Compliance isn’t “paperwork”—it’s the last line between your customers and the next Equifax-level mess.
But GRC teams are stuck chasing screenshots and questionnaires instead of reducing real risk—and AI is about to change that.
In this episode of Legitimate Cybersecurity, hosts Frank Downs and Dustin Brewer sit down with Richa Kaul, CEO & Founder of Compliance (an AI-native enterprise GRC platform), right after her company’s $20M raise led by Google Ventures.
We dig into:
Why GRC gets hated (and how to stop being the “business blocker”)
What real AI in compliance looks like vs. “LLM sticker on legacy software”
The uncomfortable truth: audits shouldn’t disappear—and why incentives matter
How to reduce hallucination risk with tight inputs/outputs + guardrails
Third-party risk management (TPRM): the questionnaire nightmare… and the path out
Media/interview: admin@legitimatecybersecurity.com
Audio: https://legitimatecybersecurity.podbean.com/
Chapters:
00:00 – Compliance is the job (and also… you wanted to be an astronaut)
01:20 – Meet Richa Kaul + the “privacy nut” origin story
02:11 – $20M from Google Ventures: why GRC is getting real investment
02:52 – Quick GRC explainer (governance, risk, compliance)
03:35 – “Compliance is broken”: why everyone hates the process
04:49 – The real pain: chasing evidence vs. reducing risk
07:00 – What “AI-powered” actually means (and why most vendors are faking it)
09:31 – Force multipliers: where AI should increase capability, not just save time
11:25 – Completeness problem: you can’t protect what you don’t know exists
13:09 – Example: encryption checks → automation + AI completeness/accuracy criteria
15:58 – The future: continuous monitoring, audits, and what should change
17:24 – Why audits shouldn’t go away (incentives + independence)
20:07 – Gatekeeping, CMMC, and “audit industry” friction
23:58 – TPRM hell: questionnaires, insurance, and repetitive evidence requests
27:05 – Why Richa cares: privacy, consumer harm, and the mission behind GRC
28:46 – Equifax as the “spark” (without breach-shaming)
31:52 – Hallucinations: how to build AI you can trust in compliance workflows
35:24 – “Do you use compliance to ensure compliance?” (dogfooding)
36:00 – Outro: “Keep on cyberin’”
#GRC #Compliance #Cybersecurity #AI #RiskManagement #Audit #ThirdPartyRisk #DataPrivacy #Governance #securityculture #legitimatecybersecurity