The Risk Wheelhouse

S5E4: Unified IRM - AI Governance, Acquisitions and Alliances

Wheelhouse Advisors LLC Season 5 Episode 4


The ground under GRC is shifting, and it’s not subtle. We break down how unified integrated risk management is replacing checklist compliance with an operating model that ties performance, resilience, assurance, and compliance together. From AI governance to ESG at the board level, we follow the money, the deals, and the data to show where risk management is actually going—and how to get there without drowning in spreadsheets.

We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance.

For leaders in regulated industries, we highlight practical gains from automated evidence collection, pre-built control content, and faster audit cycles—and we hammer on outcome proof as the only real test of integration. You’ll leave with three actionable steps: treat AI governance as foundational, demand verified customer outcomes, and pair your platform with expert implementation to deliver value in 90 days. We close by exploring the next frontier: agentic AI for continuous control monitoring, and the new risks that come when machines start guarding the machines. Subscribe, share with a colleague who owns risk or audit, and leave a review telling us the one metric you need to trust a platform’s integration.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode. 

Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com

Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.


From GRC To Unified IRM

Ori Wellington

Okay, if you're working in governance, risk, or compliance today, um you definitely know the job is changing. I mean, faster than ever.

Sam Jones

Oh, absolutely. You've got AI completely reshaping operations.

Ori Wellington

Right. And then new global rules like the EU AI Act demanding attention like yesterday.

Sam Jones

Yeah.

Ori Wellington

Plus all the ongoing geopolitical stuff. It's a lot.

Sam Jones

It really is. How do you keep up, or maybe even get ahead of it?

Ori Wellington

So yeah, that's what we're digging into today. We're doing a deep dive on some really key recent industry moves, acquisitions, partnerships that all seem to be pointing pretty strongly away from that old silo GRC approach.

The Four Pillars Explained

Sam Jones

And towards something the market's starting to call uh unified IRM, integrated risk management.

Ori Wellington

Unified IRM. Okay, and look, it's really crucial to get this. Unified IRM isn't just slapping a new label on GRC. It's a totally different operating model. How so? Well, it forces platforms, data, and even services to line up across four specific pillars: performance, resilience, assurance, and compliance. They have to connect. Wait, hold on. Why those four? What makes that the right framework now? Ah, because today risk doesn't just stay in one box, does it? Think about it. A supply chain problem, it's just resilience, right?

Sam Jones

But it hits your quarterly earnings.

Ori Wellington

Yeah.

Sam Jones

Performance. You need a system that connects those dots automatically.

Ori Wellington

Got it. And assurance and compliance fit in how?

Sam Jones

Well, assurance is making sure your controls actually work. They're effective. And compliance, that's making sure you're meeting all the rules, the regulations. The whole point is that one single event, whatever it is, feeds into a shared understanding, a common language, driving actions across the whole business. That just wasn't happening when GRC was more of a checklist exercise.

Ori Wellington

That makes a lot of sense. So it's less defensive compliance and more about actually enabling the business, maybe even finding opportunities.

AI Governance Moves Center Stage

Sam Jones

Exactly. And the deals we've been tracking just this past week show this isn't just theory, it's happening. Especially with getting AI oversight built in, you know, operationally at scale. Right. So for you listening, the big takeaway signal seems to be buyers aren't looking for just point solutions anymore. They need these integrated models. They really do. They want something that handles the full life cycle. Okay.

Ori Wellington

So let's unpack the biggest one first. AuditBoard agreeing to acquire FairNow. That's a purpose-built AI governance platform.

Sam Jones

Yeah, that was a significant move.

Ori Wellington

I bet anyone trying to manage AI risk right now feels like they're drowning in spreadsheets scattered everywhere. Is that the pain point here?

Sam Jones

That's precisely it. And what's interesting, I think, is that AuditBoard didn't just like build a new module. They went out and bought a dedicated engine for this. FairNow slots these essential capabilities right into the main platform. Things like an AI registry, which is crucial for just knowing what models you even have.

Ori Wellington

Okay, inventory first. Right. Then dynamic risk assessments, because AI models change, they learn, the risk isn't static. And the really key part, automated compliance mapping. Automated mapping. That sounds like where the rubber meets the road. What specific regulations are we talking about? The big ones everyone's worried about.

Sam Jones

Yes. This integration is clearly aimed at the heavy hitters, the ones that are becoming non-negotiable if you're using AI seriously. So that's the NIST AI Risk Management Framework.

Ori Wellington

Okay, the US standard.

Sam Jones

The international standard, ISO 42001, and probably the most urgent one for many, the EU AI Act.

Ori Wellington

Right. The EU AI Act is huge. So this acquisition basically says AI governance isn't an add-on anymore.

Sam Jones

Exactly. It's becoming a core expected capability of your main GRC, sorry, IRM platform. Table stakes.

Ori Wellington

And connecting this wider, this deal happened. Basically at the same time, AuditBoard extended its alliance with EY-US.

Sam Jones

It did, yeah.

Mapping To NIST, ISO, And EU AI Act

Ori Wellington

Which points to this services plus software model that sources are talking about.

Sam Jones

Absolutely. Look, just think about the EU AI Act alone. It's complex, it's not enough just to have the software tool.

Ori Wellington

Right. You need someone to help figure it out.

Sam Jones

Platform vendors are realizing they have to pair these advanced AI governance features with serious consulting muscle. That EY relationship helps speed up adoption, helps clients actually get value faster.

Ori Wellington

But hang on, that raises a question, doesn't it? If the software is so integrated and easy to use, shouldn't companies need less consulting help?

Sam Jones

Huh. Yeah, that's a great point. It's kind of a necessary tension right now.

Ori Wellington

Conflict of interest, maybe?

Sam Jones

Well, maybe short term. But right now, just interpreting the regulations and designing the actual AI governance program, the policies, the roles, the strategy, that's still really new and complex for most organizations. Okay. So firms like EY help set up that structure, get the program running. And then the software automates the day-to-day execution, the monitoring, the evidence.

Ori Wellington

So for the buyer, the takeaway is you probably need both technology and some expert help to get these new AI risk programs off the ground successfully.

Sam Jones

That seems to be the winning formula right now, yes. Program enablement alongside the tech.

Ori Wellington

Okay. So AI governance is moving into the core IRM platform and it needs advisory support. But this unification trend, it goes beyond just AI risk, right? Oh, yeah. We're seeing big moves connecting things up to the boardroom level too, especially around ESG. Let's talk about that Diligent and Persefoni partnership.

Sam Jones

Right. So Diligent, they're strong in board governance, reporting, disclosures. Persefoni is all about carbon accounting, the environmental data.

Ori Wellington

Okay, so connecting those two.

Services Plus Software: EY Alliance

Sam Jones

It's primarily about helping companies with sustainability reporting, sure. But for risk leaders listening, this is a really strategic bridge. It connects that high-level board oversight, what gets disclosed directly with the nitty-gritty operational ESG data.

Ori Wellington

Which effectively pulls ESG out of just being a reporting silo.

Sam Jones

Exactly.

Ori Wellington

And makes it a core risk concern.

Sam Jones

Precisely. The real insight here is that ESG data, especially things like climate risk, supply chain exposures related to climate, it needs much tighter integration with your operational risk programs.

Ori Wellington

Because you can't really measure your overall resilience if you don't factor in climate impacts on your operations or your financial performance. You got it. This partnership is another signal. ESG data is moving firmly into the central risk picture. Okay, so board-level reporting and operational risk are connecting. Where else is this unification playing out? Let's maybe pivot to specialized compliance. We saw that alliance between Hadrias and Sales GRC.

Sam Jones

Yeah, that's an interesting one, focused on highly regulated industries.

Ori Wellington

What financial services?

Sam Jones

Exactly. Financial services, maybe healthcare. For them, that assurance pillar proving controls are working is absolutely critical. This alliance is about delivering AI-powered compliance tools. Okay. But crucially, unifying those very specific compliance workflows directly with the broader risk oversight picture. Because honestly, these sectors are just drowning in compliance checks and audit requests.

Ori Wellington

So what's the tangible benefit? How does unifying that help them?

Sam Jones

It really comes down to measurable efficiency, making that assurance cycle faster and less painful. Buyers in these regulated industries should be looking for real proof points now. Like what? Things like pre-built content packs for specific regulations, controls already mapped to requirements, and real-time evidence automation.

Ori Wellington

Automated evidence. How does that work?

Sam Jones

Well, say a control needs daily proof, maybe checking system access logs. An integrated system could potentially automate pulling that log, checking it, and linking it as evidence for the control.

Ori Wellington

Oh, okay. So less manual chasing.

Sam Jones

Exactly. The promise is a dramatic cut in audit cycle times and manual effort. That's how you prove the integration is actually delivering bottom line value.

Ori Wellington

And speaking of delivering value, maybe we should just briefly touch on the capacity building signal, Riveron acquiring Eden Data.

Sam Jones

Right. That fits the pattern.

Ori Wellington

Expanding their risk and compliance advisory services, adding more digital and security expertise. It just seems to confirm what we've been saying.

Regulated Industries And Assurance

Sam Jones

Yeah, buyers want the enablement piece alongside the technology. They need people who know how to set up, configure, and actually drive value from these increasingly integrated systems. Okay. So if we kind of zoom out and pull all these moves together, the acquisitions, the partnerships, the advisory growth, we can actually see it reflected in broader research too.

Ori Wellington

Oh, really? Like what?

Sam Jones

Well, the recent Riskonnect 2025 survey findings really back this up. That research showed this widening gap.

Ori Wellington

Oh, yeah. Between what?

Sam Jones

Between the potential impact of new risk, especially things like geopolitics and AI, and how prepared organizations actually feel they are.

Ori Wellington

Ah, the preparedness gap. Yeah, I've seen that.

Sam Jones

And that gap is basically forcing companies to rethink their budgets. They're shifting investment away from older siloed systems towards these modern, integrated platforms that are actually designed to handle this new level of complexity.

Ori Wellington

Okay, that makes perfect sense. So let's translate all these market signals into some practical advice for you, the listener, whether you're looking at buying software soon or just planning your risk roadmap.

Sam Jones

Right. Based on everything we've discussed, the first big takeaway has to be treat AI governance as table stakes immediately. Absolutely. If AI touches any part of your customer-facing stuff or your core operations, having robust AI governance within your IRM platform isn't optional anymore. It's foundational.

Ori Wellington

So you need to check your current systems or potential vendors.

Sam Jones

Yes. Validate that they can fully support the mapping, the controls, the evidence needed for NIST AI RMF, ISO 42001, and especially the EU AI Act.

Ori Wellington

And ensure it connects.

Automated Evidence And Real Outcomes

Sam Jones

Critically. Make sure your AI model inventory, the use case approvals, all of that flows seamlessly into your existing audit workflows, your remediation tracking, your reporting. If it doesn't, you've got a major platform gap to address. Okay, solid advice. Second major takeaway: demand outcome proof for integration. Don't just take their word for it or look at pretty slides. Yeah, be skeptical of the marketing hype, what some call slideware. You need a critical eye here.

Ori Wellington

How do you do that? Well, like in our own internal vendor compass analysis, we look hard at two things. Solution coverage: do they have the features? But more importantly, the level of integration: do those features actually work together seamlessly?

Sam Jones

Yeah.

Ori Wellington

And how does a buyer test that?

Sam Jones

Don't just look at feature lists. Ask for verified customer outcomes. Real proof points. Ask for, say, documented examples of reduced audit cycle time because of automated evidence. Or uh customer references who can quantify how much faster they onboarded vendors after implementing measurable results. Exactly. If the integration is real, the benefits should be measurable in dollars saved or days reduced. Makes sense.

Ori Wellington

Okay, third practical takeaway, and this ties back to that AuditBoard EY alliance. Pair platform with services from day one. Yes. Don't assume you can just buy the software and figure out complex new areas like AI governance entirely on your own, especially not quickly.

Advisory Capacity Expands

Sam Jones

So learn from that EY alliance model. Use it as a best practice example. Define your internal roles clearly, sure. But get a named delivery partner involved early. And then focus on a tight, maybe 90-day plan aimed at delivering quick, tangible value.

Ori Wellington

And what should that value look like? It should map directly back to those four IRM pillars we talked about. Performance, resilience, assurance, compliance, getting your foundational AI model inventory stood up, maybe automating some initial control testing within that first 90 days that should be achievable now with the right platform and the right advisory support working together. So wrapping this up, what we've tracked today, this pattern of acquisitions plus alliances, it really feels like more than just cosmetic changes.

Sam Jones

Oh, it's definitely structural.

Ori Wellington

It seems like managing these big emerging risks, especially AI, is getting hardwired into the daily operating rhythm of risk management. It's not just an overlay project anymore.

Sam Jones

No, it's becoming the core. And looking ahead, the winners in this consolidating market, I think, will be the vendors who can go beyond just talking about features.

Ori Wellington

They need to prove the integration works.

Sam Jones

Yes. And prove it with outcomes customers can measure in months, not years. That fast ROI is what's justifying this big budget shift we're seeing towards integrated platforms.

Research Confirms The Preparedness Gap

Ori Wellington

Okay. So that structural shift leaves us with maybe one final provocative thought for you to consider as you plan your own risk roadmap. Given this trend of specialist alliances like Hadrias and Cellus GRC and the board ESG convergence with Diligent and Persefoni, how quickly do you think vendors will start adding agentic AI?

Sam Jones

You mean AI that can act on its own? Yeah.

Ori Wellington

AI agents to actually perform tasks like automating evidence collection or even doing continuous control monitoring autonomously.

Sam Jones

Interesting. That could be powerful.

Ori Wellington

It could. But maybe more importantly, if we get that level of automation and compliance assurance, what new, maybe unexpected risks does that introduce into your control environment?

Sam Jones

That's a really good question. How much autonomy do you give the machines guarding the machines?

Ori Wellington

Exactly. Something to think about as you decide just how integrated and automated you want your risk systems to become.