Every week I talk to governance, risk and compliance (GRC) teams at large companies that know, in detail, what agentic artificial intelligence can do for their work. They have read about it, seen demonstrations, and clearly distinguish between an AI that accelerates a task and an agent that runs it completely. Yet despite available budget and genuine technical interest, there is a persistent resistance that cannot always be explained by rational arguments.
When the conversation moves away from technology, a different concern surfaces: they are not sure who they will be when operations no longer depend on them. It is not just fear of losing a job; it is a concern about identity. For years many GRC professionals have built their prestige and their daily routine on operational excellence (knowing how to collect evidence, run audit cycles and keep complex programs running with limited resources), and seeing those tasks automated by agents produces a sense of loss.

This tension has a more hopeful reading. Looking at the history of the field, GRC was never conceived as a permanent operational function, but as a mechanism to help the organization understand and manage risk. Evidence collection, tracking spreadsheets and reports were always means to an end. What happened is that the tools did not scale at the pace of the programs, and the operational burden devoured the capacity to think strategically about risk.
So-called agentic agents do not merely do what was already being done, only faster; they change the nature of the work. They can continuously extract evidence from integrated systems, monitor controls in real time and act on remediation processes without constant human intervention. But there is a key point: agents do not design themselves. The criteria that define what to collect, what constitutes a deviation, when to escalate, or which evidence will convince an auditor come from the combination of data context and human judgment.
In the policy and good-practice landscape, that human judgment is essential. Frameworks such as NIST's AI Risk Management Framework stress the need for clear controls, explanations and responsibilities when deploying autonomous systems. Technology can implement, but defining acceptable risk, metrics and exceptions falls to people who understand the business and its costs.
Early adoption will not be a race for whoever has the better AI models, but for whoever redesigns the GRC function to take advantage of the time freed up by automation. When manual tasks disappear, another activity that has historically been sidelined emerges: thinking and deciding. The teams that win will be those that use that freedom to raise the level of their work, moving from managing a program to leading it.
Seen from a professional point of view, the change is an opportunity to return to the reasons many joined GRC in the first place: caring about whether the organization is really protected and not just pretending to be. Those who have already gone through the change describe it as something closer to being authorized to do what they always knew how to do. Their task is no longer to check boxes and apply patches, but to define which controls bring value, when an alert is relevant and how to translate business context into logic an agent can run.
It must also be understood that technical transformation is accompanied by cultural and organizational transformation. Data infrastructure and control engineering, which some label "GRC as code", allow agents to work reliably: controls declared in versioned repositories, automated tests, and deployments through pipelines. Such a technical approach requires different investment and processes, but it gives teams the ability to focus on governance and strategy. Those who want to go deeper into this approach will find practical documentation explaining how to start declaring controls as code, for example in specialized guides from platforms working along this line (GRC Engineering 101).
It is not an automatic or painless transition. Redefining responsibilities means reviewing job descriptions, career paths and performance metrics. It also requires establishing guardrails: agents need continuous limits, supervision and auditing. External frameworks and control resources help sustain this change: in addition to the NIST AI RMF, international standards on information security management (e.g. ISO/IEC 27001) remain relevant for defining how evidence is organized and how automated processes are protected.
It should also be remembered that large-scale automation changes the nature of the skills required. Reports from agencies and consultancies on the future of work show that automation does not eliminate the need for human talent, but rather shifts demand towards judgment, risk management and business communication (McKinsey). For GRC this translates into professionals who know how to turn business scenarios into control rules, who define risk appetite and priorities, and who monitor the health of automated processes.
In practice, the path to healthy adoption combines several measures. It is necessary to design agents with transparency and traceability, to code controls and their tests, to articulate clearly who decides in complex cases, and to define metrics that measure impact rather than activity. At the same time, the organization should facilitate professional reinvention: training in risk thinking, basic technical skills for collaborating with engineering teams, and spaces where expert knowledge shapes the logic of the agents.
The psychological barrier many teams face is understandable: delegating execution feels like giving up part of one's own identity. But if it is accompanied by a revaluation of what GRC professionals contribute, and by structures that channel that value into real decisions, automation stops being a threat and becomes a catalyst. The transformation, in the end, is less a loss than a return to the essence of the role: to think about risk, not just to manage it.
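To make the "GRC as code" idea above concrete, the following is an added illustration (not code from the article or from any named platform) of a control declared as data, evaluated against a constructed evidence snapshot, with the escalation decision and an evidence hash recorded for traceability. The control identifiers, rule names and evidence records are all invented for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    control_id: str        # hypothetical identifier, e.g. "IAM-02"
    description: str
    severity: str          # constructed scale: "high" or "medium"
    rule: str              # name of the evaluation rule in RULES
    params: dict = field(default_factory=dict)

# Rules return the evidence records that violate the control; human judgment
# lives here and in CONTROLS, both of which belong in a versioned repository.
RULES = {
    "privileged_mfa": lambda ev, p: [r for r in ev if r["privileged"] and not r["mfa"]],
    "max_inactive_days": lambda ev, p: [r for r in ev if r["inactive_days"] > p["days"]],
}

CONTROLS = [
    Control("IAM-02", "Privileged accounts enforce MFA", "high", "privileged_mfa"),
    Control("IAM-05", "Accounts inactive beyond the limit are disabled", "medium",
            "max_inactive_days", {"days": 90}),
]

# Constructed evidence snapshot, as an agent might pull it from an identity system.
EVIDENCE = [
    {"user": "alice", "privileged": True, "mfa": True, "inactive_days": 3},
    {"user": "bob", "privileged": True, "mfa": False, "inactive_days": 12},
    {"user": "carol", "privileged": False, "mfa": False, "inactive_days": 120},
]

def evidence_digest(evidence: list) -> str:
    """SHA-256 of the canonical snapshot, so a finding is tied to exactly the data it was judged on."""
    return hashlib.sha256(json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def evaluate(control: Control, evidence: list) -> dict:
    deviations = RULES[control.rule](evidence, control.params)
    return {
        "control_id": control.control_id,
        "status": "pass" if not deviations else "fail",
        "deviations": [r["user"] for r in deviations],
        # Escalation is a declared, reviewable decision, not the agent's own guess.
        "escalate": bool(deviations) and control.severity == "high",
        "evidence_sha256": evidence_digest(evidence),
        "evidence_count": len(evidence),
    }

def run(controls: list, evidence: list) -> list:
    return [evaluate(c, evidence) for c in controls]
```

Running `run(CONTROLS, EVIDENCE)` yields one finding per control; a pipeline test would assert on these findings the same way it would on any other code change.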

For those who want to explore concrete examples of agentic GRC and how it is technically articulated, there are commercial initiatives and technical repositories showing implementations aimed at integrating agents with a robust database and configurable rules. The public and academic debate on autonomous agents is also advancing, with studies and demonstrations that analyse their limits, practical application and risks, such as the research on generative agents (Generative Agents, Stanford / arXiv) and the platforms that have popularized configurable GPT models (OpenAI: GPTs).
In the end, the question is not whether technology can replace processes (in many cases it already can) but how organizations reconfigure roles, responsibilities and governance frameworks so that human value not only survives but is amplified. Those who lead this conversion will be able to transform GRC from an overloaded operational function into a strategic command that genuinely manages the risks of the 21st century.
For those who want to get into practical examples and resources for taking the first steps in agentic GRC, one entry point is to review initiatives that combine control engineering with automated agents, and to study the risk frameworks that establish how these new capabilities are monitored and held accountable. More information and practical guides are available in specialized resources such as Anecdotes and in the public documents and frameworks mentioned above.