TL;DR: Modern GRC is shifting from static compliance toward continuous trust, with AI, real-time evidence, and cross-functional assurance replacing audit panic and manual gap analysis, according to Drata’s conversation with Wiz’s Max Anand. The result is a governance model where speed, transparency, and human judgment matter more than checkbox maturity.
At a glance
What this is: This is a GRC leadership conversation about moving from audit-centric compliance to continuous trust, with AI increasingly used to speed assurance work and reduce manual effort.
Why it matters: It matters to IAM, GRC, and security leaders because the same governance shift is happening across identity, NHI, and AI workflows where evidence, accountability, and timely control decisions now need to be continuous.
👉 Read Drata’s conversation on continuous trust, AI-assisted GRC, and modern assurance
Context
GRC programmes are under pressure because annual or point-in-time assurance no longer reflects how organisations actually operate. When control evidence, policy decisions, and risk signals move faster than audit cycles, teams need a governance model that treats compliance as a floor rather than the objective. That shift also intersects with identity governance because access, delegated authority, and machine identity controls increasingly need continuous review rather than periodic attestations.
The article centres on how a security trust function can unify customer assurance, internal audit, data governance, and enterprise risk without becoming rigid. That is relevant beyond GRC because the same operating model is emerging in identity and NHI programmes: control ownership has to be distributed, evidence has to be current, and automation has to support judgment rather than replace it.
Key questions
Q: How should security teams run GRC programmes with continuous trust rather than annual audit panic?
A: Security teams should design GRC around live evidence, clear ownership, and short feedback loops. That means control status is updated continuously, exceptions are triaged as they occur, and audit preparation becomes part of normal operations rather than a seasonal project. The goal is not more reporting, but faster and more reliable governance decisions.
Q: Why do AI-assisted assurance workflows still need human review?
A: AI can accelerate drafting, comparison, and summarisation, but it cannot own accountability. Human review is needed wherever exceptions, risk acceptance, customer commitments, or regulator-facing statements depend on context and judgment. Without that gate, teams can move faster while making confidently wrong decisions.
Q: What do teams get wrong when they separate customer assurance from identity governance?
A: They create duplicate evidence chains and miss shared control dependencies. Access reviews, delegated authority, service account oversight, and policy exceptions often underpin both customer assurance and broader compliance. A unified evidence model reduces rework and makes drift easier to spot across the programme.
Q: How do organisations measure whether continuous trust is actually working?
A: Measure the time between a control change and its appearance in governance reporting, the percentage of evidence that is current, and the speed at which exceptions are closed. If those numbers are improving, the programme is becoming more trustworthy. If they are not, the organisation still relies on periodic assurance.
Technical breakdown
Continuous trust versus point-in-time compliance
Continuous trust is a governance model in which evidence, control status, and accountability are maintained in near real time rather than assembled for an annual audit. In practice, it replaces the old pattern of preparing for an assessor with the better pattern of making the control environment observable all year. For identity and access programmes, that means relying less on static attestations and more on live signals from provisioning, access reviews, logging, and exception handling. It also changes the role of GRC from document collection to control orchestration.
Practical implication: build assurance workflows around continuously updated evidence, not audit-season snapshots.
AI in GRC workflows and human verification
AI is increasingly used to accelerate questionnaire responses, gap analysis, and policy comparison, but it does not remove the need for human verification. The risk is not just hallucination, it is misplaced confidence in outputs that look complete but miss exceptions or context. In identity-adjacent governance, this matters because delegated access, service account approvals, and control exceptions often hinge on nuance that models can flatten. The control pattern is therefore human review of AI-assisted output, with clear ownership for the final decision.
Practical implication: require review gates for AI-generated assurance artefacts before they are used in customer, audit, or regulator-facing workflows.
Why trust functions are expanding beyond traditional GRC
A modern trust function increasingly spans customer assurance, audit, data governance, and enterprise risk because the organisation is judged as one operating system, not as separate compliance silos. That integrated model matters when the same evidence supports multiple stakeholders with different priorities, from customers to auditors to regulators. It also maps well to IAM and NHI governance, where lifecycle controls, access evidence, and policy exceptions often need to satisfy more than one assurance use case. The strategic benefit is lower duplication and faster decisions, but only if the underlying control data is trustworthy.
Practical implication: design one evidence model that can serve compliance, customer assurance, and identity governance together.
NHI Mgmt Group analysis
Continuous trust is becoming the governing idea that replaces audit-season security theatre. Point-in-time compliance may still satisfy minimum obligations, but it no longer answers the operational question of whether controls are working today. For identity programmes, that means access, entitlement, and machine identity evidence must be current enough to support real decisions. Practitioners should treat continuous trust as a control operating model, not a branding exercise.
AI changes assurance throughput, but it does not change accountability. Automated gap analysis and questionnaire handling can reduce toil, yet the decision burden still sits with the human owner. That matters in GRC, IAM, and NHI governance because the riskiest failures are often exceptions, not standard paths. Practitioners should use AI to compress cycle time while preserving human sign-off on material judgments.
Trust functions are converging because organisations cannot afford separate evidence chains for every stakeholder. Customer assurance, internal audit, data governance, and enterprise risk now depend on the same underlying facts, just framed differently. That convergence also mirrors identity governance, where one control set must often support compliance, operational resilience, and access risk management. Practitioners should design governance around shared evidence, not duplicated process.
AI-assisted governance will expose programmes that still rely on manual comparison work and informal ownership. If gap analysis can happen in seconds, the bottleneck shifts from analysis to control action and accountability. That means GRC teams need clearer ownership models, better data quality, and faster exception handling. Practitioners should prepare for a governance environment where time to decision is the new maturity signal.
Continuous trust creates a named concept worth tracking: assurance latency. Assurance latency is the delay between a control changing in reality and that change becoming visible to the people who must rely on it. The shorter that latency, the more credible the trust model becomes. Practitioners should measure and reduce the time between control drift, evidence capture, and governance action.
What this signals
Continuous trust changes the operating rhythm for identity-adjacent governance because evidence now has to be credible in near real time. Where IAM or NHI programmes still rely on periodic attestations, the assurance lag becomes a business risk because the control state and the reported state drift apart.
Assurance latency: the delay between a control changing and the governance function seeing that change will become a practical metric for programme maturity. Teams that can cut that delay will have a stronger position when auditors, customers, or regulators ask for proof rather than policy statements.
For identity teams, this is also a reminder that access reviews, exception tracking, and service account oversight should be designed as operational telemetry, not paperwork. If the evidence cannot be refreshed quickly, the governance model is already behind the system it claims to oversee.
For practitioners
- Define a continuous evidence model Map the control evidence that must stay current for customers, auditors, regulators, and internal leaders, then identify where those evidence sets diverge. Use a single source of truth for core facts so that assurance work does not fragment into separate reporting pipelines.
- Add human review gates to AI-assisted outputs Treat AI-generated questionnaires, gap analyses, and control summaries as draft artefacts only. Require named reviewers for high-risk exceptions, access decisions, and regulator-facing statements before anything leaves the governance workflow.
- Shorten the time from control change to evidence update Track how long it takes for policy changes, access removals, logging gaps, or exception closures to show up in governance reporting. If the lag is measured in days or weeks, the programme is still operating like a periodic audit function.
- Unify assurance, audit, and identity signals Where identity governance is part of the programme, connect access reviews, service account oversight, and secrets controls to the same evidence process used for broader assurance. That reduces duplication and makes control drift easier to detect.
Key takeaways
- The core shift is from audit-season compliance to continuous trust, where evidence must stay current enough to support real decisions.
- AI can compress assurance work, but human accountability remains necessary for exceptions, risk acceptance, and external commitments.
- Identity and GRC programmes are converging on shared evidence models, which makes assurance latency a useful maturity signal.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Continuous trust depends on current organisational context and governance ownership. |
| NIST AI RMF | GOVERN | AI-assisted assurance workflows require human accountability and oversight. |
| NIST SP 800-53 Rev 5 | AU-6 | Continuous trust depends on timely review and analysis of security-related events and evidence. |
| CIS Controls v8 | CIS-6 , Access Control Management | Identity evidence and entitlement oversight sit inside the wider trust model. |
Use AU-6 to ensure evidence review and exception analysis happen continuously, not only at audit time.
Key terms
- Continuous Trust: A governance model where evidence, control status, and accountability are maintained continuously rather than assembled for periodic review. It shifts assurance from retrospective proof to ongoing visibility, which is especially useful when identity, NHI, and AI workflows change faster than audit cycles.
- Assurance Latency: The delay between a control changing in the real environment and that change becoming visible to the people responsible for governance. Shorter latency improves confidence, while long delays create a gap between how a system operates and how the organisation thinks it operates.
- Human Review Gate: A required checkpoint where a person validates AI-assisted or automated governance output before it is used for decision-making. It is a control against confident but incomplete analysis, especially when exceptions, commitments, or risk acceptances depend on context.
What's in the full article
Drata's full blog post covers the operational detail this post intentionally leaves for the source:
- The structure of a trust function that combines customer assurance, internal audit, data governance, and enterprise risk.
- The practical use of AI for questionnaire responses and gap analysis in day-to-day assurance work.
- The three-phase operating model used to reduce manual effort and improve time to value.
- The discussion points on how teams balance transparency, human review, and speed in modern GRC.
Deepen your knowledge
NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM, secrets management, and workload identity. It helps security and identity practitioners build the governance foundations that continuous trust depends on.
Published by the NHIMG editorial team on 2025-12-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org