The Problem With GRC in 2026
Most risk managers spend the majority of their time on work that does not require their expertise.
Chasing evidence from the first line. Compiling reports manually. Following up on overdue actions. Reconstructing the same control documentation every audit cycle. According to research from Gartner, risk and compliance teams spend up to 40% of their time on manual data collection and reporting tasks, time that could be redirected to strategic risk analysis and stakeholder engagement.
This is not a people problem - it is a structural one. And the structure is reaching its limits.
This blog recaps the webinar On-demand: GRC in 2030. Why spreadsheets and periodic compliance won’t survive AI that Joachim Jonkers (CPO, CERRIX) shared last week.
Why the Traditional GRC Operating Model Is Failing
The GRC operating model that most organizations rely on today was designed for a slower, simpler environment. It was not designed for DORA, NIS2, the EU AI Act, or CSRD, each of which demands continuous oversight rather than annual attestation.
Four structural weaknesses define the current model:
- Periodic assessments. Risk is reviewed once or twice a year. Between those reviews, the organization is flying blind. A new threat that emerges in February may not be formally assessed until Q4. By then, the opportunity to act has passed.
- Manual evidence collection. Evidence is gathered by chasing colleagues, copying files between systems, and re-entering data that already exists in source systems. This is not just inefficient, it is also unreliable. Evidence submitted weeks after the fact is not evidence of control effectiveness. It is evidence of administrative compliance.
- Fragmented tooling. Excel registers, SharePoint folders, disconnected point solutions, email threads. No single source of truth. No real-time visibility. No way to identify patterns or anomalies across the full control environment.
- Accelerating regulation. The pace of new regulatory requirements across the EU has increased sharply since 2022. Financial institutions in particular are now managing obligations under DORA, NIS2, MiCA, CSRD, and the EU AI Act simultaneously, each with its own reporting timelines, evidence requirements, and control expectations.
The result is what Joachim Jonkers, Chief Product Officer at CERRIX, describes as a growing credibility gap: "The gap between what organizations are expected to demonstrate and what their current operating model can actually deliver keeps growing. Manual processes and siloed reporting are not just inefficient. They are structurally inadequate for the pace of modern risk and compliance."
What Is Intelligent GRC?
Intelligent GRC is the integration of automation and AI into governance, risk, and compliance processes to enable real-time risk monitoring, automated evidence collection, and predictive risk insights, replacing periodic, manual operating models with continuous, data-driven ones.
An intelligent GRC platform functions as an operating system for enterprise risk: a single source of truth that connects to source systems, ingests regulatory feeds, surfaces anomalies, and reduces the administrative burden on all three lines of defense.
The transition from traditional GRC to intelligent GRC involves three shifts:
The most practical way to understand AI's impact on GRC is by role. The changes look different, and arrive at different speeds, depending on where you sit in the three lines of defense.
First Line: From Risk Reporter to Risk Owner
Today, first-line professionals are asked to log incidents, upload evidence, execute controls, and document results. Each task pulls them away from their primary work. The follow-up burden falls on the second line. Incomplete submissions are the norm.
By 2030, that changes substantially.
The first line is not removed from the process. Their judgment still matters. But their role shifts from data entry and status reporting to validation and strategic input.
Second Line: From Data Collector to Strategic Advisor
The second-line risk manager sits between operational reality and board expectations. In most organizations, too much of their time is spent in between: chasing, compiling, consolidating, rather than advising.
Real-time risk scoring removes dependency on planned review cycles. AI-validated evidence collection removes the need to chase the first line. Anomaly detection catches weakening controls before periodic reviews would have surfaced them.
This frees second-line professionals for the work that actually requires their expertise: interpreting what risk data means for the organization's strategic goals, advising the board with confidence, and having honest conversations with business leaders about emerging threats.
Third Line: From Sampling to Continuous Assurance
Internal audit operates with significant constraints, with limited team size, broad scope, and a planning model often based on a fixed calendar rather than real-time risk signals.
The audit function's value is not in executing administrative processes. It is in providing independent assurance that the risk management framework is working. AI enables auditors to spend significantly more of their time on exactly that.
The Right Sequence: Automation First, AI Second
One of the most common mistakes organizations make when adopting AI in GRC is skipping the foundation.
AI does not create value in isolation. It creates value when it operates on top of structured, centralized, connected data. Feed incomplete or inconsistent data into an AI system and it will produce noise, not insight.
The foundation is automation and integration:
- Direct API connections with source systems so evidence flows automatically rather than manually
- Real-time data from operational systems, incident logs, and regulatory intelligence feeds
- A single platform connecting all three lines of defense rather than a collection of disconnected tools
Once that foundation is solid, AI becomes genuinely powerful. It can process control environment data at a scale no human team could match, generate forward-looking risk indicators before threats materialize, and reduce the cognitive load of routine analysis so professionals can focus on decisions that require judgment.
As Joachim Jonkers explains: "You can use AI without that automation layer in place, and there are still valid use cases. But the most valuable use cases, the ones that genuinely change what risk management can do, are built on deep integration and structured data."
Five Steps to Embed AI Into Your Risk Operating Model
Organizations that successfully transition to intelligent GRC follow a consistent sequence. These five steps reflect the practical experience of organizations that have already begun the transition:
1. Start where friction is highest. Evidence collection, report assembly, status chasing. These activities create the most visible frustration and consume the most time. Automating them delivers immediate, measurable value and builds organizational confidence in the broader transition.
2. Get your data house in order. Clean, structured, centralized risk data is the prerequisite for everything else. This step is often more organizational than technical. It requires agreement on taxonomy, ownership, and what a single source of truth actually looks like across lines of defense.
3. Clarify ownership before automating. Automation surfaces ambiguity efficiently. If it is not clear who owns a particular risk, control, or escalation path before you automate, that ambiguity becomes a visible operational problem. Resolve it first.
4. Think platform, not point solutions. Integrated risk management across all domains, one platform connecting all three lines of defense. That is what makes the data foundation possible. Disconnected tools cannot support connected intelligence.
5. Layer AI on top of structured data. Once the foundation is solid, introduce AI features progressively, starting with high-friction use cases that have clear measurable outcomes. If a use case is a nice-to-have rather than a genuine problem to solve, adoption will not sustain.
How CERRIX Approaches AI in GRC
CERRIX is building toward this vision of intelligent GRC through a combination of automation, AI-assisted workflows, and, following the acquisition of Ruler, integrated regulatory intelligence.
Current AI capabilities in CERRIX include AI-assisted risk and control description generation aligned to best-practice conventions, and AI-powered extraction of risks and controls from policy documents and regulatory frameworks. These features address the high-friction tasks that slow down risk cycles: initial risk identification, control documentation, and framework alignment.
The Ruler acquisition adds a regulatory intelligence layer: automated monitoring of regulatory bodies across the EU, with AI-powered gap analysis connecting new regulatory requirements directly to an organization's existing risks, controls, and policies. When a new regulatory alert is published by a financial authority, the system identifies which existing controls need updating, proposes new controls, and enables risk managers to act rather than discover.
CERRIX's AI development principles reflect a consistent position: AI should empower risk professionals, not replace them. Human sign-off remains central to every AI-assisted recommendation. Data security and regulatory compliance are built into every feature. And every capability is evaluated on the basis of real impact rather than technology novelty.
Watch the full webinar recording: GRC in 2030: Why spreadsheets and periodic compliance won't survive AI, presented by Joachim Jonkers, Chief Product Officer, CERRIX, April 2026.
Ready to see what intelligent GRC looks like in practice? Book a demo with CERRIX
Tags: AI in GRC, GRC 2030, intelligent GRC platform, three lines of defense, risk manager AI, GRC automation, DORA compliance, NIS2, EU AI Act, continuous control monitoring, risk operating model
How to implement ISMS with a GRC Platform | ISO 27001 in Practice
Accessible popup
Welcome to Finsweet's accessible modal component for Webflow Libraries. This modal uses custom code to open and close. It is accessible through custom attributes and custom JavaScript added in the embed block of the component. If you're interested in how this is built, check out the Attributes documentation page for this modal component.
What Does GRC Look Like in 2030?
By 2030, AI in GRC will automate evidence collection, control monitoring, and routine reporting across all three lines of defense, shifting risk managers from administrative work to strategic advisory roles
The Complete GRC Chain: Connecting Regulatory Change Management, Risk, and Controls in One Platform
The future of Governance, Risk & Compliance (GRC) lies in connecting regulatory change management directly to risks, controls, incidents, actions, and assurance activities in one integrated platform.
Embedding automation into your risk operating model: Where AI fits and how to make It work
This second part focuses on what makes that automated model intelligent. Where AI fits. What it means for risk professionals in practice.
From checkbox to continuous: How to embed automation into your risk operating model
What it means to truly embed automation into the risk operating model: what changes, what stays the same, and what it takes to make it work in practice.
.jpg)
Why CERRIX acquired Ruler, and what it means for the future of GRC
CERRIX acquires Ruler to connect regulatory change with risk management.
%20(1).png)
Why Data Quality Is the Foundation of AI and Automation in GRC
A strategic look at why structured data in a GRC tool is imperative for automation, AI enabled workflows, and real time risk insights.
.jpg)
Internal Control Framework Challenges: Why COSO and ISO 31000 Implementations Struggle in Practice
Why do internal control framework implementations (COSO, ISO 31000) struggle? Explore common challenges in process design, ownership, tooling, and governance
%20(3).jpg)
Control Assurance Explained: How Organizations Move from Control Testing to Continuous Monitoring
Discover how modern control assurance moves beyond periodic testing to continuous monitoring, with clear ownership, automation, and expert opinion.
Incident Management under DORA: What Risk and Compliance Leaders Need to Rethink
Incident Management under DORA: What Risk and Compliance Leaders Need to Rethink
.jpg)
How to Apply ISO 31000 Risk Treatment in Practice: Insights for Risk and Compliance Leaders
A practical recap of CERRIX ISO 31000 risk treatment webinar
%20(1).jpg)
How We Use CERRIX GRC to Manage Our ISMS: ISO 27001 in Practice
We use our own CERRIX GRC software to manage CERRIX’s ISMS, turning compliance into confidence and showing how ISO 27001 can become part of daily business practice.
.jpg)
Why the Three Lines of Defense Model Is Outdated? What Every Board Should Know About the Three Lines Model
Three Lines Model Explained: Why Boards Must Move Beyond 3LOD
.jpg)
What Is ISO 31000 and How Does It Work?
Discover what ISO 31000 is, how it works, and why it’s essential for risk management in 2025. Learn the principles, framework, and how tools like CERRIX help organizations turn ISO 31000 into practice.
.jpg)
How to Write an Incident Report That Stands Up to Audits
Learn how to write incident reports that are clear, evidence-backed, and audit-ready. Includes a template, best practices, and compliance alignment for risk professionals.
.jpg)
How to Implement ISO 31000: Real-Time Risk Decisions with AI‑Enabled Tools
Discover how to move beyond compliance and operationalize ISO 31000 using AI, real-time dashboards, and structured risk assessments. Learn from webinar insights and best practices tailored for financial services and regulated industries.
%20(1).jpg)
What’s Blocking Your ISMS Rollout? 7 Fixable Challenges for Financial Institutions
Discover the 7 biggest blockers in ISMS rollout for financial institutions—and how to solve them. Learn practical strategies to secure buy-in, define scope, streamline controls, and prepare for ISO 27001 certification.
.jpg)
Trends Driving ISMS Adoption in 2025: What Risk & Compliance Leaders Need to Know
Discover the top trends pushing organizations toward ISMS adoption in 2025—from regulatory changes and remote work to threat evolution and AI. Learn what to prioritize to stay ahead in risk and compliance.
%20(1).jpg)
What Is an ISMS? A Practical Guide for Risk & Compliance Leaders in 2025
An Information Security Management System (ISMS) is more than policy—it’s your organization’s shield against evolving threats, regulation, and reputation risk. Discover what ISMS means, how to implement it, and why it matters in 2025.
.jpg)
The Intelligent Future of GRC: How AI is Reshaping Governance, Risk & Compliance in 2025
Explore how AI is transforming GRC in 2025—from predictive insights and automation to ethical oversight. Learn what features matter, what risks to manage.
.jpg)
How Do You Implement an ISMS in Financial Services Without Slowing Down Innovation?
Implementing an ISMS in financial services? Explore a practical, risk-aligned roadmap tailored for banks, fintechs, and insurers to meet ISO 27001, GDPR, and DORA compliance—without compromising agility.
How Do You Build a Robust ISMS Framework Based on ISO 27001?
Learn how to build a robust ISMS framework aligned with ISO 27001. Discover the key components—people, policies, processes, and controls—to strengthen security and achieve compliance.
.jpg)
When to Conduct Risk Assessments: 6 Enterprise-Critical Moments
Learn when to conduct risk assessments—annual, quarterly, after incidents or change—and how CERRIX ensures continuous compliance.
.jpg)
How do you build a system of quality management that works under ISQM 1?
Learn how to build a system of quality management under ISQM 1. Move beyond compliance to an operational model that proves audit quality.
Top GRC Platforms Compared: Risk Assessment Tools for 2025
Discover the top GRC platforms for 2025 with a focus on risk assessment tools.
What Are Risk Scoring Methods for Financial Institutions? [2025 Guide]
From Risk Assessment to Risk Management: Moving Beyond Checklists in 2025
Understand the evolution from risk assessment to strategic risk management in 2025. Learn why leading organizations are embedding risk into decision-making—and how GRC platforms like CERRIX support this shift.
What is risk management? A strategic guide for leaders in 2025
How Audit Firms Embed ISQM into Daily Practice
In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.
.jpg)
What is the maximum fine for GDPR violations?
Discover the maximum fine for GDPR violations: €20 million or 4% of global turnover. Learn the two-tier penalty system, notable examples, and how to prevent costly data protection breaches.
How do you conduct a GDPR compliance assessment?
Learn how to conduct a GDPR compliance assessment with our step-by-step guide covering data mapping, documentation requirements, and 6 common gaps organizations discover. Reduce risks and ensure compliance.
What are the main requirements of GDPR?
Discover the 7 essential GDPR requirements every organization must follow. Learn about data protection principles, individual rights, breach handling, and practical compliance strategies in this comprehensive guide.
%20(2).jpg)
How often should you review third party risks?
Discover how often to review third party risks with our tiered approach: quarterly for high-risk vendors, semi-annually for medium, and annually for low-risk partnerships.
What should be included in a vendor due diligence process?
Discover what a comprehensive vendor due diligence process should include: financial stability assessment, security controls, compliance verification, risk evaluation criteria, and ongoing monitoring frameworks.
How do you assess vendor risk?
Learn how to implement vendor risk assessment in 5 clear steps. Discover essential strategies to protect your organization from third-party threats and ensure regulatory compliance.
What are the main types of supplier risks?
Discover the 5 critical types of supplier risks that threaten your business continuity. Learn effective strategies to identify, assess, and mitigate these vulnerabilities before they impact your operations.
What is a compliance risk assessment?
Discover how to conduct an effective compliance risk assessment to identify regulatory risks, prevent violations, and transform compliance challenges into strategic business advantages.
How do you report compliance violations?
Learn how to report compliance violations effectively through proper channels while protecting your identity. Discover documentation requirements, whistleblower protections, and what happens after you submit a report.
How do you calculate risk probability and impact?
Learn how to calculate risk probability and impact using proven methods. Transform uncertainty into measurable risks for better decision-making and strategic resource allocation.
What is third party risk management?
Learn what third party risk management is, how it protects your organization from external threats, and the steps to implement an effective TPRM program to ensure compliance and security.
What are the benefits of risk management for businesses?
Discover how risk management benefits businesses by protecting financial health, improving decision-making, ensuring compliance, and creating competitive advantages that transform threats into opportunities.
What is a risk register and how do you create one?
Wondering what a risk register is? Learn how to create this essential tool to identify, assess, and manage organizational risks effectively and boost compliance.
How often do ISO certifications need to be renewed?
Wondering about ISO certification renewal? Understand the three-year cycle, annual surveillance audits, and preparation strategies to maintain compliance seamlessly.
What documents are required for ISO 27001 implementation?
Discover the mandatory and recommended documents required for successful ISO 27001 implementation. Learn how to organize, create and maintain effective ISMS documentation that satisfies auditors and enhances security.
Do I need a consultant for ISO certification?
Wondering if you need a consultant for ISO certification? Discover key factors to make the right decision for your organization based on expertise, resources, and certification complexity.
What industries benefit most from ISO certification?
Discover which industries gain the most value from ISO certification. Financial services, technology, healthcare, and manufacturing organizations see superior ROI while enhancing compliance and competitive advantage.
Can a company lose its ISO certification?
Can a company lose its ISO certification? Discover the 8 common reasons, consequences, and prevention strategies to protect your business reputation and investment.
How long does it take to get ISO 9001 certified?
Discover how long ISO 9001 certification takes, from 4-12 months depending on your organization's size and complexity. Learn the key phases, challenges, and ways to accelerate your quality management journey.
What is ISO 27001 and why is it important for businesses?
Discover how ISO 27001 certification protects your business data, builds customer trust, and ensures regulatory compliance in today's high-risk digital landscape. A complete implementation guide.
From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management
What to know about GRC software for nis2
Explore how GRC software helps businesses comply with the NIS2 Directive, enhancing cybersecurity and risk management.
Can automation reduce compliance costs?
Explore how automation can reduce compliance costs, enhancing efficiency and ensuring regulatory adherence.
What industries benefit from compliance automation?
Discover which 6 industries benefit most from compliance automation and how it transforms regulatory burdens into strategic advantages through risk reduction and operational efficiency.
How automation streamlines compliance processes
Discover how compliance process automation reduces costs by 40-60% while minimizing errors and risks. Transform manual workflows into strategic advantages for your organization.
Is cybersecurity compliance automation secure?
Discover if cybersecurity compliance automation strengthens or risks your security posture. Learn implementation best practices that enhance protection while simplifying regulatory management.
Does automation reduce compliance risks?
Explore how automation impacts compliance risks, its benefits, limitations, and integration strategies.
Key sectors affected by NIS2 compliance
Explore the impact of NIS2 compliance on key sectors like energy and healthcare, enhancing cybersecurity and data protection.
Are automated compliance tools reliable?
Exploring the reliability of automated compliance tools and their role in cybersecurity.
%20(1)%20(2).jpg)
DORA compliance checklist for beginners
An essential guide for beginners to understand and implement DORA compliance effectively.
Key benefits of adhering to DORA compliance
Explore the key benefits of DORA compliance, enhancing security, efficiency, and regulatory adherence.
NIS2 compliance: top strategies for success
Explore effective strategies for NIS2 compliance to enhance cybersecurity and regulatory adherence.
EU AI Act vs. GDPR: what's the difference?
Explore the key differences and overlaps between the EU AI Act and GDPR, focusing on regulation, impact, and compliance.
Can GRC tools predict compliance risks?
Exploring if GRC tools can predict compliance risks and their role in risk management.
Can a GRC tool adapt to regulatory changes?
Explore if GRC tools can adapt to regulatory changes, covering compliance management and risk assessment.
How does AI governance impact compliance?
Explore the impact of AI governance on compliance, focusing on regulation, ethics, and risk management.
.jpg)
How to prepare for the EU AI Act implementation?
Learn how to prepare for the EU AI Act implementation with practical steps for compliance.
Is your business ready for the EU AI Act?
Explore readiness for the EU AI Act with insights on compliance, challenges, and strategic planning for businesses.
.png)
How does DORA compliance impact financial sectors?
Discover how DORA compliance strengthens financial sectors, enhancing risk management, digital resilience, and regulatory standards.
.jpg)
What is DORA compliance and why does it matter?
Explore DORA compliance, its significance in financial services, and strategies for effective implementation.
DORA compliance vs other regulatory standards
Explore the differences between DORA compliance and other regulatory standards, focusing on financial regulations and cybersecurity.
Can automation improve DORA compliance efforts?
Explore how automation can enhance DORA compliance efforts by streamlining processes and ensuring ongoing monitoring.
How to integrate GRC with existing systems?
Integrating GRC with existing systems enhances compliance, risk management, and efficiency.
Can settlement discipline improve market stability?
Exploring how settlement discipline can enhance market stability, focusing on its benefits and challenges.
Why real-time analytics in GRC are vital
Real-time analytics in GRC is crucial for proactive risk management and continuous compliance monitoring.
Top 10 Features Every GRC Tool Should Have in 2025
Explore essential GRC tool features like integration, risk management, compliance, governance, and customization.
How to prepare your business for CSDR compliance?
Guide to preparing your business for CSDR compliance, covering key strategies, challenges, and technology solutions.
Embedding ISQM 1 into the DNA of Your Audit Firm: A Risk-Based Approach to Quality Management
Discover how to implement ISQM 1 with a risk-based approach. Learn how audit firms can embed quality management into daily operations and governance.
%20(1).avif)
CERRIX User Conference 2025
On March 12, 2025, industry leaders, assurance experts, and CERRIX customers came together for the CERRIX User Conference 2025—a day of knowledge-sharing, insightful discussions, and collaboration on the future of risk management, compliance, and AI-driven GRC solutions.
From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management
CERRIX and BR1GHT Strengthen Long-term Partnership to Enhance Governance, Risk, Compliance and Audit Solutions
Implementing DORA: From Compliance to Long-Term Resilience
