- GRC
- 26th May 2026
GRC 20/20 Says the Architecture Moment Has Arrived Today
- Written by
In short
- GRC is moving beyond systems of record: Michael Rasmussen argues the next phase of GRC will be defined by platforms that understand context, orchestrate work, and scale expertise — not just store compliance data.
- The real bottleneck is execution, not knowledge: Compliance teams already have the data. The operational problem is the manual work around evidence gathering, risk assessments, regulatory response, and reporting.
- AI without architecture underdelivers: Rasmussen highlights that generic AI layered onto legacy workflows becomes “a veneer rather than a transformation” without deep context, permissions, workflows, and auditability.
- Executable GRC is becoming real: SureCloud’s Gracie AI Agents demonstrate how AI-native orchestration can automate evidence collection, control monitoring, vendor risk workflows, and board reporting while keeping humans accountable for judgement calls.
The core argument in Rasmussen’s analysis is that the GRC market has reached an architectural turning point. The organisations that move fastest will not simply automate existing tasks; they will redesign how governance, risk, and compliance work is executed operationally. Context-aware AI, event-driven architectures, and orchestrated workflows are shifting GRC from static systems of record into active systems of intelligence and action. For teams facing DORA, NIS2, ISO 27001, and mounting regulatory pressure without equivalent headcount growth, that shift is becoming less theoretical and more operationally necessary.
Introduction
The GRC industry has no shortage of opinions. What it has less of is signal. When Michael Rasmussen, founder of GRC 20/20 Research and one of the most cited independent analysts in the field, writes that GRC is entering “a very different phase,” practitioners tend to stop and read.
His recent post, following a strategy session with the SureCloud team in London, did not arrive as promotional content. It arrived as an analyst’s honest read on where the market is going. And what he described is something GRC teams have been quietly sensing for a while: the tools that define the next decade of compliance and risk management are not the
The architecture question most GRC vendors are ducking
The shift Rasmussen identifies is from systems of record to systems of intelligence, action, and orchestration. That distinction matters more than it might first appear.
Systems of record store information. They track what happened, who signed off, what controls exist, which frameworks apply. They are the backbone of modern GRC programmes. They are also, increasingly, insufficient on their own.
The problem is not that GRC teams lack data. It is that the work of acting on that data — gathering evidence, monitoring controls, assessing third parties, preparing board reports, responding to new regulatory obligations — still falls almost entirely on people. Smart, experienced, expensive, and stretched people. SureCloud’s own research finds that 49% of enterprises are currently managing five or more major regulations at once, 63% cite internal skills gaps as a primary constraint, and 57% say budget limits their ability to hire.
GRC is not a knowledge problem. It is an execution problem.
This is the gap Rasmussen is pointing at. And as he notes, simply layering AI chat onto legacy workflows does not close it. The gap closes when the platform itself can act: when it understands context, scales expertise, orchestrates activity across the programme, and keeps humans accountable for the decisions that require human judgement.
Context is not a feature. It is a foundation.
One of the sharper observations in Rasmussen’s post concerns the quality of AI in GRC. Generic AI produces generic answers. What separates genuinely useful GRC AI from a sophisticated chatbot is context: the policies, controls, obligations, risk appetite, and business processes that make an organisation’s GRC programme its own.
This is why most AI bolted onto GRC platforms underdelivers. The AI is operating without the relational depth that makes GRC work meaningful. It can summarise a document. It cannot tell you which control gaps are most material given your current risk register, your regulatory deadlines, and how your business is actually structured.
Architecture is the answer. And as Rasmussen notes, without the right foundation — the right data, permissions, workflows, and auditability layer underneath — AI risks becoming a veneer rather than a transformation.
“Without that foundation, AI risks becoming a veneer rather than a transformation.”
— Michael Rasmussen, GRC 20/20 Research
That word, veneer, is precise. It describes a lot of what the GRC market is currently being sold.
The Monte Carlo moment
The most striking passage in Rasmussen’s post is about speed. During the strategy session, he challenged the SureCloud team on Monte Carlo simulation for risk analysis. Within hours, the team had built a working capability inside the platform, something Rasmussen says he has seen take comparable teams twelve to eighteen months to build through traditional development.
“That is not just a product point. It is a signal of how dramatically AI may change software development, implementation timelines, and the pace of innovation in GRC.”
— Michael Rasmussen, GRC 20/20 Research
This is the practical proof behind the architecture argument. When context is embedded, when the platform is built to act rather than just record, and when AI is integral to how the platform develops and operates rather than layered on top, the pace of what becomes possible changes fundamentally.
For GRC teams sitting on capability backlogs, managing compliance obligations with headcount that has not kept pace with workload, this matters.
What executable GRC actually looks like
At SureCloud, we use the phrase executable GRC. Not a report on what needs doing. The work itself, getting done.
Gracie AI Agents with Personas and Skills is how that comes to life. Gracie is not a chatbot or a generic AI assistant. It is a virtual GRC team of expert agents, each with a defined role, operating within the platform’s permissions model, drawing on codified Skills to perform the activities that currently consume the capacity of your best people.
A Compliance Lead Persona gathers evidence for ISO 27001 certification. A Vendor Risk Manager Persona runs supplier assessments. A Risk Manager Persona monitors the controls library and flags gaps. Senior Agent Collaboration convenes multiple Personas when a new regulatory obligation touches risk appetite, control coverage, and third-party obligations simultaneously: the kind of cross-domain question that currently lands in the inbox of whoever is most senior and most available.
Every action is recorded. Every reasoning step is traceable. The platform’s event-sourced architecture means nothing disappears into a black box. Humans remain in control of the decisions that require human judgement. Gracie handles the rest.
“SureCloud’s event-based architecture converts every user action into a discrete, traceable event. As regulatory scrutiny intensifies, this architecture will be particularly valuable for firms handling sensitive data in highly regulated sectors.”
— Verdantix, 14 Innovative Vendors Pursuing New Strategies in GRC Software 2026
Proof still matters
Rasmussen is careful to note that analyst enthusiasm does not replace evidence. The market needs evidence around accuracy, auditability, repeatability, control, cost economics, and real-world performance.
That is fair. Organisations using SureCloud’s Continuous Controls Monitoring see a 75% reduction in audit preparation time. Control testing that used to be a point-in-time exercise runs continuously. Board reports that took teams two weeks to prepare now take two days. Manual evidence collection effort falls by 50 to 65%. Decisions that depend on unified risk data arrive 40% faster.
Gartner, Verdantix, and Chartis Research recognised SureCloud across eight research publications before Gracie AI launched in May 2026. Not because we asked them to. Because independent analysis was reaching the same conclusion Rasmussen reached in London: the architecture is right, the timing is right, and the market is moving.
The future of GRC is not theoretical
Rasmussen closes with this: “AI-native GRC orchestration is no longer theoretical. It is starting to take shape.”
The window between getting this right and being left behind is narrowing. DORA is in active enforcement. NIS2 reaches its October 2026 deadline. The FCA issued £15.7 million in fines in Q1 alone. Regulatory pressure is not aspirational. It is structural and it is accelerating.
If your GRC programme is still built around manual evidence collection, point-in-time control testing, and board reports that take weeks to prepare, the gap between what your team is doing and what is now possible is significant and growing.
The architecture moment has arrived. The question is what you do with it.
Explore Gracie AI at surecloud.com/gracieai