Reports

State of GRC in the Age of AI

New research from Drata and Wakefield on what 300 IT and security professionals expected from AI in governance, risk, and compliance — and what they actually got.

The tools arrived faster than the governance to manage them, the precision to trust them, or the accountability to own their failures.

What’s Inside

AI's promise was transformation. The delivery has been incremental. The distance between the two is where the market is now correcting.

This report traces three compounding failures behind the expectations gap and lays out what the organizations closing it are doing differently.

Download the report to learn:

  • The scale of the disappointment: 90% say at least some of their AI investments in GRC fell short, and 43% say the tools meant to simplify their work have made it harder.

  • The visibility problem: only 13% are fully confident they can see every AI tool their employees use, which leaves 87% not fully confident they can account for all of it — and 71% say AI has already led to a failed audit or a lapsed regulatory standard.

  • The shift from broad platforms to targeted agents, with 64% of buyers preferring targeted agentic systems (70% among risk-focused buyers), why 86% say too many GRC-focused AI tools are not enterprise-ready, and the three questions to ask every AI vendor.

Methodology

Conducted by Wakefield Research on behalf of Drata among 300 U.S. IT and security professionals at companies with 1,000 to 20,000 employees across a range of revenue sizes. Respondents spanned multiple verticals, including SaaS, FinTech, HealthTech, and Retail. Fielded March 12–27, 2026; margin of error ±5.7 percentage points.