The Hitchhiker’s Guide to the GRC Technology Galaxy

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Richa Kaul, founder and CEO of Complyance, for a conversation about one of the most crowded buzzword fields in the modern GRC universe: AI.
The discussion begins with the story of Complyance, how it emerged, and what has helped it stand out in an increasingly competitive market. From there, Michael and Richa dive headfirst into the growing gap between AI marketing and AI reality. Every platform seems to have an AI strategy. Every vendor claims to have agentic AI. But what does that actually mean, and more importantly, what is it actually doing?
Together they explore the difference between AI as a feature, AI as a marketing term, and AI as a genuine system of action that performs work on behalf of GRC teams. The conversation focuses on practical outcomes rather than promises, including how Complyance applies AI to third-party risk management, internal controls, evidence collection, questionnaire responses, and continuous monitoring.
Along the way, Richa shares the questions organizations should be asking when evaluating AI-powered GRC solutions, how to distinguish meaningful capabilities from demonstrations and prototypes, and why the future belongs to platforms that can combine intelligence with action.
The discussion closes with a look toward 2030 and how both Complyance and the broader GRC market may evolve as AI becomes more deeply embedded in governance, risk, and compliance programs.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, field researcher and intergalactic GRC hitchhiker Michael Rasmussen is joined by Graeme Keith and Stefan Gershater for a conversation that is slightly unusual for the series because there is no technology vendor in sight. Instead, it’s two deeply experienced risk practitioners looking at the GRC technology market from the outside and asking a fairly uncomfortable question: Has the industry become so distracted by AI that it never properly solved the basics in the first place?
The discussion explores a GRC landscape crowded with platforms, overlapping promises, and increasingly indistinguishable products. Graeme and Stefan argue that many vendors are still wrestling with foundational architectural problems while simultaneously racing to attach AI to everything in sight. Along the way, they compare the current AI wave to The Restaurant at the End of the Universe and ask whether AI will ultimately destroy the GRC technology galaxy or accelerate it. The consensus is more grounded than apocalyptic. AI is an amplifier. If your approach to risk and governance is fundamentally sound, AI may accelerate value. If your processes are broken, AI simply helps you fail faster.
The conversation also dives into quantitative risk, uncertainty, machine learning, decision-making, and why so many organizations still struggle to distinguish useful technology from what Michael jokingly compares to the Wizard of Oz, where much of the magic disappears once someone pulls back the curtain.
They close with practical advice for organizations trying to navigate an overcrowded and noisy market, including how to think critically about vendors, architecture, AI claims, and what truly differentiates good GRC technology from polished demos and marketing theater.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Richard Eddolls, co-founder and Platform Director of CoreStream, for a conversation about what happens when a GRC platform is built around one deceptively difficult idea—delivering real value.
Richard shares the origins of CoreStream, how the company evolved from its early beginnings, and how its core DNA has stayed remarkably consistent over the years. Simplicity, flexibility, and measurable outcomes remain central to the way CoreStream approaches GRC, even as the market itself has become larger, noisier, and increasingly crowded with overlapping promises.
The discussion explores why CoreStream focuses so heavily on outcomes rather than features, how configurability became one of the company’s defining strengths, and why organizations ranging from highly regulated enterprises to complex global manufacturers have gravitated toward the platform. Michael also shares a story about a major European manufacturer whose RFP process ultimately revealed something larger than a list of requirements. CoreStream stood out not just for meeting the brief, but for helping the organization think differently about where value could actually be created.
Along the way, they unpack the breadth of use cases CoreStream supports, the philosophy behind its no-code approach, and how its partnership with Sannos fits into the company’s evolving AI strategy. Rather than chasing hype, the focus remains on practical applications that improve efficiency, decision-making, and organizational effectiveness.
The episode closes with a look toward 2030 and what CoreStream may become as GRC continues to evolve from a compliance exercise into something more connected, adaptive, and operationally meaningful.
In a galaxy full of dashboards, acronyms, and feature lists, this conversation keeps returning to a simpler question. Does the technology actually create value?

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Adelani Adesida and Dave Rusher of Aravo to explore why third-party risk has become one of the defining challenges of the modern enterprise.
The conversation starts with a simple reality. The extended enterprise is the enterprise now. Organizations increasingly rely on vast networks of suppliers, vendors, contractors, distributors, and partners that stretch across jurisdictions, industries, and regulatory environments. Managing that complexity well is difficult. Managing it poorly, as Michael notes, can resemble Vogon poetry and be painful, confusing, and something no one should willingly endure.
From there, they unpack Aravo’s long history in third-party risk management and what has allowed the company to stand out in a crowded market. Michael highlights four things he believes differentiate Aravo. First, experience. Second, the ability to handle both deep complexity and global scale while still supporting smaller and mid-sized organizations effectively. Third, the breadth and maturity of its domain coverage across legal, compliance, cyber, operational resilience, privacy, sustainability, health and safety, and more. And finally, the people and culture behind the platform.
The discussion also explores why so many TPRM programs fail to mature, what successful implementations look like, and how Aravo approaches AI pragmatically rather than theatrically. 
The episode closes with a look toward 2030 and how Aravo sees third-party risk evolving as supply chains become more interconnected, regulations become more dynamic, and AI becomes increasingly embedded in the way organizations operate.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Guru Sethupathy of Optro to explore a question many organizations are still struggling to answer. What does AI governance actually mean in practice?
The conversation starts with what keeps clients up at night. Not just risk, but the pace of change. AI is moving faster than most governance models were designed to handle, leaving organizations trying to define guardrails while the technology keeps evolving underneath them.
From there, Guru breaks down what good AI governance looks like beyond the buzzwords. They unpack why nearly every platform now claims to offer AI governance, and how to separate meaningful capability from surface-level features. The discussion focuses on what organizations really need, including governance models that are effective, efficient, resilient, and adaptable enough to keep up with constant change.
They also explore how Optro is approaching this challenge, how its AI governance module is designed to operationalize these principles, and what organizations should expect as AI governance matures over the next several years.
The episode closes with a look toward 2030 and how governance itself may need to evolve as AI becomes embedded in everyday decision-making.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Anders Søborg, co-founder and co-CEO of E-V-E AI, in an unusual setting at the Glyptoteket Museum in Copenhagen.
Surrounded by a space that blends art, architecture, and atmosphere into a single experience, the conversation begins with a simple idea. Context changes how you see everything. It turns out that same idea applies to GRC, where meaning is often buried in documents, dashboards, and disconnected processes.
From there, Anders explains what E-V-E AI is and why it approaches compliance differently. Instead of layering automation onto existing workflows, E-V-E is built to analyze evidence directly. It maps controls, identifies gaps, and produces audit-ready outputs without the usual friction. The goal is not just speed but clarity.
They then discuss the role of agentic AI, where it is already delivering value and where it may take GRC in the near future. The conversation also explores how organizations should think about value across four dimensions. Efficiency, effectiveness, resilience, and agility. Not just cost savings.
The episode closes with a look ahead to 2030 and how platforms like E-V-E AI may reshape compliance into something more continuous and embedded in how organizations actually operate.
In a galaxy full of rules and reports, this conversation lands on something simpler. When you understand the context, the rest starts to make sense.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Adil Khan, CEO of SafePaaS, to explore what governance looks like when the enterprise is no longer neatly contained.
They begin with the story of SafePaaS, including where it came from, what it set out to solve, and why it has taken a different path from many other GRC platforms. At its core, SafePaaS focuses on one of the most immediate and material risks organizations face today: cybersecurity risk, and how controls around identity, transactions, and access can be continuously governed rather than periodically checked.
The conversation moves into real-world use cases, from IT general controls and segregation of duties to continuous monitoring across complex ERP and cloud environments. Along the way, Adil explains how SafePaaS delivers not just compliance, but efficiency, effectiveness, resilience, and agility and why those outcomes matter more than features alone.
They also explore how SafePaaS is approaching AI and where it’s being applied today, what’s practical versus speculative, and how automation is reshaping control environments. Finally, they look ahead to 2030 and what governance may need to become as enterprises grow more distributed, systems more autonomous, and risk more dynamic.
In a universe where complexity tends to expand faster than control, staying “under control” may require rethinking how control itself is designed.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Anthony Habayeb, co-founder and CEO of Monitaur, for a conversation that begins with mythology and quickly finds its way into the realities of governing artificial intelligence.
Anthony explains the origin of the name Monitaur, and why the image of navigating a labyrinth isn’t such a bad metaphor for the world organizations now face as they deploy AI systems. From there, the discussion moves into what AI governance actually looks like in practice, and why too many organizations still think of GRC as little more than a compliance exercise.
Michael and Anthony explore a broader idea—governance, risk, and compliance shouldn’t be episodic or checkbox-driven. In an AI-enabled world, it has to become a continuous, orchestrated system that connects risk, controls, performance, and business objectives.
Along the way, Anthony shares advice for organizations just beginning their AI governance journey, explains how companies can measure the value of a platform like Monitaur through real operational outcomes, and offers examples of how customers are already putting these ideas into practice.
The episode wraps with a look ahead to where AI governance may be headed by 2030, and how organizations can prepare for a future where AI systems are no longer experiments, but part of everyday decision-making.
Because in a galaxy full of models, algorithms, and acronyms, governing AI responsibly may turn out to be the most important journey of all.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen sits down with Stas Bojoukha, founder and CEO of Compyl, to explore a different way of thinking about governance, risk, and compliance.
The conversation begins with what makes Compyl stand out in a crowded market and the kinds of real-world use cases organizations rely on it to solve today. From there, Michael and Stas dive into the idea of GRC Engineering and what it actually means, who it’s for, and why it extends far beyond the IT security function.
Along the way, they unpack a bigger shift happening in the industry. If the role of “information security” alone is no longer enough, what comes next? Michael makes the case that the CISO role is evolving toward something broader, a digital risk and resilience leader responsible for delivering digital trust—a concept that closely aligns with how Compyl approaches GRC.
They also tackle AI, one of the most discussed and misunderstood topics in the market. The discussion separates real, practical applications of agentic AI in GRC from the marketing smoke and mirrors surrounding it, highlighting where Compyl sees genuine value today and where the industry still has work to do.
The episode closes with some of Compyl’s most challenging use cases and a look toward the future, and discuss how the platform may evolve by 2030 as organizations continue to rethink how they manage risk, resilience, and trust in an increasingly digital world.
In a galaxy full of frameworks, acronyms, and automation promises, this conversation focuses on building GRC systems that actually work.

In this episode of The Hitchhiker’s Guide to the GRC Technology Galaxy, Michael Rasmussen explores a familiar but evolving constellation in the GRC universe: Mitratech.
Long associated with what Michael calls “Legal GRC,” Mitratech has steadily expanded its orbit, moving from legal operations into enterprise-wide risk, compliance, and HR governance. The conversation examines what separates Mitratech in a market filled with specialists and generalists alike: not just breadth, but a deliberate effort to connect disciplines that are too often treated as separate planets.
They unpack how Mitratech balances its deep legal roots with enterprise GRC capabilities, how HR has become an essential governance frontier, and how integration, rather than replacement, shapes its strategy. AI enters the discussion as well. What’s real today, what’s emerging tomorrow, and how Mitratech is positioning itself for the next phase of intelligent automation.
Finally, they look ahead to 2030. What does the GRC galaxy look like then? What will organizations expect from platforms that span legal, risk, and people operations? And how does a company evolve without losing its gravitational center?
In a universe of accelerating regulation and complexity, this episode considers what it takes not just to expand but to expand wisely.