Category: AI & Automation Author: Cody Swidler Tags: AI, automation, GRC, agentic workflows, risk operations, Claude, Copilot

There's a lot of noise about AI transforming governance, risk, and compliance. Most of it is vendor marketing, and most of the vendor marketing is about features that sound impressive in a demo and create real implementation headaches in production.

I want to write about what I've actually found useful — the specific places where AI has changed how I work, and the places where the hype is still running well ahead of the reality.

Where AI Is Genuinely Useful Today

Evidence collection and summarization. Control testing generates a lot of raw material — log exports, configuration screenshots, interview notes, audit responses. Summarizing that material, extracting key findings, and drafting initial evidence descriptions used to be tedious manual work. With the right AI tooling, it's dramatically faster. The output still needs review, but the starting point is much better.

Control mapping. Mapping controls across multiple frameworks — ISO 27001, SOC 2, NIST CSF, DORA requirements — is one of the most labor-intensive parts of building a unified control library. AI handles the initial mapping pass well. It's not perfect, and the edge cases require human judgment, but getting from zero to a first draft in hours instead of weeks is a real productivity gain.

Risk narrative drafting. When a risk needs to be escalated to executive leadership or the board, the write-up matters. The risk has to be described clearly, contextualized for the audience, and connected to business impact. That's a writing task, and AI is good at writing tasks — especially when you can give it the raw risk data and tell it who the audience is and what decisions they need to make.

Policy and procedure drafting. Same principle. Policy frameworks take a long time to write from scratch. Starting from a well-structured AI draft and editing toward your organization's specific requirements is significantly faster than starting from a blank document.

Meeting preparation and synthesis. Preparing for a risk committee meeting, synthesizing findings from a tabletop exercise, turning raw interview outputs into a coherent risk assessment — these are the kinds of synthesis tasks where AI adds consistent value.

Where It Doesn't Replace Judgment

Here's what AI cannot do in a GRC context, and what it's important to be clear-eyed about:

It can't tell you what risk to accept. Risk appetite is a leadership decision. It requires organizational context, stakeholder alignment, and explicit governance. AI can help you structure the conversation, but it can't make the call — and any tool that implies otherwise is overselling.

It can't validate that a control actually works. Control testing requires evidence of real-world operation. An AI-drafted control description is not a tested control, and an AI summary of evidence is not evidence. The testing is human work, or, increasingly, automated technical testing that queries the system directly (checking a configuration against its expected state, for example), which is a different thing from an AI model drafting or summarizing text.

It can't build relationships. A significant part of GRC program effectiveness comes from the relationships between the GRC function and the business. The engineering lead who flags a risky architecture decision early because they trust the resilience team. The CFO who calls you before a major vendor contract because they know you'll catch something important. AI doesn't build those relationships. You do.

It hallucinates on regulatory specifics. This is a real risk. AI models can produce plausible-sounding regulatory citations that are wrong. Any AI-assisted regulatory work needs careful human review. I've seen outputs that looked authoritative and were subtly incorrect in ways that would matter in an audit.

How I'm Actually Using It

In my day-to-day work, the tools I've found most useful are Claude Code for structured analysis and document work, GitHub Copilot for any scripting or automation I'm building to support program operations, and Cursor for more complex workflow development.

The pattern that's worked best is what I'd call agentic assist — not asking AI to run the program, but building workflows where AI handles specific, well-defined tasks within a larger process that I'm directing. Automated risk intake summaries. Draft escalation narratives. Initial control gap analyses against a new framework. Evidence package formatting.

That keeps the judgment and the governance where they belong — with the practitioner — while compressing the time spent on the administrative work that used to eat disproportionate hours.
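The hallucination caveat above and the agentic-assist pattern come together in one concrete rule: treat whatever the model drafts as untrusted input and gate it before it enters the control library. The following is an added example, not code from the author or from PivotRisk. The control catalog, the framework clause list, and the model draft are constructed placeholders with hypothetical identifiers; it shows a mapping pass where every cited ID is checked against catalogs loaded from authoritative sources, so a fabricated clause or a nonexistent control is flagged for the reviewer instead of landing in the library.

```python
"""Gate for AI-drafted control mappings: accept nothing the catalog doesn't know.

Added example, not PivotRisk's or the author's code. The control catalog,
the framework clauses and the model draft are constructed placeholders.
"""
from dataclasses import dataclass, field
import json

# Constructed organisation control library: the only control IDs a mapping
# may cite. Hypothetical identifiers, not a real framework's numbering.
CONTROL_CATALOG = {
    "CTL-001": "Access is granted on a least-privilege basis and reviewed quarterly",
    "CTL-002": "Production changes require peer review before deployment",
    "CTL-003": "Backups are taken daily and restore-tested every six months",
}

# Constructed set of framework clauses loaded from the framework text itself,
# never from a model. Hypothetical identifiers.
FRAMEWORK_CLAUSES = {
    "FW-AC-1": "Limit system access to authorised users",
    "FW-CM-2": "Review and approve configuration changes",
    "FW-CP-3": "Perform and test system backups",
}

# Constructed sample of what an LLM mapping pass might return. It contains a
# fabricated clause ("FW-IR-9"), a nonexistent control ("CTL-017") and a row
# with a field missing: the plausible-looking output the text warns about.
MODEL_DRAFT = json.dumps([
    {"control": "CTL-001", "clause": "FW-AC-1", "rationale": "least privilege access"},
    {"control": "CTL-002", "clause": "FW-CM-2", "rationale": "change approval"},
    {"control": "CTL-003", "clause": "FW-CP-3", "rationale": "backup and restore"},
    {"control": "CTL-003", "clause": "FW-IR-9", "rationale": "incident recovery"},
    {"control": "CTL-017", "clause": "FW-AC-1", "rationale": "MFA enforcement"},
    {"control": "CTL-001", "rationale": "clause field missing"},
])


@dataclass
class GateResult:
    accepted: list = field(default_factory=list)   # well-formed, every ID known
    rejected: list = field(default_factory=list)   # (row, reason) pairs for the reviewer


def gate_mappings(draft_json: str) -> GateResult:
    """Validate a model-drafted mapping list.

    The draft is untrusted input: it is parsed defensively and every identifier
    is checked against the catalogs. Passing the gate only means the IDs exist;
    whether the mapping is right is still the practitioner's call.
    """
    result = GateResult()
    try:
        rows = json.loads(draft_json)
    except json.JSONDecodeError as exc:
        result.rejected.append(({}, f"draft is not valid JSON: {exc}"))
        return result
    if not isinstance(rows, list):
        result.rejected.append(({}, "draft is not a list of mappings"))
        return result
    for row in rows:
        if not isinstance(row, dict):
            result.rejected.append((row, "mapping is not an object"))
            continue
        missing = [k for k in ("control", "clause", "rationale") if k not in row]
        if missing:
            result.rejected.append((row, f"missing field(s): {', '.join(missing)}"))
            continue
        if row["control"] not in CONTROL_CATALOG:
            result.rejected.append((row, f"unknown control id {row['control']!r}"))
            continue
        if row["clause"] not in FRAMEWORK_CLAUSES:
            result.rejected.append((row, f"unknown framework clause {row['clause']!r}"))
            continue
        result.accepted.append(row)
    return result


def review_queue(result: GateResult) -> list[str]:
    """Queue for the human pass: accepted rows still need sign-off, rejected
    rows need a decision. Nothing is written to the library from here."""
    lines = [f"REVIEW  {r['control']} -> {r['clause']}: {r['rationale']}"
             for r in result.accepted]
    lines += [f"REJECT  {json.dumps(row)}: {why}" for row, why in result.rejected]
    return lines


if __name__ == "__main__":
    print("\n".join(review_queue(gate_mappings(MODEL_DRAFT))))
```

The point of the gate is the split it enforces: the model produces a draft, code checks the only thing code can check (that every identifier exists in a source you trust), and the practitioner does the rest. Rows that pass are labelled for review rather than accepted, because a known control mapped to a known clause can still be the wrong mapping.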

Where This Is Heading

The GRC platforms that will win over the next few years will be the ones that embed AI into the workflow without requiring practitioners to prompt-engineer their way through every task. The ones that surface the right risk information at the right time, reduce the friction in evidence collection and testing, and make it easier for GRC teams to do the actual work of managing risk rather than managing documentation.

We're not there yet. But the distance between current AI capability and genuinely useful GRC tooling is shorter than most people in the industry think — and shorter than most legacy GRC platforms are willing to acknowledge.

The practitioners who learn to use these tools well now will have a meaningful advantage in the next two to three years. Not because AI will replace the judgment — it won't — but because the administrative overhead that currently consumes a large fraction of GRC team capacity is going to compress significantly, and the programs that adapt will do more with the same headcount.

Cody Swidler is the founder of PivotRisk and a Principal Program Manager, Enterprise Resiliency at Apex Clearing. He uses Claude Code, GitHub Copilot, and Cursor in his daily risk and resilience operations work.
