Key takeaways from the CERRIX panel discussion AI in GRC with Joachim Jonkers (Chief Product Officer, CERRIX), Dwayne Valkenburg (Co-founder, AuditAgent) and Jo Coutuer (Founder, 8weeks.co), moderated by Ruben Andeweg (Senior Risk Consultant, CERRIX).

AI is everywhere in the GRC conversation right now. Vendors promise autonomous agents, boards ask about adoption strategies, and risk teams wonder whether they are falling behind. But what actually works today, and what is still a promise?

In a recent CERRIX webinar, three practitioners who build and implement AI in risk and compliance every day cut through the noise. Their conclusion was practical: the value of AI in GRC does not come from the technology itself. It comes from how you organize its use, and from starting with the right problem.

This blog summarizes the discussion along the four levels of AI adoption that structured the session: Aware, Assisted, Applied and Autonomous.

First, a reality check: AI is not new to GRC

Jo Coutuer opened with a provocative point: AI has been embedded in GRC processes for years.

"AI is also machine learning: learning from structured data, looking for patterns and applying signals and alerts. I'm sure that most of the organizations present here actually have AI embedded in GRC processes already." Jo Coutuer, Founder, 8weeks.co

Machine learning models have long powered anti-money laundering and fraud detection in financial institutions. What is new is the latest wave of generative AI, which finally makes unstructured data workable.

"More traditional automation was really good at processing numbers and structured data, like spreadsheets or API formats. New forms of AI are much better at processing unstructured data: PDF documents, screenshots, all the things that are commonly used in organizations as evidence for control tests." Joachim Jonkers, Chief Product Officer, CERRIX

The panel also addressed a cultural barrier specific to the profession. Risk and audit professionals are trained to assess threats first, and that mindset can slow down adoption inside the very departments that oversee it.

"We have a certain type of glasses on, and those glasses are risk glasses. We see the entire world from a risk perspective, not so much from an opportunity perspective. A win for your department would be to just start trying and investigate what the opportunities are." Dwayne Valkenburg, Co-founder, AuditAgent

The irony, Jo added, is that using AI often reduces net risk: "There is a risk in the technology, but my business risk in total is going to decrease." A screening process that would otherwise be too tedious to perform thoroughly becomes feasible, and the business risk of skipping it disappears.

The four levels of AI adoption in GRC

The discussion was structured around a simple maturity model: four levels from first experiments to autonomous AI agents.

1. Aware: AI as a reading and writing aid
2. Assisted: AI structures and supports your daily workflow
3. Applied: AI is integrated with your actual data and systems
4. Autonomous: AI agents perform work end to end

One important nuance from the panel: this is not a ladder you are obliged to climb.

"I don't think it matters where you are on the ladder. There's value everywhere in these four areas. If you can do the right thing at the right level, you have a good strategy. You shouldn't get pushed into putting everything in level four, because not everything needs to be in level four." Jo Coutuer, Founder, 8weeks.co

A highly regulated insurer may deliberately stay at level two for certain processes while pushing level three in others. Think of it as a matrix rather than a race to the top.

A live poll during the webinar confirmed where most teams actually are: more than half of attendees placed themselves at level one, a quarter at level two, around ten percent at level three, and nobody at level four. If your team is still experimenting with chat-based tools, you are in the majority.

Level 1: Aware. From individual chatting to organized prompting

At the first level, AI is a tool you talk to. Drafting risk descriptions, summarizing documents, asking questions about uploaded files. No integration required.

The most valuable insight here was not about the technology but about organization. Jo shared a case of a company operating in a physical materials market that needs near-daily insight into price mechanisms, with very little structured data available. Instead of letting every employee chat with an AI tool individually, the company standardized the approach: one carefully designed prompt, combined with internet research, producing a weekly market trend report in a consistent format across the entire team.

"Honestly, which language model you use is not the most important thing. The important thing is that they organized it in the company in a standard way, and moved from individuals chatting with a chatbot to a uniform way of working. The big difference comes when you organize the use of technology, not when you just use technology." Jo Coutuer, Founder, 8weeks.co

His conclusion applies to every GRC team starting out. Individual chatting burns subscription and token costs without building anything durable. A shared, proven prompt becomes a company asset.

Level 2: Assisted. Consistency as the quiet superpower

Ten risk managers, ten different reports. Anyone who has consolidated risk reporting across departments knows the problem. At the assisted level, AI becomes a structural part of the workflow, and its biggest contribution is consistency.

"Part of it is having that consistency, and part of it is making sure certain standards are applied throughout the organization. If you use AI as a writing aid, it's much easier to enforce standards or get something in a format that matches with everything else in your organization." Joachim Jonkers, Chief Product Officer, CERRIX

The panel also highlighted a structural shift in who can automate. Because generative AI works through language rather than code, business departments can now prototype automations that previously required programmers from day one.

"It's usually people that are close to the real work who know which repetitive tasks need to be automated. With this technology, business departments take more of the value chain. And if they don't make the mistake of thinking they don't need IT, they can hand their work to IT, which can quickly turn it into a more efficient, secure AI automation." Jo Coutuer, Founder, 8weeks.co

The crucial caveat: this only works well when business and IT collaborate. Prototype in the business, then hand over to IT to make it secure, efficient and scalable.

Level 3: Applied. AI connected to your actual data and systems

At level three, AI is connected to your actual data and systems. It tests controls, maps regulations to your framework and queries your risk register directly.

Two use cases dominated the discussion.

Control testing at scale. The panel agreed that sampling-based control testing is living on borrowed time. AI models can analyze full populations rather than five percent samples. Dwayne described correlating an HR system with Active Directory to identify exactly how many offboardings happened too late, across the entire population. He also sketched the next step:

"The potential new way is entire population testing. You give a service account access to log on to a system and collect the evidence itself, with good guardrails, on a continuous basis. Large vendors are already investigating this. That's the step we're going towards: continuous monitoring." Dwayne Valkenburg, Co-founder, AuditAgent

Incident management as a calm copilot. Jo shared a real example. During a live security incident, his team handed their fifty-page playbook to an AI assistant and kept it updated all day. It walked them through each step, challenged their assessment when they were underestimating the severity, and produced the incident report at the end.

"It kept calm, like a calm scrum master: 'You first need to do this. Did you do that?' And it really pointed us to the seriousness of the incident where the human beings were underestimating it. We managed the incident better and ended up with better learnings, better documentation, better compliance, and less residual and regulatory risk. The technology was very simple and out of the box." Jo Coutuer, Founder, 8weeks.co

In conclusion of level 3, Joachim's advice for avoiding AI trap: start from the problem, not the technology.

"It's really important to start with: what is the problem I'm trying to solve, and what does it mean to have that problem solved? Does it mean fewer hours spent on this task? Does it mean better, higher-quality information? What does good look like? And then go back to the technology and figure out what is actually applicable." Joachim Jonkers, Chief Product Officer, CERRIX

Level 4: Autonomous. Agents act, but humans stay in the loop

At the highest level, AI agents perform work end to end: reading supplier reports, flagging deviations, updating your GRC system and assigning follow-up actions.

The panel offered a nuanced view on human oversight. The reflex answer is that everything AI produces must be reviewed. Reality is more differentiated.

"If you're in a bank running an anti-fraud system in your instant payments, you're not going to ask the second line to check every decision the algorithm makes. Not all AI is being double-checked, and not all AI should be double-checked. The AI Act mandates that for life-impacting decisions you need humans in the loop, but not everything is life-impacting. It's automation, so we will need to let it go sometimes, if we can accept the risk." Jo Coutuer, Founder, 8weeks.co

Perhaps the most reassuring observation: across the use cases the panelists have seen in the past eighteen months, AI is not reducing workforces.

"Almost every use case I've seen in the last eighteen months is not really reducing workforce. It is lifting the quality of the work and the process. The processes are getting better. The people are still there." Jo Coutuer, Founder, 8weeks.co

Teams offload repetitive tasks and spend their time on judgment, escalation and risk insight.

The bottom line: how to calculate ROI on AI in GRC

The ROI question has a surprisingly simple answer at the task level.

"If you have a task and can clearly calculate how many hours you save, you can put an ROI on it. A certain task saves you four hours: calculate the hourly rate times four, times the amount of activities you perform, against the prompting and license costs. Then you'll not be in that ninety-five percent of AI initiatives that keeps on failing. You have a clear purpose for what you're developing." Dwayne Valkenburg, Co-founder, AuditAgent

The panel's practical advice for getting started:

• Start where the administrative burden is highest. As Joachim put it: "Start with a process that is time-consuming but relatively easy to automate. Choose something that's valuable, but still something that's easy to achieve."
• Define what good looks like before you build. Fewer hours? Higher quality? Faster turnaround? The answer determines which type of AI, if any, fits the problem.
• Do not start alone. Once a solution is proven, share it with your team so everyone benefits from the same quality.
• Align with IT from the start. Prototype in the business, industrialize with IT, and involve the right stakeholders before scaling.

How CERRIX supports this journey

CERRIX already enables end-to-end integrations that automatically gather and upload control evidence from source systems, moving teams from sampling toward continuous monitoring. With the acquisition of Ruler, regulatory change management and compliance screening can be mapped directly onto your internal control framework, so AI can surface gaps the moment new regulation lands.

And in line with the panel's emphasis on trust, customers keep full control over how and where AI is applied. As Joachim noted during the Q&A: "For some use cases, you may not want to send certain information to an AI system. We want to give customers full control over how they use that functionality."

Want to discuss what AI adoption could look like for your risk team? Get in touch with our team or watch the full webinar recording.

Frequently asked questions

Is AI in GRC the same as automation? AI is a form of automation. The new generation extends automation to unstructured data such as documents, evidence files and free text. Often the smartest solution combines both: use AI to design or write traditional automation, which then runs faster and cheaper at scale.

Do we need to reach level four of AI adoption? No. There is value at every level, and the right level differs per process and per organization. Highly regulated processes may deliberately stay at lower levels while others advance.

Can AI replace sampling in control testing? Increasingly, yes. AI can analyze full populations rather than samples, and evidence collection can be automated through system integrations. Expert review remains essential where judgment and assurance are required.

Does AI in GRC require human review of every output? Not necessarily. The EU AI Act requires human oversight for decisions with significant impact on individuals. For high-volume, lower-stakes decisions, organizations can accept residual risk, as is already common practice in fraud and AML monitoring.

Where should a GRC team start with AI? Start with a high-burden, low-complexity task where hours saved are easy to measure. Standardize the approach across the team rather than letting everyone experiment individually, and involve IT early.

‍