EP 16 | All about compliance commoditization, GRC 4.0 & AI

This time on Risk Grustlers, our CEO, Aayush Ghosh Choudhury, sat down with our CISO, Nicholas Muy, for a laid-back but loaded conversation on some of the more provocative topics shaking up the GRC space. From the commoditization of compliance to the rise of AI in security workflows, no trend was off-limits.
With nearly 20 years of cybersecurity experience, Nicholas brings a grounded perspective to the hype. He's seen plenty of buzzwords come and go and knows how to separate the noise from the real inflection points.
Read on for a closer look at the trends sparking debate across GRC.
Aayush: Is compliance becoming commoditized with the rise of automation tools and the flood of SOC 2 auditors?
Nicholas: Personally, I see it less as commoditization and more as democratization. The fact that more companies are thinking early about how to meet security standards is a good thing.
Compliance used to be something only big enterprises with massive budgets could handle. But now, smaller startups can access tools and frameworks that give them structure from the start. That doesn't make compliance meaningless; it makes it more accessible. If we don't lower the barrier to entry, when will smaller companies begin to care about doing it right?
Sure, some people worry that automation devalues the work. But I'd argue the opposite. Making compliance easier to start doesn't make it less valuable. It just means more companies can do it better, earlier.
Aayush: What about SOC 2 and ISO 27001 audits? Have they become commoditized?
Nicholas: I don't think so. I think what we're seeing is a shift in who these standards are for. SOC 2 and ISO 27001 were built with large organizations in mind: big teams, big resources, long timelines. But now, small companies are being asked to meet those same standards, even though they weren't designed for their size or stage.
So, the conversation shouldn't be about whether audits are commoditized. It should be about how to adapt these frameworks for smaller teams. Without that, you end up with startups either over-engineering their compliance or avoiding it altogether.
That's why the role of automation is so important. It helps smaller teams start investing in security earlier, even if they don't have a compliance department. That's not commoditization; it's just helping more players get on the field.
Aayush: So, the pain smaller companies feel: does it come from the information gap, since these frameworks were built for enterprises? Or is it more about the ecosystem trying to bridge that gap?
Nicholas: It's really both. The frameworks are complex and weren't built with smaller teams in mind. That makes them feel overwhelming and inaccessible. So naturally, a whole ecosystem has emerged to help manage that gap.
Companies like Scrut and others have stepped in to simplify the process, making it easier for startups and growth-stage companies to understand what matters and where to focus. Because most teams don't have the expertise or bandwidth to go deep on every control from day one.
And honestly, that's a good thing. As a practitioner, I'd rather see more companies engaging with security and compliance, even if it's with help, than avoiding it altogether because it feels too hard.
Aayush: There's a lot of FUD around audits, especially for SMEs. People say the quality of an external audit depends on how much you spend and how many hours go into it. But that makes thoroughness feel cost-prohibitive for smaller teams. What's your take?
Nicholas: That narrative comes up a lot. And frankly, it makes audits sound more intimidating than they need to be. Cost and effort alone aren't reliable indicators of audit quality, especially for small to midsize companies.
What really matters is whether your auditor understands your environment. If you're cloud-native and remote-first, it makes no sense for your auditor to be asking about your server room. You need someone who can actually evaluate your cloud configurations and understands what modern infrastructure looks like.
I never recommend early-stage companies spend tens of thousands just to prove compliance. Instead, look for auditors who get your setup and are transparent about their own oversight, like whether they've been peer-reviewed by the relevant certification bodies.
Because at the end of the day, it's not about how much you spend. It's about finding someone who knows how to assess your risks in a way that actually fits your business.
Aayush: There's a lot of debate about whether compliance means security or vice versa. From your experience, how do you see the relationship between compliance and actual security?
Nicholas: For us, compliance and security have always been intertwined rather than separate or opposing forces. When we were a small startup, compliance requirements pushed us to implement fundamental controls like mobile device management, antivirus, and disk encryption. These steps laid a strong foundation early on.
As we grew from five people to over 200 across multiple countries, those controls naturally matured. If we had waited until we were bigger to start, catching up would've been a huge challenge. Compliance gave us the time and structure to gradually build and refine our security posture.
Take disaster recovery and business continuity for example. We began with basic processes, and as our infrastructure expanded across three regions, we evolved those plans accordingly. Similarly, our endpoint security grew from basic antivirus to a comprehensive endpoint detection and response solution covering every device.
In cloud security, we started by applying CIS benchmarks and continuous monitoring. As our cloud environment grew, we maintained and enhanced those controls. Starting compliance early allowed us to grow securely, avoiding a scramble to fix gaps later.
Ultimately, compliance jump-started our security journey. It's not the end goal itself, but a necessary foundation that enabled us to build a mature, risk-based security program over time.
Aayush: How can companies or products use AI to create meaningful GRC and security outcomes? We've been dogfooding several agentic use cases ourselves over the past months to see what really works.
Nicholas: One clear value I've seen is AI helping enforce and maintain security posture. For instance, AI agents can track whether mobile device management (MDM) is properly installed and configured on all devices, and follow up automatically when endpoints aren't checking in regularly. This frees up time for small teams because they don't have to manually track down compliance issues or respond to repetitive inquiries.
Another benefit is how AI agents reduce the volume of routine questions the IT and security teams receive from employees. Usually, employees will message IT with questions about configurations or troubleshooting, which can clog communication channels and slow response times.
With AI handling many of these follow-ups and providing clear instructions, the team can focus on more complex, strategic issues. This helps maintain security at scale without needing to drastically increase headcount.
Another major benefit has been in third-party risk management. As we've grown, so has our vendor list, from the basics like AWS and Slack to hundreds more across teams innovating with new tools. I don't want to slow that down, but I do need to ensure every vendor is properly assessed.
That's where agentic teammates have helped us scale: they review all vendors upfront, surface which ones are high-risk based on usage context, generate follow-up actions, and retain insights between assessments. This has reduced bottlenecks, ensured consistent evaluations, and freed my team from back-and-forth delays, all while respecting how differently vendors can impact different parts of the business.