TL;DR: Modern GRC is shifting from static compliance toward continuous trust, with AI, real-time evidence, and cross-functional assurance replacing audit panic and manual gap analysis, according to Drata’s conversation with Wiz’s Max Anand. The result is a governance model where speed, transparency, and human judgment matter more than checkbox maturity.
NHIMG editorial — based on content published by Drata: a conversation on continuous trust, AI-assisted GRC, and modern assurance
Questions worth separating out
Q: How should security teams run GRC programmes with continuous trust rather than annual audit panic?
A: Security teams should design GRC around live evidence, clear ownership, and short feedback loops.
Q: Why do AI-assisted assurance workflows still need human review?
A: AI can accelerate drafting, comparison, and summarisation, but it cannot own accountability.
Q: What do teams get wrong when they separate customer assurance from identity governance?
A: They create duplicate evidence chains and miss shared control dependencies.
Practitioner guidance
- Define a continuous evidence model Map the control evidence that must stay current for customers, auditors, regulators, and internal leaders, then identify where those evidence sets diverge.
- Add human review gates to AI-assisted outputs Treat AI-generated questionnaires, gap analyses, and control summaries as draft artefacts only.
- Shorten the time from control change to evidence update Track how long it takes for policy changes, access removals, logging gaps, or exception closures to show up in governance reporting.
What's in the full article
Drata's full blog post covers the operational detail this post intentionally leaves for the source:
- The structure of a trust function that combines customer assurance, internal audit, data governance, and enterprise risk.
- The practical use of AI for questionnaire responses and gap analysis in day-to-day assurance work.
- The three-phase operating model used to reduce manual effort and improve time to value.
- The discussion points on how teams balance transparency, human review, and speed in modern GRC.
👉 Read Drata’s conversation on continuous trust, AI-assisted GRC, and modern assurance →
Continuous trust in GRC: what it means for assurance teams now?
Explore further
Continuous trust is becoming the governing idea that replaces audit-season security theatre. Point-in-time compliance may still satisfy minimum obligations, but it no longer answers the operational question of whether controls are working today. For identity programmes, that means access, entitlement, and machine identity evidence must be current enough to support real decisions. Practitioners should treat continuous trust as a control operating model, not a branding exercise.
A question worth separating out:
Q: How do organisations measure whether continuous trust is actually working?
A: Measure the time between a control change and its appearance in governance reporting, the percentage of evidence that is current, and the speed at which exceptions are closed. If those numbers are improving, the programme is becoming more trustworthy. If they are not, the organisation still relies on periodic assurance.
👉 Read our full editorial: Continuous trust is reshaping GRC, assurance and AI-assisted audits