TL;DR: AI is turning trust into a continuous operating state, not a point-in-time control, according to Drata's podcast recap, with episodes covering continuous compliance, third-party AI risk, deepfakes, and governance metrics across six conversations with CISOs and GRC leaders. The governance model is shifting from annual review cycles to live evidence, measurable trust signals, and tighter oversight of vendor and agent behaviour.
NHIMG editorial — based on content published by Drata: When Trust Meets AI podcast recap
Questions worth separating out
Q: How should security teams govern AI systems that change faster than policy cycles?
A: Treat AI governance as a continuous control function rather than a periodic review exercise.
Q: Why do deepfakes create identity and access risk for GRC teams?
A: Deepfakes undermine the assumption that voice, video, or appearance can be trusted as proof.
Q: What do organisations get wrong about third-party AI risk reviews?
A: They often treat the review as a one-time vendor approval rather than an ongoing behaviour check.
Practitioner guidance
- Define continuous trust metrics Track trust-influenced ARR, deal cycle time, and security review closure rates so governance can be measured in business terms, not only audit terms.
- Review AI-related third-party changes continuously Add triggers for embedded AI feature changes, dependency shifts, and new decision paths so vendor risk updates do not wait for annual review cycles.
- Harden identity verification against synthetic impersonation Require layered challenge steps for onboarding, help-desk resets, and high-risk approvals so video or voice alone cannot establish trust.
What's in the full article
Drata's full podcast recap covers the operational detail this post intentionally leaves at the governance level:
- Episode-by-episode discussion points from six practitioner conversations on AI, trust, and GRC
- Specific examples of how security leaders are translating AI risk into business metrics
- Practical commentary on continuous compliance, third-party AI risk, and deepfake-driven verification gaps
- The closing discussion of how GRC teams can shift from static review cycles to live assurance
👉 Read Drata's recap of When Trust Meets AI and the six GRC lessons →
AI trust in GRC: what continuous assurance changes for teams?
Explore further
Continuous trust is now a governance control, not a cultural slogan. The podcast’s central argument is that AI has collapsed the gap between policy cycles and operational reality. Security leaders can no longer treat trust as something documented once and reviewed later. For IAM and GRC teams, the practical conclusion is that assurance has to be continuous, measurable, and tied to live control state.
A question worth separating out:
Q: Who is accountable when an embedded AI feature changes a vendor risk profile?
A: The vendor may implement the feature, but the buying organisation remains accountable for the risk it accepts. That means procurement, security, legal, and GRC need explicit ownership for monitoring changes, documenting exceptions, and deciding when a new feature requires a fresh assurance review.
👉 Read our full editorial: AI trust is becoming a continuous GRC control problem