By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: DrataPublished November 10, 2025

TL;DR: AI was positioned as foundational to audit readiness, continuous assurance, and trust transparency across security and compliance programmes, according to Drata, with a shift from point-in-time checks to always-on trust signals. The practical issue is not whether AI belongs in GRC, but whether teams can govern its use without weakening accountability or evidence quality.


At a glance

What this is: Drata’s Drataverse 2025 recap says AI and continuous assurance are reshaping how trust is presented, monitored, and operationalised in GRC programmes.

Why it matters: For IAM and GRC practitioners, the shift matters because trust narratives increasingly depend on identity controls, evidence quality, and continuous visibility rather than periodic attestation alone.

👉 Read Drata’s recap of Drataverse 2025 and its AI trust themes


Context

AI-assisted governance is moving from experimentation to expectation, but the control problem is unchanged: teams still need reliable evidence, clear ownership, and provable access boundaries. When trust becomes continuous, the programme has to prove itself in real time, not just at audit checkpoints, and that creates new pressure on identity, workflow, and review processes.

This also has a direct identity angle. GRC platforms now influence who can approve, attest, collect evidence, and trigger remediation, which means human identity governance, delegated access, and emerging AI agent permissions all matter to the control model. Drata’s event recap reflects a broader market shift, but the governance question remains typical for mature programmes: how to keep trust active without turning it into theatre.


Key questions

Q: How should teams govern AI in continuous assurance workflows?

A: Teams should constrain AI to low-risk drafting, routing, and summarisation tasks unless a human remains accountable for the final decision. Every AI-enabled workflow should have an explicit owner, approval boundary, logging requirement, and review cycle so the programme can explain who acted and why. Delegated access should be time-bound and tied to a specific control objective.

Q: Why do continuous assurance programmes depend on identity governance?

A: Because continuous assurance only works when the organisation can prove who approved what, who changed evidence, and who can override exceptions. That requires strong human identity governance, least privilege, and auditable delegation across the tools that produce trust reporting. Without those controls, the assurance layer may be current while the underlying authority model is not.

Q: What do security teams get wrong about agentic AI in GRC?

A: They often treat agentic AI as a productivity feature rather than a delegated authority model. In practice, an AI agent that can create tickets, query systems, or update records is part of the control plane and must be governed like any other privileged workflow. If its permissions are broad or persistent, it can amplify process errors at machine speed.

Q: Who is accountable when AI-assisted compliance decisions go wrong?

A: Accountability remains with the business and control owners, not the system that helped assemble the work. If AI drafts an assessment or routes an exception, the human owner must still be able to justify the outcome, evidence, and approval path. Regulatory expectations around accountability, documentation, and control ownership do not disappear because a machine helped produce the record.


Technical breakdown

Continuous assurance changes the evidence model

Continuous assurance means evidence is gathered, updated, and interpreted throughout the control lifecycle rather than at a fixed audit date. That changes the mechanics of trust: logs, attestations, and control checks become part of an ongoing operating model, not a retrospective package. In practice, this increases reliance on integrated systems that can capture identity events, workflow approvals, and policy exceptions quickly enough to be meaningful. It also raises the bar for evidence integrity, because stale or manually assembled artefacts no longer satisfy the operating tempo of modern GRC.

Practical implication: treat evidence freshness as a control objective, not a reporting convenience.

Agentic AI in GRC still depends on identity and delegation controls

Agentic AI in governance workflows is not the same as generic automation. An AI agent can select actions, use tools, and time execution, which means it needs constrained permissions, monitored delegation paths, and a clear accountability boundary. In a GRC setting, that matters because the agent may touch vendors, policies, tickets, or evidence repositories. If those permissions are broad or persistent, the governance layer can become a hidden privilege escalation path rather than a control multiplier.

Practical implication: scope AI agent access by task, owner, and expiry, then review it like any other privileged workflow.

GRC+A is really a control operating model problem

The move from GRC to GRC+A signals that teams want AI to assist with risk scoring, evidence handling, and trust communication. The architectural issue is that automation cannot replace governance decisions, only compress the path to them. That means organisations still need approval rules, exception handling, segregation of duties, and reviewability built around the AI-supported workflow. Where those boundaries are weak, AI may accelerate bad process as quickly as it accelerates good process.

Practical implication: redesign approval and exception paths before expanding AI into control operations.


NHI Mgmt Group analysis

Continuous assurance is becoming a governance requirement, not a messaging layer. Once trust must remain visible at all times, static audit packets stop being enough. That changes how evidence, approvals, and exceptions are managed across the programme, especially where identity data and access decisions sit underneath the GRC stack. Practitioners should treat continuous assurance as an operating discipline, not a presentation problem.

Agentic AI in GRC creates a new governance boundary around delegated decision-making. The risk is not that AI participates in workflows, but that it inherits more authority than the programme can explain or review. That makes identity, privilege, and auditability central to AI-enabled compliance operations. Practitioners should define where AI can assist, where humans must decide, and where evidence must remain human-owned.

Trust centres and continuous visibility can improve accountability, but only if they expose control reality. A trust narrative that is disconnected from actual entitlement scope, approval paths, or evidence freshness simply moves risk into a cleaner interface. The governance test is whether stakeholders can verify controls, not just see them. Practitioners should measure whether trust artefacts reflect live control state.

Drataverse reflects a broader shift from compliance as output to compliance as control design. The market is moving toward systems that make trust observable throughout operations, which raises the standard for identity governance around reviewers, approvers, and machine-assisted workflows. This is not a replacement for GRC discipline. Practitioners should expect tighter scrutiny of who can act, attest, and automate inside compliance programmes.

What this signals

Control freshness will become a more important metric than control volume. As AI-assisted GRC tools spread, teams will be judged less on how many controls they list and more on whether evidence, approvals, and exceptions reflect the live state of the programme. That means identity governance for reviewers, approvers, and delegated workflows will sit closer to the centre of assurance.

Trust operating models will need clearer boundaries between assistance and authority. The practical challenge is not whether AI can help, but whether the programme can prove where human accountability begins and ends. Teams should prepare for more scrutiny of delegated access, workflow ownership, and the quality of machine-assisted evidence.


For practitioners

  • Define AI decision boundaries in GRC workflows Map where AI can draft, classify, and route work, and where a human must approve, attest, or close the loop. Document those boundaries in policy so delegated actions do not become implicit authority.
  • Review privileged access in evidence and trust tooling Check who can modify trust centres, evidence repositories, exception queues, and control mappings. Limit standing access and require time-bound approval for any role that can alter audit evidence or control state.
  • Measure evidence freshness as an operational metric Track how long it takes for a control change, exception, or remediation to appear in the reporting layer. Use that lag to identify where manual handling, fragmented tooling, or weak integrations are distorting trust reporting.

Key takeaways

  • AI is becoming part of the GRC operating model, which means trust now depends on continuous evidence and delegated authority controls.
  • Continuous assurance raises the importance of identity governance because reviewers, approvers, and AI-assisted workflows all affect control integrity.
  • Practitioners should define boundaries, tighten privileged access, and measure evidence freshness before expanding AI deeper into compliance operations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OV-01Continuous assurance and trust visibility align with governance oversight in the CSF.
NIST SP 800-53 Rev 5AU-6Continuous monitoring depends on timely audit review and analysis of control events.
NIST AI RMFGOVERNAgentic AI in GRC needs clear accountability and governance boundaries.
ISO/IEC 27001:2022A.5.15Access control is central where AI and humans act inside trust and evidence tooling.

Align access control rules so only approved roles can alter evidence, exceptions, and trust state.


Key terms

  • Continuous Assurance: A governance model where control evidence is maintained and reviewed continuously rather than only during formal audit cycles. It depends on current telemetry, timely review, and process ownership so the organisation can prove trust as operations change.
  • Agentic AI: Software that can choose actions, use tools, and decide timing during runtime rather than simply following a fixed script. In governance workflows, it becomes a delegated actor and therefore needs constrained authority, logging, and explicit accountability.
  • Trust Centre: A public or customer-facing mechanism for communicating security, compliance, and privacy posture. In practice it is only useful when the claims it presents are tied to live control data, approved evidence, and clear ownership inside the programme.
  • Delegated Authority: Permission granted to a person or system to act on behalf of a control owner for a defined purpose. In identity-heavy workflows, delegated authority must be bounded by scope, time, and reviewability or it can create hidden privilege and accountability gaps.

What's in the full article

Drata's full article covers the event detail this post intentionally leaves for the source:

  • Session-level takeaways from the San Francisco, New York, and London stops that show how the themes differed in practice.
  • Product roadmap references to Drata's vendor risk management agent and SafeBase Trust Center work.
  • Event atmosphere and speaker commentary that give more context to the trust and AI messaging.
  • The specific examples behind the shift from cyclical audits to continuous assurance.

👉 Drata’s full recap adds the event context, speaker themes, and product references behind the trust discussion.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and identity lifecycle control. It is designed for practitioners who need to connect identity discipline to broader security and compliance programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org