Insights

The Next Competitive Advantage in GRC Is No Longer Software

For much of the past twenty-five years, the GRC technology market rewarded providers for building broader platforms. New modules became competitive advantages. More configurable workflows became competitive advantages. Larger control libraries, deeper reporting, additional dashboards, more sophisticated risk quantification, and expanded third-party capabilities, with every release cycle promising another collection of features designed to distinguish one platform from another. Buyers responded in kind, and procurement teams assembled exhaustive requirements, while consultants developed detailed evaluation methodologies. Analysts compared products capability by capability until selection often resembled an exercise in accounting rather than strategy.

How AI Is Changing Internal Audit Before It Changes AI Governance

The first time artificial intelligence changes an audit function, it probably won't be because an auditor is reviewing an AI governance framework. It will be because someone quietly asks a large language model to summarize a hundred-page policy, compare two years of control testing, identify unusual journal entries, or draft the first version of an audit report.

Why Risk & Internal Audit Aren't Focused on What Matters Most

In a recent LinkedIn post, I posed what I believe is one of the most important questions facing the risk management and internal audit professions today. If risk is defined in ISO 31000 as "the effect of uncertainty on objectives," why don't both professions begin with an organization's Mission Critical Objectives? It seems like an obvious place to start. Yet in most organizations, it isn't.

When Brands Go Quiet: The Fragility of Consumer Loyalty

For the past decade, many major brands experimented with political voice as a growth strategy. They spoke on social justice, democracy, climate, privacy, labor, and civil rights not as side commentary, but as identity. Consumers were encouraged to see purchases as moral alignment. Then something shifted. Some of those same brands have become quieter, more cautious, or selectively neutral. To consumers, that silence is not invisible. When a brand that once framed itself as values-driven retreats from political expression, the market interprets it as a renegotiation of trust. 

The End of Point-in-Time Security

The most dangerous assumption in enterprise security is rarely the one anyone remembers making. It settles quietly into the organization, becoming less a decision than a background condition, until eventually everyone begins treating a moment in time as though it were a durable fact. A system was patched, supplier was assessed, and administrator's access was reviewed. The penetration test found nothing significant and the audit closed without material findings. The evidence exists, neatly timestamped and carefully preserved, carrying all the reassuring weight that documentation has always carried. Then the environment changes around it and almost never dramatically.

When Trade Changes Suppliers, Third-Party Risk Changes Too

A supplier that looked perfectly sensible in January can become a liability by April without having changed at all. The factory is the same, the quality standards are the same, and the people answering the phone are the same people they were a few months earlier. What changed happened somewhere else, perhaps in a government office thousands of miles away, perhaps in the latest round of trade negotiations, perhaps in a policy announcement that never mentioned the supplier by name. Yet procurement is suddenly looking elsewhere, finance is recalculating costs, and operations is asking how quickly production can move if it has to.

From Static Checklists to Decision Systems: How AI Is Changing Compliance Work

Compliance is becoming too dynamic, evidence-heavy, and operationally connected to cybersecurity to be managed as a static documentation exercise. The opportunity for AI is not to replace governance judgment, but to help organizations turn evidence into defensible decisions faster.