At our recent Drataverse City Tour in San Francisco, I had the privilege of sitting down with the inimitable and seasoned security veteran, Vitaly Gudanets, CISO at Anthropic, for a lively and engaging conversation that encapsulated how many of us are feeling about the meaningful changes that are taking place in the field of GRC and Trust Management.
As a security and GRC practitioner myself, I’m constantly struck by how quickly things continue to evolve in these spaces. Even looking back just five, ten, or fifteen years, so many of the capabilities we showcased on stage at Drataverse were simply out of reach and only imagined. Today, they’re becoming table stakes and readily accessible to all of us to use, jump start, and accelerate our security and GRC programs.
Vitaly opened with a line that palpably grabbed the attention of the room immediately: “most GRC programs today are very little G, very little R, and a very big C.”
He’s right. Many organizations naturally start with checking the boxes, being “compliant”, but they fail by stopping the journey after the box is checked. If you’ve spent any time inside a GRC program, whether you lead one, audit one, or support one, you know exactly what he means.
For too long, GRC has been synonymous with labor-heavy, auditor-fearing compliance efforts: chasing screenshots, collecting evidence, updating spreadsheets, and preparing for annual audits. This is necessary, foundational work to show that your company is doing what it says it is doing, yes. But many forget that these frameworks and controls were all created because of a larger driving factor: the underlying risks that these controls mitigate. Stopping short of this risk-centric part of the GRC journey means the work never reflects our ultimate goal: identifying and mitigating real risk, informing business decisions and roadmaps, and helping companies keep pace with new technologies (such as AI), regulatory expectations, and the velocity of modern scaling.
I’m heartened to witness, alongside GRC professionals worldwide, that GRC is evolving significantly to keep up with our needs and ultimate intentions, because we need it to be built on continuous assurance, automation, and ultimately on building and maintaining trust between organizations.
From Checklist Compliance to Strategic Risk Management
For years, frameworks have centered our approach to GRC. SOC 2. ISO 27001. HIPAA. PCI. All done in the name of demonstrating our good faith efforts to comply with industry best practices and build trust. We performed the gap assessment, fixed the processes, gathered the evidence, passed the audit, maintained the status quo, and moved on to the next framework.
Vitaly put it plainly during our conversation, remarking that, “compliance gives you a baseline…but it doesn’t actually have a notion of risk.”
I agreed. Compliance tells us whether we passed the test, but it doesn’t tell us whether we’re actually mitigating present risk, whether we’re actually “safe”, what our top three, five, or ten risks are, or how those risks will affect our business objectives and mission.
From my own experience leading our own internal IT, Security, GRC, and Business Applications and Systems at Drata, I see this healthy dialogue daily. Security teams will clamor, “We need to protect, defend, recover.” GRC teams will push, “We need to comply with existing and new frameworks, answer auditors, pass audits, manage risk registers, train control and risk owners.”
Those are all important, but my personal craving for intentionality in all things leads me to ask, often and deeply: “Why?”
The real answer behind everything we do on our security and GRC teams is to build and maintain the trust of customers.
Not just external customers—we also need to maintain and build the trust of our internal customers: our fellow team members, leaders, our executive team, our board, and our investors. All of them are a living ecosystem trusting us to tell the truth about our posture and to act with integrity.
Vitaly emphasized that trust starts with speaking the right language, saying “you have to quantify risk in terms the business can understand.” When GRC becomes risk-driven and business-aligned, it shifts from reactive box-ticking to strategic enablement with substantive context, reason, and backing.
Why Assurance Is Becoming the Core of Modern GRC
Vitaly highlighted something that nearly everyone in the room identified with when he said, “teams spend thousands of hours chasing evidence and screenshots. It’s incredibly inefficient.”
I’ve been there personally, starting a number of GRC and security programs from the ground up. We’ve all lived that reality, with our teams drowning in audits, attestation requests, and third-party security questionnaires, only to rinse and repeat six months to a year later. At scale, that doesn’t just create burnout; it delays deals and slows the business. Personally, life’s too short for these archaic methods to achieve the collective outcomes we are hoping for.
From the Drata side, we’ve seen firsthand how much this matters. Our platform has helped customers unlock material amounts of revenue simply by speeding up the trust building process. As Vitaly put it perfectly, “when go-to-market teams are ready to sign a contract and all that stands in the way is our ability to answer a questionnaire, we are literally impacting the company’s ability to grow.”
That’s when assurance becomes the anchor, then the enabler, and finally the fuel that maintains velocity. We see this when:
Monitoring becomes continuous—not annual
Evidence collection becomes automated—not manual
Control mappings become programmatically inferred and reused across many frameworks—not duplicated
Risk management becomes living and dynamic—not static and only once annually
Ultimately, all of these efforts lead us to gain the ability to answer the questions leadership really cares about:
How much risk do we actually carry today?
Where is that risk concentrated?
And what are we doing about it, right now?
As Vitaly said, “without the assurance piece, you can’t provide regular updates to the board on how much risk you carry and what you’re doing about it.”
In other words, continuous trust isn’t a buzzword, it’s a business necessity.
GRC Is Becoming an Engineering Discipline
One of the clearest and most exciting transformations happening right now is the rise of “GRC Engineering,” a crucial role on GRC teams needed to progress beyond the initial phases of a GRC journey.
Historically, GRC has been rooted in documentation like policies, spreadsheets, test plans, and one-off evidence collection of randomly selected samples. Vitaly, with his hardcore technology and engineering background, offered a perspective that hit at the heart of the matter: “Engineering teams are trained to automate themselves out of the job. That mindset is what GRC needs.”
He talked about how, at places like Google and Netflix, you simply can’t hire your way out of the problem. At that scale, you can’t throw more people at audits, questionnaires, and control testing. You have to build your way out of it.
We’re now watching organizations hire professionals with an application development background to stand up and lead their own GRC engineering efforts and teams responsible for:
Embedding controls directly into systems and workflows
Automating evidence collection
Managing integrations and data pipelines
Building custom control tests
Enabling live mappings across multiple frameworks
Operationalizing risk signals in near real time
I love this builder mindset. Our minds crave a good problem to solve. As I said on stage, “we’re never going to get bored when we think this way.” There’s always another layer to automate, another manual workflow to turn into a system, another painful process to optimize or retire. That mindset is at the heart of how Drata itself was founded: life was too short to keep doing compliance the old way.
Vitaly added that “we need to shift left in GRC, just like we shifted left in security. We never talk about it, but we should.” That’s exactly what’s happening: GRC is shifting left into product and engineering lifecycles, not just showing up at audit time.
AI Is Accelerating GRC Into Its Next Phase
Of course, we had to talk about AI!
As I joked on stage, one of my kids asks more questions than I am able to answer to his satisfaction, so I’ve moved to outsourcing this to Claude, ChatGPT, Gemini, and everything else now available at our fingertips! AI is no longer a niche topic; it has expanded to touch every part of our lives and businesses, and GRC is no exception.
Vitaly captured the dual nature of AI succinctly, stating that “AI helps us tremendously. Without it, we’re not going to be able to keep up or scale,” but then cautioned that “over-reliance on AI could get us in trouble. Some areas still require humans in the loop.”
He illustrated his point by using risk acceptance as an example. “Risk acceptance requires business context. AI isn’t quite there yet—that’s still on us,” he said.
I’ve seen both sides of this firsthand. At one point, I ran a SOC 2 report through a leading AI model and asked it to identify all the exceptions and management responses. It found three of the four exceptions.
I remember thinking: “You lazy AI model—there are four! I know there are four.”
Then I ran the same report through Drata’s own model, which we’d purpose-built for this use case. It found all four, correctly. The lesson wasn’t “AI is bad” or “AI is magic”—it was that context, training, and design matter. And that humans still need to review, validate, and guide.
Today, AI is already unlocking powerful capabilities such as:
Continuous monitoring to detect drift and misconfigurations
Automated evidence collection and mapping across frameworks
Scalable vendor risk management, including questionnaires and attestations
Governance of non-human identities, a rapidly growing attack surface
AI-augmented risk models that correlate signals across many systems
Vitaly highlighted the identity challenge in the agentic world. He said, “until recently, we mostly worried about human identities. In the agentic world, you’re going to have 10x, if not 50x, non-human identities per employee. Securing that space at scale is very challenging.”
I’m personally excited about what this means for things like VRM agents and quantified risk at scale. As I mentioned during our conversation, I can’t wait to use our own vendor risk management (VRM) agent as “Customer Zero” at Drata and offload the hundreds of third-party reviews every year to well-trained, accountable agents that can work continuously, not just when a human has time.
AI doesn’t replace practitioners. It frees us to focus on the parts only we can do: strategy, storytelling, leadership, and decision-making.
Continuous Trust and the Revenue Impact
One of the most tangible benefits of continuous trust is how it can be tied directly to revenue and partnerships.
We’ve both lived the reality of what I called the “revolving door of customer auditors”: the annual (or more frequent) assessment cycles, the last-minute questionnaires, and the time-sensitive security reviews that stand between your sales team and a signed contract.
Vitaly described it well, saying “when those questionnaires sit unanswered, we’re literally standing in the way of the business.”
I shared an example from just a few weeks before Drataverse: a sales team in Sydney needed a questionnaire completed urgently. Dinner was 30 minutes away. I ran the questionnaire through our AI-powered Q&A product, which answered the bulk of it in minutes. I reviewed and adjusted a handful of items, and we shipped it back before my wife noticed I was late to assist with preparing family dinner.
That kind of turnaround illustrates what continuous, AI-enabled assurance can unlock:
Faster sales cycles
Reduced friction for go-to-market teams
Better customer experience in due diligence
More time for practitioners to focus on meaningful risk work
It doesn’t mean abandoning traditional artifacts like trust centers, SOC reports, or audit evidence. It means meeting customers where they are, whether that’s an industry-standard report or a custom, AI-assisted questionnaire.
As Vitaly pointed out, today’s industry still leans on some outdated assumptions (like password rotation every 30 days being a “security control”). But the direction is clear: the market is clamoring for more continuous trust, and tools like Drata are helping define what that looks like in practice.
What Will GRC Look Like Three Years From Now?
Vitaly framed his future-state GRC vision with refreshing clarity. “We understand our top risks. We actively address them. And we’re non-blocking.”
If we zoom out, the trajectory is unmistakable:
Actionable, prioritized views of real risk
Frictionless controls embedded by design
Continuous assurance for customers and executives
AI agents augmenting evidence, VRM, control testing, and modeling
A culture where trust is treated as an organizational value
He said, “we never want to be the organization of ‘no.’ Secure by default, private by design—with as little friction as possible.” That north star is one every modern security leader should embrace.
The Human Core of GRC’s Future
Even as automation and AI reshape the discipline, GRC remains deeply human at its core. It requires judgment, business context, and the ability to translate technical signals into meaningful decisions.
As we wrapped, Vitaly offered advice that resonated across the room. “Be kind to yourself. We have a lot of responsibility and accountability. It’s a hard job—sometimes a lonely one.”
He reminded everyone that there’s a strong community of CISOs and practitioners out there, talking in Slack groups, at dinners, and in side conversations at events like Drataverse. That’s where people are candidly sharing what works and what doesn’t. “Don’t be afraid to ask questions,” he reminded us. “Don’t be afraid to reach out for help. We can learn a lot from each other.”
We closed with a laugh about how we both listen to podcasts at 2x–3x speed and tend to speak the same way on stage. Maybe that’s a sign of the pace our industry is moving at, and the speed with which AI will soon be working alongside us.
But beneath the humor lies a serious point. The expectations are rising. The landscape is shifting quickly, and we need to stay nimble and keep up.
Organizations that embrace continuous assurance, intelligent automation, and AI-driven GRC will define the new standard of trust.
This next chapter isn’t theoretical. It’s here. It’s accelerating. And those who step into it now will set the pace for where trust goes next.
About Vitaly Gudanets
Vitaly Gudanets is the Chief Information Security Officer at Anthropic and has over 30 years of experience across security engineering, privacy, governance, and large-scale risk management. His career includes leadership roles at global technology companies including Symantec, Zendesk, Google, and Netflix, where he built and led high-performing security organizations focused on automation, engineering excellence, and culture-driven security practices.
A lifelong martial arts practitioner and dedicated family man, Vitaly is known for his pragmatic, engineering-first perspective on modern GRC and his commitment to helping the industry navigate the rapid evolution of AI, continuous assurance, and intelligent security operations.