{"id":14456,"date":"2025-07-17T07:12:10","date_gmt":"2025-07-17T07:12:10","guid":{"rendered":"https:\/\/newestek.com\/?p=14456"},"modified":"2025-07-17T07:12:10","modified_gmt":"2025-07-17T07:12:10","slug":"how-ai-is-changing-the-grc-strategy","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14456","title":{"rendered":"How AI is changing the GRC strategy"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

As businesses incorporate cybersecurity into governance, risk and compliance (GRC), it is important to revisit existing GRC programs to ensure that the growing use and risks of generative and agentic AI are addressed so businesses continue to meet regulatory requirements.<\/p>\n

\u201c[AI] It\u2019s a hugely disruptive technology in that it\u2019s not something you can put into a box and say \u2018well that\u2019s AI\u2019,\u201d says Jamie Norton, member of the ISACA board of directors and CISO with the Australian Securities and Investment Commission (ASIC).<\/p>\n

It\u2019s hard to quantify AI risk, but data as to how the adoption of AI expands and transforms an organization\u2019s risk surface provides a clue. According to Check Point\u2019s 2025 AI security report<\/a>, 1 in every 80 prompts (1.25%) sent to generative AI services from enterprise devices had a high risk of sensitive data leakage.<\/p>\n

CISOs have the challenge to keep pace with business demands for innovation while securing AI deployments with these risks in view. \u201cWith their pure security hat on, they\u2019re trying to stop shadow AI from becoming a cultural thing where we can just adopt and use it [without guardrails],\u201d Norton tells CSO.<\/p>\n

AI is not a typical risk, so how do GRC frameworks help?<\/h2>\n

Governance, risk and compliance is a concept that originated with the Open Compliance and Ethics Group (OCEG)<\/a> in the early 2000s as a way to define a set of critical capabilities to address uncertainty, act with integrity, and ensure compliance to support organizational objectives. Since then, GRC has developed from rules and checklists focused on compliance to a broader approach of managing risk. Data protection requirements, the growing regulatory landscape, digital transformation efforts, and board-level focus have driven this shift in GRC.<\/p>\n

At the same time, cybersecurity has become a core enterprise risk and CISOs have helped ensure compliance with regulatory requirements and establish effective governance frameworks. Now as AI expands, there\u2019s a need to incorporate this new category of risk into GRC frameworks.<\/p>\n

However, industry surveys suggest there\u2019s still a long way to go for the guardrails to catch up with AI. Only 24% of organizations have fully enforced enterprise AI GRC policies, according to the 2025 Lenovo CIO playbook. At the same time, AI governance and compliance is the number one priority, the report found<\/a>.<\/p>\n

The industry research suggests that CISOs will need to help strengthen AI risk management as a matter of urgency, driven by leadership\u2019s hunger to realize some pay-off without moving the risk dial.<\/p>\n

CISOs are in a tough spot because they have a dual mandate to increase productivity and leverage this powerful emerging technology, while still maintaining governance, risk and compliance obligations, according to Rich Marcus, CISO at AuditBoard. \u201cThey\u2019re being asked to leverage AI or help accelerate the adoption of AI in organizations to achieve productivity gains. But don\u2019t let it be something that kills the business if we do it wrong,\u201d says Marcus.<\/p>\n

To support risk-aware adoption of AI, Marcus\u2019 advice is for CISOs to avoid going alone and foster broad trust and buy-in to risk management across the organization. \u201cThe really important thing to be successful with managing AI risk is to approach the situation with a collaborative mindset and broadcast the message to folks that we\u2019re all in it together and you\u2019re not here to slow them down.\u201d<\/p>\n

This approach should help encourage transparency about how and where AI is being used across the organization. Cybersecurity leaders must try and get visibility by establishing a security process operationally that will capture where AI\u2019s being used currently or where there\u2019s an emerging request for new AI, says Norton.<\/p>\n

\u201cEvery single product you\u2019ve got these days has some AI and there\u2019s not one governance forum that\u2019s picking it all up across the spectrum of different forms [of AI],\u201d he says.<\/p>\n

Norton suggests CISOs develop strategic and tactical approaches to define the different types of AI tools, capture the relative risks, and balance potential pay-off in productivity and innovation. Tactical measures such as secure by design<\/a> processes, IT change processes, shadow AI discovery programs or risk-based AI inventory and classification are practical ways to deal with the smaller AI tools. \u201cWhere you have more day-to-day AI \u2014 that bit of AI sitting in some product or some SaaS platform, which is growing everywhere \u2014 this might be managed through a tactical approach that identifies what [elements] need oversight,\u201d Norton says.<\/p>\n

The strategic approach applies to the big AI changes that are coming with major tools such as Microsoft Copilot and ChatGPT. Securing these \u2018big ticket\u2019 AI tools using internal AI oversight forums is somewhat easier than securing the plethora of other tools that are adding AI.<\/p>\n

CISOs can then focus their resources on the highest-impact risks in a way that doesn\u2019t create processes that are unwieldy or unworkable. \u201cThe idea is not to bog this down so that it\u2019s almost impossible to get anything, because organizations typically want to move quickly. So, it\u2019s more of a relatively lightweight process that applies this consideration [of risk] to either allow AI or be used to prevent it if it\u2019s risky,\u201d Norton says.<\/p>\n

Ultimately, the task is for security leaders to apply a security lens to AI using governance and risk as part of the broader GRC framework in the organization. \u201cA lot of organizations will have a chief risk officer or someone of that nature who owns the broader risk across the environment, but security should have a seat at the table,\u201d Norton says. \u201cThese days, it\u2019s no longer about CISOs saying \u2018yes\u2019 or \u2018no\u2019. It\u2019s more about us providing visibility of the risks involved in doing certain things and then allowing the organization and the senior executives to make decisions around those risks.\u201d<\/p>\n

Adapting existing frameworks with AI risk controls<\/h2>\n

AI risks include data safety, misuse of AI tools, privacy considerations, shadow AI, bias and ethical considerations, hallucinations and validating results, legal and reputational issues, and model governance to name a few.<\/p>\n

AI-related risks should be established as a distinct category within the organization\u2019s risk portfolio by integrating into GRC pillars, says Dan Karpati, VP of AI technologies at Check Point. Karpati suggests four pillars:<\/p>\n