
Your GRC Lead Is Not the Sidekick. They Are the Other Half of the Brain.

Compliance melts my brain. Three hundred controls written in a dialect of English that seems to live only inside audit firms, and something in my head quietly powers down. I have admitted that before. What I have not said enough is the obvious next thing. That is exactly why I have so much respect for the people whose brains it does not melt. The great governance, risk, and compliance people. The ones who read that workbook the way I read an attack path.

We tend to describe that pairing, the security leader and the GRC lead, as something like Batman and Robin. That gets it wrong, because Robin is a sidekick. A truer picture is Grace and Rocky in Project Hail Mary. A human scientist and an alien engineer who share no language, no senses, and not even the same biology, who become the most effective partnership in the book precisely because neither can do what the other does. One reasons in light, the other in sound. One runs the science, the other builds the thing that lets the science survive contact with reality. Neither is the sidekick. Apart, they both fail. Together they are something neither could be alone. A security program is that together.

Two different operating systems of thought

They are two fundamentally different operating systems running in two different heads. One mind is built to generate and to see around corners: what could go wrong, what could we build, where is the risk nobody has named yet. The other is built to structure and to sustain: prove it, write it down so it survives a staff change, make it defensible to someone who was not in the room. Most people have a strong version of one and a thin version of the other. The rare and valuable thing is two people who each run the opposite system and genuinely trust each other.

That is what makes it symbiosis and not seniority. The generative mind gets to move fast because the structural mind makes it defensible. The structural mind’s work suddenly matters because the generative mind points it at what counts. Neither is carrying the other. They are making each other dangerous in the good way. Grace never outranks Rocky. They just see different halves of the same problem and trust what the other one sees.

Where it dies in a big company

Here is where that partnership tends to suffocate at scale. The structural work calcifies into checkboxes. A control becomes a yes or no question, answered once a year, filed, and forgotten. The GRC team spends its genius chasing screenshots instead of synthesizing meaning. The program looks complete and tells you almost nothing about whether you are actually safe, because compliance is not the same thing as security. The two brains never get to do the thing they are good at, because they are both buried alive in evidence collection.

AI is good at the exact thing that buries them

This is the part I am genuinely excited about. Used carefully, AI is very good at the one task that drowns these teams: synthesis. Pulling the signal out of a hundred systems and stating, in plain language, what it means. Connect an AI to your environment through something like MCP, the standard that lets an assistant read from your systems, and the dreary half of the job, the gathering and the cross-referencing, starts to take care of itself. What that frees up is the synthesis and the judgment, the part that needed a human brain all along.

Take the auditing of firewall rules. It is some of the most thankless work in the building: thousands of lines, hunting for the rule that lets any source reach any destination, the stale entry nobody remembers opening, the rule that quietly shadows another. A person can lose a week down there and surface holding a spreadsheet. An AI can read the whole ruleset in one pass and flag the handful that actually create exposure. The point is not just speed, it is where the time goes next. The dredging belongs below the waterline. When a compliance person’s hours move above the water, onto collaboration and judgment instead of evidence collection, you get the thing you needed all along: a better, truer story of the risks and findings that genuinely deserve attention, told by the person best equipped to tell it.
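The three findings named above (the any-to-any allow, the stale entry, the rule shadowed by an earlier one) are mechanical enough to show in code. The following is an added illustration, not code from the original post or from the author's firm; the ruleset, hit dates and 90-day staleness threshold are constructed, and the rule model (source, destination, protocol, port range, last-hit date) is a simplification of what a real firewall export carries.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network, IPv4Network
from typing import List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"                   # "tcp", "udp" or "any"
    ports: Tuple[int, int] = ANY_PORTS   # inclusive destination port range
    last_hit: Optional[date] = None      # last day the rule matched traffic; None = never


def rule(name, action, src, dst, proto="any", ports=ANY_PORTS, last_hit=None):
    """Build a Rule from the string forms a ruleset export would give you."""
    return Rule(name, action, ip_network(src), ip_network(dst), proto, ports, last_hit)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` could match is already matched by `outer`,
    so `inner` can never fire if `outer` sits above it in the ruleset."""
    proto_ok = outer.proto in ("any", inner.proto)
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return (proto_ok and ports_ok
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def audit(rules: List[Rule], today: date, stale_after_days: int = 90):
    """One pass over the ruleset, top to bottom; returns (rule name, finding) pairs."""
    findings = []
    for idx, r in enumerate(rules):
        if r.action == "allow":
            # Exposure: an allow that lets any source reach any destination on any port.
            if r.src == ANY_NET and r.dst == ANY_NET and r.ports == ANY_PORTS:
                findings.append((r.name, "any-to-any allow"))
            # Stale: an allow nobody has used in the window (or ever).
            if r.last_hit is None or (today - r.last_hit).days > stale_after_days:
                findings.append((r.name, f"stale: no traffic in {stale_after_days} days"))
        # Shadowed: the first earlier rule that fully covers this one makes it dead code.
        for earlier in rules[:idx]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
    return findings


# Constructed sample ruleset in evaluation order (not real data).
SAMPLE_RULES = [
    rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), date(2025, 8, 30)),
    rule("allow-legacy-vpn", "allow", "203.0.113.0/24", "10.0.0.0/8", last_hit=date(2025, 3, 1)),
    rule("allow-temp-debug", "allow", "0.0.0.0/0", "0.0.0.0/0", last_hit=date(2025, 8, 27)),
    rule("allow-db", "allow", "10.0.1.0/24", "10.0.2.10/32", "tcp", (5432, 5432), date(2025, 8, 31)),
    rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def sample_findings():
    """Run the audit against the constructed ruleset as of a fixed date."""
    return audit(SAMPLE_RULES, date(2025, 9, 1))


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

Note the last finding: the default deny at the bottom is itself shadowed by the temporary any-to-any rule above it, which is the kind of cross-reference a person scrolling a spreadsheet rarely spots and a single pass over the structured ruleset catches immediately.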

Do that across an organization and something changes in kind, not just in speed. A static set of checkboxes starts to behave like a nervous system. Sensors throughout the body, signals flowing back, a brain making sense of them, and a response that adapts. A program built that way does not sit in a binder. It senses, it reports, it adapts, and it starts to spread on its own, because the moment one part of the business sees a live read on its own risk, the next part wants one too. Security stops being the department of no and becomes a sense organ the business actually uses.

From checkbox to nervous system, three examples

The unit that makes this work is not the checkbox. It is a short chain: the control, the recommendation, and the trendline. The control is the requirement. The recommendation is what a human, accelerated by AI, says you should actually do about it. The trendline is the living signal that tells you whether it is getting better or worse, tied to an outcome the business genuinely cares about. Made concrete:

  • Access control. The control is a yes or no: do you review who has administrator access. The old program answers “yes, annually” and moves on. The living version is useful. The recommendation reads “your finance system has fourteen administrators and four have not logged in this quarter, take it to three and require an approval.” The trendline is the count of standing admin accounts falling toward the floor it should sit at. The business outcome an owner actually feels is a smaller blast radius when someone gets phished, and a cyber-insurance premium that quietly rewards exactly that number.
  • Multi-factor authentication. The control asks whether MFA is on. The recommendation, drawn from what the AI can really see, reads “it is on for ninety percent of accounts, the missing ten percent are two executives and the shared finance mailbox, fix those first.” The trendline is coverage climbing toward complete and staying there. The business outcome is immediate: the wire-fraud path closes, and the customer security questionnaire that has been holding up a contract can finally be answered with a true yes instead of a hopeful one.
  • Third-party access. The control asks if you keep a vendor inventory. The recommendation reads “five vendors have standing access to your systems and none has been reviewed in eighteen months, start with the two that can reach customer data.” The trendline is the share of vendors reviewed in the last twelve months. The business outcome is the supply-chain risk you actually carry, and the SOC 2 report your biggest customer is about to demand, both moving the right way at once.

Notice what each chain does. It turns a dead yes or no into a direction. It hands the GRC mind a synthesized starting point instead of a blank workbook, and it hands the security leader a signal tied to something the board already understands. The two brains finally get to work on top of the gathering instead of underneath it. That is the difference between a program that proves you did the paperwork and a program that makes the company measurably harder to hurt and easier to run.
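The control, recommendation, trendline chain from the three bullets can be written down as a small data structure so the evidence-gathering half is visibly separate from the judgment half. The code below is an added example, not the author's or any product's, and every account, vendor and prior trend point in it is constructed; the thresholds (an administrator is idle after 90 days, a vendor review is fresh for 365 days) are assumptions chosen to match the figures in the bullets.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

TODAY = date(2025, 9, 1)  # constructed "as of" date for the sample evidence


@dataclass
class Chain:
    control: str         # the yes/no requirement
    recommendation: str  # what to do about it, derived from the evidence
    metric: float        # the trendline's newest point
    trend: str           # direction against the previous point
    outcome: str         # the business outcome the metric is tied to


def direction(history: List[float], latest: float, lower_is_better: bool) -> str:
    """Direction of the trendline given the earlier points and the new one."""
    if not history:
        return "baseline"
    prev = history[-1]
    if latest == prev:
        return "flat"
    improved = latest < prev if lower_is_better else latest > prev
    return "improving" if improved else "worsening"


def admin_access(admins, history, today=TODAY, floor=3, idle_days=90) -> Chain:
    idle = [a["name"] for a in admins if (today - a["last_login"]).days > idle_days]
    rec = (f"{len(admins)} administrators, {len(idle)} have not logged in for {idle_days} days "
           f"({', '.join(idle)}); take it to {floor} and require an approval")
    return Chain("Do you review who has administrator access?", rec, len(admins),
                 direction(history, len(admins), lower_is_better=True),
                 "smaller blast radius when an administrator is phished")


def mfa_coverage(accounts, history) -> Chain:
    missing = [a["name"] for a in accounts if not a["mfa"]]
    pct = round(100 * (len(accounts) - len(missing)) / len(accounts))
    rec = f"MFA is on for {pct}% of accounts; missing: {', '.join(missing)}; fix those first"
    return Chain("Is MFA enabled?", rec, pct, direction(history, pct, lower_is_better=False),
                 "wire-fraud path closes; questionnaire answered with a true yes")


def vendor_reviews(vendors, history, today=TODAY, window_days=365) -> Chain:
    fresh = {v["name"] for v in vendors
             if v["last_review"] and (today - v["last_review"]).days <= window_days}
    pct = round(100 * len(fresh) / len(vendors))
    first = [v["name"] for v in vendors if v["name"] not in fresh and v["customer_data"]]
    rec = (f"{len(vendors)} vendors hold standing access, {len(fresh)} reviewed in the last "
           f"{window_days} days; start with {', '.join(first)}")
    return Chain("Do you keep a vendor inventory?", rec, pct,
                 direction(history, pct, lower_is_better=False),
                 "supply-chain exposure and the SOC 2 evidence move together")


# Constructed sample evidence (not real accounts or vendors).
ADMINS = ([{"name": f"admin{i:02d}", "last_login": date(2025, 8, 20)} for i in range(10)]
          + [{"name": f"admin{i:02d}", "last_login": date(2025, 4, 1)} for i in range(10, 14)])
ACCOUNTS = ([{"name": f"user{i:02d}", "mfa": True} for i in range(27)]
            + [{"name": n, "mfa": False} for n in ("ceo", "cfo", "finance-shared")])
VENDORS = [
    {"name": "payroll-saas", "last_review": date(2024, 2, 1), "customer_data": True},
    {"name": "support-desk", "last_review": date(2024, 2, 1), "customer_data": True},
    {"name": "print-service", "last_review": None, "customer_data": False},
    {"name": "cdn", "last_review": date(2024, 1, 15), "customer_data": False},
    {"name": "hr-portal", "last_review": None, "customer_data": False},
]


def sample_chains() -> List[Chain]:
    """Evaluate the three controls against the sample evidence and prior trend points."""
    return [
        admin_access(ADMINS, history=[16, 15]),
        mfa_coverage(ACCOUNTS, history=[85]),
        vendor_reviews(VENDORS, history=[40]),
    ]


if __name__ == "__main__":
    for c in sample_chains():
        print(f"{c.control}\n  -> {c.recommendation}")
        print(f"  trendline: {c.metric} ({c.trend}); outcome: {c.outcome}")
```

The recommendation strings are what the machine drafts; which of them the GRC lead sends on, and with what priority, is still the human decision. The design point is that each metric carries its own direction (fewer admins is good, more MFA coverage is good), so the trendline can say "improving" or "worsening" without anyone having to remember which way is up for each control.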

The leash stays on

None of this works if you let the machine off the leash. An AI will produce a confident, fluent, completely wrong answer, and in compliance a confident wrong answer is worse than no answer, because it feels finished. So the rules do not bend. AI drafts, gathers, and flags. A human, almost always the GRC mind, decides and attests. The AI can lower your confidence in a control on its own. It must never be able to raise it. Treated that way, it accelerates the synthesis without ever being trusted to conclude. Treated carelessly, it just manufactures beautiful, false certainty faster than a human ever could. And the AI is not Rocky here. It is the ship’s automation that gave the two of them their time back. The partners in this story are still human.
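The rule that the machine may lower confidence in a control but never raise it is worth enforcing in code rather than in a policy document, because the tempting failure is an automation path that writes "effective" straight into the register. The following is an added sketch, not code from the original post or from any product; the three assurance levels and the control name are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

LEVELS = ["failing", "degraded", "effective"]   # assurance levels, low to high


@dataclass
class ControlStatus:
    control: str
    level: str                                         # current assurance level
    attested_by: Optional[str] = None                  # human who last attested; None = unattested
    drafts: List[str] = field(default_factory=list)    # machine suggestions awaiting a human
    log: List[str] = field(default_factory=list)


def apply_machine_finding(status: ControlStatus, proposed: str, evidence: str) -> ControlStatus:
    """Machine evidence may lower assurance immediately; a proposed raise is only queued."""
    if LEVELS.index(proposed) < LEVELS.index(status.level):
        status.log.append(f"machine: {status.level} -> {proposed}; {evidence}")
        status.level = proposed
        status.attested_by = None   # the earlier human attestation no longer stands
    elif LEVELS.index(proposed) > LEVELS.index(status.level):
        status.drafts.append(f"raise to {proposed}: {evidence}")
        status.log.append(f"machine: proposed {proposed}, held for human review")
    else:
        status.log.append(f"machine: confirms {status.level}; {evidence}")
    return status


def human_attest(status: ControlStatus, level: str, attester: str, on: date) -> ControlStatus:
    """Only a named human may set, and in particular raise, the attested level."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    status.log.append(f"{attester} attested {level} on {on.isoformat()}")
    status.level = level
    status.attested_by = attester
    status.drafts.clear()   # the human decision supersedes the queued suggestions
    return status


def walkthrough() -> List[str]:
    """Constructed sequence: attested effective, machine downgrade, blocked machine
    upgrade, human re-attestation. Returns the level after each step."""
    s = ControlStatus("MFA enabled for all accounts", "effective", attested_by="grc-lead")
    steps = [s.level]
    apply_machine_finding(s, "degraded", "3 accounts without MFA in identity provider export")
    steps.append(s.level)
    apply_machine_finding(s, "effective", "export now shows 100% coverage")
    steps.append(s.level)
    human_attest(s, "effective", "grc-lead", date(2025, 9, 2))
    steps.append(s.level)
    return steps


if __name__ == "__main__":
    print(walkthrough())   # the blocked raise leaves the third entry at "degraded"
```

Two details carry the policy: a machine downgrade clears the previous attestation, so nobody can point at a stale signature, and a machine upgrade never touches the level at all, it only lands in the draft queue for the GRC mind to accept or reject.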

In the interest of being straight with you: my firm builds in this space, so weigh my optimism accordingly. But the part I most want to land has nothing to do with software. The GRC and risk people reading this are not overhead, and they are not Robin. They are one of the two brains a real security program runs on. The tools are finally good enough to lift the drudgery off them and hand back the work only they can do.

So this is mostly a thank-you. To the people who translate the chaos of how a company really runs into something a business can act on: you are not the sidekick. You are half the brain. Grace and Rocky saved two worlds because neither one tried to be the other. They trusted what the other could see, and let the machine do the dredging so the two of them could do the thinking. Find your Rocky, or be someone’s. I would love to hear from the GRC and risk folks out there. What is the one checkbox you wish you could turn into a living trendline tomorrow, and what would it finally tell the business that it cannot see today?

