MSSP, Governance, Risk and Compliance, Compliance Management, AI benefits/risks

Higher Profile and AI are Putting More Pressure on GRC Teams: Drata

The increasing complexity of both cyberthreats and the regulatory landscape, together with the adoption of AI and other technologies in enterprises, has raised the profile of governance, risk, and compliance (GRC) teams, many of which are trying to keep up with the equally expanding demands.

In a recent survey of 300 IT and security pros in the United States, Drata found that 96% see GRC rising in the business spotlight and 98% believe that GRC accomplishments are worth touting to customers and stakeholders.

That said, there are challenges that come with this evolving GRC landscape, with 48% of GRC pros saying that they struggle to keep pace with updates to existing compliance frameworks and with identifying the areas that need attention. In addition, 52% say they are exhausted from identifying new frameworks that require compliance and integrating those into existing programs.

“What’s more, GRC teams face mounting pressure as companies now expect more robust, mature internal GRC programs to unlock revenue, sell faster, build customer trust, expand globally and into new market verticals, and drive new business,” the authors wrote in the report, State of GRC 2025: From Cost Center to Business Driver. “But their plate is already overflowing. Those who perform GRC functions are managing an average of eight compliance frameworks with 60% managing at least five.”

That won’t get easier as 2025 rolls on. Companies expect that over the next 12 months, they’ll add an average of six more compliance frameworks that already-stretched GRC teams will need to manage.

Easing the Burden

For their part, vendors like Drata – whose automated platform offers such functions as risk management, compliance-as-code, and a trust center for managing security postures – and MSSPs will be further pressed to help lighten that load.

Not only are enterprises trying to keep up with updates to existing frameworks, but “the rise in new regulations makes it even more challenging to maintain compliance with multiple frameworks, requiring businesses of all sizes to increase their time, attention, and investment in GRC,” Akello Ragwar, director of channel partnerships at San Diego, California-based Drata, told MSSP Alert. “Naturally, organizations also have to address a revolving door of cybersecurity threats to ensure they maintain a proactive risk management environment.”

MSSPs' Expanding Role

MSSPs play a central role in all this, in large part by serving as an extension of a company’s security and compliance efforts, Ragwar said. That includes acting as compliance advisors by guiding clients through the varying frameworks, standards, and regulations, such as SOC 2, ISO 27001, and HIPAA, which helps streamline the process.

“In addition to their expertise, MSSPs can bring key security capabilities such as incident response, threat and vulnerability assessments, and continuous monitoring that allow businesses to identify gaps, swiftly react and mitigate threats, and ensure business continuity,” she said, adding that this is particularly important for businesses that have limited resources and budgets.

Drata has seen the effect of the complexity and challenges, with Ragwar noting that the vendor has seen a rise in the number of MSSPs in its partner program, particularly over the past year.

The Good and Bad of AI

As with everything else in IT and business, AI is playing an increasingly large role as both an asset and a concern.

“There’s no doubt that AI can positively shape GRC through enhanced efficiency and accuracy, especially when coupled with automation to further streamline the compliance journey,” Ragwar said. “As our use of AI increases, so will the risks around data privacy and security. As a result, expect to see even more official regulations this year and beyond addressing this high rate of adoption.”

Her comments reflect what survey respondents said. The benefits are plentiful, with between 37% and 46% saying that AI will improve regulatory compliance, increase data security, enhance risk management and decision-making, reduce errors in compliance tasks, and streamline audit processes. However, there also was a mix of worries, with 43% citing AI biases that could impact GRC decision-making and AI hallucinations giving improper GRC guidance.

That said, AI is coming and companies are falling behind in their preparation. All of the survey respondents said they expect their employees to grow their use of AI, but only 10% said their companies have a GRC program fully prepared to manage it.
