With that, we want to thank you for encouraging us to keep this series going. We’ll be back for season 2 soon, and are taking in new pitches for episodes now. To wrap the year, we conducted a AMA on the current state of GRC. We pulled questions from Reddit and LinkedIn and tackled them live in conversation.

What we covered

Are we “anti–GRC automation tools”?

Short answer: no. Long answer: automation isn’t the problem. It’s misuse, blind trust, and compromised audit integrity are.

Cheap SOC 2s and bundled audits

Why budget startups often don’t have a real incentive to avoid low-cost, bundled auditors, and what you give up when you go that route.

SOC 2 pentesting vs PCI DSS

Why SOC 2 allows weak or missing pentests, why PCI doesn’t, and how automated scans differ from real manual testing.

Conflicts of interest in the GRC ecosystem

Platforms, auditors, and vCISOs all partner, so where does objectivity break down, and is it even possible to keep it clean?

Who’s really at fault: tools or auditors?

A blunt discussion on incentives, accountability, and why low-quality audits keep winning.

Offshoring and the race to the bottom

When cost-cutting leads to offshoring, what should clients actually be worried about and what’s just noise.

The future of audits and AI

Will AI replace auditors? Where automation helps, where humans still matter, and what happens if we stop caring about independent assurance altogether.

Hosted on Acast. See acast.com/privacy for more information.

With Troy actively auditing today and Kendra working with auditors in real time, the team breaks down where rigor actually shows up, where the system is broken, and why SOC 2’s value is slipping as fast as demand for speed is rising.

03:00 – “Quality theater” and firms self-labeling as high quality

04:10 – Who defines quality—auditors or customers?

05:00 – The four-hour SOC 2 audit example

06:00 – The danger of “better than the worst” logic

07:00 – What thorough auditing actually looks like (Kendra’s experience)

09:30 – SOC 2 inconsistency across auditors and firms

11:00 – Should audit firms be objectively measured?

15:00 – Kendra’s “secret shopper auditor” idea

19:20 – Automation platforms producing shallow “green checkmark” results

22:00 – Drive-by auditors rubber-stamping automated data

26:00 – Peer review and “enhanced oversight” gaps

33:00 – Why the industry isn’t incentivized to fix the quality problem

39:00 – Ethical auditors exist—but the system doesn’t reward them

Hosted on Acast. See acast.com/privacy for more information.

The crew also debates the future of SOC 2 — from fast-track “15-hour audits” to the rise of AI-generated reports — and whether the entire model needs a ground-up rebuild.

Guest: Zlatko Unger, CISO Expert at Wiz

Hosts: Troy Fine, Kendra Cooley, Elliot Volkman

00:03 — Framework overload

00:07 — Auditor “vibe check”

00:11 — SOC 2’s fall from grace

00:16 — TPRM and audit fatigue

00:25 — SOC 2 for robots

00:36 — Reform or rebuild?

Hosted on Acast. See acast.com/privacy for more information.

[00:02:00] Evan shares how he used ChatGPT to analyze a risk assessment report.

[00:05:00] What GRC leadership looks like at Abnormal Security (ISO 27001, 27701, 42001, SOC 2).

[00:07:00] The complicated relationship between organizations and auditors — bias, incentives, and the reality of “clean” reports.

[00:12:00] Why third-party attestations are table stakes, not real assurance.

[00:19:00] TJ and Evan debate solutions: peer reviews, government oversight, or is the system fundamentally flawed?

[00:27:00] How Abnormal approaches vendor risk: criticality ratings, renewals, and compensating controls.

[00:32:00] Tools and automation in GRC — benefits and buyer’s remorse.

[00:36:00] The role of AI: evidence review, documentation search, and “trust but verify.”

[00:39:00] Should GRC professionals become coders, or double down on soft skills?

[00:44:00] Evan’s career advice: networking, persistence, and why soft skills matter more than technical depth.

Hosted on Acast. See acast.com/privacy for more information.

Key Moments

• [00:03:00] – How Merritt uses ChatGPT to re-voice her own drafts — and why she immediately strips out the “saccharine” endings.
• [00:05:30] – Why security and innovation don’t need to “hold hands” — they just need shared expectations.
• [00:08:45] – The “foot guns” moment: how an accounting firm’s chatbot started teaching customers to hide assets from the IRS.
• [00:13:30] – Why most enterprises don’t even know where AI is being used internally.
• [00:15:00] – How to build guardrails that are realistic, enforceable, and tuned over time.
• [00:24:30] – Why “ostrich” policies will fail — and how enforcement actions, not regulations, will shape AI accountability.
• [00:40:00] – Merritt’s closing advice for CISOs: you don’t need to be an expert, but you do need a plan.

Hosted on Acast. See acast.com/privacy for more information.

[00:02:00] AI and Auditing – Will automation replace auditors or make them indispensable?

[00:06:00] The Positive Side of GRC – How automation is reshaping the auditor’s role.

[00:15:00] Are Compliance Platforms Lowering the Bar? – Check-the-box programs vs. meaningful assurance.

[00:23:00] The SOC 2 Debate – Is it still valuable, or creating a false sense of security?

[00:30:00] Toward Continuous Assurance – Dynamic trust centers and evidence as the new currency.

[00:40:00] The Future of Risk in GRC – Why risk registers must evolve and become data-driven.

[00:46:00] Closing Thoughts – Optimism about where GRC is headed despite today’s challenges.

Hosted on Acast. See acast.com/privacy for more information.

From the limits of SOC 2 and the myth of standardization to the risks and rewards of AI-powered questionnaires, the group unpacks why TPRM is so fragmented—and why that’s not necessarily a bad thing. They also get real about AI in audits, the future role of assurance professionals, and why human connection still matters.

06:30 – Why TPRM Is Fragmented by Nature

09:00 – SOC 2 Isn’t Enough (And Never Was)

13:30 – Does Anyone Really Trust Audit Reports?

17:30 – Blacklists, Quality Checks & the SOC 2 Vibe Check

20:00 – The Rise of AI in Vendor Assessments

25:30 – AI Answers vs. AI Confidence

28:30 – Auditing the Auditors (and Their AI)

32:00 – Reasonable Assurance in an AI World

35:30 – Skepticism, Trust, and Human-in-the-Loop Auditing

38:00 – Does AI Kill Creativity? A Side Quest

44:00 – Will TPRM Be Agent-to-Agent in the Future?

Guest: Henry Stanley, Founder of Security Program.io

Hosts: Troy Fine, Kendra Cooley

Producer: Elliot Volkman

Runtime: ~56 minutes

Hosted on Acast. See acast.com/privacy for more information.

The promise? Fewer controls, faster approvals, and greater automation.The concern? That all sounds a little too familiar.

Together, they explore whether FedRAMP 20x is an overdue modernization or the start of a dangerous slide toward the kind of checkbox compliance that has made SOC 2 certifications easier to get but harder to trust. From control mapping and auditor disruption to agency adoption and AI-assisted audits, this episode provides a deep dive into what happens when good frameworks move too quickly and how to maintain trust when they do.

[00:01:00] – Guest intro: John’s history with SOC 2, FedRAMP, and working with Troy

[00:06:00] – How SOC 2 influenced John’s transition into federal compliance

[00:08:00] – What is FedRAMP 20x, and why is it happening now?

[00:10:00] – From 12-month review cycles to fast-tracking assessments

[00:14:00] – Key Security Indicators (KSIs): replacing hundreds of controls with a handful of validations

[00:18:00] – Are KSIs basically just vague control summaries? (Spoiler: yes)

[00:22:00] – Why GRC platforms are being prioritized in the pilot

[00:25:00] – Potential expansion to FedRAMP Moderate and High

[00:28:00] – Will agencies even accept this?

[00:31:00] – Advice for cloud service providers evaluating FedRAMP now

[00:34:00] – Is FedRAMP on the path to commoditization?

[00:39:00] – Evaluating rigor vs. relevance: security posture ≠ certification

[00:44:00] – The problem of vague frameworks and audit inconsistency

[00:48:00] – Comparing SOC 2, FedRAMP, and the race to the bottom

[00:54:00] – Closing thoughts on AI, automation, and the future of white-collar work

Guest: John Santore, Director of Cyber Acceleration, Constellation GovCloud

Hosts: Troy Fine & Elliot Volkman

Runtime: ~58 minutes

Hosted on Acast. See acast.com/privacy for more information.

[00:01:00] — Intro & guest introduction: Who is Richa and what is Complyance?

[00:03:00] — Why Complyance is not “SOC 2 in a box” and how their ethos differs

[00:06:00] — Segmenting the GRC tooling market: Startups vs mid-market vs enterprise

[00:08:00] — Mid-market struggles: From Excel to Airtable to tailored automation

[00:12:00] — The audit bundling debate: Why Complyance refuses to package audits

[00:15:00] — Saying no to venture capital pressure and building for the right customer

[00:18:00] — What GRC software should enable: peace of mind, not paperwork

[00:19:00] — Roundtable: Troy and Kendra weigh in on AI in GRC

[00:27:00] — Conversational AI, embedded AI, and the rise of Agentic AI

[00:31:00] — Risk owners, vendor reviews, and trust in automation

[00:34:00] — Is AI replacing entry-level jobs or just reshaping them?

[00:38:00] — Teaching with AI: From education to GRC upskilling

[00:42:00] — The risk treatment plan case study: AI as a draft, not a decision

[00:47:00] — Closing thoughts on AI, SaaS disruption, and Jetsons-level predictions

Hosts: Troy Fine, Kendra Cooley

Producer: Elliot Volkman

Runtime: ~49 minutes

Hosted on Acast. See acast.com/privacy for more information.

As organizations contend with growing threats and shrinking GRC teams, this episode explores the widening talent gap in governance, risk, and compliance. Guest Shruti Mukherjee, a former software engineer turned GRC practitioner, shares her journey, her insights on the evolving nature of the field, and her call to action for both professionals and organizations to rethink what GRC careers can look like.

Guests: Shruti (GRC Professional)

Hosts: Troy Fine, Kendra Cooley

Producer: Elliot Volkman

Runtime: ~55 minutes

Show Notes & Segments:

00:00 – Intro & Banter

Casual chatter and AI banter with the crew, including Shruti’s first ChatGPT query and a few carrot cake recipes.

09:00 – GRC’s Image Problem: Is It Just Boring?

Shruti discusses the perception problem around GRC, generational gaps in interest, and why it’s often viewed as unsexy or undervalued work.

14:30 – Reframing the Pipeline: Who Should We Be Recruiting?

The group considers alternative talent pipelines, especially mid-career professionals who better understand the strategic value of GRC.

Quote: “Maybe it’s time to come to the good side.” – Kendra

20:30 – The Role of AI and Automation: Friend or Foe?

Shruti and the hosts weigh in on how automation platforms are shaping the field—for better or worse—and whether GRC jobs are at risk of being replaced.

Quote: “I treat AI like an intern. It can do some of the work, but I’ll always check it before it leaves the building.” – Shruti

26:00 – What Should New GRC Pros Learn?

Shruti shares what she wishes she had known earlier—especially around audit practices—and the value of soft skills and continuous learning.

30:30 – Critical Thinking, Not Just Checkboxes

Why GRC professionals must retain their ability to think critically, validate automation outputs, and question assumptions.

Quote: “We are losing our ability to be critical thinkers.” – Kendra

36:00 – Does GRC Need to Be Technical Now?

Shruti unpacks how her technical background helps her talk with engineers, understand tooling, and embrace AI; arguing that technical fluency is becoming essential.

44:30 – Final Thoughts: Risk Culture, Knowledge Transfer, and the Future

The group reflects on the need to pass down GRC fundamentals, resist overreliance on AI, and target new demographics for hiring.

Hosted on Acast. See acast.com/privacy for more information.

This episode explores how governance, risk, and compliance (GRC) roles are filled, and why it's getting harder to land one. Pete Strouse unpacks the current job market, share recruiter insights, and offer advice to job seekers and hiring managers navigating a GRC landscape shaped by automation, offshoring, and unrealistic expectations.

[02:30] – GRC Careers Usually Start in Consulting

[09:45] – Are Candidates Using ChatGPT to Fake It?

[17:00] – How Recruiters Actually Source Talent

[23:00] – Red Flags: What Turns Recruiters Off Immediately

[28:30] – Is There Really a Talent Shortage in GRC?

[36:00] – How Automation and Offshoring Are Reshaping GRC Roles

[42:00] – Advice for Candidates and Hiring Managers

Hosted on Acast. See acast.com/privacy for more information.

[00:10:00] The CPA Debate

Troy breaks down the CPA backlash in cybersecurity, explaining why the criticism isn’t always fair—and why the problem might be deeper than just the credential.

[00:16:00] What Does “Technical” Really Mean?

The team explores what it means to be “technical” in security and whether that should be a requirement for auditors or GRC pros.

[00:30:00] Kendra’s Take: Use Your Auditor to Scale Security

Kendra flips the audit narrative: instead of hiding problems, she embraces audits as an opportunity to advocate for budget and resources.

Hosted on Acast. See acast.com/privacy for more information.

05:38 Compliance vs. Security: A Deeper Dive

11:26 The Role of Compliance in Building Security

25:19 The Impact of Breaches on Security Practices

32:35 Balancing Security Spending and Compliance

34:08 Risk Reduction and Customer Trust

38:03 Quantifying Risk and Compliance

47:09 Compliance Tools and Automation

51:00 High Trust Certification and Breach Impact

Hosted on Acast. See acast.com/privacy for more information.

05:08 Diving into CPA and Compliance

08:50 Challenges in Peer Review and Quality Control

12:09 Market Influence and Future Directions

25:22 The Role of GRC Tools

Hosted on Acast. See acast.com/privacy for more information.

04:43 The Importance of Third Party Risk Management

05:45 Challenges with Low Quality Audits

07:45 Evaluating SOC 2 Reports

12:55 Issues with Sales-Focused GRC Tools

14:44 The Need for Better Compliance Programs

27:50 High-Risk Vendor Architecture Review

29:07 SOC 2 Reports and Vendor Risk Management

31:50 Challenges with SOC 2 and Auditor Quality

36:49 Financial Impact of Data Breaches

38:10 Differences in Security Between Old and New Systems

47:43 Proactive vs. Reactive Security Measures

Hosted on Acast. See acast.com/privacy for more information.

Key Takeaways

• ISO 42001 is becoming essential for companies adopting AI, not just for compliance but to build customer trust.
• AI risk assessments are more complex than traditional security frameworks, requiring new approaches to impact analysis.
• Shadow IT and vendor AI features introduce unexpected risks—companies must proactively monitor and review new AI functionalities.
• AI governance isn’t just about compliance; it’s about trust. Businesses that prioritize transparency and ethical AI use will have a competitive edge. Also, AI may or may not be making us dumber.

02:23 Discussing AI in GRC and ISO 42001

02:56 ChatGPT and AI Experiences

08:07 Implementing ISO 42001: Challenges and Insights

19:20 Third-Party Risk Management and AI

26:43 Scope and Complexity of AI in Software Products

27:57 Challenges in High-Risk AI Applications

29:43 Regulatory Landscape and AI

32:02 Driving Forces Behind ISO Certification

38:53 AI Risks and Business Understanding

43:56 Ethical and Societal Impacts of AI

Hosted on Acast. See acast.com/privacy for more information.

Joseph shares his insights on how the influx of private equity funding and the rise of 'SOC in a box' platforms have transformed the GRC landscape, often negatively impacting audit quality and independence. Key topics include the challenge of maintaining ethics in auditing, the adverse effects of aggressive marketing by compliance tools, and the importance of conducting thorough, unbiased audits. The conversation also touches on the difficulty audit firms face when pressured to lower costs or cut corners to retain business.

01:21 The Impact of SOC 2 Platforms

02:51 Private Equity's Influence on the Industry

03:04 Challenges Faced by Licensed Practitioners

04:32 Marketing Dollars and Industry Perception

06:06 The Role of Compliance Tools

10:51 Conflicts of Interest in Auditing

21:08 The Reality of Zero-Touch Audits

24:46 Trusting Compliance Platforms

33:44 Challenging the Status Quo in Auditing

34:27 Targeting the Right Market

35:09 The Role of Audit and Customer Expectations

35:44 Critique of AICPA and Cybersecurity Education

36:55 Practitioners' Responsibility in Auditing

39:13 The Problem with Automation Tools

43:30 Shady Business Practices in Auditing

47:29 Ethics and Integrity in Auditing

50:34 The Importance of Thorough Audits

Hosted on Acast. See acast.com/privacy for more information.

01:04 Introductions and Ground Rules

02:23 Discussing Auditor Independence

04:30 Challenges in the Audit Industry

06:19 Vendor Relationships and Audit Integrity

10:14 Education Gap in Compliance

23:58 Industry Price Fixing Concerns

27:30 Discussing Audit Automation and Vendor Practices

28:19 The Problem with Bundling Services

29:02 Challenges in Vendor Accountability

30:34 The Role of TPRM and AI in Compliance

33:29 The Importance of Education in Compliance

38:24 Market Dynamics and Compliance Requirements

Hosted on Acast. See acast.com/privacy for more information.

00:00 Introduction to GRC Uncensored

00:42 Meet the Hosts: Troy Fine and Elliot Volkman

01:34 Troy's Journey into Auditing and Memes

03:10 The Role of CPAs in Cybersecurity

05:29 The Purpose of GRC Uncensored

07:08 Pilot Season and Episode Preview

09:51 Commoditization of Compliance

19:02 Quality of Audits and Future Topics

21:45 Conclusion and Call for Feedback

Hosted on Acast. See acast.com/privacy for more information.

They explore the significance of audit integrity, the staying power of governance programs, and the varying expectations of companies undergoing audits. Amidst an insightful dialogue, the hosts debate the future of automated compliance tools, check-the-box audits, and the elusive definition of audit quality. Ultimately, the episode underscores the issue's complexity, emphasizing that it's not just about the vendors or auditors but also market demands and expectations.

00:00 Introduction to GRC uncensored

00:42 Meet the hosts: Troy and Kendra

01:05 Controversies and LinkedIn debates

01:37 International expansion and podcast updates

02:28 Commoditization of compliance 03:07 Introduction to Dave and his expertise

04:43 The role of vendors in compliance

07:49 Audit quality and market dynamics

09:49 The importance of audit integrity

13:11 Defining audit quality

20:26 Market expectations and audit quality

23:48 Staying power in compliance programs

28:00 High-quality vs. low-quality audit firms

28:59 Top qualities of a good auditor

29:19 Importance of knowledge in auditing

31:06 Compliance automation tools

32:26 Challenges in finding quality auditors

34:30 The reality of check-box audits

35:34 Accreditation and certification nuances

42:12 The future of auditing and trust centers

43:42 Closing remarks and shameless plugs

47:05 Final thoughts and tagline

Hosted on Acast. See acast.com/privacy for more information.

The discussion spans the necessity and use of various compliance tools, the challenges of scaling compliance, and the importance of having well-defined processes and dedicated personnel. They highlight the actual costs and benefits of compliance, questioning superficial practices and emphasizing the need for personalized solutions. The episode also addresses misconceptions and executive decisions crucial for maintaining compliance, offering comprehensive insights into modern GRC strategies and the evolving role of tools in achieving SOC 2 compliance.

00:00 Introduction to GRC Uncensored

00:22 Meet the Hosts and Guest Introduction

00:38 The Need for GRC Tools

02:52 Legacy vs. Modern GRC Tools

05:26 Challenges with GRC Tools

12:12 When to Choose GRC Tools

12:49 The Role of Processes in GRC

20:49 GRC Tools for Startups

23:20 The Cost of Compliance

24:43 The Role of Auditors

26:47 Touchless Audits: Pros and Cons

28:19 The Value of SOC 2 Reports

30:50 Choosing the Right Compliance Tools

32:31 The Future of Compliance Tools

40:46 Final Thoughts and Reflections

Hosted on Acast. See acast.com/privacy for more information.

The conversation touches upon the challenges security practitioners face in conveying the true value of GRC to businesses, the potential pitfalls of 'SOC in a box' offerings, and the broader implications of compliance becoming a 'check the box' exercise. Moreover, the episode delves into the broader regulatory landscape and the ongoing debates about the role of government regulations in cybersecurity compliance. This candid dialogue sets the stage for future episodes that promise further to dissect the nuances of cybersecurity audits and standards.

00:00 Welcome to GRC Uncensored

01:34 Introducing Kendra Cooley

02:05 Love-Hate Relationship with GRC

03:16 The SOC 2 Debate

04:33 Challenges with SOC 2 Audits

09:10 The Value of SOC 2 in the Industry

12:04 The Evolution of Compliance Frameworks

20:39 False Sense of Security in Compliance

24:46 The Buzz Around AI and Quantum

25:10 Staying Updated as a Security Professional

26:45 Challenges in Penetration Testing and Vendor Assessments

27:37 Compliance and Its Impact on Security

30:10 Government Regulations and Their Effectiveness

32:23 The Complexity of Privacy Laws

38:29 The Role of GRC Teams in Risk Management

42:30 Concluding Thoughts and Future Episodes

Hosted on Acast. See acast.com/privacy for more information.

Hosted on Acast. See acast.com/privacy for more information.