GRC Modernization Push

Executives are still slowing down governance, risk and compliance upgrades even as companies add more artificial intelligence tools that are harder to track. (onspring.com) Governance, risk and compliance — usually shortened to GRC — is the internal system companies use to set rules, measure risk and document compliance. Onspring said in January 2026 that effective AI governance inside GRC starts with knowing where AI is used, assigning accountability and monitoring controls over time. (onspring.com) Onspring, a Kansas-based GRC software vendor, launched Onspring AI on October 14, 2025, pitching the product as a way to cut manual work and give teams real-time visibility into risk posture, security controls and accountability measures. The company said the tools were built to align with internal governance standards rather than bypass them. (onspring.com) Outside the vendor pitch, the pressure to modernize is coming from the speed of AI adoption. Moody’s said in a 2026 study of 600 risk and compliance professionals that 53% are actively using or testing AI, up from 30% two years earlier. (moodys.com) Oversight has not kept up at the board level. Deloitte said on October 24, 2024 that nearly 500 board members and C-suite executives across 57 countries reported limited engagement, with 45% saying AI had not made it onto their board agenda at all and only 14% saying boards discussed it at every meeting. (deloitte.com) Regulators and standards bodies have been moving in the other direction. The National Institute of Standards and Technology released its Artificial Intelligence Risk Management Framework on January 26, 2023, added a generative AI profile on July 26, 2024, and published a critical infrastructure concept note on April 7, 2026. (nist.gov) The security case for faster governance has also gotten more concrete. IBM said in its 2025 Cost of a Data Breach report that attackers used AI in 16% of breaches, while Palo Alto Networks said in a January 5, 2026 white paper that ransomware attacks can now unfold in as little as 25 minutes. (ibm.com) (paloaltonetworks.com) That leaves GRC teams trying to replace spreadsheets and scattered approvals with centralized systems that can show who approved an AI use case, what controls apply and where exceptions sit. Onspring said policies alone are not enough and argued that shared platforms are needed to coordinate risk, compliance and security teams around AI. (onspring.com) The hesitation is not hard to explain. McKinsey has estimated generative AI could add $2.6 trillion to $4.4 trillion a year to the global economy, so executives are under pressure to deploy quickly even as governance work slows launches and exposes gaps in visibility. (mckinsey.com) The result is a familiar corporate split: AI budgets move first, oversight follows later, and GRC modernization becomes the place where that lag shows up in dashboards, audits and board agendas. (deloitte.com) (onspring.com)