
Point-in-time GRC is obsolete. What’s replacing it? It isn’t AI alone

The post Point-in-time GRC is obsolete. What’s replacing it? It isn’t AI alone appeared first on TrustCloud.

The last generation of Governance, Risk and Compliance (GRC) software built a multi-billion dollar ecosystem by becoming systems of record for risk. ServiceNow became the system of IT workflows. Archer for audits. Diligent for policy management. Own the control framework, own the workflow, own the audit trail.

It worked, for a world where risk moved slowly enough to be captured annually. That world is gone. Point-in-time attestations are obsolete.

The Apple Watch didn’t replace the annual checkup. It changed what was measurable — catching warning signs that a once-a-year visit would rarely, if ever, catch. That’s the right model for what enterprise GRC needs next. Not only faster assessments. Different measurements entirely.

Right now, most of the industry is focused on making the annual checkup faster. The prevailing answer is AI: add features, automate workflows, change everything. I half-agree. Better AI on the same broken measurement layer doesn’t fix the underlying problem; in fact, it compounds it further.

Abheer Bipin, Director of Product & Applied AI, TrustCloud:

“AI on bad data is bad AI.”

That’s the problem TrustCloud and ServiceNow set out to solve: replacing the broken measurement layer underneath enterprise GRC with something deterministic, continuous, and built natively into the workflows enterprises already run on. But before the solution, the problem deserves a full diagnosis.

What “point-in-time” really means

I’ve spent enough time in security leadership to know what the real cost of point-in-time GRC is. It isn’t just operational inefficiency. It’s personal exposure.

When a CISO presents board-level risk posture based on a control survey someone filled out six months ago, two things are happening simultaneously. The board believes they’re seeing governance. What they’re actually seeing is theater. And when the breach comes — not if, when — that CISO owns it.

This isn’t hypothetical. It’s the pattern we’ve watched play out across every major incident of the last five years. The security program looked compliant on paper. The controls were attested. The dashboards were green. And then the Wall Street Journal ran the story anyway.

That’s the reputational exposure nobody talks about when they pitch periodic assessments as “good enough.” It isn’t good enough. It never was. And four structural forces are making it worse simultaneously.

Digital and AI transformation is accelerating risk surfaces faster than teams can track. Every new agent, every MCP, every third-party integration expands the attack surface. The control landscape that existed when your last assessment was run looks nothing like the one your organization operates in today. Point-in-time programs were built for stable environments. Stable environments no longer exist.

An ever-growing backlog of manual attestation. Consider a top-5 pharma company with thousands of applications, distributed teams, global vendors, and a complex regulatory surface. Covering that risk landscape with periodic sampling and auditor-driven assessments isn’t inefficient. It’s mathematically impossible. And those organizations aren’t edge cases — they represent what modern enterprise complexity actually looks like.

Subjective signals produce noise, not decisions. Executive dashboards reflect what people said, not what systems confirmed. The delta between attestation and reality is exactly where material risk lives — unobservable, until it surfaces as a breach on the front page.

The skills and resources gap makes the status quo unsustainable. GRC teams are already stretched. The expectation that the same headcount can manually assess an expanding risk surface is unsustainable. Traditional GRC implementations compound this: the standard systems integrator engagement costs 2–3× the ACV of the SaaS platform and runs three years. By the time it’s live, the environment has already changed, making it impossible to keep up. Effectively, GRC teams are not managing risk. They’re documenting what risk used to look like.

The distinction that matters

Most AI applied to GRC tries to make the existing model faster. Better questionnaire automation, smarter control mapping, AI-assisted evidence collection. While those are real improvements, they’re not transformational.

The real gap is this:

Abheer Bipin, Director of Product & Applied AI, TrustCloud:

“Point-in-time assessment tells you what the control state was at the moment someone checked. Continuous assurance tells you what the control state is, validated deterministically against live evidence, mapped to business impact, updated as the environment changes.”

Those aren’t the same product with different speeds. They’re different epistemological claims about what you can actually know about your risk posture. That gap is what TrustCloud is closing and why we built it with ServiceNow.

What TrustCloud and ServiceNow are building together

ServiceNow is the operating system of the modern enterprise. Sixty percent of the Fortune 500 run their risk, security, and IT workflows on the Now Platform. The missing piece has never been the workflow. It’s been the signal quality feeding it.

But signal quality isn’t the only problem. There are four structural gaps that no amount of AI layered onto existing architecture can close.

You cannot test everything efficiently. IRM is designed for sampling — a statistical slice of the control landscape. Sampling leaves the gaps that become headlines.

Time-to-value is measured in years, not weeks. Operationalizing enterprise continuous control monitoring within IRM requires years and millions in spend. By the time the program is live, the risk surface has moved.

You can’t test all types of controls. IRM can’t automate technical, documentation, and process controls across cloud and on-premises environments in a unified way. A platform that sees part of the data plane can only partially assure the business it claims to protect. A control failure doesn’t live in one tool. It depends on cloud configuration state, CMDB records, policy documents, prior assessment history, and cross-functional business context. To test a control automatically and meaningfully, a system needs to sit within a cross-system execution path.

Findings aren’t linked to business impact. Without native ties to contracts, DPAs, customer obligations, and business context, every finding lands in a backlog nobody can prioritize fast enough to matter. When an assessment closes, the context that produced it isn’t preserved as durable evidence. You can’t replay the state of the environment at assessment time, which means you can’t audit the result, learn from it, or treat it as continuous signal.

TrustCloud, running natively inside the Now Platform, closes all four. The TrustCloud Store Plugin feeds validated, continuous control signals directly into ServiceNow IRM, SecOps, CMDB, and AI Control Tower — not as a separate layer, but natively, so findings create incidents and tasks inside the workflows teams already own. The architecture runs on one operational loop: Observe via the Hybrid Data Fabric, Reason via the Control Graph, and Act via TrustCloud’s collection of agents — deterministic checks, cited evidence, no hallucinations.

Abheer Bipin, Director of Product & Applied AI, TrustCloud:

“The system doesn’t ask teams to change how they work in ServiceNow. It changes what they do when they get there. This is the structural architecture incumbents can’t replace.”

Production numbers – going beyond pilots

Here’s what this looks like in live enterprise deployments — not pilots, not lab conditions:

Top 5 pharma and Fortune 500: One team went from 20 manual application assessments per year to 200–300 applications being assessed weekly. Same team. Same budget. 100–150× throughput. A comparable pharma customer switched from 5% sampling to 100% landscape-based testing, measuring risk far more accurately.

Global Technology Conglomerate and Fortune 100: Application assessments condensed from 3–4 weeks per app to under 90 minutes, resulting in a 500% increase in remediation timelines. Near-real-time risk coverage across a sprawling enterprise infrastructure.

Hyperscaling pre-IPO tech company: Up to 80% of inbound security questionnaires deflected at ~95% accuracy — materially compressing sales cycles across the partner ecosystem.

These aren’t edge cases. They’re the same result pattern appearing across industries, at enterprise scale, in production environments. And they point to something bigger than efficiency gains — they point to a category shift.

From workflows to security assurance

The question isn’t whether legacy GRC platforms survive. They will. The question is whether the next generation of cyber governance is built by adding AI to attestation data, or by replacing attestation with continuous, validated, evidence-backed security assurance.

I believe it’s the latter. And for a security leader, I think the stakes go beyond operational efficiency.

The CISO who can walk into a board meeting with a real-time, deterministic view of their control landscape — one they can defend to a regulator, explain to a customer, and stand behind when something goes wrong — is operating with a fundamentally different risk posture than one relying on a six-month-old attestation survey.

When you combine continuous control signals, business-impact scoring, and automated remediation inside the Now Platform, you’ve done more than accelerate a process. You’ve converted isolated security tasks into an integrated governance fabric.

Your annual checkup catches what it catches. Continuous monitoring catches what you’d otherwise miss — before it becomes the incident that makes the front page. That’s not a feature. That’s a different category of product. And it’s what TrustCloud alongside ServiceNow will deliver for the next generation of strategic CISOs.


*** This is a Security Bloggers Network syndicated blog from TrustCloud authored by Abheer Bipin. Read the original post at: https://www.trustcloud.ai/ai/point-in-time-grc-is-obsolete-whats-replacing-it/