EPISODE · Oct 9, 2025 · 46 MIN
Clean Reports, Flawed Systems, and the Future of GRC
from GRC Uncensored
TJ, Kendra, and Elliot are back, and welcomed Evan Millman, GRC Manager at Abnormal Security, for what started as a casual chat and evolved into a sharp look at compliance blind spots, the role of AI in GRC, and how professionals can shape their careers in a changing field.

[00:02:00] Evan shares how he used ChatGPT to analyze a risk assessment report.
[00:05:00] What GRC leadership looks like at Abnormal Security (ISO 27001, 27701, 42001, SOC 2).
[00:07:00] The complicated relationship between organizations and auditors — bias, incentives, and the reality of “clean” reports.
[00:12:00] Why third-party attestations are table stakes, not real assurance.
[00:19:00] TJ and Evan debate solutions: peer reviews, government oversight, or is the system fundamentally flawed?
[00:27:00] How Abnormal approaches vendor risk: criticality ratings, renewals, and compensating controls.
[00:32:00] Tools and automation in GRC — benefits and buyer’s remorse.
[00:36:00] The role of AI: evidence review, documentation search, and “trust but verify.”
[00:39:00] Should GRC professionals become coders, or double down on soft skills?
[00:44:00] Evan’s career advice: networking, persistence, and why soft skills matter more than technical depth.

Hosted on Acast. See acast.com/privacy for more information.