As someone who has “grown up in the GRC space,” I’ve seen an incredible evolution in how organizations think about trust, assurance, and security. Fifteen, ten, even five years ago, the tools we used and the expectations placed on our teams looked dramatically different. At Drataverse New York, I had the opportunity to host a fireside chat with Max Anand, Global Head of Security Trust at Wiz.
Max is not only a standout practitioner, he’s an exceptional person who leads with curiosity, candor, and collaboration. Even in our prep calls, I found myself thinking, “not only is this one of the strongest GRC leaders I’ve met, he’s just an incredible human.”
We covered everything from AI to assurance to Beyoncé songs (there’s a title that defines each of the three phases of his team’s GRC program). Every part of the conversation reinforced how quickly our field is transforming, and I’m excited to share parts of it with you in this blog post.
Redefining GRC as a Foundation for Trust
When Max joined Wiz, he didn’t want to simply replicate a traditional GRC program. He explained that his goal from day one was to “not be rigid” in the way the program was designed and to “expand past just GRC” by integrating customer assurance, data governance, internal audit, and enterprise risk management into a unified trust function.
Max described Wiz’s trust ecosystem as having “three layers of trust: customers, auditors and regulators, and employees,” in that order of priority. That clarity influences everything from how they write policies to how they collaborate internally. And it’s one of the most mature approaches I’ve seen.
In contrast, many early-stage GRC program leaders fixate on the first mountain they have to climb (e.g., getting SOC 2). However, I’ve seen more leaders shift toward asking questions like “How do we understand the real risks of the organization? How do we become business advisors?”
Scaling Trust Inside a Hypergrowth Security Company
Wiz grew incredibly fast. When Max started, he was a team of one supporting under 500 employees. Since then, the company has skyrocketed, and he has scaled the trust program alongside it.
Max focuses heavily on partnership instead of enforcement. Instead of walking in with a prewritten policy and saying, “the auditors need this,” he sits with internal teams to understand auditor intent alongside operational realities, and then designs something that works for both sides. I told him this level of intentionality is one of the best ways to meet internal teams where they are and build sustainable, respected programs.
He also made a point that I think the entire room understood. He said that despite the emphasis industries place on SOC 2, “breaches still happen, even when companies have SOC 2.” I added that this is exactly why more practitioners are recognizing that compliance shouldn’t define their own standard or be the goal itself. Rather, it should be the minimum acceptable level of security or risk management. Compliance should be the floor, not the ceiling.
How Wiz and Drata Are Experimenting With AI
AI inevitably came up. I joked onstage that my 11-year-old asks me questions all day long that I don’t always have the answers to, and AI has quickly become a valuable assistant. At the same time, I told the audience I worry about the need for “humans in the loop” to make sure that the answers being shared are actually the right ones.
Max described two angles that Wiz is exploring in regard to AI: how to allow vendors to use it, and how Wiz is designing its own product to leverage AI responsibly. For their internal workflow, he said that SafeBase’s AI for questionnaire responses produced a “massive improvement in time to value” and that he prefers his team “spending time curating knowledge rather than rewriting answers.”
I’ve had my own version of that experience. I told the room about a recent evening when a questionnaire arrived from a teammate in Sydney right as I was heading to a family dinner. I mentioned that SafeBase AI covered almost everything, leaving me only 10–15% to adjust. That let me get the response back to them quickly and still get to dinner on time!
We also had a chuckle about AI hallucinations when I described testing a large model against a set of SOC 2 exceptions and it found only three of the four that were included. Max responded that this is why he still believes in “trust but verify”, even with AI.
Why Time to Value Matters More Than Ever
In many companies, GRC leaders spend a lot of time proving their impact through revenue influenced. But Wiz didn’t need that because security is a core part of their DNA. That freedom allowed Max to prioritize a different metric.
He organizes his program into three phases inspired by Beyoncé songs: Survivor, Formation, and To the Left (editor’s note: Irreplaceable on the B’Day album is the associated Beyoncé song title for the last one).
The first phase, Survivor, is based on the idea that “you’re surviving, you’re understanding. You need to really figure out what’s going on. The second phase is Formation, which is where you’re establishing good habits based off of what you’ve learned in the survivor phase,” Max said. “And the third one is ‘to the left’. Everything that you want to do is shifting to the left, and that is where you want to reduce that time to results.”
The idea is to move as much as possible leftward, reducing manual work continuously. He even quipped that he “never allows [his] team to believe they’re in phase three” because once they feel done, he pushes them back into improvement mode.
I loved this framing. I told him “Beyoncé is going to be living rent-free in my mind for the next six to twelve months because of this model.” It’s memorable as well as strategic.
Shifting From Static Compliance to Continuous Trust
Before platforms like Drata came about, Max, I, and many of you lived through that six-week pre-audit panic period. Some of my most stressful moments in past roles came from wondering if my team was truly ready prior to an upcoming audit. Max concurred and pointed out that “a SOC 2 can be a year old” by the time a customer reviews it, so it doesn’t necessarily reflect how a company operates in real time.
This is where continuous trust becomes transformative. Max described Wiz’s philosophy as moving from “prove it to me” to “see it for yourself,” which is only possible when real-time evidence, automation, and transparency are foundational—and we both believe that’s where the industry is already heading.
Preparing for Global Frameworks and Customer Expectations
As Wiz expanded globally, their frameworks and requirements multiplied. Max reported that in the past, mapping across frameworks was a manual comparison exercise, but now “AI can generate a full gap analysis in seconds.”
I still remember doing those manually and comparing ISO to SOC 2 line by line. The contrast between that tedium and today’s capabilities is incredible.
He also brought up how customers in highly regulated industries need to go beyond the standard frameworks. Max and his team work to understand why those questions matter, bringing customers into the room to reduce friction and increase shared understanding. For instance, if or when customers find something in an audit, it’s rarely with the goal of catching you in an error. Rather, it's usually to strengthen the entire chain, because organizations are only as strong as their weakest vendor.
This mindset of being collaborative as opposed to adversarial is essential to the next era of trust.
What High-Performing, AI-Powered GRC Will Look Like in Three Years
When I asked Max what success looks like three years from now, he said he would measure himself by three things:
How few people hours are wasted on repeatable tasks
How much time to value decreases
How much parity we get from AI agents
He added that we’re “just scratching the surface” of what AI will do for GRC, and I couldn’t agree more. Agents, automation, and retrieval-augmented workflows are all going to fundamentally reshape how teams operate.
Advice for GRC Leaders
To close things out, I asked Max for advice that he’d give to any leader building a GRC program.
He said to “know your data, know your processes, and trust them yourself first”, and to lead with transparency and vulnerability rather than fear. As leaders, we need to remember our roles carry a unique emotional weight. We’re trying our best to protect customers and the business, and trust really does feel like it’s earned in drips but lost in buckets.
Max also emphasized being obsessed with your customers, which I wholeheartedly believe in as well. When we treat our work not as audits and controls but as assurance-building, the entire organization benefits.
Want to see how Drata can benefit your organization? Schedule a demo and get started.
About Max Anand
Max Anand is the Global Head of Security Trust at Wiz, and builder of scalable, global trust programs across GRC, data governance, internal audit, and customer assurance. Father of two small children who pick out his daily sneaker rotation, he’s known for what he calls being a “phenomenally terrible teller of dad jokes.”