Insights

The End of Point-in-Time Security

The most dangerous assumption in enterprise security is rarely the one anyone remembers making. It settles quietly into the organization, becoming less a decision than a background condition, until eventually everyone begins treating a moment in time as though it were a durable fact. A system was patched, a supplier was assessed, and an administrator's access was reviewed. The penetration test found nothing significant, and the audit closed without material findings. The evidence exists, neatly timestamped and carefully preserved, carrying all the reassuring weight that documentation has always carried. Then the environment changes around it, and almost never dramatically.

When Trade Changes Suppliers, Third-Party Risk Changes Too

A supplier that looked perfectly sensible in January can become a liability by April without having changed at all. The factory is the same, the quality standards are the same, and the people answering the phone are the same people they were a few months earlier. What changed happened somewhere else, perhaps in a government office thousands of miles away, perhaps in the latest round of trade negotiations, perhaps in a policy announcement that never mentioned the supplier by name. Yet procurement is suddenly looking elsewhere, finance is recalculating costs, and operations is asking how quickly production can move if it has to.

From Static Checklists to Decision Systems: How AI Is Changing Compliance Work

Compliance is becoming too dynamic, evidence-heavy, and operationally connected to cybersecurity to be managed as a static documentation exercise. The opportunity for AI is not to replace governance judgment, but to help organizations turn evidence into defensible decisions faster.

The Future of Agentic AI Depends on Context

Recently, I asked buyers to inspect the machinery. This week, I am asking vendors to open the hood. The conversation about AI in GRC has reached a turning point. The market has heard the vision. It has seen the demos. It has absorbed the language of orchestration, agentic intelligence, autonomous assurance, and dynamic decision support. The frameworks have been published. The white papers have circulated. The analyst briefings have been given. The conference keynotes have landed.

The UAE Governance Reset: How 2026’s Regulatory Cluster Is Forcing Boards to Prove Control Effectiveness

The simultaneous arrival of a new capital-market authority, a rewritten companies law, and stricter governance and audit rules is transforming UAE corporate governance from a compliance exercise into a demonstrable system of control.

Sustainability After Net Zero: The Rise of the Resilience Economy

There is a particular kind of language that survives long after the conditions that produced it have changed. It remains in annual reports, in strategy decks, in conference agendas and regulatory consultations, carrying forward assumptions that no longer quite fit the world it describes. Sustainability increasingly feels like one of those words. We still use it. We still build departments around it. We still publish targets beneath its banner.

Shadow AI's Greatest Risk May Be the One Organizations Can't See

Somewhere inside a government agency, a public institution, or a private company, an employee is almost certainly pasting information into an AI tool that nobody formally approved. The employee is probably not trying to circumvent policy. They are trying to get through their workday. A chatbot can summarize a report in seconds. A coding assistant can solve a technical problem faster than a colleague can respond to a message. An automated note-taking application can generate meeting minutes before participants have even left the call. The attraction is obvious. So is the speed with which these tools have spread through workplaces.