The Problem With GRC in 2026

Most risk managers spend the majority of their time on work that does not require their expertise.

Chasing evidence from the first line. Compiling reports manually. Following up on overdue actions. Reconstructing the same control documentation every audit cycle. According to research from Gartner, risk and compliance teams spend up to 40% of their time on manual data collection and reporting tasks, time that could be redirected to strategic risk analysis and stakeholder engagement.

This is not a people problem - it is a structural one. And the structure is reaching its limits.

This blog recaps the webinar On-demand: GRC in 2030. Why spreadsheets and periodic compliance won’t survive AI that Joachim Jonkers (CPO, CERRIX) shared last week.

Why the Traditional GRC Operating Model Is Failing

The GRC operating model that most organizations rely on today was designed for a slower, simpler environment. It was not designed for DORA, NIS2, the EU AI Act, or CSRD, each of which demands continuous oversight rather than annual attestation.

Four structural weaknesses define the current model:

- Periodic assessments. Risk is reviewed once or twice a year. Between those reviews, the organization is flying blind. A new threat that emerges in February may not be formally assessed until Q4. By then, the opportunity to act has passed.

- Manual evidence collection. Evidence is gathered by chasing colleagues, copying files between systems, and re-entering data that already exists in source systems. This is not just inefficient, it is also unreliable. Evidence submitted weeks after the fact is not evidence of control effectiveness. It is evidence of administrative compliance.

- Fragmented tooling. Excel registers, SharePoint folders, disconnected point solutions, email threads. No single source of truth. No real-time visibility. No way to identify patterns or anomalies across the full control environment.

- Accelerating regulation. The pace of new regulatory requirements across the EU has increased sharply since 2022. Financial institutions in particular are now managing obligations under DORA, NIS2, MiCA, CSRD, and the EU AI Act simultaneously, each with its own reporting timelines, evidence requirements, and control expectations.

The result is what Joachim Jonkers, Chief Product Officer at CERRIX, describes as a growing credibility gap: "The gap between what organizations are expected to demonstrate and what their current operating model can actually deliver keeps growing. Manual processes and siloed reporting are not just inefficient. They are structurally inadequate for the pace of modern risk and compliance."

What Is Intelligent GRC?

Intelligent GRC is the integration of automation and AI into governance, risk, and compliance processes to enable real-time risk monitoring, automated evidence collection, and predictive risk insights, replacing periodic, manual operating models with continuous, data-driven ones.

An intelligent GRC platform functions as an operating system for enterprise risk: a single source of truth that connects to source systems, ingests regulatory feeds, surfaces anomalies, and reduces the administrative burden on all three lines of defense.

The transition from traditional GRC to intelligent GRC involves three shifts:

The most practical way to understand AI's impact on GRC is by role. The changes look different, and arrive at different speeds, depending on where you sit in the three lines of defense.

First Line: From Risk Reporter to Risk Owner

Today, first-line professionals are asked to log incidents, upload evidence, execute controls, and document results. Each task pulls them away from their primary work. The follow-up burden falls on the second line. Incomplete submissions are the norm.

By 2030, that changes substantially.

The first line is not removed from the process. Their judgment still matters. But their role shifts from data entry and status reporting to validation and strategic input.

Second Line: From Data Collector to Strategic Advisor

The second-line risk manager sits between operational reality and board expectations. In most organizations, too much of their time is spent in between: chasing, compiling, consolidating, rather than advising.

Real-time risk scoring removes dependency on planned review cycles. AI-validated evidence collection removes the need to chase the first line. Anomaly detection catches weakening controls before periodic reviews would have surfaced them.

This frees second-line professionals for the work that actually requires their expertise: interpreting what risk data means for the organization's strategic goals, advising the board with confidence, and having honest conversations with business leaders about emerging threats.

Third Line: From Sampling to Continuous Assurance

Internal audit operates with significant constraints, with limited team size, broad scope, and a planning model often based on a fixed calendar rather than real-time risk signals.

The audit function's value is not in executing administrative processes. It is in providing independent assurance that the risk management framework is working. AI enables auditors to spend significantly more of their time on exactly that.

The Right Sequence: Automation First, AI Second

One of the most common mistakes organizations make when adopting AI in GRC is skipping the foundation.

AI does not create value in isolation. It creates value when it operates on top of structured, centralized, connected data. Feed incomplete or inconsistent data into an AI system and it will produce noise, not insight.

The foundation is automation and integration:

• Direct API connections with source systems so evidence flows automatically rather than manually
• Real-time data from operational systems, incident logs, and regulatory intelligence feeds
• A single platform connecting all three lines of defense rather than a collection of disconnected tools

Once that foundation is solid, AI becomes genuinely powerful. It can process control environment data at a scale no human team could match, generate forward-looking risk indicators before threats materialize, and reduce the cognitive load of routine analysis so professionals can focus on decisions that require judgment.

As Joachim Jonkers explains: "You can use AI without that automation layer in place, and there are still valid use cases. But the most valuable use cases, the ones that genuinely change what risk management can do, are built on deep integration and structured data."

Five Steps to Embed AI Into Your Risk Operating Model

Organizations that successfully transition to intelligent GRC follow a consistent sequence. These five steps reflect the practical experience of organizations that have already begun the transition:

1. Start where friction is highest. Evidence collection, report assembly, status chasing. These activities create the most visible frustration and consume the most time. Automating them delivers immediate, measurable value and builds organizational confidence in the broader transition.

2. Get your data house in order. Clean, structured, centralized risk data is the prerequisite for everything else. This step is often more organizational than technical. It requires agreement on taxonomy, ownership, and what a single source of truth actually looks like across lines of defense.

3. Clarify ownership before automating. Automation surfaces ambiguity efficiently. If it is not clear who owns a particular risk, control, or escalation path before you automate, that ambiguity becomes a visible operational problem. Resolve it first.

4. Think platform, not point solutions. Integrated risk management across all domains, one platform connecting all three lines of defense. That is what makes the data foundation possible. Disconnected tools cannot support connected intelligence.

5. Layer AI on top of structured data. Once the foundation is solid, introduce AI features progressively, starting with high-friction use cases that have clear measurable outcomes. If a use case is a nice-to-have rather than a genuine problem to solve, adoption will not sustain.

How CERRIX Approaches AI in GRC

CERRIX is building toward this vision of intelligent GRC through a combination of automation, AI-assisted workflows, and, following the acquisition of Ruler, integrated regulatory intelligence.

Current AI capabilities in CERRIX include AI-assisted risk and control description generation aligned to best-practice conventions, and AI-powered extraction of risks and controls from policy documents and regulatory frameworks. These features address the high-friction tasks that slow down risk cycles: initial risk identification, control documentation, and framework alignment.

The Ruler acquisition adds a regulatory intelligence layer: automated monitoring of regulatory bodies across the EU, with AI-powered gap analysis connecting new regulatory requirements directly to an organization's existing risks, controls, and policies. When a new regulatory alert is published by a financial authority, the system identifies which existing controls need updating, proposes new controls, and enables risk managers to act rather than discover.

CERRIX's AI development principles reflect a consistent position: AI should empower risk professionals, not replace them. Human sign-off remains central to every AI-assisted recommendation. Data security and regulatory compliance are built into every feature. And every capability is evaluated on the basis of real impact rather than technology novelty.

Watch the full webinar recording: GRC in 2030: Why spreadsheets and periodic compliance won't survive AI, presented by Joachim Jonkers, Chief Product Officer, CERRIX, April 2026.

Ready to see what intelligent GRC looks like in practice? Book a demo with CERRIX

Tags: AI in GRC, GRC 2030, intelligent GRC platform, three lines of defense, risk manager AI, GRC automation, DORA compliance, NIS2, EU AI Act, continuous control monitoring, risk operating model

‍