Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersEventsBlog
We're exploring how organizations adapt IAM to AI. Take the AI Identity and Risk Readiness Survey by September 5 →

The Missing Piece in GRC

Published 08/11/2025

Home
Industry Insights
The Missing Piece in GRC
Originally published by Scrut Automation.
Written by Aayush Ghosh Choudhury.

In our last post, we explored how the governance, risk, and compliance (GRC) landscape is evolving and how AI is reshaping its future. This next phase is what we call GRC 4.0. While Generative AI (GenAI) has been around for years, its widespread accessibility has only taken off recently, especially following advancements in large language models (LLMs) made available to the public.

The result? An explosion of AI-powered tools designed to automate repetitive work and support cross-functional collaboration. And GRC is uniquely positioned to benefit from this transformation.

4 stages of GRC

Microsoft CEO Satya Nadella recently predicted that AI agents will reshape the SaaS world entirely. Some have even called it the “Death of SaaS.” That may be bold, but one thing is clear: products that merely automate workflows will struggle in the agentic AI era.

For GRC, this presents both a challenge and an opportunity. It’s time to move beyond checklists and focus on proactive, risk-aware decision-making.

 

Why Move to GRC 4.0?

Today’s GRC platforms — let’s call them GRC 3.0 — have made important strides in automating compliance fundamentals. They’ve helped teams establish policies, centralize documentation, and reduce audit overhead.

Critics say this commoditizes compliance. But in reality, it raises the bar: empowering even lean teams to meet regulatory demands with confidence.

Still, most 3.0-era platforms rely on rigid, predefined workflows. They’re great for documentation. But they often fall short when real-world risk requires contextual judgment and timely action.

 

The Expertise Gap in GRC Tools

GRC tools show you what you have

Two examples illustrate the limits of current systems:

 

Vendor Management

You can automate questionnaires and tracking, but identifying high-risk vendors, interpreting their responses, and following up on red flags still require manual analysis.

 

Policy Attestation

You can centralize documents and track completion, but employees still wade through dense policies, leading to misunderstandings, more helpdesk tickets, and slower onboarding.

These examples point to a common theme: automation alone isn’t enough.

 

Vertical Agents: The GRC Missing Link

In response, the industry is moving toward AI agents — software that doesn’t just automate tasks, but understands context, reasons across data, and takes initiative. But not all agents are built the same.

Horizontal LLMs (like ChatGPT or Claude) are built to be general-purpose. They’re powerful, but they’re not tailored to the unique demands of GRC.

 

Where General-Purpose LLMs Fall Short

issues with general-purpose LLMs

  • Hallucinations: Even a small error in a policy interpretation or risk score can have major implications. In GRC, there’s little room for guesswork.
  • Loss of Context: Long-running processes like audits or risk assessments require memory. Horizontal LLMs often can’t retain sufficient context across steps or teams.
  • No System Access: Horizontal agents can't offer meaningful, actionable support without integration into policy repositories, risk registers, ticketing systems, or evidence libraries.
  • Poor Scalability: What starts as a clever LLM integration can become unmanageable over time, especially as compliance requirements expand or frameworks evolve.

 

The Case for Domain-Specific Agents

vertical agents

GRC workflows are not just checklists — they’re interdependent systems requiring precision, continuity, and institutional memory.

What’s needed now is an evolution from automated tools to vertical agents: AI designed specifically for GRC, with access to internal systems, fluency in regulatory language, and the ability to operate across security, risk, compliance, and privacy domains.

These agents won’t replace human judgment. But they’ll augment it by surfacing relevant evidence, suggesting next steps, flagging anomalies, and helping teams stay ahead of evolving risks.

 

Conclusion

As GRC shifts from a reactive function to an intelligent, always-on capability, traditional platforms will need to evolve — not just to automate faster, but to reason deeper.

The missing piece isn’t more tools — it’s context-aware intelligence, purpose-built for the complexity of GRC. That’s the promise of GRC 4.0.

ComplianceRisk ManagementTacticalArtificial Intelligence

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Register Now for CSA's Virtual AI Summit 2025
Secure IAM for Agentic AI Systems
Participate in the Data Security in AI Environments Peer Review
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Vulnerability Management Needs Agentic AI for Scale and Humans for Sense

Published: 08/22/2025

A Breakdown of the ISO 27001 Certification Process

Published: 08/21/2025

Announcing the AI Controls Matrix and ISO/IEC 42001 Mapping — and the Roadmap to STAR for AI 42001

Published: 08/20/2025

Securing the Agentic AI Control Plane: Announcing the MCP Security Resource Center

Published: 08/20/2025