
Hello BSides friends. How are y'all doing? I'm Sue and I'm really happy to present our speaker today, and that is Stas. His last name rhymes with Bazooka, so it's Buzza. No, I just said it wrong. >> Bazooka. >> Thank you. Anyway, he is founder and CEO of Comply, which is a Series A startup that's already leading the GRC automation space, and he has over 20 years of experience. What's awesome is that he's worked in the US, Canada, and also the UK. So, please welcome Stas.

>> Thanks, everybody. Yeah, it's pretty wild to have a full house on GRC. Five years ago I didn't think this would ever happen, but here we are. Just curious, how many people are actually in GRC currently? Okay, that makes sense. How many people are trying to get into GRC? Okay, awesome.

So I'm just going to start with a little bit of background about myself. I'm Stas Bazooka, like Bazooka. I've been in the information security space for 20 years at this point. I have a degree in information system security, which was one of the first; it was the second cohort of that degree ever being offered. I ended up working in financial services for a long time, building out security practices. Where this all started from was actually user access reviews. If you're familiar with SOX regulations, we have to do user access reviews. They were very difficult. They still are way more difficult than they should be, even in 2026. This all started off with being asked to do user access reviews all the time, or being asked to produce KPIs and reports and tell the business where we are with things. At the time it was a SAS 70, now it's a SOC 2. Not understanding where we are with things, having people running around like headless chickens trying to understand where the business is going, what they're doing, what they're working on, and then, after chasing everybody up all the time, having the pleasure of going into Archer and manually uploading all the evidence.

So 5 years ago we set out on a journey to build out a governance, risk and compliance platform. It's been quite the journey. We are New York based. We just opened an office in Boston. 5 years ago this space wasn't very popular, and now everybody is falling over themselves trying to get into it. So I'm very glad that you're all here. Thank you.

We lined up some pretty interesting slides and use cases about where the space is going and where we're seeing the transformation. And yes, the buzzword is going to be AI throughout all of this. But out of all of the industries where we're seeing AI, GRC is just game-changing. Instead of all of the companies trying to shoehorn AI left, right, and center into random technology that doesn't even make sense, with GRC it's really groundbreaking, what we're seeing and what we're able to do with it.

On that note, I'll just quickly cover off what we're covering: shifting from compliance gatekeepers to strategic partners, building executive trust without last-minute heroics, leveraging automation to reclaim time for high-value work, and building resilient programs at scale without breaking. I'm happy to take questions as we go. There's going to be a Q&A at the end of this, but if people have questions along the way, feel free.

All right, so the audit season hero. I think GRC is broken. Not because teams don't care, but because the system forces them into fire drills. How many of you are familiar with this type of scenario? It's 11:47 at night. You're still chasing evidence. Slack is blowing up. Auditors are adding just a few more requests. Things are flying back and forth, and somehow you're expected to hold everything under control. Even with a lot of the tooling that we have and a lot of the automation, the so-called "automation" that we have, we're still finding this happening all the time. I don't know if this resonates with people in the room. >> Perfect. So it's the system. This isn't a system. This is survival mode. Let's just look at this. What we're seeing is requests like "show me MFA coverage across privileged users for the last 90 days," and then you have users running around getting exports out of Okta, screenshots out of Azure, someone checking spreadsheets, someone emailing HR, someone uploading PDFs into a portal. This is not a control environment. This is a scavenger hunt. The real systems that we need to shift to are ones where auditors sample their own data set. They can select their own time frames. They can filter out privileged identities. They can export evidence. They can ask questions about the evidence. They can put it in the format that they want if they don't want to use the platform for evidence capturing or their auditor notes. This is a similar model to what we're seeing across different platforms such as Snowflake, Datadog, Splunk; they're all doing the read-only observability layers for compliance. We should be doing the same thing in GRC. If the auditor wants it in a certain way, let's give it to them. Let them ask questions about it and be confident in the data that you present to the auditor. This is where this is going. This point-in-time getting evidence and collecting evidence and sending it to them, those days are numbered.

So where did GRC come from? The whole point of GRC was to pass an audit, collect the evidence, and don't fail. This was enough until it wasn't.
And now everything has changed, right? Cloud exploded. From the keynote just a couple of minutes ago: in 2018, if you were telling anyone that you were using cloud, they'd look at you sideways. Nowadays, if you tell anybody that you're building a data center or hosting a data center, they look at you sideways. Things have just massively changed. Because of the cloud changes, the number of vendors has just exploded, both how many vendors there currently are and how many vendors a normal customer uses. Regulations have accelerated, framework adoption has also accelerated, and then obviously AI has now shown up. So 10 years ago you might have had 40 vendors, three environments, one framework. Today you'll have 400 vendors, 12 SaaS identity boundaries, six frameworks, two AI policies, continuous vendor breach monitoring expectations, without any additional funding. The job has shifted a lot, but the resources haven't caught up with it. It's also very hard to find the right resources to be able to build out a security program. Things are changing so quickly, and things are becoming very technical as well. There's this whole notion, which I'll cover off in a minute, of GRC engineering and where this is going, and this goes hand in hand with what I'll be talking about throughout this presentation: being able to engineer processes and workflows around your existing data and your existing applications, and really building out a program. So the job has changed. You're no longer documenting controls. You're operating a control surface. The old tools help me track what I already know. The new tools need to tell me what I don't know yet. That's where we're going.
The other shift that we're seeing is that suddenly GRC isn't a back-office function anymore. It's now become a business function. I don't know how many of you are seeing interactions with the GRC platforms that are no longer just security and compliance, but now you're seeing legal, finance, HR, product. Are you guys actively seeing that as well? Yeah. The reason that this is happening is that it's all cross-departmental operations, right? Security used to own GRC; security is now everybody's problem, or the tagline is "across the organization," and now everybody's touching it. Engineering wants exception workflows. They need risk acceptance tracking. They need change management reviews. They need to ship faster with guardrails. You have legal using it for tracking contractual obligations, mapping vendor exposures, monitoring regulatory deltas. Finance, tying their controls back to SOX assertions, modeling operational risk exposure. HR, using it for joiner/mover/leaver life cycles, insider risk signals, and AI governance workflows. So the real power of GRC, what we're seeing, is the interconnectivity of all of these different segmented or siloed departments and organizations all really coming together, because they're all trying to do the same thing. They're trying to build out automated processes to help them with their day-to-day jobs, and GRC is the perfect spot for this. So essentially what we're seeing here is that GRC has stopped being documentation and is now becoming decision infrastructure for the organization.

So the problem isn't GRC. It's how GRC is being done. Currently there's still way too much manual work, even with the automated platforms that we're seeing today, or the ones claiming to be. There's still way too much stuff being uploaded: screenshots, logs. It's just way too much manual work. There are way too many disconnected systems, and then there's endless evidence chasing as well. What we're asking our business lines to do is work with us to be able to show adherence to different frameworks and regulations. It is not their day job to be doing this. We need to make it as easy as possible for them to either connect systems and pull the data down, or, if we do need manual evidence collection, we have to make it very easy for them to do that. Everybody now is a UX expert. If you're putting clunky systems in front of them, they're not going to do it. This is not even like 10 or 5 years ago. Everybody has sophisticated apps on their phones. They use them all the time. They know what good looks like. We have to make it really, really easy for them to interact with the data.

>> Question. >> Yeah. >> So in the keynote she was talking about how many tools solve very little problems, right, and what problem that created, and that the winners now are going to be tooling that's designed and created by practitioners, essentially, that really solves problems. Do you see the same thing, or has the same thing happened in the GRC space as well?

>> Yeah. What we're seeing is people instinctively want to cut corners and get to the end as quickly as possible. I'm sure people in this room have been following the Delve situation that's been going on. It's a perfect example of that, right? We're also seeing companies adopt less mature products with the same kind of mindset of "we need to get there as quickly as possible for the least cost possible." And then what we're seeing is they're having to buy additional products to support their functions, to be able to show their customers that they do adhere to all these different frameworks and regulations. So not being selective enough with what you're looking at and what you're trying to solve in the short term, medium term and long term. You have to do that now, because things are changing so quickly that if you buy products today, in 6 months to a year's time they might be completely irrelevant to what you're doing as a business, where the market is going, and what the expectations of even your own customers are. Another example of that would be something like trust centers, which have become all the rage recently, right? Something that didn't even exist 3 years ago, and now you're expected to have a trust center. If you don't have a trust center, there's an issue with the company, or they want you to implement one, and they want to be able to monitor the maturity of the company at all times. Also continuous vendor management and supplier and third-party management, and continuously monitoring all of that activity to make sure that they are doing what they said they're doing. Things are moving at an astronomical rate at the moment, and expectations are going through the roof in terms of what your customers want and what you need to deliver as a business. So I hope that answered the question.
So in the past, heroics have become the process, right? I think we've all been there: those frantic searches for evidence, frantic searches for people to talk to, understanding what's going on with a pull request and why no one reviewed it and it got pushed into prod, or why HR forgot to put together a termination notice, or why someone's in the wrong group. These are all things that are just coming up way too often, even with continuous control monitoring. Security is never going to be perfect, and if you're under that assumption you're in for a rude awakening. But you have to be able to manage security by exception and be able to document all of this properly. So a GRC hero doesn't save the day. What they should be doing is having all the data that they need to do their jobs at their fingertips, to be able to have KPIs, SLAs, all of the things that the organization is wanting to understand about what's going on in their businesses, right at their fingertips. Having a GRC platform that's interconnected to all of your data and goes deep allows you to do that. They design systems where nothing breaks, right? Or they want systems where nothing breaks. That's just not reality. They turn risks into decisions, give leadership clarity, build once, reuse forever, remove fire drills. So old GRC: "we can do that." New GRC: "here's how we do it safely."

And then I'm going to go into a few examples here. In real GRC engineering we would have things like evidence collection. I've just talked about this forever: attaching screenshots to controls. In the new model, controls subscribe to telemetry streams. What this allows us to do is, for example, if you're using Okta and MFA coverage comes off and you're going from 99% to 95%, the control status should change automatically. We don't need a spreadsheet, we don't need audit prep, we don't need manual updates. We just need to show that the control effectiveness has now gone down, and we need to take a look as to why.

Another example of where we're going, and I think this one's actually pretty neat, is risk register gap detection. Instead of waiting and writing manual risks, the platforms are so interconnected that they should be the ones telling you where critical CVEs have been detected, unassigned incidents have not been remediated, missing encryption, dormant privileged users. We need to be able to create these risks, quantify these risks, assign them out, and make sure that they're being addressed in a timely manner. For GRC, we have to switch from detective to preventive. We have to go on the offensive. We have to be able to understand what's going on in the business in real time, and let the platform tell you what it is that your business cares about, where there's drift, where there's issues, and allow you to decide what actions you want to take, instead of after the fact. Being able to escalate a risk that has actually turned into an incident: nobody cares about that. People want to prevent that from happening. And the easiest way of doing that is utilizing the things that we have today, like advanced AI models, to pick up on this and put them into the right risk registers, incident registers, task registers, whatever it might be.

Another example of this is vendor risk propagation. We're seeing this actively. Being able to pull down continuous monitoring of a vendor, suppliers, third parties, and if their risk levels or compliance levels change, we should automatically be updating the risks that are associated with them, pausing any renewals, flagging contracts for violations of SLAs and other things that they promised us. This can all happen today. These are all things that are available to us. This also just saves a huge amount of time, moving away from traditional TPRM and moving to an automated fashion.

Policy drift detection. This one has been a huge one over the past 18 months, I would say. Being able to actually say what the policy says: is this policy actually enforced? What is this policy saying? Are we adhering to it? Do we need to make an adjustment to the policy? We're adopting a new regulation; how do we adjust that policy? Being able to interact with the policy in real time has been game-changing. I'll take a stab at it: I think everybody hates policy management in one form or another. And to be able to have this automation, for me as a practitioner who has been in this space for a long time, has been pretty game-changing.

Just one more example: joiner/mover/leaver. Joiner/mover/leaver has notoriously been a problem for most organizations. Being able to automatically detect that an engineer has moved to finance, permissions are unchanged, and the system flags that there are segregation-of-duties issues. These are all things that we were striving for: putting together toxic pair combinations and segregation-of-duties models and RACIs and things like that. Things that were always very aspirational for us and very difficult to maintain have now become pretty straightforward, if you implement the right platform.

So the main difference between a blocker and a business partner. GRC teams shouldn't be seen as speed bumps. The reason I'm saying that is: let's say you have a GRC program in place and it's running, and it disappears tomorrow. Would the business move faster or fall apart? This is a question that we've been asking pretty regularly. If the answer is "fall apart," then obviously there's a problem. But a lot of the information that traditional GRC has been gathering, it's been difficult, right? It's difficult to create an asset register. It's difficult to create a vendor register. It's difficult to get buy-in and to get information about what that vendor does, what assets people use. But it does serve a purpose. So if we use something like access reviews: if we get rid of GRC, what happens to your access reviews? Do you still do access reviews, or are privileged accounts quietly accumulated for 18 months? If they stop, your GRC program wasn't compliance, it was identity hygiene infrastructure, right? So there's a lot of stuff that happens in the background. Same thing for vendor risk. If GRC disappears, can your company really say which vendors have production data access? The usual answer to that is no. This means that GRC wasn't overhead. It was third-party exposure management. Incident lessons learned: if GRC disappeared, do incidents improve the environment, or do they repeat every quarter? They're going to repeat every quarter, because if you can't quantify them, and if you can't simulate them, and you can't put root cause analysis against it, it will happen again. Audit evidence: does leadership still know what their encryption coverage is, what their MFA coverage is, what their backup coverage is, vendor exposure, exception management? If not, then GRC was your telemetry layer. Policy management: do policies still connect to behavior, or do they become PDFs again? If the PDFs win, then it wasn't being used properly as the translation engine between the rules and reality. And risk registers: if your vulnerability scanner detects 40 critical CVEs tomorrow, how many of those automatically become risks? If nobody has the answer to that, then your GRC was definitely performing.

So what I'm basically getting at is, if a computer can do it, we should be letting it do it. There's a lot of stuff here that we as humans don't have the time to process, and there's a lot of new things happening where the skill sets are not catching up to what is happening in real-world businesses. So we should definitely be leveraging the tools that are available to us to help us with our day-to-day work.

So again, we need to adapt. Evidence collection, screenshots, spreadsheet updates: we don't need to do this anymore. We can do everything without rebuilding from scratch every single time there's a new audit season, without burning out the teams, by leveraging different tools and technologies. Real GRC doesn't reset every year. We can continuously monitor and continuously build on what we have. If there are new frameworks, and there are new frameworks all the time, they can be added in, and you can reuse your existing evidence stack and your tech. New vendors can be brought in and onboarded in a short period of time. We don't need to send them giant SIG Cores and SIG Lites anymore. We can infer so much information about vendors, suppliers and third parties now, and continuously monitor them. Any new regulations that come in, again, we should be able to just reuse what we already have without having to rebuild and start from scratch every single time.

So what is a GRC hero? It's someone who can think like a risk leader, speak like an executive, build systems and not spreadsheets, focus on insights, not documentation, and design programs at scale. So the next generation of GRC leaders won't win with spreadsheets, but they will win with systems, automation, clarity, and trust. And so the real question is: which one do you guys want to become? The next generation of GRC leaders won't be people who collect evidence the fastest, but they'll be people who design systems where evidence collects itself.
That was it. Um any Yep. Shoot. >> Yeah. >> Can't run to everyone. Do you mind repeating the question >> for the audience? Great. >> So, with the workflow, right, we don't collect evidence in a vacuum. We want to resolve things. >> Um, the only concern that I'm seeing as we're speeding up. >> Yeah. >> Is you you can go into a situation where you go from ignorance to negligence overnight. >> And if you're collecting all this information and you start building up this backlog in real time, >> y your period of resolution shrinks as well. >> Y >> right. So we've done a lot of the detection and hey how about remediation and tie into that because more often
than not >> y >> the systems dependent is the resolution and that's you don't own that and across the entire company. >> You see >> what examples or things you've done to say hey we're expediting the speed in which we detect and show the trip. >> Yeah. >> Now how are we getting to >> remediate? Yep. Yeah. Yeah. So the question is so now we're getting better at detecting uh at detecting drift and then how do we actually go about remediating it and um you know making sure that uh the time to well the time to remediate the issue is uh is addressed right I mean this this is why people didn't want to run like uh
vulnerability scanning right for the longest time or why people ran vulner vulnerability scanning once a year. It's not because the systems couldn't do it it's because they didn't want to know the answers to the to the questions. Um, so a lot of what like a lot of what I'm like what I'm seeing is like so there's a lot I mean there's there's a lot of debate about uh you know what an agent is versus agentic AI you know whatever it might be but there is we are moving to the point where we have to be able to enable agents to help us with with our workloads like the the vulnerability uh in patch management like I think for the
first time in my life like I' I've seen it actually like being you know being useful and actually closing out uh closing out vulnerabilities and closing out uh closing out issues. Um the other things that like so we are detecting a lot more um and I I I completely agree with that but the a lot of the time um like for example right you have you'll have people that um they'll put risk on a risk register right and they it's great they're trying to help out to be able to actually quantify if that risk is real or not to the business like you can do that now right you can actually like somebody writes you know
we we might have an issue with this system well we don't it's because it's airgapped we know everything about it here's the actual owner of it and we'd send it out to risk acceptance. So like there are those flows that are now pretty easy. Um but the you know I had I had one the other day where like um we're tracking every uh every single every single procurement contract for an organization and they're like well like uh like these are out of date or like these are expired or like these have in inundated cl or you know clauses that are uh no longer relevant to the company. So I have to go and do all of
this stuff. Um, so they did do it manually, but I think where it's going is you'll be able to actually tell an agent to go through the like comb through the contracts and actually update them and put in different clauses. I think that's where we're going. Was there like a particular example that you had? >> Yeah, >> you talking about building the system. >> Yeah, let's go for access controls. >> Yeah, >> we can go and I can remove access and stuff. >> Yeah, >> but with the exemp uh the exceptions or the saying, oh, I'm going to remove access. Well, they actually had a legitimate need for that. retroactively have to either fix that
>> and so that's problem with automation. It works until you run for an exception. >> Yeah. >> Yeah. So that I so the question is so if you have like access control for example and uh somebody removes access from a user and then it gets put back you have to be have you have to have the ability to be able to manage by exception which is the point I made earlier uh earlier in in the presentation. I think this whole thing is about managing by exception. So like um for access controls it would be it would be things like doing a use like a user access review and being able to flag something that you know it looks off or the rest
of the users in that department or uh or role they don't have that same privilege and being able to flag it but then putting exception in that this person is legitimately or legitimately has this for x reason. And that's the like that's the biggest thing that I find with like auditors is um a lot of the times like you'll have a scenario just like this and then the auditor points out like hey this person is overprivileged like and there's no exception process there because what they're trying to do is remove it so that it's not there in the first place but there's a legitimate reason. So just it's the man it's having the ability to be able to put in a
process that has the ability to have an exception in that process >> and not the exceptions become unmanageable >> and the exceptions becoming non unmanageable. Exactly. But this also like this is where the live risk register thing goes as well, right? like as your business changes and you integrate new vendors and new suppliers, like to be able to um have the platform be able to monitor all of that and actually give you recommendations being like, hey, it looks like everybody on this team actually needs access to, you know, to Salesforce this this permission. Do you want to just add it onto your uh your segregation of duties policy? Do you want like it it's all
like this is like next level sci-fi like sci-fi stuff that we're like looking at. It's it's really neat. >> Awesome. >> Hi, I'm sorry to bother you. >> No, no, no, no, please. Yeah. Um, so there are I'm sure there are a ton of questions surrounding like third-party um and vendor risk management. I mean there's I think um somebody was just talking about how many cool new vendors um just popped up on the scene and you were just talking about that too, right? And how could you possibly catch everything and and >> anyway I have questions but this was not the question that I had. Okay. The question that I had was about policy misalignment and drifting. Um,
is it like the is it the is the policy old or is the action wrong? Right. Like so we're talking about meeting reality, right? I'm curious. You had mentioned something if if the computer can do it, just let it do it. Um, how can this tech find um that com that drift from company policy and call out what it is and how to remediate it? I mean you're saying something that you know there is some type of a technology that would be interesting to hear a little bit more about. >> Yeah absolutely. I mean I can I can answer both questions. So like the the vendor piece yeah there are a ton of new vendors popping up all the time. Um it's
fascinating how much data you can pull on vendors now, even new ones. Again, utilizing open source intelligence gathering, deep web analysis, dark web analysis, you can pull a lot of data out on a company, even a company that's a couple of months old. These are things that are now absolutely possible. On the policy detection and drift side: a lot of policies are out of date. This is the thing that most GRC practitioners hate the most, and the business hates the most. They don't want to sign off on anything. They don't want to take on
the risk of a policy because they don't really even know what's in it, or if they've even read it. So a lot of the time we're stuck with an acceptable use policy that's two to three pages that everyone has to sign, but no one has ever looked at any of the other policies that it references. So you have to do this holistically. You have to be able to have a holistic set of policies that are aligned to the framework that you're trying to adhere to, like NIST or ISO or HIPAA, HITRUST, whatever industry you might be in. Yep, go on.
Question. Just joking about how, after all 18 revisions from NIST come out... >> But this is where it's going, right? This is the reason why the policies are so out of date: nobody's keeping up with them. So it has to be bidirectional. You have to be able to look at the policies holistically, break down whether all the controls are being met and in which clauses they are being met, and then how do you actually underpin this? Not everything can be done by technology. So simple things like password management, MFA, blah blah blah. Sure, you can pull
from systems and pull out records and make sure things are in place. For other things, like, is there board consent? Do you have a pentest? Do you have insurance? All this stuff has to be uploaded manually as well. So you have to be able to catalog and track all of that and tag it back to the policies, from policies down. But then you have to do it the other way as well. So if there are other things happening in the business, like lack of remediation for vulnerability management or whatever it
might be, then you might need to adjust how often you remediate in your patch management policy. And so to be able to have suggestions like, hey, your policy says this, you are actually doing it but you're not doing it as often, and then being able to make that suggestion to the policy, is doable now. And all of the NIST revisions, the EU AI Act, all of that: you should be able to just pick a new framework that you're trying to adhere to. It knows what you're already doing and then gives you the suggestions. This really isn't like two years
ago. This is doable now. So, I don't know if that answered your question. >> Absolutely. Yeah. Go on. So, we're seeing a lot of the GRC tools that are doing third-party risk management and assessing the information, the evidence that's being submitted by the vendor, using AI to create a risk score and present that to the company. But even with the information that they're collecting, I work for an organization that is a vendor, a service provider, a security consultancy. >> I'm still getting 800 questionnaires from these organizations that are using these platforms with the AI risk assessment stuff. Are you starting to see a shift, and feel free to name and
shame if you want, for companies that are starting to adjust and tailor those questionnaires based on the types of services. Not everybody is a SaaS platform that's going to be handling sensitive data. Of the 800 questions, there are actually like 230 that are applicable to our organization. Are we starting to see a shift where those are starting to be tailored so they're actually more applicable to the organization you're trying to assess? >> Yeah, really good question. So, the larger organizations are still struggling to catch up here, right? I mean, the perfect example: yes, we're a SaaS-based organization. We have
no physical data centers, yet there are 30 questions about our physical data center. So they're getting smarter in the sense that they will issue out a SIG, and it has branching in it, and an Excel sheet, but it's still not great. But what we are seeing is that from a GRC perspective we do have plugins now where, if they upload the Excel sheet, we'll answer the Excel sheet, not a big deal. But you also have Chrome extensions where, if they send it to you via OneTrust or
one of the other numerous vendor management platforms, they can prefill that for you with a Chrome extension as well. I think the real change here, though, is because of these trust centers and the amount of data that is available. What we are seeing is the mid-range companies and lower enterprise are definitely adopting: let's get as much information as we can about these vendors and then let's follow up with anything that's missing. So, trust but verify. Yeah, they say they have all this stuff, great, and we can see it. If they're a public company, obviously you can verify more.
But then, here are the immediate next steps that I want to follow up on, and then you might have short-term and long-term things that you might want to follow up on as well. We're seeing huge adoption on that. So, taking something from even a 20-part questionnaire and shrinking it down to six points, which is: do you have a date, do you have a SOC, do you have an ISO, obviously upload that. It said that you had an incident last year, what did you do about the incident, and provide any supporting evidence of that. Do you have a DPA? Do you
upload that? Your business impact information is missing or not where it needs to be. So, taking it from a generic questionnaire and really getting it focused, and then being able to read it on the other side too. So even when they do upload the SOC 2 or ISO, I mean, you should read it, but you don't necessarily need to; it will align it to what we pulled back that's publicly available plus what they provided. Do they support one another or do they not? And if they don't, there's obviously a bigger issue there. Any other questions?
>> Any final words? >> Yeah. I mean, I'm very, what's the word? Very humbled by all the... Thank you all for being here. I appreciate it. But just again, 5 years ago this space just wasn't very interesting. And now I'm really glad to see the amount of people that are interested in it, where we're going to take it, and where this is going. I think even in 6 to 12 months' time, the GRC space is going to be completely flipped on its head just
like a lot of other technologies. And I'm excited to see where it goes. So let's keep pushing, guys. >> Fantastic. And thank you, everyone.