TL;DR: Scalable compliance now depends on structured workflows, not just better interfaces, according to Drata. The New Drata Experience focuses on bulk import, configurable tables, OpenSearch search, AI-generated cloud tests, and Actionable Insights to reduce manual GRC work and speed audit-ready execution.
At a glance
What this is: Drata’s new interface focuses on scaling GRC execution with bulk imports, configurable tables, search, and test management that reduce manual handling across compliance workflows.
Why it matters: For IAM, GRC, and security teams, this matters because compliance tooling only improves governance when it reduces friction without weakening data quality, traceability, or control evidence.
By the numbers:
- The Test Library includes over 1,000 new infrastructure tests across AWS, Azure, and GCP, covering 165 unique controls and more than 100 cloud resources.
👉 Read Drata's analysis of the New Drata Experience and GRC workflow scale
Context
GRC programmes often fail at the point where governance has to become repeatable work. When teams are managing hundreds of controls, risks, vendors, and evidence records, brittle search, manual imports, and inconsistent views turn compliance into a coordination exercise rather than a control discipline.
That matters to IAM and identity governance teams because the same operational pattern appears in access reviews, evidence collection, and control testing. If the workflow cannot scale, the programme does not scale, even when the policy design is sound.
Key questions
Q: How should security teams structure GRC data so automation works reliably?
A: Security teams should define a consistent schema for risks, controls, evidence, and ownership before scaling automation. The system must enforce required fields, normalised values, and validation checks so records can be searched, mapped, and reused without manual cleanup. Otherwise, automation only accelerates messy input and weak reporting.
Q: When does GRC workflow automation create more noise than value?
A: Automation creates more noise than value when records are inconsistent, control mappings are unclear, or exceptions are not assigned to a named owner. In that state, bulk actions and generated tests increase volume but do not improve assurance. Teams should pause expansion until the underlying data and governance model are stable.
Q: What do teams get wrong about configurable compliance tables?
A: Teams often treat configurable tables as cosmetic, when they actually shape review quality and speed. If analysts cannot pin the fields they need, save filters, or preserve row density across sessions, they waste time reconstructing the same view. That friction creates inconsistency in control review and evidence handling.
Q: Who is accountable when AI-generated compliance tests are used in audits?
A: The organisation remains accountable for the quality, scope, and mapping of any AI-generated compliance test. Human reviewers must confirm that each test matches the intended control objective, is appropriate for the environment, and is documented well enough for audit scrutiny. Automation changes effort, not responsibility.
Technical breakdown
Why structured data is the real prerequisite for GRC automation
Bulk import is not just a convenience feature. In GRC systems, structured data determines whether controls, risks, personnel evidence, and test records can be queried consistently, reused across reviews, and mapped into downstream automation. CSV and XLSX imports reduce the dependency on tickets and spreadsheet shuttling, but they also introduce a governance requirement: the imported data has to be normalized, validated, and kept current. Without that discipline, the system only digitises inconsistency. The operational value comes when the platform preserves schema quality while reducing manual entry.
Practical implication: standardise data fields and validation rules before expanding bulk import across your compliance programme.
How configurable tables change the control review workflow
Most GRC teams do not struggle because they lack data. They struggle because the data surface is hard to work with at scale. Configurable columns, pinned fields, row density, saved filters, and remembered preferences turn tables into a working interface for reviews instead of a static display. That matters because control owners need the same view to remain stable across sessions, especially when they are comparing failures, tracing changes, or preparing evidence. Searchable custom fields add another layer of operational utility by keeping programme-specific metadata inside the workflow rather than exporting it out.
Practical implication: optimise table views around review tasks so analysts do not have to rebuild their workspace every session.
What AI-generated cloud tests mean for assurance at scale
AI-generated test libraries shift the challenge from writing every test manually to governing which tests exist, how they are mapped, and when they are considered baseline or recommended. That does not remove the need for human oversight. It changes where the control burden sits. In this model, assurance depends on coverage breadth, mapping accuracy, and ongoing auditor validation, not just on volume. For cloud-heavy programmes, the risk is not lack of tests but unmanaged duplication, unclear scope, or weak linkage between tests and actual control objectives.
Practical implication: treat automated test generation as a governed input to assurance, not as a substitute for control ownership.
NHI Mgmt Group analysis
GRC workflow sprawl has become a governance problem in its own right. When teams rely on repeated table setup, manual imports, and fragmented search to run compliance work, the tooling begins to dictate the quality of the control programme. That creates avoidable variance in evidence handling and review cycles. The field should treat workflow design as part of control design, not as a cosmetic layer.
Structured data is the hidden control plane for audit readiness. Bulk import, searchability, and saved views only help when the underlying records are consistent enough to support repeatable decisions. That is the same governance lesson identity teams learn with access reviews and entitlement data. If the data model is unstable, automation amplifies disorder instead of reducing it. Practitioners should prioritise data discipline before they scale tooling.
Automation in GRC still depends on human accountability for mappings and exceptions. AI-assisted test generation can expand coverage, but it does not resolve ownership for control intent, audit suitability, or exception handling. The operational value comes from validated mappings and reviewable outputs, not from volume alone. Teams should evaluate whether their automation strategy improves assurance quality or simply increases the speed of producing work.
GRC platforms are moving toward execution layers, not just reporting layers. The market direction here is away from static compliance dashboards and toward systems that actively shape how teams review, test, and remediate. That shift accelerates operational maturity, but it also raises the bar for configuration governance. Practitioners should assume that better execution tooling will expose weaker programme discipline rather than hide it.
Workspace consistency is becoming a measurable control outcome. Remembered preferences, persistent filters, and configurable tables sound like usability features, but in mature programmes they reduce rework and lower the chance of missed records during reviews. That makes interface stability a meaningful operational control, especially where audit evidence depends on repeatable operator behaviour. Teams should assess UI friction as part of their control effectiveness review.
What this signals
GRC platforms are converging on execution support rather than passive reporting, which means programme leaders will be judged more on how quickly they can operationalise evidence and less on how many dashboards they can produce. The practical signal is that workflow consistency now affects audit readiness as much as policy design does.
Workflow friction debt: when teams repeatedly rebuild views, export to spreadsheets, and re-enter structured data, they accumulate avoidable operational debt that weakens control consistency. That debt shows up later as delayed reviews, incomplete evidence trails, and slower remediation cycles.
For identity and access programmes, the lesson is direct. The same discipline that keeps access review, entitlement data, and evidence management reliable should now be applied to GRC workflow design, because control programmes fail when their operating model cannot keep pace with their data volume.
For practitioners
- Standardise GRC data schemas before enabling bulk import Define required fields, accepted values, and validation checks for risks, controls, personnel evidence, and vendor records before allowing CSV or XLSX imports into production workflows.
- Lock in review-friendly table configurations Configure pinned columns, saved filters, and row density defaults around the tasks your analysts perform most often so they do not rebuild the workspace for every review cycle.
- Govern AI-assisted test generation like any other control source Require documented mapping review, auditor validation, and ownership for every automatically generated test before it is accepted into your baseline assurance set.
- Track pass-to-fail changes as operational signals Use recent test deltas, connection errors, and remediation trends to prioritise follow-up work instead of waiting for periodic manual review.
Key takeaways
- The central issue is not whether GRC teams have enough data, but whether their workflows can turn that data into repeatable control decisions.
- AI-assisted test generation, bulk import, and configurable tables improve scale only when schemas, mappings, and review ownership are already disciplined.
- For mature programmes, interface stability and workflow consistency are becoming part of control effectiveness, not just user experience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.PO-01 | Workflow redesign affects how governance policies are executed and maintained. |
| NIST SP 800-53 Rev 5 | AU-6 | Actionable insights and test deltas support audit-focused analysis and review. |
| CIS Controls v8 | CIS-6 , Access Control Management | Structured reviews and evidence handling support control management discipline. |
| ISO/IEC 27001:2022 | A.5.33 | Operational workflows must preserve documented evidence for audit and compliance purposes. |
Apply control management discipline to evidence workflows so exceptions and ownership are consistently tracked.
Key terms
- GRC Workflow Automation: The use of software-driven process steps to reduce manual work in governance, risk, and compliance operations. In practice, this includes bulk data handling, repeatable review flows, and structured evidence collection that can support audit readiness without constant spreadsheet export or ticket-based coordination.
- Actionable Insights: Operational signals that identify what changed, what failed, and what needs attention now. In GRC programmes, these insights help teams prioritise remediation by surfacing recent control-state changes, connection issues, and performance trends instead of forcing manual status checks.
- Structured Evidence: Evidence stored in a consistent format that can be searched, filtered, and mapped to controls without rework. Structured evidence improves auditability because the same record can support review, reporting, and automation without being re-entered or reinterpreted in multiple systems.
What's in the full article
Drata's full post covers the operational detail this analysis intentionally leaves for the source:
- Step-by-step examples of bulk importing risks, controls, and personnel training evidence into the platform.
- Specific table configuration options, including saved filters, pinned columns, and row density preferences.
- The structure of the AI-generated cloud test library, including how tests were mapped and validated.
- Examples of Actionable Insights outputs, including pass-to-fail events and remediation trends.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and access lifecycle control. It helps practitioners connect identity discipline to the wider security and compliance programmes they run.
Published by the NHIMG editorial team on 2026-02-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org