Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

GRC trends and third-party risk: what should compliance teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: As GRC expands across cybersecurity, third-party risk, and fragmented internal systems, OneTrust argues that manual evidence collection and disconnected controls are no longer sustainable, with its article pointing to a projected $134.86 billion market by 2030 and a 60% reduction in compliance cost from automation. The real issue is not more compliance activity, but connected governance that can keep pace with scale.

NHIMG editorial — based on content published by OneTrust: 10 GRC Trends: What’s Next for Governance, Risk, and Compliance?

By the numbers:

Questions worth separating out

Q: How should organisations reduce audit fatigue in fragmented GRC programmes?

A: Start by consolidating control ownership, evidence sources, and exception tracking into a single operating model.

Q: Why does third-party risk matter so much in GRC programmes?

A: Third-party risk matters because external services expand the organisation’s control boundary without fully handing over accountability.

Q: What do security teams get wrong about automated compliance workflows?

A: They often assume the workflow itself is the control.

Practitioner guidance

  • Map control ownership across domains Create a single view of which teams own policy, evidence, exceptions, and remediation for cloud, third-party, privacy, and identity controls.
  • Inventory third-party access paths Track vendor and partner access separately from procurement records, including shared credentials, service accounts, and offboarding steps.
  • Automate evidence collection before the next audit cycle Prioritise integrations that pull control evidence from existing systems of record, then define which items still require human validation.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • The 10-driver and 10-trend framework used to organise GRC programme change
  • The compliance automation capabilities OneTrust describes for evidence reuse and scoping
  • The infographic content that maps future GRC priorities into a visual reference
  • The examples of how third-party risk and mobile GRC engagement are positioned in the source

👉 Read OneTrust's blog on 10 GRC trends shaping governance, risk, and compliance →

GRC trends and third-party risk: what should compliance teams change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Fragmented control evidence is now a governance risk, not just an audit inconvenience. When controls live in separate systems, organisations overcompensate with duplicate processes and inconsistent reporting. That weakens the reliability of assurance across IAM, cloud, and third-party programmes, especially when evidence must be reused across multiple frameworks. The practical conclusion is that governance teams should treat evidence fragmentation as a control failure mode, not a back-office nuisance.

A question worth separating out:

Q: Why do code injection flaws matter to IAM and NHI governance?

A: They matter because injected code often runs under a trusted application or pipeline identity. That can expose API keys, tokens, certificates, and deployment privileges even when user authentication is strong. IAM and NHI teams should therefore govern the identities behind applications, not only the people who use them.

👉 Read our full editorial: GRC trends show why fragmented controls are raising audit risk



   
ReplyQuote
Share: