Will AI Redefine Corporate Risk and Compliance?

I’m joined today by Simon Glairy, a distinguished expert in risk management and AI-driven assessment, to discuss the seismic shifts happening in the governance, risk, and compliance (GRC) landscape. We’ll explore how AI-native platforms are moving beyond legacy systems to redefine enterprise security, transforming sluggish, manual audits into real-time, continuous oversight. Our conversation will delve into the practical impact of this technology, from empowering GRC teams to focus on strategic work to the core mission of ultimately protecting consumer data.

Your passion for consumer data privacy reportedly led you to focus on securing enterprises. How does this core mission shape Complyance’s product roadmap, and can you share a specific example of how your AI agents are designed to ultimately protect the end consumer?

That passion is the very foundation of what we’re building. For me, it reached a tipping point where I realized that the most effective way to safeguard individuals’ data wasn’t just helping them with their phone settings at parties, but by empowering the enterprises that hold vast amounts of this sensitive information. This mission is woven into every agent we design. For instance, our platform doesn’t just check for generic compliance; an AI agent can perform custom checks on incoming data, comparing it against a company’s specific risk thresholds. When it flags a potential non-compliance issue in seconds, it’s not just an abstract alert—it’s a direct intervention that prevents consumer data from being mishandled, ensuring the privacy promises made to the end-user are actually kept.

Traditional risk reviews can be a slow, manual process that takes weeks. How exactly do your AI agents turn this into a continuous, real-time function? Could you walk us through the step-by-step process for a client and share some metrics on the efficiency gains you’ve observed?

The difference is night and day. A traditional risk review feels like a massive, once-a-year or quarterly fire drill where teams scramble for weeks, even months, to run checks and generate reports. It’s an exhausting, point-in-time snapshot. Our AI agents transform this into a constant, quiet hum of vigilance. Once a client integrates our app into their tech stack, the agents get to work immediately. They continuously monitor data flows and system configurations in real time. If a new third-party vendor is onboarded, for example, our agent instantly assesses their risk profile against the client’s policies, flagging any issues right away. Instead of waiting three months for a manual audit to discover a problem, the GRC team knows in seconds, allowing them to act before a risk can escalate.

The GRC market has established players. What does being “AI-native,” rather than just adding AI features, mean for a user’s daily workflow? Please provide a concrete comparison of how a specific task, like third-party vendor assessment, is completed on your platform versus a legacy system.

Being “AI-native” is a fundamental architectural difference, not a marketing term. Many incumbents have simply layered AI features on top of their old, rigid frameworks, which is like putting a jet engine on a horse-drawn carriage. On a legacy system, assessing a new vendor is a painful, manual process. A GRC analyst has to send out questionnaires, chase people for documents, manually review security certificates, and then input all that data to get a risk score. It’s a multi-day ordeal filled with administrative drag. On our AI-native platform, the workflow is automated. The agent connects to data sources, ingests the vendor’s information, runs custom checks against our client’s specific criteria, and presents a comprehensive risk assessment, with flagged concerns, almost instantly. It’s about building the entire user experience around intelligent automation from the ground up.

You plan to expand from 16 to over 40 purpose-built agents. What specific, mundane tasks are these new agents designed to eliminate for GRC teams? Can you give an example of a new agent and describe the strategic work it will “unblock” for your clients?

The core goal of this expansion is to liberate GRC professionals from the drudgery that consumes their days. These teams are filled with brilliant strategists who signed up to protect their businesses, but they spend most of their time chasing down evidence for audits or hounding people to complete compliance training. One of our 30 new agents in development, for example, is designed to automate evidence collection for specific compliance frameworks. Instead of an analyst manually taking screenshots and pulling reports for weeks, the agent will continuously gather and organize the required proof. This completely unblocks that analyst, freeing them from being a glorified paper-pusher. They can now use that time to analyze emerging threat landscapes or advise business units on how to innovate securely, which is the high-value, strategic work they were actually hired to do.

Securing a $20 million Series A led by GV is a significant milestone, especially when they approached you. What specific capabilities or client results do you believe made your AI-led product so compelling to investors who were actively searching for a solution in this space?

It truly was a bit of a fairy tale scenario. GV had been actively searching for a genuinely enterprise-grade, AI-led product that wasn’t just a concept but was actively winning over sophisticated clients. I believe what made us so compelling was our proven ability to deliver tangible results for large, complex organizations, including several Fortune 500 companies. They saw that our AI-native approach wasn’t just theoretical; it was solving real-world GRC pains and demonstrating clear efficiency gains. Investors could see that we were not only automating tasks but also fundamentally redefining how enterprise GRC teams operate and perceive their roles. We were showing, with actual client adoption, that we could unblock these teams to focus on strategic priorities, and that’s a powerful value proposition that resonates deeply in the current market.

What is your forecast for the GRC industry over the next five years?

Over the next five years, I believe the GRC industry will undergo a complete transformation driven by AI-native platforms. The idea of periodic, manual, audit-based compliance will become obsolete, viewed as dangerously inadequate. Continuous, automated risk management will become the baseline standard for any serious enterprise. We’ll see GRC professionals shift from being reactive auditors to proactive strategic advisors who partner with the business to drive growth securely. The tools they use will be less about checklists and more about intelligent agents that provide real-time insights, predict potential risks, and automate remediation, allowing humans to focus entirely on judgment, strategy, and protecting their customers.
