GRC: AI + continuous monitoring
A Deloitte Cloud Security Analyst urged focusing GRC on risk, controls and compliance over tool fetishism, while TrustCloud’s CEO says AI will turn GRC from manual checklists into continuous, ROI‑tied monitoring. The conversation reframes GRC as operational ownership, not periodic audit evidence.
TrustCloud announced an AI‑native Security Assurance Platform on March 18, 2026 that it bills as a way for CISOs to fuse GRC with security operations and continuous assurance. (prnewswire.com) The product centers on a proprietary “Control Graph” and what TrustCloud calls “Assurance AI”, which runs Continuous Control Monitoring (ConMon) and links control test results to remediation actions and business impact. (cadria.org) TrustCloud also completed a $15 million funding round to scale its AI‑driven GRC capabilities and go‑to‑market, with strategic investor participation reported in coverage of the raise. (regtechanalyst.com)

Deloitte’s public cyber practice activity — including recent collaborations with Google Cloud and Rubrik to modernize cyber and data protection workflows — mirrors the same shift from periodic evidence collection to continuous, operational security controls. (prnewswire.com)

Industry vendors and practitioner guides cite concrete SOX/ITGC drivers for continuous monitoring: the “average employee” now touches roughly 10 systems, while SOX programs commonly include roughly 50 entity‑level and 80 process‑level controls, a scale pressure that continuous control monitoring (CCM) targets by cutting manual testing. (pathlock.com) The practical implementations recommended for moving toward a living GRC program combine cloud‑native telemetry (AWS Config, Audit Manager), SIEM/analytics, and workflow platforms (ServiceNow) to automate evidence collection and tie controls to risk metrics and remediation ROI. (sans.org)