Can GRC Professionals Co-Exist with GenAI? Yes, But With a Catch

A crossroads is coming where generative AI crosses over with Governance, Risk, and Compliance (GRC) — will it empower GRC professionals or make the task harder?

At the heart of the matter, given how quickly generative AI is spreading across enterprises, is whether this fast-paced adoption is outpacing the adjustments GRC professionals need in order to catch the loopholes that Gen AI opens up in organizations.

There is also a seeming lack of certainty around current regulatory frameworks for Gen AI use. At best, we currently have early-bird AI regulations, which, as time progresses, may require more fine-tuning to get to good standards.

It may not all be bad news though, despite the many unknowns surrounding the inner workings of Gen AI models.

How should GRC professionals approach risk and compliance in the age of Generative AI? We explore the latest research and canvass expert opinions.

Key Takeaways

  • Traditional GRC practices relying on established processes and historical data may no longer be sufficient due to the “black box” nature of most AI models.
  • Forrester’s research suggests generative AI can empower GRC professionals to take a strategic, value-driven approach by evaluating use cases, ensuring ethical application, and identifying projects requiring additional oversight.
  • Key challenges for GRC professionals include the fast evolution of generative AI technology and the lack of comprehensive regulatory guidance, requiring them to stay updated on shifting AI compliance requirements.
  • Avoiding mistakes such as failing to keep up with rapidly evolving global AI regulations, not involving GRC teams early in the adoption process, and not considering the organization’s broader goals is crucial for safe and successful generative AI implementation.

Redefining Risk Management in the Age of Generative AI

Traditionally, GRC professionals rely on established processes and historical data to identify and manage risks. However, given the current “black box” nature of most AI models, this traditional GRC practice may no longer suffice.
Despite these challenges, research and advisory company Forrester notes that Generative AI might offer a new window of effectiveness to GRC practitioners.

In the research, the analysts argue that Gen AI creates a fundamental shift in risk management, transforming it from a reactive, cost-cutting function to a strategic, value-driving discipline.

According to Forrester, this new paradigm empowers GRC professionals to take the lead in evaluating Gen AI use cases, ensuring ethical application, and identifying projects that require additional risk management controls and oversight.

“Risk management is no longer just about minimizing costs,” explains Forrester. “It’s about enabling organizations to capitalize on new opportunities, make better strategic decisions, and avoid costly missteps.”

This shift, according to Forrester, puts GRC teams in the driver’s seat — tasked with determining the optimal speed for Gen AI adoption and balancing the need for alignment, trust, and adaptivity to achieve superior business results.

Safe Gen AI Adoption Depends on GRC Professionals

While the overall responsibility for the safe implementation and use of Gen AI requires cross-functional participation and collaboration, Forrester suggests that the bulk of this responsibility rests on GRC professionals.

Speaking with Techopedia, Forrester Senior Analyst, Alla Valente, emphasized the importance of teamwork in generative AI adoption. “GRC has a significant role, but ultimately Gen AI adoption is a team sport requiring participation across functions,” she said.

Valente explained that while business units identify Gen AI use cases, GRC pros evaluate these for undue risk and ensure ethical, compliant deployment.

She added:

“GRC has a critical role to play by helping evaluate these use cases for undue risk, making sure that Gen AI is being applied ethically and doesn’t overstep any regulatory guidance. GRC will identify which AI projects will require additional risk management guardrails, oversight, and controls.”

The Road May Still be Bumpy for GRC Pros

Although Forrester’s research found Gen AI to be more of an enabler than a stumbling block to GRC practice, Valente did not shy away from acknowledging that there are still challenges to overcome.

She cited fast evolution and a lack of proper regulatory guidance as key challenges and called on GRC pros to keep a finger on the pulse of shifting AI compliance requirements:

“GenAI is challenging in that it’s evolving so quickly, and regulatory guidance is lagging. GRC pros must understand the nuances of approved regulations and stay abreast of the evolving AI regulatory landscape.
“At the same time, in geographies that don’t yet have comprehensive AI regulations, such as the U.S., GRC professionals have to ensure that their organization’s genAI use cases don’t run afoul of existing privacy and security regulations.”

While GRC professionals can help organizations make headway toward safer AI adoption, Ryan Smith, Founder and CEO at QFunction, told Techopedia that the outlook is not that rosy.

He hinted that since Gen AI is a new domain, GRC pros will face challenges when trying to enact policies regarding its use.

“The fact that generative AI is so new is what makes it challenging for GRC professionals. It’s difficult to make policies around generative AI when the field is changing rapidly, and few subject matter experts on it even exist as of this point.
“What makes it even more challenging is that people are already using generative AI, and establishing controls around a technology already in use is much more difficult than establishing controls around a technology that hasn’t been deployed yet.”

The above is in line with the view of Stuart King, CTO at AnzenSage, a security consulting firm, who said that GRC professionals may have a hard time understanding Gen AI’s full nature because of its novelty.

He told Techopedia that for GRC pros to be able to help organizations with safe AI adoption, they’ll have to commit to extensive research to have a deeper grasp of the risks associated with the technology.

In his words:

“GRC teams are going to have to do a lot of research into the Gen AI tools that their businesses want to use in order to understand the full nature of the risk — strategic, regulatory, financial, security — those tools might be bringing along.
“Some of the challenges are going to be in helping to facilitate the implementation of something that may have a lot of business benefits but for which the full scope of risk is difficult to understand.”

Mistakes to Avoid in the Gen AI Adoption Journey

While there is no denying the place of GRC professionals in guiding organizations through their Gen AI adoption process, there are mistakes that must be avoided for safe Gen AI adoption.

One key mistake highlighted in the Forrester research is failing to keep abreast of the rapidly evolving global AI regulations.

With regions, countries, and jurisdictions taking diverse approaches to regulating AI, GRC professionals have to adopt a comprehensive and coordinated approach to monitoring regulatory proposals, understanding the nuances of approved regulations, and staying up-to-date with compliance milestones.

The research notes the importance of understanding the varying goals and requirements of different regulatory regimes.

Agreeing with Forrester on the above, Ameesh Divatia, Co-Founder and CEO at Baffle, an enterprise data security platform, highlighted to Techopedia the need for GRC practitioners to consider the bigger picture when guiding organizations through their Gen AI journey.

“As with any other technology initiatives, GRC needs to keep the big picture and the company’s goals in mind. Working with the GenAI team to help the initiative become successful while managing risk is going to be a fine line as GenAI technology is still maturing.
“This means that GRC needs to be flexible and come up with solutions instead of roadblocks.”

Another critical mistake to avoid is sidelining GRC at the early stage of AI adoption, Valente warns. She argues that GRC must be a strategic partner from the start in generative AI adoption efforts.

“If GRC is only brought in at the final stages of planning or only to support implementation, then the value of what it can bring to the table, which is far more than just compliance checks, is lost.
“Safe, secure, ethical genAI efforts hinge on using GRC strategically, not just tactically. GRC and business alignment are key for helping organizations move from genAI experimentation to implementation — and then to optimization — faster and without endangering strategic goals or brand reputation.”

The Bottom Line

Generative AI is a budding technology and, as such, still raises many uncertainties. But one thing is sure: its adoption in businesses must be done with utmost care lest companies become more vulnerable to known and unknown risks than they can handle.

While everyone is tasked with ensuring the safe and secure use of AI and adherence to AI security compliance policies, the GRC expert has a much bigger role to play in all of this.

Hence, this Forrester research lays out what we could call the ‘new normal’ for GRC practice in the age of Gen AI. We can co-exist, but we need to be tactical and watch for the roadblocks.
Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.