach. The following are the essential pillars of a modern, mature risk solution:

1. Strategy Management: Risk in Decision-Making

True risk management starts upstream, in the strategic decision-making process. It is not a back-office activity but a front-line enabler of choice and direction. Risk exists where decisions are made. This is the RM2 philosophy espoused by Alex Sidorenko: risk management should live in decisions, not documentation.

Good risk solutions should allow organizations to:

  • Embed risk evaluation directly in strategic initiatives, investment decisions, and transformation programs
  • Tie risk identification to business cases, investment committees, and planning cycles
  • Assess the potential downside and upside of decision alternatives, not just static threats
  • Use tools like scenario decomposition, sensitivity analysis, or exceedance curves to inform decision outcomes

2. Objective-Centric Risk Management: Aligning Risk with What Matters

ISO 31000 defines risk as “the effect of uncertainty on objectives.” This is not just semantics; it is a blueprint for action. Risk is not a list of bad things that might happen; it is the uncertainty that affects our ability to perform, to achieve, to grow.

This is the school of thought championed by Tim Leech: risk must be managed in the context of objectives.

Strong risk management software will enable:

  • Objectives to be defined and tiered across the organization (e.g., strategic, operational, compliance, ESG)
  • Risks to be linked to specific objectives at various layers: enterprise, division, department, process, project, asset, or third party
  • Performance metrics to be tracked alongside risks, revealing the true business impact
  • Dynamic dashboards that show where uncertainty threatens key outcomes

Without this connection to objectives, risk becomes compliance. With it, risk becomes actionable and of value.

3. Risk Quantification: Beyond Heatmaps and Into Distributions

Heatmaps are not only imprecise, they are often misleading. As Graeme Keith of Stochastic ApS and others have argued, they create a false sense of comparison where high-scoring “green” risks may pose more aggregate exposure than “red” ones. Static matrices lack the dimensionality required to inform strategic resource allocation.

What is needed instead is intelligent quantification, such as:

  • Use of distributions, not single-point estimates, to reflect uncertainty ranges
  • Scenario-based models that evaluate different pathways and their outcomes
  • Risk aggregation techniques that avoid false mathematical precision but enable executive-level oversight

Still, Monte Carlo simulation is often misunderstood and misapplied. The real value lies not in complex models for their own sake, but in understanding the landscape of possible outcomes and the assumptions behind them. What Graeme has worked on is brilliant in making risk quantification practical and meaningful.
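To make the contrast between a heatmap score and a distribution-based view concrete, here is an added Python example written for this page; it is not code from the author or from any vendor named here. It uses a constructed portfolio: one “red” risk with a high annual probability and a bounded impact, and eight “green” risks that each score low on a likelihood × impact grid because their most-likely loss is small, but whose impact distribution has a long tail. The bucket edges, colour thresholds, risk names and loss figures are all assumptions chosen for the illustration; each risk’s impact is modelled as a triangular (min, most likely, max) distribution, and each risk is allowed at most one event per year.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple


# Constructed example data (not from the page): losses are in USD millions.
@dataclass(frozen=True)
class Risk:
    name: str
    p_annual: float                      # assumed probability of one event per year
    impact: Tuple[float, float, float]   # (min, most likely, max) loss, triangular


# Assumed heatmap bucket edges: a value below edge i falls in bucket i (1..5).
LIKELIHOOD_EDGES = (0.10, 0.25, 0.50, 0.75)   # annual probability
IMPACT_EDGES = (0.25, 0.75, 2.0, 5.0)          # most-likely loss, USD millions

RED = Risk("data-centre outage", 0.80, (0.5, 1.0, 2.0))
GREENS = [Risk(f"low-probability supplier failure {i}", 0.05, (0.1, 0.5, 8.0))
          for i in range(1, 9)]


def bucket(value: float, edges: Tuple[float, ...]) -> int:
    """Map a value to a 1..len(edges)+1 bucket using upper-bound edges."""
    for i, edge in enumerate(edges, start=1):
        if value < edge:
            return i
    return len(edges) + 1


def heatmap(risk: Risk) -> Tuple[int, str]:
    """Classic likelihood x impact score; the impact bucket only looks at the mode."""
    score = bucket(risk.p_annual, LIKELIHOOD_EDGES) * bucket(risk.impact[1], IMPACT_EDGES)
    colour = "red" if score >= 15 else "yellow" if score >= 8 else "green"
    return score, colour


def expected_loss(risk: Risk) -> float:
    """Closed-form expected annual loss: p * mean of the triangular distribution."""
    lo, mode, hi = risk.impact
    return risk.p_annual * (lo + mode + hi) / 3.0


def simulate(risks: List[Risk], trials: int = 20000, seed: int = 7) -> Tuple[float, float]:
    """Monte Carlo over whole years; returns (mean annual loss, 95th percentile)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.p_annual:              # does the event occur this year?
                lo, mode, hi = r.impact
                total += rng.triangular(lo, hi, mode)  # note the (low, high, mode) order
        losses.append(total)
    losses.sort()
    p95 = losses[min(trials - 1, int(0.95 * trials))]
    return sum(losses) / trials, p95


def compare() -> dict:
    """Side-by-side view of the heatmap and the distribution-based picture."""
    red_mean, red_p95 = simulate([RED])
    green_mean, green_p95 = simulate(GREENS)
    return {
        "red_heatmap": heatmap(RED),
        "green_heatmap": heatmap(GREENS[0]),
        "red_expected": round(expected_loss(RED), 3),
        "green_expected_total": round(sum(expected_loss(g) for g in GREENS), 3),
        "red_sim": (round(red_mean, 3), round(red_p95, 3)),
        "green_sim": (round(green_mean, 3), round(green_p95, 3)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value}")
```

The heatmap ranks the single red risk (score 15) far above any green one (score 2), yet the expected annual loss of the green portfolio, both in closed form and in the simulation, exceeds that of the red risk, and the 95th percentile shows how much of the green exposure sits in the tail that a grid built on the most-likely value never sees. That is the aggregation effect the paragraph above describes, and it is why a distribution, not a cell colour, is the unit of comparison.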

4. Risk Visualization: Engaging the Right Brain

We often over-rely on spreadsheets and reports that appeal to logic but not intuition. Effective risk management also requires visualization techniques that engage the right brain and facilitate understanding across the business.

Bow-tie analysis (my favorite), for example, offers:

  • A clear structure showing cause, control, and consequence
  • Visualization of control effectiveness and gaps
  • The ability to simulate mitigation effectiveness in real-time

Such tools transform risk from a compliance burden into a business conversation.

5. Scenario Modeling & Digital Twins: The Future of Risk

One of the most powerful developments in risk management today is the rise of digital twins: virtual representations of business functions, supply chains, projects, or even entire enterprises. These allow organizations to simulate disruptions and evaluate the effects of risk on objectives in a dynamic, systems-based context.

Good solutions will support:

  • Creation of digital models for supply chains, operational processes, or enterprise-level systems
  • Simulation of risk events (e.g., supplier failure, cyber attack, regulation change) and their downstream impacts
  • Testing of alternative mitigation strategies in real time
  • Insights into resilience thresholds and recovery strategies

This is where risk management moves from theory to action, and where executives can explore, not just analyze. It gives us the power of Dr. Strange from the Marvel Universe in Avengers: Endgame to explore all the possibilities and identify the future where we win.

6. Connectivity, Clustering, and Contagion Analysis

Risks are rarely isolated. They are connected through relationships, processes, and interdependencies. Graph theory and network analysis now allow us to understand risk contagion—how one failure can cascade into others.

Advanced risk tools are beginning to offer:

  • Network maps showing how risks relate across objectives, systems, and third parties
  • Clustering analysis to identify concentrated risk areas
  • Early warning of emerging threats based on interconnected indicators

These techniques offer richer, more dynamic insights than any risk register ever could.
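The contagion idea above can be shown with a small independent-cascade model over a dependency graph. The Python block below is an added example written for this page, not the author’s or any vendor’s code; the node names (a cloud provider, an identity provider, a payments API, and so on), the conditional failure probabilities on the edges, and the link to a “revenue-objective” node are all constructed for the illustration. Each edge weight is the assumed probability that the downstream node fails given that the upstream one has. blast_radius gives the deterministic worst-case reach of a trigger, cascade_probabilities estimates how likely each node is to be dragged down by that trigger, and systemic_ranking orders triggers by the expected size of the cascade they start, which is the “concentrated risk area” view a register cannot give.

```python
import random
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed dependency graph (not from the page). Each edge (u, v, p) means:
# if u fails, v fails with assumed conditional probability p. Node names are hypothetical.
EDGES: List[Tuple[str, str, float]] = [
    ("cloud-provider", "payments-api", 0.9),
    ("cloud-provider", "identity-provider", 0.8),
    ("identity-provider", "payments-api", 0.6),
    ("identity-provider", "customer-portal", 0.7),
    ("payments-api", "customer-portal", 0.5),
    ("payments-api", "revenue-objective", 0.9),
    ("customer-portal", "revenue-objective", 0.4),
    ("logistics-vendor", "order-fulfilment", 0.8),
    ("order-fulfilment", "revenue-objective", 0.6),
]

Graph = Dict[str, List[Tuple[str, float]]]


def build_graph(edges=EDGES) -> Graph:
    """Adjacency list; every node appears as a key even if it has no outgoing edges."""
    graph: Graph = {}
    for u, v, p in edges:
        graph.setdefault(u, []).append((v, p))
        graph.setdefault(v, [])
    return graph


def blast_radius(graph: Graph, start: str) -> Set[str]:
    """Deterministic worst case: every node reachable from the trigger."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v, _ in graph[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    seen.discard(start)
    return seen


def cascade_probabilities(graph: Graph, start: str, trials: int = 20000,
                          seed: int = 11) -> Dict[str, float]:
    """Independent-cascade Monte Carlo: each newly failed node gets one chance
    to knock over each still-healthy neighbour, with the edge's probability."""
    rng = random.Random(seed)
    counts = {n: 0 for n in graph}
    for _ in range(trials):
        failed, queue = {start}, deque([start])
        while queue:
            u = queue.popleft()
            for v, p in graph[u]:
                if v not in failed and rng.random() < p:
                    failed.add(v)
                    queue.append(v)
        for n in failed:
            counts[n] += 1
    return {n: c / trials for n, c in counts.items()}


def systemic_ranking(graph: Graph, trials: int = 5000) -> List[Tuple[str, float]]:
    """Rank triggers by the expected number of other nodes they drag down."""
    ranking = []
    for n in graph:
        probs = cascade_probabilities(graph, n, trials=trials)
        ranking.append((n, round(sum(p for m, p in probs.items() if m != n), 3)))
    ranking.sort(key=lambda item: item[1], reverse=True)
    return ranking


if __name__ == "__main__":
    g = build_graph()
    print("worst-case reach of cloud-provider:", sorted(blast_radius(g, "cloud-provider")))
    for node, p in cascade_probabilities(g, "cloud-provider").items():
        print(f"P({node} fails | cloud-provider fails) = {p:.3f}")
    print("systemic ranking:", systemic_ranking(g))
```

Two things fall out of the model that a flat list would hide. First, the payments API fails with probability about 0.948 when the cloud provider does, higher than its direct 0.9 edge, because a second path runs through the identity provider; that is the cascade effect. Second, the ranking puts the cloud provider well ahead of every other trigger even though it is never “linked” to the revenue objective directly, which is the kind of early-warning signal the paragraph above calls for.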

7. External Risk Intelligence: Horizon Scanning & Real-Time Context

No business operates in a vacuum. Organizations are exposed to a wide array of external risks — geopolitical instability, economic shifts, environmental volatility, social unrest, and regulatory changes — that can rapidly derail strategies and objectives. Effective risk management must continuously monitor the external environment to maintain alignment between internal decisions and external realities.

This is where external risk intelligence feeds become essential. They provide both horizon scanning (what’s emerging) and situational awareness (what’s happening now), giving organizations the foresight and agility to respond before risks become disruptions.

Advanced GRC solutions should support:

  • Integration of external data sources such as geopolitical risk indices, ESG events, sanctions lists, regulatory updates, climate risk data, and news analytics
  • Signal detection that highlights changes in risk posture based on unfolding events or trend shifts
  • Role-based relevance filtering to ensure risk intelligence is not just delivered, but delivered to the right people with the right context
  • Dynamic linkage of external threats to internal objectives, strategies, and controls, enabling proactive adjustments

Risk intelligence is the nervous system of a modern GRC strategy — sensing, analyzing, and informing decisions in real time. Without it, internal risk models become outdated before they’re even finalized.


Final Thoughts: From Checklists to Capabilities

The current state of risk management software is, in many cases, a symptom of a deeper malaise. When risk is reduced to compliance, forms, and heatmaps, we miss the entire point. We create the appearance of rigor without the substance of insight. We perform risk management rituals without enabling real decision support.

There are bright spots in the market—solutions and philosophies that emphasize integration with strategy, objective-centric thinking, intelligent quantification, and modeling. I particularly appreciate the work of professionals I respect (listed above) in pushing quantification boundaries and organizations like Iluminr in making scenario gaming approachable and relevant.

But the industry must evolve.


Call to Action

If your current risk management platform cannot:

  • Support decision-centric risk modeling,
  • Connect risks to layered objectives,
  • Quantify risk using meaningful distributions or simulations,
  • Visualize risks in a way that speaks to executives and front-line staff alike,
  • Or simulate scenarios and digital twins to prepare for the unexpected…

…then it is not a risk management solution. It is a documentation tool.

Now is the time for organizations to demand more from their GRC vendors and elevate risk management from compliance exercise to strategic capability. Because in an increasingly volatile world, understanding risk is no longer optional—it is existential.

Let’s stop managing risk in forms and start managing risk in context.

And do not forget to follow my Risk Is Our Business podcast . . .


The Truth About Industry Analysts: Fiction, Perception, and the Crisis of Credibility in Analyst Research

In a world oversaturated with rankings, quadrants, waves, grids, and so-called “expert” opinions, the role of the industry analyst has never been more critical — or more misunderstood. It should be a role grounded in investigation and informed judgment. Yet, in many ways, the profession has been hijacked by commercial interests, lazy methodologies, and echo chambers of perception masquerading as truth.

We often define an analyst as someone who studies something in detail to understand it and predict outcomes. But in practice today, this term has blurred, muddied by agendas, absence of direct experience, and a growing detachment from the realities of the marketplace.

A World of Untruth in the Pursuit of Truth

While watching Bono’s Stories of Surrender, one line struck a deep chord:

“Something you should know about performers, in pursuit of truth we are capable of more untruth than most.”

That line doesn’t just apply to artists. It is a piercing observation of many industry analysts. In the pursuit of crafting a compelling market narrative, some are willing to bend facts or gloss over contradictions to construct a neatly packaged report — one that often says more about market perception than market reality.

I have been rereading Wizard’s First Rule . . . in this book, Terry Goodkind’s wizard Zedd pronounces:

“Reality isn’t relevant. Perception is everything.”

This is the core tension at the heart of the analyst dilemma. The problem is not merely bias — it is fiction parading as fact, perception replacing analysis, and methodology sacrificed for marketability.

When Analyst Research Goes Wrong

Let’s be clear: not all analyst research is bad. But much of what is published today, particularly in GRC — from large analyst firms to boutique firms and peer review platforms — raises questions:

  • Rankings without Rigor. Too often, I encounter reports comparing vendors in a quadrant, wave, or magic shape — where the underlying logic is murky or absent. One vendor is “a leader” in one report, and in another, the same vendor is a “challenger” or “niche.” Both reports contradict each other but claim objectivity.
  • Ghost Reviews and Fake Peer Sites. Many peer review sites are riddled with manipulated entries. Solution providers incentivize clients (or consultants) to fill out the reviews on their behalf. Some go so far as to pre-write the responses, feeding them back to the reviewers. The result is a fictional echo chamber of “satisfaction” and “value” with no bearing on reality.
  • No Firsthand Experience. I am astounded by how many analysts issue assessments of platforms they haven’t seen in years — or ever. I know of boutique firms publishing scores and rankings without current demos or conversations. It’s dangerous, misleading, and frankly, negligent.
  • Detached from the Field. Analysts who won’t engage in live demos or customer calls, who prefer pre-recorded videos and automated surveys, are doing a disservice to the profession. Insight comes from interaction, not from passive consumption. Surveys tell you what someone thinks. Conversations uncover why.

Neutral ≠ Agnostic: The Myth of False Objectivity

When I call out poor performance — say, the growing wave of complaints I’ve heard about ServiceNow for GRC — I’m sometimes met with accusations that I’m no longer “neutral.” But neutrality is not the same as agnosticism.

Neutrality, in the analyst profession, means being guided by evidence and objectivity — not refraining from opinion. If an analyst cannot speak truthfully about what is broken, then they are not neutral — they are complicit. Objectivity requires critique when it is warranted.

As one LinkedIn commenter said in response to my post:

“Openly communicating this sort of feedback is literally the job of an analyst. Ignoring it and sweeping it under the rug because of a misguided sense of neutrality and objectivity is a dereliction of duty.”

Well said.

What Should an Analyst Do? A Return to First Principles

At its core, good industry analysis is about understanding. Not promoting. Not appeasing. Not posturing. An analyst must be an investigator, a translator, and a guide.

This means:

✅ Have Conversations, Not Just Surveys

Real insights come from probing questions and human interaction—not checkboxes. Analysts should talk to customers, implementers, end-users, and executives to understand how solutions actually perform.

✅ Demand Demonstrations

If you are going to rank, score, or analyze a platform, then you need to see it. Not a slide deck. Not a script. A live environment. Too many analysts avoid live demos in favor of canned videos. That’s not research—it’s theater.

✅ Engage the Ecosystem

You’re not an island. Analysts should build trusted relationships with practitioners, partners, and providers. That’s how you stay current, learn, and validate assumptions.

✅ Attend and Stay at Events

It’s one thing to show up, do your talk, and leave. But staying—engaging in sessions, conversations, hallway chats—this is where the real market signals live. Analysts should be present, not just performative.

✅ Acknowledge You’re Not the Expert in Everything

A good analyst knows when to consult others. Nobody is an expert in every corner of a complex market. Build a network of specialists and listen to them.

The Analyst Crisis: We Have a Problem

Today’s analyst landscape is plagued by:

  • Commercialized rankings that serve marketing more than truth
  • Armchair analysts who haven’t spoken to customers in months
  • Overpriced advisory sessions that offer generic, out-of-touch advice
  • A culture that rewards appearance over substance

This is dangerous in fields like GRC, where organizations rely on analyst guidance to make real-world, high-impact decisions around risk, compliance, and governance. If perception trumps truth, we aren’t helping—we’re harming.

Closing Thoughts: In Search of the Truth

The modern industry analyst stands at a crossroads. One path leads to genuine value: grounded, transparent, and impactful research that helps organizations make better decisions. The other path is perception-driven fiction, where charts are currency and reality is optional.

As someone who has been part of this profession for over 30 years—who helped define the GRC space in 2002 and continues to work closely with practitioners, vendors, and regulators—I believe we must reclaim the purpose of this role.

Truth matters. And the job of an analyst is to pursue it, speak it, and help others see it clearly. Because in the end, that is the analyst’s sacred duty.

If you’re navigating the GRC space and need clarity—whether you’re a buyer, a provider, or a practitioner—GRC 20/20 is here to help. We provide insight, not illusion. We ask hard questions. We listen. We engage. And we tell the truth.