The Drata podcast, When Trust Meets AI, is based on a simple premise. GRC is being rewritten in real time, and the people doing the rewriting deserve a microphone.
Across the first six episodes, Drata CEO Adam Markowitz sat down with CISOs, GRC heads, and cyber risk leaders to pressure-test what trust actually means when AI is shipping faster than policy, when deepfakes can pass a video interview, and when a single unreviewed AI feature can quietly reshape a vendor’s risk profile overnight. They covered why the old playbook of annual audits, static policies, point-in-time SOC 2 letters, and GRC as the “Department of No” simply doesn’t hold anymore.
Too long, didn’t listen? Here’s a recap of each episode, with the takeaways security and GRC leaders can actually use.
Episode 1: The AI Playbook You Need with Tolga Erbay, Head of GRC at Dropbox
Tolga Erbay opened the series with a direct claim: it is possible to build trust in the age of AI without slowing the business down. Adam and Tolga walked through the real state of AI governance frameworks, covering where they help, where they fall short, and why a SOC 2 report on its own no longer carries the weight it used to with enterprise buyers.
The standout part of the conversation is on metrics. Tolga makes the case for measuring trust the way the rest of the business measures performance, with indicators like trust-influenced ARR, deal cycle time, and the share of security reviews that close without escalation. When GRC leaders can show security and compliance driving revenue rather than absorbing cost, the conversation with the CFO and the CEO changes. So does the budget.
For anyone caught between “move fast” and “stay safe,” this episode is the starting point. It’s also a clear-eyed look at third-party AI risk: how vendors are quietly embedding AI features into existing contracts, and what GRC teams need to do to keep pace.
Episode 2: The $10M Question Every CEO Should Ask Their CISO About AI with Saeed Elahi, Cyber Risk and Assurance Leader at Tenable
If episode one set the framing, Saeed Elahi’s episode set the tone. Saeed argues that trust has become the unit of measurement for due diligence in a connected world. And that nothing in the AI era comes for free, especially not trust.
The core framework here is a three-dimensional view of AI risk. Every AI tool an enterprise considers should be evaluated across the data it touches, the decisions it influences, and the dependencies it introduces. Treating those dimensions as separate questions rather than collapsing them into a single vendor security questionnaire is what separates assurance from theater.
Saeed also gets practical on agent deployment at enterprise scale. The lesson: agents that operate without continuous trust signals are a liability waiting to surface. Agents that operate with continuous monitoring, clear boundaries, and human oversight become a force multiplier. The $10M question, in other words, is whether you can prove what your AI is doing right now.
Episode 3: Switch from the “Department of No” to the “Department of Know” with Ty Sbano, CISO at Webflow
Ty Sbano opened his episode with a question worth sitting with: what even is trust? From there, he and Adam built out a working definition of an ideal modern security program and how it has to evolve in an AI-driven world.
Two ideas anchor the conversation. First, continuous compliance matters more than point-in-time reports. A SOC 2 letter dated nine months ago tells a buyer almost nothing about what’s true today. Continuous control monitoring, real-time evidence, and always-current assurance are the new baseline.
Second, the language change matters. “Department of No” is a posture. “Department of Know” is a function. The shift is from gatekeeping to enablement: giving the business the information it needs to make good decisions quickly, rather than blocking decisions until risk is theoretically zero. Ty also gets into vendor risk in a post–SOC 2 world, building AI-ready security programs, and how to augment a small team with automation without losing the fundamentals.
Episode 4: Deepfakes, AI Governance, and the Rise of the GRC Engineer with Mike Britton, CIO at Abnormal AI
Mike Britton’s episode is the one to send to anyone who still thinks AI governance is a problem for next quarter. Trust is the currency of modern security, and AI is stress-testing it in ways most programs weren’t designed to handle.
Three things stand out. First, deepfakes are operational now. Video and voice impersonation are part of the social engineering toolkit and traditional identity verification controls weren’t built for that threat model. Second, SaaS vendors are shipping AI features overnight, sometimes without notifying customers, which means governance has to move at the speed of product rather than the speed of the annual review cycle. Third, lightweight governance can still enforce real controls if it’s designed correctly.
Mike also shares how Abnormal AI is becoming AI-native internally without touching customer data, why they built dedicated AI transformation pods, and what it looks like to operationalize the role of a “GRC engineer”: someone who writes controls, monitors them, and tunes them the way a software engineer ships code.
Episode 5: Your AI Policy Might Be Putting Your Company at Risk with Courtney Hans, VP of Cyber Services at ANV
Courtney Hans makes one of the sharpest points of the series thus far: deploying AI without intentional safeguards is like deploying any new technology without brakes. The instinct to delay an AI policy until things settle down is, in her framing, the actual risk.
The conversation is built around translation. Security risk doesn’t move a board meeting. Business impact does. Courtney walks through how to express AI risk in terms executives already track: revenue exposure, contract delays, regulatory penalty ranges, time-to-remediation. That translation is the skill that gets security leaders heard.
The other thread is organizational alignment. The best AI policy in the world fails if engineering, sales, marketing, and legal each interpret it differently. Getting the whole company on the same page through clear ownership, training, and continuously enforced control is the work. “Trust but verify” still applies, though it looks completely different when the thing being verified is making decisions on its own.
Episode 6: The Death of Traditional GRC: Navigating the AI Revolution with Olivia Rose, CISO and Founder of Williams Rose AI Cyber Advisory
Olivia Rose made perhaps the most pointed argument of the podcast’s initial episode run: there’s no place left to hide from AI, and pretending otherwise is actively harmful to a security program.
The traditional GRC team that’s built around annual cycles, manual evidence, and a posture of restriction no longer exists (or at least it shouldn’t). The security leaders winning today are the ones positioning their teams as drivers of business value, not blockers of it. Olivia walks through what that repositioning looks like in practice, both for the program and for the individual security leader’s career.
She also gets personal. Trust is shifting at the organizational level, but it’s shifting at the personal level too—how teams trust each other, how leaders trust their tools, and how customers trust the businesses they work with. The episode is a clear call to action: embrace AI now, or accept obsolescence. There is no third option.
A Common Thread: Trust Is Now a Continuous State
Across all six conversations, the same conclusion surfaces: trust is now a continuous operating state. The teams treating it that way are the ones moving faster, closing deals sooner, and giving their boards fewer reasons to worry.
That’s the gap the Drata Agentic Trust Management Platform was built to close. It keeps trust continuously ready by automating governance, unifying internal and third-party risk, monitoring compliance in real time, and turning assurance into something teams share by default. Less drift. Fewer fire drills. Trust that’s ready when it matters.
Catch Up: Listen to Every Episode
When Trust Meets AI is available on Spotify, Apple Podcasts, and YouTube. Subscribe now so you don’t miss an episode.