Michael Rasmussen

Recently, I asked buyers to inspect the machinery. This week, I am asking vendors to open the hood. The conversation about AI in GRC has reached a turning point. The market has heard the vision. It has seen the demos. It has absorbed the language of orchestration, agentic intelligence, autonomous assurance, and dynamic decision support. The frameworks have been published. The white papers have circulated. The analyst briefings have been given. The conference keynotes have landed.

Last week I argued that much of what is being marketed as agentic AI in GRC is not actually agentic. The market response was interesting because very few people challenged the core premise. Most practitioners already sense that something is off. They sit through the demonstrations and hear the language. They watch the AI summarize documents, answer questions, generate narratives, and produce recommendations. Then they leave wondering whether they just witnessed the future of GRC or a very polished presentation wrapped around capabilities that have existed in various forms for years.

In my recent article, GRC Alchemy: Imagination, Knowledge, and the Future of GRC, I argued that many organizations have become trapped in the mechanics of governance, risk, and compliance while losing sight of the larger architectural and strategic purpose behind it all. The challenge is no longer simply collecting more data, automating more workflows, or building more dashboards. Most organizations already have more information than they know what to do with.

The response to my session at Icon 2026 reminded me of something I have seen many times in this field. Organizations are not struggling to agree with the argument for supplier risk management. They are struggling to act on it. In the latest piece on my website, We Are Measuring the Value of TPRM Wrong, I argued that the business case for supplier risk management has been framed too narrowly and too focused on workflow, controls, and compliance, and not nearly enough on avoided disruption, avoided loss, and the confidence to move through uncertainty.

In my most recent article on my site, I raised a concern that should not be easy to dismiss. The term “agentic AI” is being used far too loosely across the GRC market, often applied to capabilities that, while useful, fall well short of anything resembling true autonomy or orchestration.

There is a moment that repeats itself across countless science-fiction stories. A ship’s sensors detect something unusual. Signals arrive that do not quite align with expectations. Perhaps it is a gravitational anomaly, a sudden communications blackout, or an unexpected hostile vessel appearing where none should exist. The bridge crew does not simply stare at the blinking lights. They interpret them. The captain asks the science officer what the signals mean, the engineer considers how the ship might respond, and the tactical officer evaluates defensive posture. Information becomes interpretation, interpretation becomes decision, and decision becomes action . . . capability.

In one of the latest articles on my website, I argued that GRC platforms must re-architect around digital twins, knowledge models, and agentic intelligence if they intend to survive the coming decade. But there is a deeper implication that deserves equal attention.