Anecdote by GRC Engineering Evangelist, Maril Vernon.
Each vendor on each panel now says the phrase “company.” However most of them fail to clarify what truly adjustments while you cease treating GRC like a submitting cupboard and begin treating it like a fluid system.
I spent years on the offensive facet, teaming the pink and purple and breaking the management that I swore the GRC groups had been working below. Similar outcomes, identical hole, completely different quarters. So after I say agent AI goes to reshape the best way GRC operates, I am not promoting you a buzzword. I am telling you what I’d take note of if I used to be nonetheless making an attempt to recover from your management.
Here is an sincere model of the place this goes and what it truly seems to be like while you construct certainly one of these brokers.
What does “agent” truly imply right here?
Automation shouldn’t be new to GRC. We have been scripting proof assortment and bolting RPA into our workflows for years. The issue is that almost all of them simply transfer busy work sooner. It nonetheless generated static artifacts, nonetheless ran on schedule, and nonetheless answered the one query legacy GRC is aware of easy methods to ask: “Did this management move?”
Brokers differ in three particular methods. Autonomy permits it to behave when situations are met, fairly than ready for a human to provoke a job. This has context, so it really works in opposition to the precise state of your program, not a screenshot from final quarter. It additionally performs a number of steps, permitting evaluation, choices, and actions to be taken sequentially fairly than dumping rows right into a report for later processing.
The programs we handle are already agentized. The cloud is elastic, identities are fluid, infrastructure is ephemeral, AI is non-deterministic, and CI/CD by no means stops. Attackers understood this a very long time in the past, however too many compliance packages nonetheless try to handle real-time programs primarily based on point-in-time assumptions.
Now, agentic doesn’t suggest deferring choices to a probabilistic parrot; in actual fact, most work ought to stay deterministic. Fashions present inference, summarization, and orchestration. Controls, thresholds, and coverage choices nonetheless should be made by people.
Frankly, this is likely one of the greatest use circumstances for AI in cybersecurity. GRC is full of a considerable amount of repeatable work that’s carried out in opposition to a recognized baseline. That is precisely the form of drawback machines are good at. We already belief AI to assist us detect anomalies, prioritize alerts, and sift via mountains of telemetry.
Utilizing this to assist analysts establish gaps in proof or monitor management drift shouldn’t be fairly the basic leap some individuals assume.
Backside line: AI mustn’t exchange judgment. It ought to give practitioners extra alternatives to use it creatively.
Agent Studio is a no-code builder for customized GRC brokers. Select a set off, describe the duty in plain English, and deploy with a full audit path.
Be part of our early entry program and construct your first agent in minutes.
Request early entry
3 issues that can truly change
The analyst’s job strikes from assortment to administration. Nobody dabbles in GRC with desires of chasing screenshots or manually updating spreadsheets. Analyst jobs are altering, however not in the best way individuals worry.
Brokers don’t make practitioners passive supervisors. Brokers don’t exchange practitioners. Give them again the time to make choices when it truly issues.
Compliance strikes from periodic to steady. Traditionally, annual and quarterly cycles existed as a result of people had been unable to repeatedly consider all controls and all adjustments. Brokers dramatically increase their capabilities, making steady analysis a actuality the place periodic critiques had been beforehand the one possibility.
When constraints are eliminated, the query “Are we compliant now” turns into a query that may truly be answered, and never a snapshot to defend three months after it’s not true.
Belief turns into the bottleneck. Please be aware that move/fail is the results of compliance. Belief is a results of safety.
As soon as the hassle is affordable, the onerous query is, are you able to belief and show the agent’s actions, or do you simply transfer the handbook work to affirmation tax, which individuals underestimate. It is a governance challenge and one which deserves consideration.
What occurs while you construct it?
Idea is well out there and could be stored on file. It is a particular model utilizing Anecdotes Agent Studio. It is a no-code builder that my staff dropped at early entry. The hot button is the construction, so observe the construction even in the event you use one thing else.
Agent improvement will depend on three choices:
Choose a set off. That is the situation that awakens the agent. It may be a schedule (working each Monday), or it may be an occasion throughout the program (a change in threat stage, or when management proof turns into stale past a freshness threshold you set). I choose occasion triggers. It is because occasion triggers fireplace the second one thing adjustments, fairly than ready for the following scheduled execution. This ensures that monitoring is steady fairly than periodic.
Please clarify your work in plain English. You may write directions the best way you’d clarify them to a junior analyst, no code required. Think about ISO 27001:2022 Management A.8.5, Safe Certification.
The directions may learn, “If the MFA proof in A.8.5 is older than 24 hours, contact your id supplier for his or her present MFA enforcement coverage, examine it to your group’s required MFA baseline, and if any teams are out of enforcement, open the findings and assign remediation duties to the management proprietor.” Begin with pre-built recipes or create your individual.
Please increase and see. Subsequent, monitor what the agent truly does when the set off fires.
It reads the reside MFA coverage from the id supplier via a linked plugin (Okta, Entra ID, and many others.), retrieves the present enforcement state for every group, and compares it to the A.8.5 baseline you outlined to detect {that a} newly provisioned administration group was created with out an MFA coverage connected. Open the discovering, connect the extracted coverage snapshot as proof, hyperlink to A.8.5, and assign the remediation to the IAM proprietor.
Every of those steps is recorded in an execution log, together with triggering occasions, information learn, comparisons carried out, choices reached, and actions taken.
This one run is the distinction between “I handed A.8.5 in my final evaluation” and “A.8.5 is now in power and here is the time-stamped proof.”
The half that safety personnel (correctly) promote
In case your intestine feeling after studying that is, “I am not trusting a black field to make compliance choices,” that is nice. Please hold it.
Agent GRC is defensible for one motive. Which means the work is observable. A helpful execution log data which triggers fired, the precise inputs the agent learn, the foundations or baselines it evaluated, the selections it reached and why, the actions it took, and the proof it touched. All are timestamped. This file means that you can reconstruct the choice after the very fact and move it on to the evaluator with out having to take the agent’s phrase for it.
Two scoping guidelines hold it protected. Give brokers minimal privileges. The agent has solely read-only entry to the programs it assesses and write entry to the GRC objects it’s allowed to create, comparable to findings and duties. Then gate something that has a big affect behind individuals. Drift detection and opening of findings could be carried out unattended. If you wish to shut a threat or mark a management as enabled, it should be routed to a human for approval.
Non-deterministic fashions typically make errors, so plan for the agent to be mistaken. If a result’s opened that seems to be a false constructive in A.8.5, the log will present you precisely what was learn and the conclusion, so you possibly can modify the directions as an alternative of guessing.
Logs are extra essential than fashions as a result of actions that may be tracked are actions that may be undone.
the place to start out
Do not begin with the very best stakes management. Begin with the arduous, low-judgment duties, those your staff hates doing the identical manner week after week.
Assume discovering gaps in proof, extracting findings from audit studies, or producing guidelines to research proof with out testing procedures. So show the sample, learn the logs, construct belief, after which scale.
If you wish to be taught extra about this, try the complete agenda for GRC Information & AI Summit 2026 on August twelfth. It is a free digital occasion the place safety, threat, and compliance leaders discover what agent readiness actually requires. Reserve your spot right here.
GRC was so comfy that I would not return. I returned it as a result of it was unfinished. Brokers are the primary instrument that’s starting to be deployed to match the pace, scale, and interconnected nature of the programs we are attempting to handle. If you wish to see what constructing seems like, Agent Studio is at present in early entry.
My recommendation? Construct one thing boring first. Please inform me what has modified since then.
Marilu Vernon is a former Purple and Purple Crew Operator and Principal GRC Engineering Evangelist at Anecdotes. She writes and speaks about advancing GRC engineering, steady management monitoring, and programs that handle compliance into the identical decade.
Sponsored and written by Anecdotes.
