EPISODE · Dec 31, 2025 · 47 MIN
AMA: GRC, SOC 2, and the State of Audits
from GRC Uncensored
It’s the last day of 2025, which means it’s time to wrap season one. When Troy and I piloted this series, we didn’t expect thousands of you to tune in, and certainly didn’t expect to pick up the wonderfully smart Kendra to join our crew.

With that, we want to thank you for encouraging us to keep this series going. We’ll be back for season 2 soon, and are taking in new pitches for episodes now. To wrap the year, we conducted an AMA on the current state of GRC. We pulled questions from Reddit and LinkedIn and tackled them live in conversation.

What we covered

Are we “anti-GRC automation tools”?
Short answer: no. Long answer: automation isn’t the problem. Misuse, blind trust, and compromised audit integrity are.

Cheap SOC 2s and bundled audits
Why budget startups often don’t have a real incentive to avoid low-cost, bundled auditors, and what you give up when you go that route.

SOC 2 pentesting vs PCI DSS
Why SOC 2 allows weak or missing pentests, why PCI doesn’t, and how automated scans differ from real manual testing.

Conflicts of interest in the GRC ecosystem
Platforms, auditors, and vCISOs all partner, so where does objectivity break down, and is it even possible to keep it clean?

Who’s really at fault: tools or auditors?
A blunt discussion on incentives, accountability, and why low-quality audits keep winning.

Offshoring and the race to the bottom
When cost-cutting leads to offshoring, what should clients actually be worried about and what’s just noise.

The future of audits and AI
Will AI replace auditors? Where automation helps, where humans still matter, and what happens if we stop caring about independent assurance altogether.