Compliance is becoming too dynamic, evidence-heavy, and operationally connected to cybersecurity to be managed as a static documentation exercise. The opportunity for AI is not to replace governance judgment, but to help organizations turn evidence into defensible decisions faster.
Recently, I asked buyers to inspect the machinery. This week, I am asking vendors to open the hood. The conversation about AI in GRC has reached a turning point. The market has heard the vision. It has seen the demos. It has absorbed the language of orchestration, agentic intelligence, autonomous assurance, and dynamic decision support. The frameworks have been published. The white papers have circulated. The analyst briefings have been given. The conference keynotes have landed.
The simultaneous arrival of a new capital-market authority, a rewritten companies law, and stricter governance and audit rules is transforming UAE corporate governance from a compliance exercise into a demonstrable system of control.
There is a particular kind of language that survives long after the conditions that produced it have changed. It remains in annual reports, in strategy decks, in conference agendas and regulatory consultations, carrying forward assumptions that no longer quite fit the world it describes. Sustainability increasingly feels like one of those words. We still use it. We still build departments around it. We still publish targets beneath its banner.
Somewhere inside a government agency, a public institution, or a private company, an employee is almost certainly pasting information into an AI tool that nobody formally approved. The employee is probably not trying to circumvent policy. They are trying to get through their workday. A chatbot can summarize a report in seconds. A coding assistant can solve a technical problem faster than a colleague can respond to a message. An automated note-taking application can generate meeting minutes before participants have even left the call. The attraction is obvious. So is the speed with which these tools have spread through workplaces.
The first paper I wrote as an analyst at Forrester back in 2013 was about mitigating risk in the customer journey. That was also my first exposure to marketing’s alternative vocabulary for risk they call it customer pain points or challenges. I call it risk. Same thing, different outfit.
The second day of Risk-!n Zurich had a different character from the first. Day one was largely about visibility and how organizations can see risk clearly enough in environments shaped by artificial intelligence, cyber acceleration, operational complexity, climate exposure and emerging technologies. Day two moved the discussion one step further. If organizations can see more, faster and with greater precision, what exactly are they supposed to do with that visibility?