AI in GRC: Why I Stopped Trusting Automation (And What I’m Reconsidering Now)
With the rise of large language models, the intersection between AI and Governance, Risk, and Compliance (GRC) feels inevitable. One of AI’s greatest strengths is ingesting massive datasets and inferring the answers we need. In theory, this makes it perfect for risk assessments.
In this four-part series, I’m going to examine the real-world use cases for AI in GRC, weigh the benefits against the risks, and try to answer a tough question: Does AI actually belong in these workflows?
My History with the Hype
My skepticism isn’t coming from a theoretical place: Back when I was working on an enterprise security team a few years ago, we piloted an early-generation AI automation tool to handle our risk assessments. The pitch was seductive: feed it the questionnaires and docs, and let it spit out findings, severities, and remediation plans. The promise of cranking out risk reports at lightning speed was alluring.
In practice? It fell apart fast.
Honestly, nine times out of ten, the output was useless for actual risk inference. Instead of speeding us up, the tool created a massive bottleneck. I found myself re-doing nearly the entire assessment, correcting hallucinations, and flagging critical gaps the AI completely missed. After a while, I stopped looking at its output entirely and went back to doing the work manually.
This wasn’t just a case of AI needing “human oversight.” It was a case of the tool being fundamentally incapable of handling the nuance. At that moment, it felt obsolete compared to human judgment.
I always tell this anecdote to my friends in the industry when they panic about “AI is going to take our jobs!”. Here’s hoping they found it reassuring…or at least amusing.
But That Was Then and This is Now: Has Anything Changed?
That experience made me deeply skeptical. But lately, as I’ve watched models evolve — seeing things like Claude and others find vulnerabilities in code that humans miss — I can’t help but wonder: Could they do the same for knowledge-based work now?
Could today’s AI accurately discern risk from a policy document today? Can it evaluate a network diagram better than a junior analyst? Where does the line fall between leveraging AI and retaining expert judgment?
I’m exploring these questions in this series. I won’t be running benchmarks or citing empirical data. Instead, I’ll be drawing on my years in the trenches to offer a pragmatic, maybe even messy, look at where we currently stand and where we may end up at the crossroads of AI and GRC.
Next time, I’ll do something that doesn’t come naturally to me: argue in favor of AI in GRC. We’ll look at where it might actually earn its keep. Come back soon for that.
