Three Analyst Firms. Eight Publications. One Conclusion.
  • Agentic AI
  • GRC
  • Enterprise Risk
  • 22nd May 2026

In Short
  • Three independent analysts reached the same conclusion. Gartner, Verdantix and Chartis Research each named SureCloud across eight separate GRC publications — with no coordination between firms — before the launch of Gracie AI Agents in May 2026.
  • Coverage spans five distinct GRC categories. eGRC systems, third-party risk management, risk and compliance analytics, operational resilience and cyber GRC — all recognised independently, across three separate research methodologies.
  • AI in GRC must be auditable, not just capable. Verdantix specifically cited SureCloud's event-based architecture as the foundation for explainability in highly regulated sectors — every agent action traceable, nothing lost in a black box.

Gartner, Verdantix and Chartis Research each independently named SureCloud across eight GRC (governance, risk and compliance) research publications before the launch of Gracie AI Agents with Personas and Skills on 7 May 2026. The recognition spans five distinct categories — eGRC systems, third-party risk management (TPRM), risk and compliance analytics, operational resilience, and cyber GRC — and was reached through three separate research methodologies with no coordination between firms. This article documents exactly what each firm found and why that matters to compliance leaders evaluating risk management software in 2026.

When Three Independent Analysts Reach the Same Conclusion

When a single analyst firm names you in a research publication, it is worth noting. When three independent firms name you across eight separate publications, spanning five distinct GRC categories, before you have launched your most significant product, something more substantive is happening.

 

Gartner, Verdantix and Chartis Research each arrived at their conclusions independently, through their own research methodologies, evaluating different segments of the GRC market. None coordinated their coverage. And all three reached a version of the same view: the GRC market is shifting, AI is central to where it is going, and SureCloud is among the platforms shaping that direction.

 

The recognition predated the launch of Gracie AI Agents with Personas and Skills. That matters. It means the underlying architecture — not the product announcement — is what the analyst community was responding to.

 

Michael Rasmussen, GRC 20/20 Research, on the future of GRC architecture — LinkedIn, May 2026

What Each Firm Found

Gartner: Three Publications, Three GRC Categories

 

Gartner named SureCloud as a Representative Vendor in three separate publications:

  1. Hype Cycle for Cyber Governance, Risk and Compliance 2025 — Representative Vendor
  2. Innovation Insight: Cyber GRC — Representative Vendor
  3. Market Guide for Third-Party Risk Management 2025 — Representative Vendor (one of 78 vendors identified globally across the TPRM market)

Appearing across Gartner's Hype Cycle, an Innovation Insight report and a Market Guide in the same research cycle signals breadth across the analytical categories Gartner uses to map the GRC market. It is not a single analyst view; it reflects coverage across multiple Gartner research teams.

 

Verdantix: One of 14 Vendors Shaping the Next Generation of GRC

 

Verdantix named SureCloud in 14 Innovative Vendors Pursuing New Strategies in GRC Software 2026 — a report specifically identifying platforms the firm believes are defining the next generation of GRC technology. Being named as one of 14 globally, in a report focused on genuinely new strategies rather than incremental improvement, is a different kind of recognition from a broad vendor list.

 

Verdantix specifically noted the architectural foundation that sits underneath SureCloud's AI capabilities:

 

SureCloud's event-based architecture converts every user action into a discrete, traceable event. As regulatory scrutiny intensifies, this architecture will be particularly valuable for firms handling sensitive data in highly regulated sectors.

— Verdantix, 14 Innovative Vendors Pursuing New Strategies in GRC Software 2026

 

That observation gets at the question GRC leaders in financial services, legal and critical national infrastructure are now asking about AI — not whether it is capable, but whether it is auditable, accountable and safe to rely on when regulators come asking. Event-sourced architecture, where every agent action is captured as a discrete and retrievable record, is the structural answer.

 

Chartis Research: Four Quadrant Reports, Enterprise Designation

 

Chartis Research recognised SureCloud across four separate quadrant reports:

  1. eGRC Systems — Enterprise Solution
  2. Third-Party Risk Management Technology Quadrant 2025
  3. Risk and Compliance Analytics Quadrant 2025
  4. Operational Resilience Management Quadrant 2025

The Enterprise Solution designation in the eGRC Systems quadrant is significant: it reflects Chartis's assessment that SureCloud's platform meets the complexity, integration and scalability requirements of large, highly regulated organisations — not just mid-market compliance teams.

What the Analysts Are Actually Recognising

Analyst recognition in GRC is rarely about features. The firms that evaluate this market are sophisticated enough to look past capability lists. What they are assessing is whether a platform's architecture is right for where the market is heading — not just for where it is today.

 

The GRC market is heading toward platforms that can act, not just report. The tools that dominated the last decade were systems of record: they stored risk data, tracked compliance status and produced reports. Useful. But increasingly insufficient, given the volume of regulatory obligation, the pace of third-party risk change, and the board-level scrutiny that GRC functions now operate under.

 

SureCloud's own research captures the resourcing constraint plainly: 49% of enterprises are managing five or more major regulations simultaneously, 63% cite internal skills gaps as a primary constraint, and 57% say budget limits their ability to hire. GRC is not a knowledge problem. It is an execution problem. That is the gap an act-not-report architecture closes.

 

Michael Rasmussen of GRC 20/20 Research — one of the most cited independent analysts in the field — visited the SureCloud team in London in May 2026 and described what he observed:

 

AI-native GRC orchestration is no longer theoretical. It is starting to take shape.

— Michael Rasmussen, GRC 20/20 Research, May 2026

The Platform Behind the Recognition

Gracie AI Agents with Personas and Skills launched on 7 May 2026. It is the product the analyst community was evaluating as it took shape — and the most significant release in SureCloud's 20-year history.

 

Gracie is not a chatbot or a generic AI assistant layered onto an existing platform. It is a virtual GRC team of expert agents, each defined by a Persona — a role-based specification that determines what the agent is qualified to do, which workflows it operates in, and how it interacts with the humans working alongside it.

 

  1. A Compliance Lead Persona gathers evidence for ISO 27001:2022 certification and maps it to the correct Annex A controls.
  2. A Vendor Risk Manager Persona runs third-party supplier assessments against documented risk criteria.
  3. A Risk Manager Persona monitors the controls library and flags gaps against the current risk register.
  4. Senior Agent Collaboration convenes multiple Personas when a new regulatory obligation — such as DORA or NIS2 — touches risk appetite, control coverage and third-party obligations simultaneously.

Every agent action is recorded. Every reasoning step is traceable. SureCloud's event-sourced architecture means nothing disappears into a black box. Humans remain in control of the decisions that require human judgement; Gracie handles the execution that currently consumes the capacity of your best compliance people.

 

During the strategy session with Rasmussen, the SureCloud team built a working Monte Carlo simulation capability inside the platform within hours — something Rasmussen said he has seen take comparable teams 12 to 18 months through traditional development. That is not a product claim. It is a signal of what an AI-native architecture makes possible when context, permissions, workflows and auditability are built into the foundation rather than bolted on. 

The Evidence Behind the Recognition

Independent analyst recognition matters to GRC leaders for a specific reason: their own organisations demand it.

Procurement processes, board sign-off and vendor risk assessments all require independent evaluation before significant technology decisions. Being named by Gartner, Verdantix and Chartis is not a marketing distinction. It is an answer to the question your CISO or CFO will ask.

 

The operational evidence is equally direct. Organisations using SureCloud's platform report:

 

  • 75% reduction in audit preparation time
  • 50–65% less manual evidence collection
  • Board reports from two weeks to two days

 

Control testing that used to be a point-in-time exercise runs continuously. Risk decisions that depend on unified data arrive 40% faster. These are the metrics that compliance leaders can take to a board — not analyst citations, but operational change.

 

DORA (the EU Digital Operational Resilience Act) has been in active enforcement since 17 January 2025, with oversight by the EBA, EIOPA and ESMA. NIS2 (the EU Network and Information Security Directive 2) reached its transposition deadline for member states in October 2024, with implementation obligations running into 2026. The FCA issued £15.7 million in fines in Q1 2026 alone. The compliance pressure on GRC teams is structural, and it is accelerating.

What It Means for GRC Teams Evaluating Software in 2026

The analyst community has independently concluded that the platforms getting the architecture right now are the ones that will define the next decade of GRC. Three separate firms, five categories, eight publications — all pointing in the same direction before the product launch that those publications were effectively predicting.

 

For compliance leaders currently evaluating risk management software: the question is not whether AI belongs in GRC. The question is whether the platform you are evaluating has the architecture to make AI accountable — auditable, explainable, and integrated into your actual workflows rather than sitting alongside them.

 

The architecture moment has arrived. The window between getting this right and being left behind is narrowing.

If you are currently shortlisting platforms, our agentic AI GRC platform evaluation guide sets out the criteria that separate platforms built for accountability from those that are not. 

Analyst Recognition in Full

| Firm | Publication | Designation |
|---|---|---|
| Gartner | Hype Cycle for Cyber GRC 2025 | Representative Vendor |
| Gartner | Innovation Insight: Cyber GRC | Representative Vendor |
| Gartner | Market Guide for TPRM 2025 | Representative Vendor (1 of 78) |
| Verdantix | 14 Innovative Vendors in GRC Software 2026 | Named (1 of 14) |
| Chartis Research | eGRC Systems Quadrant 2025 | Enterprise Solution |
| Chartis Research | TPRM Technology Quadrant 2025 | Named |
| Chartis Research | Risk & Compliance Analytics Quadrant 2025 | Named |
| Chartis Research | Operational Resilience Mgmt Quadrant 2025 | Named |

Explore Gracie AI

Explore Gracie AI to see how AI Agents with Personas and Skills operate inside SureCloud's event-sourced GRC platform — and how the architecture that three independent analyst firms recognised translates into practice for compliance teams in financial services, legal and critical infrastructure.