Compliance Chaos: Navigating 2025's Complex GRC Landscape


by Shera Brady

April 24, 2025
Contents

  • What Makes the Current GRC Landscape So Complex?

  • What are the Primary Challenges Organizations Face Managing GRC?

  • Organizing Compliance to Control Chaos

  • How Drata Streamlines Compliance to Reduce Complexity

As you fly over a city on approach, you look out the airplane window and the area below seems almost simple: clearly outlined roads and bright lights. Buried within that high-level view, however, lies a complex landscape of people, buildings, businesses, and communities.

Similarly, a high-level view of the current Governance, Risk, and Compliance (GRC) landscape can seem equally simple. Despite the variety of laws, regulations, and frameworks, most focus on similar categories of security controls. Yet once you start digging into the nuances, the GRC landscape becomes far more complex, with many interconnected underlying standards, objectives, and penalties.

Navigating this chaotic compliance landscape can become overwhelming, which is why organizations need to consider implementing a dedicated GRC platform that automates tasks and streamlines processes.

What Makes the Current GRC Landscape So Complex?

As your business grows, your compliance needs expand. New markets—geographical or industry vertical—can come with new compliance requirements. Meanwhile, legislative bodies and industry standards organizations are changing how they view data protection and cyber resilience. 

Shifting Priorities

The Digital Operational Resilience Act (DORA) went into effect on January 17, 2025. The regulation is one of many that shifts away from data protection alone toward the impact a security incident can have on interconnected, digital business operations.

DORA applies to financial institutions and their critical ICT service providers, and its central concern is maintaining service availability and business operations. A single security incident that takes a critical vendor offline can have a domino effect across the global economy. DORA responds to this by focusing on three primary objectives:

  • Proactive risk management

  • Incident response and recovery

  • Resilience testing

While this strengthens the global economy, the law expands the scope of your compliance requirements and audits. Now you need to think about how an incident would interrupt business operations and the impact it would have across all your customers, not just the impact on a limited set of sensitive data.

Increased Disclosure Requirements

The US Securities and Exchange Commission (SEC) published a final rule on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” in September 2023. The rule added the following requirements for reporting on risk management, strategy, and governance:

  • Form 8-K: Nature, scope, timing, and impact or reasonably likely impact of material cybersecurity incidents within four business days of determining materiality

  • Form 20-F: Description of the board's cybersecurity risk oversight and management’s role in assessing and managing material risks from cybersecurity threats. 

  • Form 6-K: Information on material cybersecurity incidents, disclosed or otherwise

The Form 8-K reporting requirements are both vague and confusing. For example, in its Questions and Answers of General Applicability, the SEC reminds organizations that determining materiality for reporting includes determining whether “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.”

With few clear guidelines around these reporting requirements, many organizations worry that they may either under- or over-report an incident. 

New Artificial Intelligence (AI) Governance Frameworks

As AI becomes embedded in more tools and processes, organizations need to consider the security of their AI integrations. With new technologies come new compliance requirements, including ones that seek to improve the security of and governance over AI, like the NIST AI Risk Management Framework (NIST AI RMF) and Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile.

Despite focusing on different types of AI and their risks, both standards define risk in terms of the probability of an event and the magnitude of its impact, and both require organizations to manage risk across the AI lifecycle. For example, Appendix B of the NIST AI RMF notes that organizations should consider risks that traditional frameworks fail to address, including:

  • Managing harmful bias.

  • Risks related to GenAI.

  • Security concerns like evasion, model extraction, membership inference, availability, and machine learning attacks.

  • Complex attack surface.

  • Third-party AI technologies, where systems are trained outside of the organization's security controls.

What are the Primary Challenges Organizations Face Managing GRC?

Many organizations struggle to wrangle their compliance needs. The processes and documentation that look doable from 30,000 feet suddenly become an overwhelming morass of security tools, controls, and documentation.

Staying Up-to-Date

As the GRC landscape continues to evolve, many companies struggle to keep pace with new requirements, especially when they move into new markets or implement new technologies. The State of GRC 2025 report surveyed 300 U.S. IT and security professionals, finding that:

  • 52% are exhausted identifying new frameworks requiring compliance and integrating those into existing programs.

  • 48% struggle to keep pace with updates to existing compliance frameworks and identifying areas needing attention.

While laws and standards take time to become a reality, you may want to prepare ahead of time, because the timeline for getting compliant is often short. However, since you never know which laws will pass through legislatures or how an agency’s timeline will unfold, keeping pace with all the different updates and changes becomes overwhelming.

Additional Complexity

Every new technology an organization adds to its business processes increases the IT environment’s complexity. AI provides a valuable example of the impact these new technologies have. According to the State of GRC 2025 report:

  • Only 10% of organizations feel completely prepared to manage increased employee use of AI.

  • 44% believe AI will cause a complete overhaul or have a massive impact on the GRC function.

These pose several challenges, including:

  • Data security concerns as employees use AI models: Employees using public AI models, like ChatGPT, may accidentally feed them sensitive data, like credentials, which attackers may later be able to extract through prompt injection attacks.

  • GRC processes share sensitive information found in log data: Without transparency around how a GRC tool’s AI handles that data, companies can create new risks even as they streamline processes.

Communication and Collaboration

As compliance increasingly becomes a business enabler, more people from across the organization become involved. Even in a small company, the following stakeholders may need information about the compliance posture:

  • Sales: Responding to customer security questionnaires from buyer procurement departments

  • Compliance/Legal: Preventing penalties arising from compliance violations

  • IT team: Understanding patch management and vulnerability remediation timeline requirements

  • Security team: Identifying security controls when engaging in an incident investigation

Each of these users needs access to compliance information so they can complete their job functions. However, when the compliance data is siloed or managed in hard-to-update spreadsheets, these people have no way to use it meaningfully.

Organizing Compliance to Control Chaos

As you start your own compliance journey, understanding how you can build a flexible and scalable program can reduce general costs while improving overall business processes. 

Centralize Compliance Activities

When you centralize all activities in a single hub, you improve communication and collaboration. With a centralized source of compliance truth, everyone works from the same data about, and the same understanding of, your compliance posture. To extend your security controls to these internal users, you should consider a platform that lets you set appropriate access controls, so people have access only to the compliance data they need to do their jobs.

Automate Risk Calculations

Almost all compliance requirements build from a foundation of risk. A large enterprise with 3,000 employees has a different risk profile than a startup with only 10 employees, yet both handle similar categories of sensitive information.

With a platform that provides automated risk calculations, you can continuously review risk, even as it changes. For example, adding a new tool to your technology stack may affect how your security controls function. With automated risk calculations, you can rapidly remediate any issues, even as your business and IT environment grow.

Map Security Controls

Compliance is never a one-and-done activity. However, many controls are similar across different mandates and frameworks. For example, nearly every modern compliance publication requires organizations to limit user access according to the principle of least privilege.

Your compliance program should be based on your risk profile and security needs. Once you implement these controls, you can map each one across the different mandates and frameworks it satisfies. If you standardize the controls, you can more easily add new compliance requirements as your business needs or the GRC landscape evolve.

Integrate Technology Stack

Auditors want evidence that proves your security controls work as intended. To streamline evidence gathering and reduce audit costs, you want all your technologies integrated into your GRC solution.

For example, to get real-time insight into control effectiveness, you should be able to integrate the technologies that manage your business processes and monitor your technology, like:

  • Human resources information systems (HRIS)

  • Single sign-on (SSO)

  • Cloud providers, like Google, AWS, and Azure

  • Task management tools

  • Ticketing systems

  • DevOps toolchain

Incorporate AI

While AI can be a risk, it provides many benefits when used purposefully. Before integrating a solution that leverages AI, you should feel comfortable with the vendor's approach. For example, you should understand the principles the vendor builds around, like:

  • Enforcing strict data separation

  • Designing with fairness, inclusivity, safety, reliability, and privacy

  • Regularly reviewing data quality

  • Ensuring you have control over features and settings

Once you feel comfortable with the technology, you can determine the use cases that best align with your needs and risk profile. For example, AI excels at analyzing large bodies of text, making it useful for activities like:

  • Summarizing security test results 

  • Summarizing security questionnaire responses and SOC reports

  • Answering customer questionnaires 

How Drata Streamlines Compliance to Reduce Complexity

Drata’s GRC platform enables you to create a flexible, scalable compliance program that focuses on your business’ needs. Our platform provides:

  • Custom risk scoring so you can define and configure your risk scores and thresholds to your business needs.

  • Risk drawer that allows you to edit and add risk data, including descriptions, categories, owners, documents, and impact.

  • Automated treatment plans based on your unique risks’ impact and likelihood.

  • Custom frameworks so you can easily and quickly bring in requirements related to your unique business needs.
