B (3:04)

Nice. Love that. I'm a foodie myself. Um, cool. Okay. Well, thank you for sharing a little bit. It's nice to get to know you outside of the diving right into the episode. So let's get, get into our first segment here, which is called GRC Mythbusters where we have our guests debunk common myths and misconceptions in the GRC space. So, Matt, we'll start with you. Let us know if this is a myth or a fact. The current geopolitical climate has pushed us into a period of deregulation, making regulator driven risk and compliance programs largely unnecessary.

C (3:48)

Asking me geopolitical questions right off the bat. Wow.

B (3:52)

All right.

C (3:53)

I think this is a big myth, right? From. From a couple of different lenses. Certainly under the current United States political administration, there has largely been some, some large sweeping deregulations that, that is really targeted though, if you look at it, around climate, around immigration, and around DEI policies. Right. So if you're in one of those areas, I think you have seen a lot of deregulation in the United States market if you play there. Right. But if you look at the global landscape, Europe has actually put a lot more regulation and EMEA in place over the last several years. Things like dora, things like GDPR that came out about five or six years ago. Things like the Corporate Sustainability Act. Right. Which is basically reporting on esg, environmental, social and governance activities. And there's been several more. So different parts of the world have actually increased regulation. I would also kind of highlight that while maybe the United States regime is deregulating, I think a lot of what organizations put in place is not just to be compliant with a state, local or federal regulation. It's actually to build trust with your customers at the end of the day. And your customers want to see that you have in place the right systems, requirements, protocols, controls, policies in place to feel comfortable that you will be a good partner with them, that you'll secure your data well, that they can share customer data with you. The government regulations is a nice way to kind of show that in some cases, but in other cases, I think that, that the need for the regulatory landscape is really more driven by your customers than, you know, potential regulatory fines that you might get from government agencies.

B (5:57)

Yeah, that's, that's a great point there and kind of leads us in a little bit on the, I know you mentioned the global scale into this next myth or fact from you, Diego, that I'm planning to ask is because AI isn't yet globally regulated organizations don't need formal AI governance or compliance programs.

A (6:21)

Yeah, I think this is a big myth as well. It's definitely false. And yes, like the AI isn't regulated globally today. But Matt touched on this. Regulations are emerging fast like the eu, AI Act, Colorado, AI Act, Utah and more. We just learned recently about this emerging potential Illinois regulation around note takers and the liabilities that might exist around, around there that we all, you know, many of us use and we need to be aware of. So organizations can still face legal, ethical, reputational and operational risks from AI use and you want to be on top of it. So now more than ever is a time to ensure your company has an AI governance program in place and so that you are ready when regulations come, but also ready to navigate the current landscape and make sure you're doing it the right way.

C (7:25)

I would also add to that really quick is, you know, when you think about kind of the AI governance program, you know, maybe the regulations aren't there to a T, right? Specifically like hey, we've got SOC regulations and we have ISO regulations and we have NIST regulations. But putting an AI governance program in place really puts you on your front foot when you think about your over AI strategy. And the first part of that is just understanding the AI sprawl that you have within your organization so that then you can make good decisions on do we have the risk appetite and tolerance to take on this AI and is it worth it for us from a business perspective? So you're really setting yourself up whether we have regulations or not that you need to comply with that you potentially might get fines on. You're setting yourself up for more business success by having an AI governance policy. And I would argue that that's more critical than being compliant with some sort of state, local or federal regulation that's out there. So you potentially will avoid some probably minuscule fine if you're not.

A (8:25)

That's a great point because yeah, you know, like we were talking about compliance but I think Matt, what you say brings up to me like the risk in AIUs and are you really understanding it? And you know, like, well, I think we spent many years trying to like bring down like shadow it and like your own devices. I think we got as soon as we have a better handle that. Now shadow it is emerging again in the form of AI and folks using their own and maybe putting company data in ways that they shouldn't be. And so just understand, like you want to understand what's happening so you can manage the risk and make decisions accordingly.

C (9:05)

100%.

A (9:07)

Good call.

B (9:08)

Okay, let's move into some Q and A. So first we're going to talk about GRC landscape blind spots. Matt, looking at the 2026 landscape, what is one thing, one risk or market shift that most CISOs or GRC leaders are currently underestimating or not accounting for that you think they should be?

C (9:31)

I think one of the big ones is your data. Right. Organizations are just, they're developing and putting out so much right now that are going to other vendors, and in some cases those vendors are holding that data hostage from you and can you use it, can you access it? So I think a big risk is really on the supply chain side, the third party vendor side, the third party diligence side of the house, and making sure that really your procurement, your contracting, your third party risk is buttoned up and you understand the pros and cons of the vendor and what that vendor is going to potentially do with your data, how they're going to access that data, how they're going to use that data, how they're going to give you back that data, and what safeguards can you put in place, probably contractually, with the data access that they have?

B (10:29)

That's a great point. Yeah, I think that's critical for security for organizations going into 2026. All right, so moving on to kind of the agentic shift and the concept of the digital workforce that's here. Diego, this question is for you. As AI adoption grows, will GRC teams remain necessary or will AI agents fully operate GRC programs by the end of 2026? And how do organizations avoid automated complacency and keep humans capable of stepping in if an AI agen were to drift?

A (11:11)

Thanks for the question and what a great topic. And I can tell you GRC teams will remain essential, and I mean, like humans will remain essential to running GRC programs definitely in 26 and well beyond. I'm a huge fan of what's happening with AI, the potential that AI brings to really transform how we work, how we live. But I also see it happening in a way that's going to enable us humans to do our best work and to do it in the best way possible. Specifically for grc. We still need humans to interpret context, make judgment calls, make ethical decisions that AI alone can't fully manage. Definitely not today. And I don't think that so in the future, so Organizations need to make sure that they're implementing programs and adopting AI in a way that enables humans and not just. We're not at a point where you can take them out of the loop. And I don't think we'll ever get there. It's so important for humans to be involved, to be the AI experts. And I love how Logicate is being so intentional about how we are enabling our customers with AI, first of all giving them choice, but also just giving them full control of where do you want to use AI, how do you want to use it, what do you want to delegate to an agent, how much? And I think that's going to continue to be the case for the years to come.

C (12:44)

Yeah, I would totally echo what Diego just said. I think both Diego and I have talked to many, many CISOs, CROs, chief risk officers, chief compliance officers, chief audit officers over the course of the last probably 12 to 18 months. And all of them are saying we're getting a lot pressure from our board and leadership team of how are we using AI to drive efficiencies in these back office programs that our organizations need to run, to be secure, to be compliant, to have trust with our customers. So how are we using AI to that. And in the same exact breath, all of them to a T have said, and I am nowhere near being okay and comfortable from a risk tolerance perspective of turning our third party risk program, our controls management program, our RCSA process over to an agent to run that end to end. Right. So I think Diego hit the nail on the head and what we're really excited about here at Logic8 too is the ability to give them that control and give those folks the controls to turn on and turn off. Agents have humans in the loop at different steps to really mirror the risk tolerance that they have for those agents. But over time, as they get more and more comfortable and as these things become more and more mainstream, be able to augment and shift the technology that they, the program is on for the agents to run these things end to end.

B (14:06)

Yeah, thanks for sharing your input on such a. I know it's such a hot topic right now for everyone, so appreciate that. Okay, Matt, moving into the next question for you, giving the growing discussion around this concept of death of soc. Are SOC in a box platforms losing relevance as checkbox compliance becomes insufficient? And what does this mean for GRC programs?

C (14:32)

Yeah, it's a great question. You know, I think it really depends on where you are in the market. Right. Maybe if you're a, you know, when Logic8 was a super small startup and we had $5,000 to spend and it was just like get our socks so we can compete. Maybe you know, just a check the box sock works for you. But if I think if you're at any scale of an organization, you, you know, you need to have a much a larger, more sophisticated program that is built on risk and built on transparency. It's built on compliance. And I don't think that a soc, because of some of the folks in the market today of just kind of this check the box compliant maintain and mentality and automatically getting the SoC if you go with a specific vendor, it doesn't hold the same weight that a SOC I think once held within the industry. Right. And with vendors and just say, hey, if you have a SOC in place, I don't need to do a security review. I feel very comfortable with you. That is not what I am seeing anymore in the market. Especially as you get into, even the mid market organizations, you know, they're really looking for your. Do you have a very robust risk program, security program, privacy program, compliance program in place? And how do I test that? How do I constantly monitor what you're doing against it and not just I've got a piece of paper that is rubber stamped by someone on it. So I think, you know, the more modern GRC platforms out there give the dynamic nature and give the ability for organizations to fully execute on that broader regulatory risk compliance vision as opposed to just, you know, a check the box compliance solution.

B (16:23)

Right. I think you're spot on. That kind of the outcomes really outweigh just the checkbox.

C (16:29)

So.

B (16:30)

Totally, totally agree there. Moving on to our next topic of kind of navigating the boardroom and bridging risk and business value. That, that concept, that discussion. So Diego, when it comes to the rapid increase of connectivity and AI adoption, how can CISOs confidently navigate saying yes to the board, all while ensuring AI adoption and accelerance without sacrificing years of security investment and program maturity?

A (17:04)

Yeah, I think they should remember the concept of yes and, and I hear what you're describing a lot, which is like, oh, I have this mandate that use AI like AI at all costs. How many agents are we? And then the reality is you go out to the market and a lot of these are emerging technologies, emerging companies and it might come to be perceived as a trade off, like yes, I could use AI, but all the years that I spent building my security protocols and frameworks and controls, I'd have to put them to the side, make an Exception in order to follow the mandate of using AI. And, and I mean, I think in some ways that's true with every emerging technology. But I'd say, like, you don't have to make that trade off. And especially, you know, in the GRC world where managing risk security is top of mind, you should have partners that can enable your teams to make the most of AI while still being compliant to what we talked about earlier. Understanding the risks that you're managing and not doing anything crazy like you should be. You should be able to work with partners that live up to your standard when it comes to security and enterprise capabilities and things like that.

B (18:30)

Totally. Yep. I think that's, that's really important to not, not drop below the standard of, of what you've built as a company in an organization. So, okay, we're going to touch on the future of GRC tools. So Matt, by 2026, what will set the leading enterprise GRC programs apart from the rest, and what will the average program still be missing?

C (18:56)

Well, we are in 2026, so not by 2076, but today. I think there's a couple things. One is I think an open platform that organizations can aggregate data onto to have one central hub for their regulatory, risk, compliance and security data. Maybe that's data that is on that the platform provider like Logic8 will offer, and maybe that's data from other security platforms. Think about a wiz or a tenable or a crowdstrike or a, a vital four or a black kite, right to centralize that data. Two is, I think, a connected ecosystem, meaning a connected ecosystem of regulatory, risk and compliance solutions and processes that can easily share data and talk to each other. So you have one system of truth. You have one system that folks are logging into. You have one repository of controls, you have one repository of policies, you have one repository of regulations. I can't tell you how many organizations I've worked with over the years that have five, six, seven different control sets in different places. And it's like, what is the system of truth for all of that and how do we update all of that? Just the time and efficiency savings to that. I also think, you know, if you can do those two things right, you can have one central repository and you can be an open, connected platform. What that allows you to do is own a lot of the regulatory, risk, compliance and security data within an organization. And if you can do that, the company that can do that is the one that's going to have the most, the best agents over time because they're going to be able to use that data to really train the models that these agents are driven off of. And you're going to get, over time, very, very, very good sophistication in agents, specifically for controls management agents, specifically for TPRM agents, specifically for regulatory compliance or RCSA processes. And I think if you project out three, four, five years, those agents, the company that has the best, well, the most well trained agents is going to be the one that wins in the market. And then lastly, I would say, you know, the world is one of getting more connected and one that is moving every day at greater and greater speed. Right. And we actually see this in Logic 8. One of the things that we're focusing on in 2026, how do we move fast into the future that's coming? And when you think about speed, that means organizations are going to be changing really dynamically on a quick basis. So you need a provider and a solution and a platform that can meet you where you are today for your goals and objectives from a regulatory, risk and compliance perspective that meet your overall organizational goals and security perspective. But those goals are going to change in 12 months, 18 months, 24 months, 36 months down the road. So you really need a, a partner. You know, I hate saying provider, but a partner and a platform that can morph with you very easily over time as your goals and objectives for the company changes. So I think that those are really, it's going to be kind of the bar and what sets, you know, the market leaders in this space across from the average Joes in this space.

B (22:21)

Thanks. Yeah, well said. Okay, well, thank you both so much. We're going to move into our next. It's our closing segment. We like to leave our listeners with a little bit of practical advice and kind of call to action. So I am going to leave you with this last question. Warren Buffett says that the best investment is investing in yourself. So as a final question, what are each of you investing in personally right now? And what investment do you believe will matter most for the future of the business? Diego, we can start with you.

A (22:59)

Okay. On a personal level, I've always believe in just like physical activity and trying to keep your body as healthy as possible. And one thing I'm doing right now, like, probably my favorite gift from Christmas this year or like these goggles that show you metrics while you're swimming. I'm not a big swimmer, but, like, these goggles make you want to swim. It, like, shows you, like, your heart rate, like, how fast you're going, like, and it, like, kind of coaches you as you're swimming. And I. I just think that's so cool. It makes me want to go. Makes me want to go swim. So. And. And that's. That's. That's. It's very healthy. It's also very meditative swimming. It can be very meditative because you're just breathing and kind of like by yourself for 30, 40 minutes. So if you want to get into swimming, get these form goggles. It'll help a lot. I also believe in a gratitude journal just every day, writing three things that you're grateful for that happened the day before. Like, very specific, like, my daughter had my hand when we walked in the parking lot. And like that. You know, we're grateful for that. To like, bigger things, like, we're having a great quarter. I'm grateful for that. So those are two things that I'd recommend are very easy to do. Stay active, be grateful. And for the business. For me, it's just investing in our team and just. I think I want to make sure our logic gate team is the best team any one of us has been a part of. And I think that's an awesome calling, and it's what we're really focused on in 26.

C (24:46)

Love it. About to go to Amazon and buy some goggles.

B (24:52)

You read my mind, Matt. I am writing that down as I.

A (24:56)

Should say, royalties for this or something.

C (24:58)

Exactly.

B (24:59)

New company gift. Get everybody on board for swimming. Okay, thank you for that answer. That was really great, Matt. Moving on, moving on to you.

C (25:11)

So on. On a personal note, I think I'm just really big on. Really. I've always been very big on relationships. I think relationships make the world go round, whether that's professional relationships, whether it's personal relationships. And one of my big goals for 26 is how do I reconnect? And it's so hard, right? You know, you. You get out into the world and you lose touch with people. But one of my big goals for 26 is. Is how do I rekindle some of the relationships that I've had in my past, Both. Both personal relationships and professional to help me. So every. Every week, I think about, hey, who's someone that I haven't talked to in six months? And that could be a personal. A personal friend or a personal relationship that I had, or it could be a professional relationship that I had. It could be, you know, one of one of the CISOs or Chief Risk officers of one of our large customers or small customers that I haven't talked to in a while and I'll just reach out and I'll say hey, you got five minutes. I have no big agenda. I just wanted to say hi, I'm thinking about you. So, so that's a big one for me. That in investment area in 26 is just to continue to, to build my network and invest in, in relationships. When you think about the business, I think the big one for us in 26 is, is AI. Right. And how are we going to implement certainly AI in our product and boy am I excited about what John Officer has from an AI roadmap perspective. And I think he's thinking about it in such the right way of AI to enable humans and at the same time the infrastructure to enable agents and really leaning in in both of those areas from an AI perspective and also AI for our organization and how that's going to change the day to day work that someone like you Jane would do on the marketing team. Right. And how do we lean into this really? It's not a game changing company or a piece of technology. It's not a market leading piece of technology. It's not a disruptor. I would argue it's the biggest piece of technology since the light bulb. Potentially even bigger over time. Right. And those who are on the leading edge of that are going to be those that thrive and not just survive but thrive in this market. So those would be the two things on my mind and what I'm looking forward to IN26 and the investment areas.

B (27:40)

Thanks Matt. Thanks for sharing those great points. Love hearing from you both on that. Okay, well listeners, you've heard from Matt and Diego. So now you tell us in the comments, what investments do you believe will matter most for the future of the business and how are you investing in yourself personally? Thanks so much.

C (28:01)

Thanks Shane. It was fun.

A (28:03)

Thank you Jane.

B (28:06)

And that's a wrap for this episode of GRC and Me, Matt and Diego. It's been a pleasure catching up with you and learning about your 2026 insights and predictions. Thanks everyone for tuning in and catch us next time on grc.