A

You're listening to the Cyberwire Network, powered by N2K. Hey, everybody.

B

Dave here today. We're bringing you a conversation from a recent webinar where I sat down with Kane McLadry and Alam Ali from Hyperproof, along with Matthew Cassidy from Grant Thornton. We talked about how agentic artificial intelligence is starting to reshape governance. Risk and compliance organizations are beginning to experiment with AI driven agents and there's a lot to navigate. There are promising new opportunities and emerging risks.

A

We want to bring this discussion to.

B

The podcast so you can hear firsthand how these experts are thinking about the future of of GRC in an AI powered world. Let's take a listen.

A

Well, welcome everyone and thank you for joining us here today for our webinar. We are excited to share our information with you today. My name is Dave Bittner and I am the host of the Cyberwire Daily podcast. And it's my distinct honor and pleasure to be the moderator of today's panel. I want to introduce our panelists here today, but before I do, just a quick reminder of our topic. We're talking about agentic AI and GRC governance, risk and compliance, and this kind of brave new world that we find ourselves in when it comes to the blending of those two things. Let me introduce our panel here today, beginning with Matthew Cassidy, who Matt is a partner for Risk Advisory with Grant Thornton Advisors. We've got. I'm sorry, we've got Cain. Easy for me to say, right? I kept wanting to say Kanye, but I knew that wasn't right.

C

It's Kane McLadry.

A

Yeah, no, yeah, I bet you get that a lot. Kane McLadry, who's CISO in residence at Hyperproof, and then Alam Ali, who's senior Vice President for Product Management at Hyperproof. Before we dig in here, can I just go around the table and get each of you to do a little brief introduction of yourselves for our audience? Give us an idea of how you got your start in this business and what led you to where you are today. Matt, let me start with you.

D

Yeah, thanks, Dave. Really appreciate you hosting us today. And so I've been a consultant my entire career. I really got into IT from an IT audit standpoint. I was a MIS major in college, so that kind of naturally led into some of the IT audit. And really what we're seeing, you know, from IT audit to AI, is that there's so many risks that are sitting within AI, you know, data risks, business risks, all sorts of things. And really the best place to do that is, you know, with the IT audit realm. So I'm leading the charge for the firm around the governance aspect. We've got other teams that do, you know, it's more of the programming things, but I'm really focused on the governance.

A

All right, Kane, how about you?

C

Fantastic. Thanks, Dave. So I was a theater kid who transitioned into cybersecurity because that is a natural transition to get into government consulting as your as your first real adult job. Since then I have done executive advisory work on three continents. I work with the IEEE as a spokesperson on cybersecurity and as the CSO and residents at Hyperproof. The reason I came over was a lot of the clients that I was advising had a real problem of measuring like are we actually reducing is the budget we're spending as a ciso? Is it good value for money? And when I was a CISO at a defense industrial based company that was audited. Oh shoot. Sometimes weekly, multiple times a week. Super fun. We had to figure out how do we effectively manage this so that we can communicate the business value of our security stance. And when my buddy Matt said hey, we're going to make a company that'll make it easier for companies to represent their security stance and to be able to better understand it themselves internally and communicate that to their board, that company is hyperproof. Still here after three years. Still absolutely loving it and super excited about Today's conversation about AI. I just talked about this in Nashville at ISC2 last week. Lot of interest there in doing this responsibly and effectively.

A

All right, terrific. And lam, you're bringing up the rear here. Last but not least, tell us a bit about yourself.

E

So Alam Ali, I've been in sort of Software, large scale SaaS software development for a long time. I spent a long time at Microsoft building everything from large scale database systems to SaaS products, app Microsoft products to other companies in the industry on various types of business workflow focused software. So in the GRC space I'm trying to bring to bear all the things that I've learned. I've been in machine learning and artificial intelligence since 97 at Microsoft or so bring to bear how do we really improve as Kane was mentioning, the automation, the life, the time, the money, the toil spent in the GRC process overall end to end. I think with the latest tech we have significant opportunity to make real leapfrogs in how we save time, money and toil across the product. That's why I'm super excited about this.

A

All right, well we've got a lot to Talk about. And for the folks in our audience here today, we are going to set aside some time for your questions. If you look in the Bright Talk interface here, over on the right hand side, you'll see there's a little tab button there for your questions to go in. So if you have a question that comes up along the way, please don't hesitate to fill that in there. And then we may even have a poll or two as we make our way through today's presentation as well. All right, well, let's dive in here. Matt, let me start with you. I think it's fair to say that we are seeing AI spread across the GRC landscape. What sort of things are you seeing with your colleagues at Grant Thornton? Where's it being used?

D

So, yeah, we're trying to really use it everywhere, Dave, but really taking kind of a methodical approach at this point in time. We're really seeing it in a couple places being really, really effective. So, you know, the first really being as kind of an assistant. Right. So, you know, in consulting, we've got all different levels, all different experience, and trying to take a lot of that experience from around the firm, centralize it so that we can build, like a small language model with our own proprietary data and really put that in the hands of everybody so that they can access it. No more sending rcms via email, dropping it into a chat so that somebody can share it, knowing who has the right level of data, things like that. So we're really trying to see that there's a bunch of other different use cases. As an assistant, that's probably one of the biggest things that we're using it for at the moment. We're also, you know. Oh, go ahead, Dave.

A

Oh, I was just going to say, what are some of the challenges that you faced along the way here? Have there been any roadblocks or speed bumps?

D

You know, I think that in that regards, it's managing some expectations on, you know, what AI is, what it is not, and ensuring that, you know, we don't set the expectation that it's going to do everybody's job 100% accurately. It's really around, you know, what can we use it for? What have we tested it for? What have we proved it out? You know, that's kind of the main challenge. You know, there's other security risks out there, right. Access to data. But a lot of those security risks we've already seen. Right. When we were looking at things like, you know, bots, when bots became a big thing in business, it Was, you know, what access does it have? Right. Bot governance came up. So we're really seeing, you know, lessons learned from that type of technology and trying to apply it to AI because we know if we give it access to data, it's going to use it even more than what the bots did. So we're really trying to manage some of that expectation.

A

Yeah, that's a really interesting insight, Kayna. I'm curious for your comments on that, particularly about sort of the pre existing infrastructure or lessons learned for security professionals and how you choose what previous knowledge you can apply to these AI challenges.

C

Yeah, I think one of the most interesting conversations I had, I was down in Nashville last week for ISC2 Congress and it was with an individual who was concerned that look, if we open up our logging of all of our stuff, of all of our control operation to AI, aren't we going to get more exceptions and aren't we going to potentially get more findings? Because in theory, instead of doing sampling or just choosing a subset of the information to act on, you could say, well, let's just have continuous control observation or continuous monitoring, which I think is this nirvana state that a lot of GRC professionals have tried to get towards. But I think ultimately if you're able to proactively before you are audit, if you're able to have a view of all of how your controls have been working over a duration of time, if you start to see control deficiencies like maybe, you know, access management, that's a popular thing lately, if you were to have a continuous failure observed in your access management and that was surfaced by an AI, it'd be a lot better to know about that sooner rather than the old way of how we did auditing, which is you waited 364 days, panicked, realized you had to put together the evidence to satisfy the requirements of the audit, and then you find out that you have a problem. And so I think the advantage of being able to use, at least from an internal CISO perspective to have a continuous observability of how well your controls are, reducing risk, gives you not only confidence when you're getting ready to talk to an auditor, which, I mean, I'm not going to say they're scary people, they are nice people, but sometimes people go get a little anxious before they talk to their auditor about things, but also it gives you leverage with your vendors. Because if you find out that, hey, your access control management system in this example is failing on a periodic basis, if I'm a ciso, I'm going to go have a conversation with them and say, look, either you can give us some professional services or when your renewal comes out for maintenance, we'll go find a different vendor, we will rip and replace the solution. And it's that ability to have facts rather than opinions. And previously when we've tried to do this, the challenge is staff time more than anything else. Every time we've had to go ask like the SecOps team, hey, can you show me evidence that the thing you're doing for a living is doing the thing that it's supposed to be doing? I mean, it's first of all kind of a bit of an off putting question from second line of defense to first line of defense. But also secops teams just don't have the time. And so anything we can do to automate that evidence action, which, which we've done before we had agentic AI or before we had AI, it's often just an API call. But the ability that we can have now when we're preparing for audits is take all of those pieces of evidence from desperate sources and put them together in a way that's fairly friendly for auditors to be able to consume and actually allows them to focus on strategic matters rather than asking, hey, can I have another screenshot? Which I don't think Matt ever gets excited about chasing people for screenshots, right?

D

Never. Yeah, like wasting people's time is something that we hate as well. But you know, we need to get that right because we can't forget about our basic audit principles around, you know, objectivity, you know, is, is the, you know, source that we got it from, is it objective? Did we get the right thing? Is it complete and accurate?

A

Right.

D

Did we gather the whole population from whatever the report is that's coming out of the system? And then also when we're using the AI, making sure that's auditable as well. Right. It seems a little recursive to a degree. But keeping those principles in mind, especially around time saving, I think there's a good mesh there.

A

Alam, let me bring you into the conversation here. What are your insights when it comes to these adoptions into people's workflows? Any particular places where you're seeing success and challenges?

E

Well, the area that we are seeing that companies really want to adopt AI is around control automation. This is sort of the largest area of time and money that folks are putting into trying to automate it. And what really folks are wanting is the end to end automation. Right. To automate a control. There could probably about 15 to 20 different steps that are required. So almost every single customer that I talk with today, like every single day, is that how can you help me automate my control end to end? And they're really evaluating which pieces of that automation flow are we able to actually automate. And it's a very serious business question that teams are asking of us today.

A

All right, well, I tell you what, I think this is a good time to go to a poll question here for our listeners. You'll see there's a little tab there on the right hand side of your interface that's labeled polls. Let me see here.

C

Yeah, and this just get us a better read of the room here, Dave, more than anything else to understand who's here and how far they've gone down this particular rabbit hole. Because what I've heard, and I don't mean to put my thumb on the scale as people start voting for, you know, how far they are in evaluating this, what I'm seeing is that companies in highly regulated or fairly, fairly sensitive industries are both wanting to and also less likely to have tried anything to do with AI and grc. And the concern there is ultimately the risk that the system produces an erroneous error that then produces a regulatory or a litigatory or an otherwise unwanted like, hey, cool, the AI made a mistake and now everybody's at fault and panic, panic, panic, fines, nobody wants that. And I think that's what's really driving a lot of conversations right now. If you're in a less regulated industry, it's probably very easy to adopt it. But you don't also see the, the same like, value out of that as you would if you had the ability to reduce the amount of staff time and effort and people's time that they're just doing toil to prepare for audits.

A

All right, well, we've got some good responses here on our poll question. I'm going to leave it open for just about another minute or so while these registrants continue to vote. Interesting to see the distribution here. Again, the question is, have you tried an AI powered GRC solution yet? Tell you what, let me go ahead and end the poll here. And what do you guys make of these results? I mean, it's sort of definitely a bump in the middle there. People are. So let me read the numbers out. So 30% say they're currently piloting or testing AI powered solutions. 30% say no, but they're evaluating solutions. And 36% say no, but they're planning to explore in the next 12 months. So nobody has. Nobody said yes, we're all in. And nobody said no, never. Is this about what you would expect from this sort of poll?

E

Cain?

C

I think so. I think this mirrors where the security community and the audit community really are. And we realize, hey, that's a technology that could solve some problems, but it also has the risk of creating some problems. And so this absolutely matches what my expectations are. And it really comes to a question of like, how are the GRC vendors, including Hyper Proof? How well are we meeting the needs of the market and their expectations of the market as companies move into grc? And we definitely were not the, we were intentionally not the first mover because it's, we didn't want to be like, hey, this looks like something everybody else is doing, so let's just do it poorly. We had to take a far more thoughtful approach, knowing again that the concern is that if an AI makes a mistake, the people who sign off on that mistake, your CEO, your CFO and so forth, they're going to be the people who are going to carry liability for it. And we owe it to them to not make those mistakes.

A

Matt, let me touch on that point with you. I mean, I think everybody who works with AI regularly knows the potential for hallucinations. And we've seen cases with lawyers being taken to task for going in front of a judge with made up references and previous case law. Where do we stand with that? With the ability to integrate AI into grc, but having that sitting on your shoulder, that potential peril?

D

Yeah, and there's a lot of different aspects in that, Dave, and kind of leveraging the poll, I would say that probably a lot of those holdups is the governance process within organizations. Right. Understanding the risks at an organizational level and then, you know, looking at the tools and applying some of those risks, but making it a process that's kind of, you know, streamlined and within risk appetite. But you know, I think also with within the industry, right, there have to be certain things that are being done, right? So not only are you aligning things to risk appetite, but you're making sure that it's referenceable, right? There has to be a reference. It can't just say that, you know, I pulled this and this is the answer. There has to be references on that. That's probably the most important. I think a lot of like these large language models, a lot of their data comes from sources like Reddit, which love Reddit, but there's way too much junk on there that could cause a hallucination and then you know, I would say probably, you know, the last thing is that humans. Right. We still need some of that human intervention in it to look at some of the concepts. Again, going back to the theme of a little bit of an assistant now, right. There still needs to be that critical analysis for things that may not be native to machines like ethics and making decisions that are not necessarily on either end of the spectrum, but again, somewhere in the middle. So there's definitely that human aspect that needs to be involved.

A

Yeah, I've found it helpful just for myself to think of some of these LLMs as being a tireless intern in that I can set them on any task and they will do it quickly and with as much depth as I request. But I'm also not going to bet the company on an intern. That's how I've come at it. Does that make sense to you?

D

That's a really good way to look at it. There's always the trust, but verify. We got that a long time ago. And that's absolutely the case where it has to be referenceable. Right. It can't just come out of thin air. It's got to be reference. Well, and then you got to check that reference. That person needs to check that reference. Because again, just because you publish a book, you publish a website, you know, there, there still needs to be that critical eye on it. Especially this day and age when there's so much information out there.

A

Yeah, go ahead.

C

Something else I was going to say is I have audited companies before and one of the biggest challenges that I'd found, and this was pre AI, was you'd ask a company, hey, show us evidence that you've got a policy document and that you're written information security policy, for example, and that you've got controls that are operating on that. And depending on the maturity of the client and depending on how far along in their cybersecurity journey they were, you'd get answers immediately and you'd get answers a week later going, we're not sure what you mean, or we can't find it. And so something, I think that is a potential force accelerator is that if you think about it, a policy document could be on maybe a SharePoint site, it could be on a Confluence site, it could be on your intranet. Who really knows where these things are stored unless you've got good document management. So if you can imagine that you had an AI that was able to say, cool, so here's all of our possible document repositories where stuff is going to Live, go figure out what this question means and go find us something that actually matters. That's going to make it faster to respond to an audit. But then if you can tie it to a specific control phrase or control language requirement inside of that policy document, that's going to make it easier for the auditor to have something consumable. But it's also easier for a human to consume and go, hey, this actually is what the auditor had been requesting. That's just a simple thing like hey, do you have a policy that says whatever? Maybe people have to use multi factor authentication. If you get into a harder example, that one I'm sure you probably see a lot of is, I don't know, change management, for example. That is non trivial, right? You have to bend together a whole bunch of different data sources. You have to start at your change management system. You've probably got some sort of ticketing system that says, hey, we're making a change and that change has to be approved. And then it has to go into some kind of source code repository. You have to actually verify did the change happen, was the change approved? And then how did it get into your DevOps pipeline? Was there a tool like Jenkins that you could go interrogate and say did it actually make that change? How do we correlate that all effectively? And right now the state of play is we have people doing that and their job is just as fun as that sounds, which is to say it's not fun. They have to correlate all of that information and send it to auditors in a format that can, they can understand and consume or maybe they have to as part of an insurance package, as part of their insurance renewal. They say, hey, we want to be able to prove that we do this so we get a more favorable. Or if you're dealing with incident response and you're dealing with a breach and your insurance investigator has come and asked, so how are we all doing that beforehand before the thing happened again? There is this whole bunch of manual toil and if nothing else, AI is really good at that thoughtless. Connect these things together so that people can then start to focus on more strategic questions like is the way we're doing change management, does that make sense? Is there any way we could actually improve that? Are there any gaps? I'm sure later when we talk about about some of hyperproof capabilities, we'll talk about that ability to do additional gap analysis to determine our controls being reasonably implemented and are they actually understandable and are they producing meaningful value or are there additional things. But right now these are very hard day to day challenges that folks in GRC work with. And I think ultimately the ability to change from that manual process to something more automated where it's the manual, the task that folks just dread doing, I think that's going to actually allow internal teams to be able to focus more on strategic matters rather than on, well, I have to do the work and the work sucks and I got to do it anyway because reasons. And this is the fifth time I've produced this evidentiary package for an auditor this week, which we've heard about. I think we can move away from that so folks can actually do what they are good at, which is thinking about things in strategic terms where maybe the AI doesn't have context or maybe there's this historical context or maybe it be, you know, what fits in your head as an analyst is way more than the token limit for any of the modern AI solutions right now.

B

We will be right back after this quick word from our sponsor.

E

Matt.

A

I'm curious about people properly setting their expectations here. I mean, as Kane points out, you know, you can set the AI on the Drudge work, but I think a lot of folks make the mistake of thinking that that initial first round of output that they get from their LLM, let's say we're done here. But as we talked about, that is not the case. So the notion of how much time and energy you may save, you have to properly calibrate that right?

D

100%. You really have to understand the use case. We look at use cases, whether we're creating an application or we're training a new process or using a new tool, it's the use case and testing that use case and making sure that it works and the information is reliable and things like that. We're not just going to load all our problems, you know, into the system and it's going to solve it. I think that, you know, when we were talking about, Kane was talking about, you know, like, you know, ado and Git and all just the change management stuff. That stuff is such a Gordian knot that you could spend hours and hours and hours and sometimes auditors and developers, they're saying different things while they're actually saying the same thing and being able to use the AI to take all the information and connect it, like that's a really good use case. But again, there's some other use cases that would need to be evaluated, you know, to figure it out because, you know, it's, it can do a lot of High level things. It can do a lot of low level things. But really what's in the middle that's a good use case that's been tested and proved and referenceable and auditable and all those fun concepts that we have to go through.

A

Yeah, let's continue down that path of use cases. I mean, what are the things in your experience, those of you who've been, you know, working with this, what, what are the places where it is most effective?

C

Alam, you look like you had something to say.

A

You were nodding enthusiastically there. Alam, my previous comment about setting your expectations, any additional insights?

E

Yeah, 100%. So I'll talk about, I was nodding vehemently because this is how we think about when I'm designing product is that I'm trying to understand that deep use case of a person trying to accomplish a task. Right. So for example, I'm trying to do a gap analysis between my controls that I have today and what proofs are missing. That's like a real concrete task and a use case. Okay. So then I'm going to look at, okay, how long does it typically take me to do that task? Now it might take me several days to sometimes several weeks depending upon the complexity and the number of controls. So I think about, hey, I'm not just going to go to an LLM and say, hey, magically tell me where all my gaps are and then it's going to spit out one answer and it's like, ah, ta da, right. I have all my gaps. That's not how I think about it. I'm thinking about how do I enable that person, that human in the middle, with tools that suggest to them that they can have a conversation with that decreases that many days, like say I take 10 days, can I decrease that to five days or maybe one day? I'm not trying to eliminate it to a minute. Right. Because if I go to my customers and I say, look, I'm going to give you tools, I'm going to give you, you've got a hammer. I'm going to give you an air hammer that's going to allow you to increase the throughput. So I always encourage when we're building software, it's not magic. I'm trying to enable those professionals to save that time in a very specific, like Matt said, use case focused way.

A

Well, I mean, let's dig into some of the specifics here at Hyperproof. Alam, what sort of things are you all doing today that enables users to use AI for grc?

E

Yeah. So I'll continue on this thinking of how we're thinking about infusing AI through the product. First of all, when we're thinking about it, I'll reinforce that we do not believe that we should just simply go to an LLM and say, hey, what are all the controls and the proofs that I need today? And ta da. Magically it's going to figure it out. Hallucination problems, all kinds of things. We're never doing that. We're never going to rely on a generic foundation model to solve that problem. What we are going to do is take those foundation models, we're going to constrain how we think about the tasks to be done. Like, oh, I have a gap analysis task to be done today. Oh, I need to create a test for this specific control. Help me figure out what the tests are like, help me, the GRC professional, create the test, don't automatically create it for me and run it and magic happens. So we are thinking about that. Just connection to go get data is a huge problem, right? I have to do this integration phase. How do I connect to all these different data sources? The first problem I have is what question do I ask to whom to go get access to that data source? That's like the first basic question. Which LLM can help me do that today? 0llms can help me do that today. However, how we're thinking about it at Hyperproof is that, well, I have some LLMs that can help me construct an email or understand and analyze. Who should I talk to in my IT department that could answer this question? And by the way, how do I frame the question to that person, right? To give me the right answer? Like I'm in the GRC world, I've got super technical people in the IT admin world, we have a language barrier. I don't even know the questions to ask them, right? Using a constrained LLM can help me achieve those tasks. So that's the philosophy we're looking at. And then we're looking at is like every part of the GRC process, right? We're looking at how can we improve that from like the discovery phase, right? Of like how do I understand what's happening in my world? What are all the controls I have? What are the frameworks? What are the status of all those pieces, right? To gap analysis that I mentioned is like how can you advise me on where pieces are going wrong? That then now I can drill in with the AI tool sets and go do specific tasks all the way to like, okay, now can you automate that task? Okay, so I'VE had good conversations with my assistant. Right. And I say, okay, you know, I have created a test, right. For this proof as an example. And now I'd like to automate running of that test. Right. On a regular basis and then alert me when something happens and I can have a conversation around that. That's an example of sort of automation throughout the process. So I'll just pause there. That's how we're really thinking about infusing AI. It's not like, oh, ask a foundation model how to solve all my problems. It's never ever that.

C

Can I add on to ALAM with one other point here?

E

Yeah.

C

Okay. So I think the other thing we've done that I'm so proud of and also is so difficult is we hear this phrase human in the loop, and that's very popular in AI and it's meant to decrease the idea of, oh, the LLM said this was the right answer.

D

Cool.

C

So we should put rocks on pizza, I think. Or was it glue? I can't remember. Sounds delicious. So I think when we're working with the grc, if any of those use cases that ALAM has just mentioned, like, hey, can you build me a test? And hey, can you automate that test? And hey, can you show me the outcome of that test as I prepare for a better audit so that I can have a better interaction with my auditor? When we're talking to AIs, something we thought about is, well, we don't want to create. Like the standard thing that everybody does in AI is you log all the inputs and you log all the outputs. Right, Cool. So now if you follow any of the new AI regulatory changes and laws that are coming in place, like the EUAI Act, Colorado or things that are happening in California, we said, wait a second. So if we are going to produce a log of everything that the AI did, it's going to make it really hard. Now we've added actually work to the GRC folks, and we're trying to make their lives better because now they have to go review the audit logs of what did the AI actually do, which doesn't make the world a better place, actually, that just creates more work. And it's kind of an anti pattern that we wanted to avoid. And so when we were building this, we were very intentional and said, look, let's have a human approve everything. Let's have a human say, yeah, actually go do that. So the AI suggests a test.

E

Cool.

C

It suggests the test. It waits for permission. It's not going to go 17 steps down deep into automating something as a black box, as magic, and then say, look, I'm done. Because that's not inspectable. That's not something we have a high degree of confidence in happening. And certainly we wouldn't expect folks to say, yeah, it seems great. So as we work with the AI, folks have to approve and say, yeah, go do that. Build that test, collect that evidence, show me how that works so that it's more of a partnership. But the other thing there is that that's allowing the test, which could take an individual person hours to set up, to go figure it out. That's an immediate force accelerator for them where they're not having to spend that time to go learn, how do I collect this evidence, how do I collect this test? How do I validate that this is accurate? Is that about a fair way of phrasing how we're thinking about it? It's certainly not the easiest way to do software development.

E

No, it's exactly right. I also want to add on that in this conversation, we're talking about the AI. To me, it's like saying, oh, we're going to ask the dropdown to go do something right. To me, these AI, they're just a set of tools. We employ the tools to accomplish a task. So the way that we have to design and whenever I look at these solutions in the market, the first thing I think to myself is like, are you trying to create magic for me? Are you trying to sell me magic? Oh, our solution is not going to hallucinate because of xyz, but I'm going to try to automate all these things for you. Right? I'm like, okay, I'm going to probably stay away from that. And I'm going to more focus on, like, how are the tool sets going to help my teams, the GRC professional teams, to do the job better. So, for example, there's a question around. Oh, I want to have an audit log of what the AI is doing. Okay. And I thought about that and I'm like, well, let's see. The audit log of everything that the AI is doing is actually what the human has told the AI to go do. So in our design, we have an audit log, right? And it's like, okay, then you log. It's like, which is the user that did that thing. I'm finding that most of those logs, there's a human and with a name that said, yes, this human approved that thing to go happen. And by the way, that human told this process that happens to be an LLM based process to go do its thing. And here, by the way, here is the output. So the source, the authorizing entity is most of the time the human. There are some few exceptions that I'm finding. It's like, oh, it makes sense to start to automate these pieces and we'll log those. But at the source of it is always the human in the audit logs.

A

Matt, can I'm curious your take on that. I mean, is it ultimately the human who signs off on these things, who bears responsibility?

D

100%. It has to be the human on that. They've got the experience, you know, the kind of ethical and moral guides on some of those things and they can really look at it from, you know, again, keep it in mind some of the audit things. Right. The objectivity of it, where it came from, you know, we can use it a lot for completeness and accuracy, talking about populations. But again, there's still some variants there. So yeah, it still has to be the human in the loop on that. And having the audit log that says that is even, even better. I love that feature. That's great.

A

Yeah. All right, I'll tell you what, let's do another poll here. This one is about your biggest concern with using AI in your GRC processes. So we've got the poll up there live now. So take a look, read those possible answers and please weigh in, Let us know what you think here and we can discuss that. While those answers are coming in. I'm curious. There are different types of AI, right? Machine learning, LLMs, agentic AI. What is the process, what's the thought process of choosing which one is best for any particular task? How do we go about deciding what we're going to turn loose on our data and to what degree we give them autonomy?

E

Is that for me?

A

Why don't you kick us off there?

E

Yeah. So the first thing that I think.

D

About is.

E

We don't give them autonomy. There's always a human in the middle. But what we have found, we started investigation with all kinds of. But we've been working in machine learning based models and using machine learning in various parts of our crosswalks that we've had, our jumpstart features that we've had in the product for a couple of years now. So there's machine learned models. Two, we've experimented with the LLMs and applying rag models on top of that, whether we're doing vector databases for search all the way to these agents. They're all different types of hammers, right? To do certain things. What we found lately, right? And is that the agentic model. And agentic model has essentially three components to it. It's like the context or the prompt that you give it. It's like, hey, here's the thing that I want you to go do. Here's some context of how to go do it. And then you give it like a set of tools. It's like, here's a set of tools of databases that you can access. Here's some MCP servers you can go get data from. You might be able to take some action here, some APIs to go take actions on. Those are the tools. And then the brain is like which LLM do you want to use? Which foundation model do you want to use? Right? So those are the three components of what an agent is. So we found that in the agentic model, it actually helps us move faster and satisfy more business requirements. In the GRC space, for example, customers have this one thing that says, hey, don't train models with my data basic thing, right? Well, in the architecture that I just described of what a basic agent is, there's no training involved, right? I give it context, it gives me back output. It's not using anything to train the models. It's an input output type of thing, right? And it can go do certain things. There are other technologies, rag technologies, other fine tuned models that are using that. Those are actually more expensive. For me as a software engineer and developer, they're very expensive. They actually don't help me get to my customer need faster. So at this moment, right, we're finding that the agentic technologies actually are faster. They satisfy my business requirements and what my users want in terms of data protection. So we're moving sort of very strongly in that route. But to be able to feed the context, remember I'm never using a world model to say, hey, do magic. I have to scope that, that LLM. What must IT do? So I have a lot of machine learned models to scope. What should that prompt be? That prompt or context engineering? There's a lot of machine learned models that help me constrain understand the context. For example, when I'm doing gap analysis, what should I be doing gap analysis on? What am I telling the LLM? How am I constraining what it should be going and looking at? What's the world, Right? How do I test that? Right? So there's a lot of machine learning models that are also testing the output of my agents. So that's sort of the basic technologies that we're looking at that we think are the state of the art of where things are at. It's going to evolve, but that's where we're at today.

B

Yeah.

A

All right, well, I'll tell you what, let's take a look at the results of this poll and I think it's pretty clear that the dominant thought here from the folks in our audience is they're concerned with data privacy and security. Does that strike any of you as being not in alignment with where you thought this would go?

C

No, that 100% makes sense. And I want to rotate on that and maybe look at Matt and see if he's got an analogous story. But one of the things we've had to be fairly thoughtful doing, again, I used to audit companies and I remember I was auditing a company that built their own GRC platform and they had an engineer built their own GRC capabilities to do their, their management reporting and so on and so forth. And they had a variety of controls and this one control always crushed it, just killed it, absolutely operating perfectly. Some of the other ones maybe a little not so good. Some of the other ones, who knows? Well, when we got into the audit, we found out that the engineer who wrote it, that their bonus was tied to the control that was always killing it and crushing it, and it wasn't actually being accurately reported. And that's really influenced some of our thinking about when you have an AI taking a system output, maybe it's getting a list of users, right? We have to be able to make sure that that AI hasn't done something untoward or hallucinated or made an interpretation that is not correct. Because then that imperils folks like Matt who have to vouch for any outputs from a system actually had not been tampered with. Because again, that defeats the purpose of having been audited. We had to be very careful and intentional, as Alon was saying, about making sure that we've got this in as transparent of a way as possible and that we're choosing the right hammer for the job instead of introducing that data risk or that privacy risk or that security risk of, well, the AI is just making stuff up because then you're going to actually get even worse audit outcomes, Right, Matt?

D

Yeah, and I love that story. And what I was thinking about when I see this, I think that if you peeled back the layers of data privacy and security concerns, it would also probably be they don't want to make headline news, right? You don't want to be the first mover on it to be a case study in one of these types of presentations to say, this is a bad idea, don't do this. So there's a little bit of hesitation, especially social media, everything that's out there, they don't want to do that. So I think that data privacy and possibly security is maybe the blanket on top of the issue, but it's really forcing people to not make a mistake in the public eye. That's why we always, when we're talking to clients about are you going to use this with customer interaction? Are we going to use this in the background on maybe, you know, saving costs just like, you know, hyperproof. It's always. Well, right now our risk tolerance is let's use this internally, let's see what we can get out of it. Let's see how we can reduce costs with the actual, you know, ROI on this as opposed to we're going to push this out to all our customers and see what happens. That's.

E

Yeah, and I'll just double down on this. Like, I'm actually really happy to see the data privacy security as such a high percentage because like I was mentioning the architecture that we chose, right? This is the leading concern to make sure that the basic architecture that we can preserve those data privacy and security concerns, like, what do you do with my data? Also we can foundationally address those. What do I mean from a software engineering perspective, I'm like, well, if the tech can't do the thing right, like it doesn't expose data privacy or security concerns, that's the best way to address that. So I'm going to start with that. It's like, what's the tech that just doesn't even expose that, right? And then can I build, can I satisfy my business requirements from there? So that's why the agentic route, right? There are still concerns, but of all the options that we've seen so far, like starting with that building from that is foundational. You have to build data privacy and security again from software architecture. You can't put it in later. You have to start from ground up every single element and every single layer of the architecture has to have this from the start.

C

I also want to come back to something that Matt raised and it's one of the polling responses as well, which was about where AI adds value and the concept of roi. Dave, you've probably seen some of the studies that came out over the summer where doomer saying AI doesn't add any value and all these projects fail and it's a terrible idea. And I think that in at least in the GRC space It depends on what you're measuring. Because if you're thinking about it in like, hey, we've got this agentic AI, what's it do for us? What it's doing is it's reducing friction. If you have a SecOps team that has to go, ask your Dev team, your DevOps team, your operations team, if you have auditors that are always following up with them for evidence or saying, hey, show me how you log into a system that's taking their time away. Those product engineers, those product designers, they don't get up in the morning and get excited about sending folks evidence of control operation. That's not the way their brains are wired. And so if we have the capability to automatically collect that, automatically inspect it, do it continuously align it to the risks that the business is facing, that's time that those individuals who honestly aren't that excited about auditing anyway, that's time they're getting back in their day that they can spend doing the things that they love, which would be things like building better products, building better user experience. And if we've got the SecOps team is able to collect this at scale without necessarily adding headcount or without necessarily making their jobs even more tedious, depending, then you can take all of that evidence and work with your auditors to get attestations like an ISO attestation, for example, that shows that you actually are doing this better than your competitors in a similar market space. And I'm saying an ISO cert or attestation as opposed to a SOC 2 type 2, because most folks have got one of those already and it becomes a competitive advantage now. So not only do you have better proof that your company is meeting your regulatory or your legal requirements, your contractual requirements of your suppliers and your customers, but also you're reducing the internal friction Spanish proving that. And now when we want to move into a new market, whether it's a new market vertical or whether it's a new geographical market, we can leverage all those controls, all those learnings, all that continuous inspection, and be able to move a lot faster and more intentionally than going, well, being after the fact and finding out from management, hey, we're all going to open a new office in some new region that's got some cybersecurity requirements that we didn't think we had to deal with and they weren't on your budget plan. Good luck. We get ahead of that a lot faster and I think that's going to be where we see the roi. It's not going to be, hey, we adopted an agentic AI and suddenly like magic happened out of the GRC program. It's a more holistic view of how a company is operating and there are a lot of those opportunities for inspection of value.

A

Well, I want to get to some of the questions from the folks in our audience here today while we've still got some time. Someone writes in and says at the speed at which AI processes or does tasks, how efficient or possible is it to have a human in the loop?

E

Yeah, I, I can take that. I was referring to this a little bit earlier where if somebody promises you to do things without the human in the loop, I'm wary of that.

C

That.

E

So it's about the design of what are you trying to accomplish. Like Matt was saying, it's like what is the task, right? What is the, the scope of thing to be done? So if there is somebody out there that's saying that I'm going to do this magic for you and you human, like the whatever, however way they designed it doesn't involve the human, that's problematic for me. So we are not ever designing that. So we are like the basic thing and like I was saying is like the process of accomplishing a task, gap analysis of controls to proofs. It's not magic. The human. We're assisting the person, right. To, to do those tasks. There's a process, we know, it's well defined of how to go do that task. We're making every step of that task faster. Right? But yeah, but if you encounter a solution, I think, you know the, the person that asked this where it's like, yeah, they're just going to magically do something and you don't have the ability to, to really have a say in that and you don't feel comfortable in that. That's probably problematic. That's a great insight.

D

Right.

A

What about accountability amongst teams?

D

Right?

A

Let's say you, half a dozen people on my team and everybody's using some version of an AI to assist them, to help them run more efficiently. But then there's Bob. And Bob does everything it takes him a minute to do. He runs it through the LLM, Bob's done, you know, wipes his hands and Bob spends the afternoon on the golf course. Like how do we ensure that there is accountability across the organization and a view into individuals processes to make sure that they're taking the proper steps to do things right.

C

So I'll take a swing at that one first. But then also I'm sure Matt and Alal might also have some feelings I'm not sure that's as true in GRC as in other areas of the business and the reason why. And my reading list is absolute fire. If you read the DOJ's guidance, Department of justice guidance on evaluation of corporate compliance programs, they're assuming somebody, a person, not a robot, but a person, actually looked at this and they actually signed off on it. And then if you go to the DOJ's sentencing guidelines of corporate crimes and, you know, if you are found and not be in compliance, they assume that there was a person who looked at this stuff, and if they didn't, that's actually considered in the sentencing guidelines if you have ignorance of how your company is operating your compliance program. So I think in grc, we are a little more isolated from that. And often what we see is the inverse where an organization has not implemented enough organizational change management. Ocm, they've said, hey, we're rolling out this AI thing. It's going to be great and it's going to be so cool. And they just assume people get it. And then you find Bob is actually the slow one. He's doing things the old way because he didn't know what the value was to him as a professional. He might have said, well, I don't understand why I'm doing this. Because the old way of like, like, let's see how a user logs in. Well, I'm going to take my stopwatch out and I'm going to hit the timer button and see how long does it take for them to log in and how long does it take for the screensaver to lock. And they just do those manual tests that don't make any sense in today's world, I think that's the real risk that we have, is that when companies choose to adopt these tools without communicating the value and the advantage of how it'll allow GRC professionals to not do lousy grunt work that nobody gets excited about, and instead, and they can spend their time thinking about bigger, harder issues that agentic AI just can't solve. Matt, what do you think on that one?

D

Yeah, yeah. I think Bob's golf game might get a little bit better, but he's not going to have a job for very long because in kind of our view, there's always time for human review. Now, again, being a consultant, right, We're a people business dealing with people. And to King's point around ocm, right, you can have a policy that says there has to be a human to review certain things, right? We have that policy. I'm sure a lot of people have that policy. But, you know, what are the mechanisms to ensure that nothing hits a client desk or goes to a CEO or a CFO that's completely fictitious. Right. What are the controls that you actually have in place? And then again, also, who's responsible for that? Is it Bob who's going to be responsible for it? Is it Matt, the partner who's taking the bullet for Bob up?

E

Right.

D

There's gotta be, you know, time, effort, controls, processes, all that fun things even for, you know, deliverables that are not necessarily. But yeah, GRC is very. A little bit more black and white on some of these things. But again, there still has to be, you know, that validity, that transparency, the resiliency all built in.

A

All right, well, let's go to another question here from the audience. Someone writes in and asks, do you find that many organizations get stuck at the process phase as many people don't have good documentation of the process? I can't see how you automate a task if you haven't documented a clear process of which so many processes are. In my head, does this resonate?

C

It looks like you're all nodding. Yeah, that sounds very familiar. I'm not saying that we should have runbooks, but I think that we should have at least some process documentation before you start looking at it. And the good thing is, in compliance, there often is that level once a customer, once somebody's been through, like you can get through one audit manually if you do it once a year. When you start getting into 2, 3, 4, 6, 12 multiple audits a year, suddenly you want to have process documentation. That makes sense. And the reason why is not because process documentation is fun. It's because people would like to take holiday, and they don't want to be unable to take holiday because it's audit season and because nobody wrote it down and it's stuck in their head. So I'd say that the. The thing to do there is as organizations mature, they start writing that process documentation. And then as we start looking for those optimizations, you go, cool. If we have a consistent way of doing this, this feels like something. We could have an AI help us build a test. Let's have the AI help us build that test. And now the process is a lot simpler. It's based on what we used to do, but an AI and automation is conducting that for us. And we can focus on outcomes, which is what we were supposed to be focusing on, instead of manual coil, which is what a lot of companies, especially those where it's all written down in their heads and just, you know, maybe it's yellow stickies. That's the world they get stuck in.

A

All right, well, quickly, before we have to wrap up here, Matt or Alam, any additional comments on that one?

C

No.

A

Can you covered it? All right.

E

I may add just quickly onto what Kim was saying is. Yeah, 100%. You have to have the process. The AI tool sets can and should, by the way, help you clarify, refine, and then establish your processes in the tool sets. So, like, one of the key things that we're looking at, Hyperproof, is the advisor or the copilot that is looking at advising, oh, here are the workflows you may need. Right. And then you can have a conversation around that. You have the process in your mind. How do you get that from your mind to the software? So we're like, okay, the advisor is understanding that and then like trying to then create a workflow. Right. A workflow editor. How do you create that as a workflow in the software? Now your process is documented and you can see it in the software. That's how I think about when I'm looking at software design to help that very real ground truth problem.

C

Yeah. And I'd also say if any of this seems a little difficult, you want to see it actually running live and you're like, cool, that sounds neat, but what's it actually mean in practice? Hyperproof IO, Just go there. We have early access now for our AI models available, so if you want to get a demo and see what we're doing, just Hyperproof IO, I think it's right on the homepage about getting the demo of our AI capability.

A

All right, well, we are coming up to the top of the hour, which means the end of our time together here. I want to thank our speakers here for joining us and sharing their information. Kane McGladry, Matt Cassidy and Alama Ali, thank you so much for taking the time. Interesting conversation. We could have gone another hour here easily, but I appreciate you sharing your expertise and insights. Big thanks to everybody at Hyperproof for making this possible and my colleagues over at N2K Cyberwire for their part as well. Please do reach out if you have questions. And thank you for joining us here today. We do value your time and we appreciate you joining us. Do take care and we hope to see you back here again soon. That was my conversation with Kane McGladry.

B

And Alam Ali from Hyperproof and Matthew Katie from Grant Thornton. We covered how agentic AI is creating new possibilities for governance, risk and compliance and the challenges that come with it. As organizations begin to explore these tools, we appreciate them taking the time to share their insights, and we thank you for joining us.