Half of GRC professionals struggle to keep pace with changes to compliance requirements

New report from Drata shows the growing complexity of GRC and mixed sentiments on AI.

  • Sunday, 2nd March 2025 Posted 1 month ago in by Phil Alsop

Drata has published the results of its report, titled, The State of GRC 2025: From Cost Center to Strategic Business Driver, with a focus on how governance, risk, and compliance (GRC) professionals are approaching data protection regulations, AI, and ability to maintain customer trust. The report highlights trends, challenges, and an outlook on the future of GRC.

The rise of AI and increasing global regulations have elevated the stakes for businesses, as they navigate complex requirements to protect sensitive data and ensure ethical practices. 96% of respondents cite high-profile breaches and compliance fines as reasons GRC is getting more attention. With surmounting pressure to properly address GRC, 45% of those surveyed are worried about balancing compliance and innovation, data privacy and protection, and maintaining operational resilience. As customer expectations around privacy and transparency grow, The State of GRC Report shows a robust GRC strategy isn’t just a regulatory obligation; it’s a foundation for securing long-term business success. 98% of professionals surveyed believe GRC achievements are worth touting to customers and other critical stakeholders to build internal and external trust.

Additional findings include:

Businesses are experiencing significant consequences due to inadequate compliance postures and processes, from brand safety and reputation issues (51%) to security or data breaches (49%).

48% of GRC professionals struggle to keep pace with updates to existing compliance frameworks and identifying areas needing attention.

100% of companies surveyed expect employees to increase their use of AI technologies in the next 12 months, yet only 10% have a GRC program fully prepared to manage it.

While 46% believe AI will improve regulatory compliance, many shared their fears center around AI biases impacting GRC decision making (43%) and AI hallucinations giving improper GRC guidance (39%).

Manual interventions with GRC account for 14 hours per week on average.

“Governance, risk, and compliance has long been a pain point for organizations, and despite the improvements we’ve seen in recent years, it’s clear many of those challenges still exist today, making it difficult for business to properly maintain their GRC program and effectively maintain trust,” said Matt Hillary, Drata VP of Security and CISO. “In addition to adding more compliance frameworks to their program, security and GRC teams should anticipate significant changes to the GRC function as a result of AI. GRC teams who aren’t prepared for these changes will experience major roadblocks with scaling their compliance programs and up-leveling their organizations to meet these demands.”

Failure to prioritise testing and integrate generative AI tools raises concerns as agentic AI adds pressure.

CIOs 'overspend' on cloud

Posted 4 days ago by Phil Alsop
43% of CIOs say their CEOs and/or board of directors have concerns about their company’s cloud spend.
Research revealed at Coterie Connect event highlights shifting team structures, evolving skills priorities, and urgent training needed for partner...
Endava has launched its latest research report “AI and the Digital Shift: Reinventing the Business Landscape”.

3,000% surge in enterprise use of AI/ML tools

Posted 1 week ago by Phil Alsop
Zscaler has released the ThreatLabz 2025 AI Security Report, based on insights from more than 536 billion AI transactions processed between February...
Over one in four (28%) British small business owners have used AI tools to help run their business.

Tech fragmentation cited as biggest cyber challenge

Posted 1 week ago by Phil Alsop
New Palo Alto Networks data shows 82% of UK organisations confident in their use of AI, despite AI being identified as biggest cyber risk for 2025.
MIT researchers crafted a new approach that could allow anyone to run operations on encrypted data without decrypting it first.