The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S6E7: AI Upends GRC - From Clipboards To Control Planes
What happens when the firm that helped define integrated risk management turns a critical lens on the category's foundations?
In this episode, analysts Ori Wellington and Sam Jones preview two major Wheelhouse Advisors research publications: The Integration Trap for GRC and the IRM50 AI Disruption Risk Index. The data reveals a surprising finding: when 50 IRM vendors are scored on structural exposure to AI disruption, market leadership and market durability turn out to be very different things.
At the heart of the analysis is what Wheelhouse calls the Integration Trap. Many established platforms excel at compliance documentation and assurance reporting but were never architected for real-time operational control. That distinction matters now more than ever. Agentic AI does not need dashboards or user interfaces. It needs APIs and control planes. Vendors with deep operational DNA are naturally positioned for this shift, while those built primarily around human workflows face difficult architectural decisions.
The episode examines how major financial institutions like Citigroup and Goldman Sachs are already reshaping the landscape, one by building its own orchestration layer internally, the other by deploying production-grade AI agents for compliance work. These moves signal that buyer expectations are evolving fast, and every vendor in the market will need to respond.
Ori and Sam also address the structural pressures facing professional services firms as AI compresses the cost of compliance labor, and why consumption-based revenue models may prove more resilient than traditional seat-license pricing.
The conversation closes with three questions buyers should ask before their next vendor renewal, guidance for investors evaluating revenue quality, and a challenge to product teams across the industry: build for the agentic era, not the last one.
Full tier assignments, vendor profiles, and the evaluation framework are available exclusively on The RTJ Bridge.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Shocking Findings In IRM50
Ori Wellington: Welcome back to the Risk Wheelhouse edition of the Deep Dive. I'm Ori Wellington, and with me is my co-host and fellow analyst here at Wheelhouse Advisors, Sam Jones.
Sam Jones: It's good to be here.
Ori Wellington: Sam, we, uh, we spend a lot of our time looking at vendor briefings, right? We sit through slide decks, we listen to a lot of, you know, very polished marketing pitch. But today we are looking at a data set that, well, it essentially takes a sledgehammer to the current consensus of the risk market.
Sam Jones: I think sledgehammer is probably the right word. We're previewing two, um, two pretty major upcoming research notes from our CEO, John Wheeler.
Ori Wellington: And for those who might not know, John is, well, he's the guy who literally coined the term integrated risk management, or IRM, way back in 2016. He basically created the category.
Sam Jones: He did. And now, ten years later, he is releasing a critique that suggests the entire category is in, uh, let's just say, serious trouble.
Ori Wellington: The notes are titled The Integration Trap for GRC and the IRM50 AI Disruption Risk Index. And I want to start right at the top with the headline finding. Because when I first saw this, I, I actually thought it was a typo in the spreadsheet.
Sam Jones: Oh, I know exactly which stat you're talking about. I had the same reaction.
Ori Wellington: Okay, so Wheelhouse scored the top 50 vendors, we call them the IRM50, on their exposure to disruption by AI. Now, in any mature market, you expect the leaders, right? The big names, the ones with the biggest market cap, you expect them to be the safest bets.
Sam Jones: That's the whole point of being a leader. Stability, safety.
Ori Wellington: It's the "nobody gets fired for buying IBM" logic. But here's the reality check from the data. There are currently six designated market leaders in the IRM space. We're talking about heavyweights.
Sam Jones: The ones you see in every analyst report.
Ori Wellington: Exactly. ServiceNow, Riskonnect, Archer, OneTrust.
Sam Jones: And the big service firms, KPMG and EY.
Ori Wellington: Right. These are the firms that dominate every magic quadrant, every wave you've ever seen. But when John ran them through the AI disruption risk index, these six leaders landed in, get this, five different risk tiers.
Sam Jones: Which is, I mean, it's structurally incoherent if you believe the standard analyst narrative. It just doesn't compute.
Ori Wellington: It makes no sense. If leadership means safety, they should all be clustered together in tier one, maybe tier two. But they're scattered all over the map. Some are safe, some are in the danger zone, and, uh, some are arguably on the brink of obsolescence. Yeah. So, Sam, before we get into the how and the why, I have to ask: does the term market leader actually mean anything anymore? Or is it just a measure of who has the biggest marketing budget?
Sam Jones: I think that is the core question of this entire deep dive. And we have to distinguish between two things: commercial leadership and structural durability. Okay, unpack that. The market leaders you just mentioned, they are absolutely commercial leaders. They have the revenue, they've got the huge customer base, the brand recognition, that is undeniable. But this research isn't measuring their stock price today.
Ori Wellington: Right. It's a forward-looking index.
Sam Jones: It's measuring their architectural exposure to a technological shift that is, you know, unlike anything we've seen before. It's looking at their foundations.
Ori Wellington: You're talking about agentic AI.
Sam Jones: I am. And what the data shows, Ori, is that what made these companies so successful in, say, 2020, these massive all-in-one platforms designed for humans to click around and input data, that very architecture might be the exact structural liability that drags them down in 2027.
Ori Wellington: Boy. So the strength becomes the weakness.
Sam Jones: Precisely. So the disruption disconnect is this: you can be a market leader in revenue and a complete market laggard in survival.
Ori Wellington: Okay. That is a bold claim. A market laggard in survival. We need to unpack that because if I'm a CIO, if I'm a chief risk officer listening to this, and I just signed a five-year contract with one of these vendors, I'm probably sweating a little bit right now.
Sam Jones: You should be asking some hard questions at least.
Ori Wellington: And we should be clear, we aren't going to name and shame here. We aren't revealing which specific vendor is in which tier today.
Sam Jones: No, for that you have to go to the full research on the RTJ Bridge.
Ori Wellington: But we are going to explain the mechanics, the why behind the numbers. Why are some safe, and why are others, to use your words, walking into a buzzsaw?
The Integration Trap for GRC Defined
Sam Jones: And to understand that, we have to get technical. We have to talk about something John calls the integration trap.
Ori Wellington: The integration trap. It sounds dramatic, but I have to push back on this a bit, Sam. Because every single vendor I talk to, their first slide says "one platform." They all say "connected GRC." Is John Wheeler saying they are all lying?
Sam Jones: He's not saying they are lying. He's saying they are integrated in the wrong direction.
Ori Wellington: Okay. What does the wrong direction mean?
Sam Jones: We evaluate these platforms against our IRM Navigator model, specifically looking at four key objectives. We use the acronym PRAC: performance, resilience, assurance, and compliance.
Ori Wellington: P-R-A-C.
Sam Jones: Right. And I want to take some time here because these aren't just buzzwords. They represent fundamentally different architectures, fundamentally different data models.
Ori Wellington: Okay, let's break them down then. Start with the easy ones: assurance and compliance.
Sam Jones: Yeah.
Ori Wellington: The A and the C.
Sam Jones: Okay. So compliance is binary. It's a checkbox. Did you follow the rule? Yes or no? Did you change your password every 90 days? Did you sign the policy? In software terms, this is a form. It's a record in a database. And software. Assurance is the reporting layer on top of compliance. It's proving to a third party, an auditor, a regulator, your board, that you checked all the boxes. It's all about aggregation, dashboards, visualization, documentation.
Ori Wellington: I always think of it as the clipboard guy analogy.
Sam Jones: That's a perfect analogy. Think of a factory. The assurance and compliance layer is the person walking around with a clipboard or an iPad, it doesn't matter. And they're just noting down what they see. Machine A is running, machine B is stopped. They are creating a record of the past.
Ori Wellington: A historical record. And frankly, that is what 90% of the GRC market has been for 20 years. It's a very expensive, very fancy digital clipboard.
Sam Jones: Exactly. And that brings us to the other two: performance and resilience. The P and the R. This is where the trap snaps shut.
Ori Wellington: How so?
Sam Jones: Well, performance isn't about checking a box, it's about optimization. It's asking, is the risk control actually working efficiently right now in this second? And resilience is about reaction speed. The control just failed. How fast can we recover?
Ori Wellington: So to stick with your factory analogy, performance isn't just writing down "the machine is running." Performance is being plugged directly into the machine's motor, sensing the vibration and adjusting the torque in real time to prevent a failure.
Sam Jones: Yes. Exactly. And resilience is the automatic kill switch that triggers when that vibration hits a critical threshold, shutting it down before it explodes. Now, here is the architectural problem, Ori. Okay. You cannot build performance and resilience using the same software architecture you used for assurance and compliance.
Ori Wellington: No, why not? I mean, software is software, isn't it? Can't you just add a new feature, a new module?
Sam Jones: It's not that simple. It comes down to the data. Compliance is based on static data: forms, documents, periodic reviews, things that are already in the past. Performance and resilience require streaming data.
Ori Wellington: Real-time data.
Sam Jones: Real-time telemetry. They require an event-driven architecture that can handle millions of signals a second.
Ori Wellington: Ah, I see. So you can't just add a feature to a form-filling application that magically turns it into a real-time sensor network. The whole foundation is wrong.
Sam Jones: You can try. And that is the essence of the integration trap. These vendors have spent two decades building these massive monolithic platforms designed to ingest forms and generate reports. They're incredibly deep in assurance and compliance.
Ori Wellington: But when they try to do performance and resilience.
Sam Jones: They are incredibly shallow. They're faking it.
Ori Wellington: Faking it how? Give me an example.
PRAC: Performance, Resilience, Assurance, Compliance
Sam Jones: Okay, they will sell you a resilience module, but when you open it up, what is it really? It's just another form. It's a place for you to document your resilience plan. It's a Word document in a database.
Ori Wellington: It's not a tool to execute the plan. No.
Sam Jones: So you have this beautiful digital binder with your disaster recovery plan in it, but the software can't actually touch your servers, it can't reroute network traffic, it can't freeze a bank account to stop the bleeding.
Ori Wellington: So the trap is this: organizations buy these integrated platforms thinking they're getting a command center.
Sam Jones: Well, what they are actually buying is a library.
Ori Wellington: A library versus a command center. I like that. So they can detect risks, maybe, but they can't act on them within the platform itself. You get faster reporting without faster response.
Sam Jones: You get a prettier dashboard telling you the house is on fire, but you don't get a sprinkler system.
Ori Wellington: And historically that was kind of okay. Right. Because a human did the acting. The software gave me the report, I read the report, and then I ran over and fixed the server myself.
Sam Jones: It was fine for the last decade, but now we have AI. And this is where the physics of disruption really comes into play.
Ori Wellington: Let's pivot to that. Why does this deep compliance, shallow performance architecture make a vendor so vulnerable to AI? I mean, AI is just another technology. Why does it break this specific model so badly?
Sam Jones: It's because of what Gen AI and, more importantly, agentic AI are specifically good at replacing. We call it the compression sequence. Disruption doesn't happen all at once, it eats the value chain in a very specific order.
Ori Wellington: Okay, walk us through that sequence. What gets eaten first?
Sam Jones: The first thing to go is artifact generation.
Ori Wellington: The reports.
Sam Jones: The reports, the policy summaries, the audit documentation, the emails to stakeholders, the entire assurance layer we just talked about. Or you think about what a traditional GRC vendor actually charges you for. They charge for seat licenses for human beings to log in and create these artifacts.
Ori Wellington: Right. Their value prop is "I help you write your audit report 50% faster."
Sam Jones: Well, guess what? A large language model can now do that instantly for a near zero marginal cost. If your software's main value is "I provide templates and workflows to help humans write documents," your value just evaporated.
Ori Wellington: You are selling a typewriter in the age of the word processor.
Sam Jones: You are. So the deep compliance layer, the library, is the first thing that AI completely commoditizes.
Ori Wellington: Okay, that makes sense. But what's next?
Sam Jones: The next phase is workflow automation.
Ori Wellington: So this is the routing part, the "send to Bob for approval" button.
Sam Jones: Exactly. Traditional GRC platforms are, at their core, glorified routing engines. Ticket number one, two, three goes to analyst A. Analyst A checks a box, it then goes to manager B. But with agentic AI, and we need to be really clear about this term, we are not talking about a chatbot.
Ori Wellington: Right. This isn't a help desk bot.
Sam Jones: No. We are talking about autonomous software agents that can reason, plan, and execute multi-step tasks. An agent doesn't need a ticket routed to it, it just monitors the queue.
Ori Wellington: And it does the work itself.
Sam Jones: It monitors the queue, it opens the file, it checks the data against the policy, and if it matches, it approves it. It doesn't need a UI, it doesn't need a user experience, it does not need a dashboard.
Why Forms Can’t Do Real-Time Control
Ori Wellington: It is a huge point. These market leader vendors spend millions and millions on UX design. Look at how pretty our buttons are. Look at our intuitive interface.
Sam Jones: But if the primary user is a software agent, the buttons are irrelevant.
Ori Wellington: They're worse than irrelevant, they're friction.
Sam Jones: They're friction. The agent wants an API. It wants a direct, high-speed data pipe. So if your platform is this heavy, UI-centric form filler, you are structurally obsolete for an agentic workforce.
Ori Wellington: Okay, so the artifacts are gone, the human-centric workflows are gone. What's left? Where is the safe harbor in all this?
Sam Jones: The control plane.
Ori Wellington: Uh, the operational doing.
Sam Jones: The performance and resilience layer we talked about, the P and the R. The systems that actually touch the money, touch the data, touch the infrastructure.
Ori Wellington: Why is that safe?
Sam Jones: Because AI is not yet trusted, and frankly won't be for a very long time, to autonomously shut down a global payments grid without a hard-coded human-vetted safety layer.
Ori Wellington: The guardrails.
Sam Jones: The guardrails. The vendors who build the actual controls, the ones embedded in the code, the ones embedded in the network firewall, they are durable because the AI needs them. The AI is the brain, but these vendors are the hands and feet. You can always swap out the brain for a better AI model, but you still need the hands to turn the valve.
Ori Wellington: So to summarize the vendor danger zone, if you are selling a check-the-box platform, you are in deep trouble because AI can check the boxes for free.
Sam Jones: Right.
Ori Wellington: But if you are selling a turn-the-valve platform, you are safe because the AI needs you to execute the physical or digital change.
Sam Jones: That is the dividing line. And that single distinction explains why those six market leaders are scattered all over the risk index. Some of them have spent the last few years buying or building real control plane capabilities. They are sticky. Others are still just selling better clipboards.
Ori Wellington: I want to challenge you on this, Sam. This all sounds very logical here in a podcast studio. But in the real world, big companies move slowly. They have massive sunk costs. Are we really seeing this shift happen right now? Or is this just theoretical architecture talk?
Sam Jones: Oh, it's happening, and it's happening right now, and the money involved is staggering. The research highlights two specific examples that, frankly, prove the entire thesis: Citi and Goldman Sachs.
Ori Wellington: Two names that get your attention. Let's talk about Citi first, because this feels like a case study in the build versus buy resurgence.
Sam Jones: It is. I mean, think about Citi, one of the largest, most complex banks in the world. They have a nearly unlimited budget. If there was a GRC platform on the market, one of those so-called leaders that actually solved this integration problem, they would have just written a check for $50 million and been done with it.
Ori Wellington: Absolutely. It would have been far easier. No CIO wants to take on the headache of building custom software if they don't have to.
Sam Jones: Exactly. But they didn't buy. They built something called Stylus Workspaces internally.
Ori Wellington: So why? What could Stylus do that the big vendors couldn't provide?
Sam Jones: It comes right back to the data model we just talked about. Citi has thousands of applications, mainframes from the 80s, modern cloud apps, a million spreadsheets, external data feeds. The integration trap vendors come in and say, hey, no problem. Just import all of that data into our proprietary database, spend two years mapping it to our rigid fields, and then we can give you a pretty report.
Ori Wellington: Which takes five years to implement, and by the time you're done, the entire business has changed. It's a non-starter.
Sam Jones: It's a dead end. Citi realized they couldn't move the data to the platform. They needed a platform that could sit on top of the data wherever it lived.
Ori Wellington: An orchestration layer.
AI’s Compression Sequence Hits Assurance
Sam Jones: That's the perfect term for it. Stylus isn't a repository, it's a workspace. It pulls data from finance, from risk, from HR in real time, allows a human or in the future an agent to work on it, and then it pushes the result back to the source system. It leaves the data where it is.
Ori Wellington: That sounds an awful lot like performance and resilience.
Sam Jones: It is. It's operational. It's designed to do work, not just report on work that was done. And the fact that Citi felt compelled to build this from scratch is, I think, a damning indictment of the entire vendor market. It's a giant vote of no confidence.
Ori Wellington: It's Citi saying your products are so stuck in the assurance trap that you cannot support our actual operations.
Sam Jones: That's exactly what it says. So that's the platform side of what John calls the pincer movement. Now let's look at the other side, the labor side. Let's talk about Goldman Sachs.
Ori Wellington: Okay, what's Goldman doing?
Sam Jones: Goldman is attacking the problem from the bottom up. They have deployed production-level AI agents for compliance and accounting workflows.
Ori Wellington: And again, let's be really specific here. We are not talking about a chatbot that helps you write an email faster.
Sam Jones: No, absolutely not. We are talking about complex, multi-step cognitive tasks that a human used to do. Things like review these 5,000 transaction logs, cross-reference them with the new sanctions list from the Treasury Department, identify any fuzzy matches, validate those against the client's KYC file, then flag the real hits for human review.
Ori Wellington: That is literally the job description of a first-year junior analyst.
Sam Jones: It was. Now it's the job description of a software agent. And Goldman is running this in production in a highly regulated environment right now.
Ori Wellington: So putting these two examples together, Citi proves you need a new kind of architecture, an orchestration layer that the market isn't selling.
Sam Jones: Right.
Ori Wellington: And Goldman proves you can automate the cognitive labor that the old platforms were designed to manage.
Sam Jones: And the traditional vendors are squeezed right in the middle. On one side, their platform isn't technical enough for the Citis of the world. On the other side, the human users they sell seat licenses for are disappearing, replaced by the agents of the Goldmans of the world.
Ori Wellington: That is the pincer movement. Wow. And it leads us to, uh, perhaps the most controversial part of this entire report, tier five, the service firm crisis.
Sam Jones: Yeah, this is the one that is going to get us some angry emails, Ori.
Ori Wellington: The finding is that every single major professional services firm landed in tier five. That's the highest risk category. And remember, two of the market leaders we mentioned at the top, KPMG and EY, they fall into this bucket because they're hybrid product and service firms.
Sam Jones: Structurally, they are in the exact same boat, yeah.
Ori Wellington: But Sam, come on. These are the big four. They have brands that have lasted a hundred years. They have deep C-suite relationships with every Fortune 500 company on the planet. Are we really saying they are at high risk of disruption? That seems exaggerated.
Sam Jones: Let's strip away the brand for a second and just look at the unit economics. How do these firms make their money?
Ori Wellington: They sell time, billable hours.
Sam Jones: They sell human effort applied to compliance and assurance problems. Their model is "we will send a team of 50 bright young associates to audit your controls."
Ori Wellington: And they'll charge you $300 an hour for each one of them.
Sam Jones: Right. Now look back at the Goldman Sachs example we just discussed. The work that those 50 associates are doing, checking spreadsheets, validating controls, sampling data, is the exact work that the AI agents are now doing at Goldman.
Ori Wellington: So the core commodity they are selling, human compliance labor, is plummeting in value.
Agentic AI Kills Human-Centric Workflows
Sam Jones: The marginal cost is racing towards zero. If I'm a bank, why would I pay a firm $5 million for an audit team when I can run an internal agent swarm for $50,000 that does the same work in half the time with higher accuracy?
Ori Wellington: Well, the counterargument is always trust. I pay KPMG because I trust their signature on the final report. I need the formal assurance.
Sam Jones: That's true for the final signature. You still need the partner to sign off, but you do not need the giant pyramid of 500 junior associates underneath him to do the grunt work anymore.
Ori Wellington: So the pyramid collapses.
Sam Jones: The entire leverage model collapses. These firms are built on leverage: one partner billing out the time of 20 associates. If the associates are replaced by software, the revenue model fundamentally breaks.
Ori Wellington: But what if they just use the AI themselves? Can't they pivot and say, we use AI to do your audit faster and cheaper?
Sam Jones: They can, and they absolutely are trying to, but think through the economics of that. If they use AI to do the work in one hour instead of 100 hours, can they charge 100 times their old hourly rate?
Ori Wellington: No way. No client is going to pay $30,000 an hour.
Sam Jones: Exactly. So their revenue shrinks no matter what. This is the classic innovator's dilemma. They cannot cannibalize their own billable hour model fast enough to survive the deflationary pressure that AI is creating.
Ori Wellington: So when we see them in tier five, it's not because they aren't smart. It's not because they don't have good people or good tech. It's because their fundamental business model is selling labor in an economy that is rapidly moving to automated labor.
Sam Jones: And in their case, scale acts as an anchor, not a sail. They have too many bodies, too much expensive real estate, too much overhead dedicated to a way of working that is becoming obsolete.
Ori Wellington: That is a very grim outlook for the consultants. But let's move back to the software vendors. We've got the leaders scattered all over, we've got the service firms in tier five. Who's actually winning? Let's talk about the contested middle and the lonely tier one.
Sam Jones: Right. So tiers three and four are what we call the contested ground. This is where most of the 50 vendors in the index actually live.
Ori Wellington: These are companies that have, you know, credible platforms. They aren't vaporware, but they haven't really solved the integration trap yet.
Sam Jones: Exactly. They are still mostly form fillers, but maybe they have better APIs than the laggards, or maybe they have a specific niche where they do performance really well, but not across the board.
Ori Wellington: So what happens to them?
Sam Jones: It's a move-up-or-die scenario. We think they have a limited window, maybe 18 to 24 months, to fundamentally re-architect their platforms. They need to stop building better dashboards and start building real control planes.
Ori Wellington: They need to become the hands and feet for the AIs.
Sam Jones: That's their only path to survival. But re-architecting is brutally expensive, and investors hate it.
Ori Wellington: Investors hate it because it kills short-term margins. The CFO gets on the earnings call and says, "Why are you spending 40% of revenue on R&D to rebuild the back end? Just sell more of the old licenses."
Sam Jones: So the CEO of a tier three vendor is in an incredibly tough spot. If they pivot hard, their stock tanks today. If they don't pivot, their company dies tomorrow.
Ori Wellington: That is the ultimate leadership test, isn't it? Are you optimizing for the next quarter or are you optimizing for survival in the agentic era?
Sam Jones: And clearly someone passed that test because there is one vendor and only one in tier one.
Ori Wellington: It's just one. All alone. Again, we are not naming them here. You have to go to rtj-bridge.com to see the full list. But Sam, can you give us the characteristics of this tier one vendor? Without giving away the name, what did they do right?
Sam Jones: I think the simplest way to put it is they prioritized architecture over marketing. Meaning they likely started their life in the performance layer. They didn't start as a compliance tool. They probably started as an operational tool, something that monitors IT assets or manages third party data pipes or handles cybersecurity incidents in real time.
Ori Wellington: So they have the control plane DNA from the very beginning.
Sam Jones: Yes. And because they were already built on that foundation of streaming operational data, the real truth of what is happening second by second, it's relatively easy for them to build the compliance reports on top of that.
Control Planes As The Safe Harbor
Ori Wellington: Ah, so it's much easier to go from deep performance up to shallow compliance than it is to try and go from deep compliance down into the weeds of performance.
Sam Jones: Infinitely easier. You can always summarize a rich stream of real-time data into a simple report. You can never ever explode a simple static report back into a rich stream of data. The tier one vendor understood from day one that the data model is destiny.
Ori Wellington: Data model is destiny. I like that. It sounds like something John Wheeler would put on a slide.
Sam Jones: He probably has many times.
Ori Wellington: So let's bring this home for our listeners. We have a lot of different people listening to this show. Let's start with the buyers, the CISOs, the CROs, the heads of audit. You are sitting there with a $2 million renewal contract for a market leader on your desk. What do you do?
Sam Jones: You pause, you do not sign it blindly, and you need to call your vendor and ask three very specific, very uncomfortable questions.
Ori Wellington: Give them to us.
Sam Jones: Question one: show me how your platform executes a remediation action without any human intervention.
Ori Wellington: Not how do I document it in your platform, but how does the platform actually do it?
Sam Jones: Exactly. Question two: show me your API documentation for agentic AI, not a chatbot for humans, an API designed for machines. Can my internal AI agents read and write to your platform at scale programmatically?
Ori Wellington: And if their answer is, "Oh yeah, we have a REST API from 2015," that's a big red flag.
Sam Jones: Huge red flag. Agentic APIs need to be granular, high speed, and bidirectional. It's a different world. And finally, question three: what is your detailed roadmap for moving your architecture from assurance to performance?
Ori Wellington: And if their answer is just "we are adding a new Gen AI button to help you write reports faster."
Sam Jones: Then you know they are stuck deep in the integration trap. And you should probably go look at the index to see who is in tier one or tier two.
Ori Wellington: Okay, what about the investors? We mentioned that Morgan Stanley stat earlier: $235 billion in U.S. leveraged loans are exposed to AI risk.
Sam Jones: Investors need to get sophisticated and they need to do it fast. You have to stop looking at annual recurring revenue, or ARR, as the only metric of health. High ARR in a tier five business model is just a measure of how far you have to fall.
Ori Wellington: So you need to look at the quality of revenue. Is that revenue coming from seat licenses for humans, which is a high risk category, or is it coming from consumption fees for automation, which is safe?
Sam Jones: That's the key. If the vendor charges per user and AI is steadily reducing the number of human users, their revenue model is structurally short AI. If they charge per transaction or per asset managed, they grow as AI adoption grows.
Ori Wellington: That is a crucial distinction. Seat licenses are a short position on AI. Consumption models are a long position on AI.
Sam Jones: You got it.
Ori Wellington: And finally, for the vendors themselves, for the people working at these companies, in product or in strategy, what's the message for them?
Sam Jones: It's time to be brutally honest with your leadership. If you are building features that just make the clipboard prettier, you are rearranging deck chairs on the Titanic. You have to push for deep operational integration. You need to push for control plane capabilities.
Ori Wellington: Even if it's hard, even if it's expensive and tanks the stock for two quarters.
Sam Jones: Especially because it's hard. The hard is the moat. Writing reports is easy. AI can do it. Autonomously controlling a complex enterprise environment is hard. AI needs you for that. Build the hard stuff.
Ori Wellington: Build the hard stuff. That seems like the perfect message for 2026.
Sam Jones: It's the only strategy that's left.
Citi’s Build Signal: Stylus Workspaces
Ori Wellington: This has been honestly a bit of a wake-up call, Sam. We look at these quadrants and these awards and we just assume leadership is a static thing. But this research really shows that the ground is shifting right under our feet.
Sam Jones: The tectonic plates are moving. And when they move, the biggest, tallest buildings, the market leaders, often take the most damage if their foundations aren't built on solid rock.
Ori Wellington: For everyone listening, you really need to see this data for yourself. You need to see where your vendors land, where your competitors land, and where your investments land.
Sam Jones: The full research includes the specific tier assignments for all 50 vendors. It has seven deep dive vendor profiles, and it has the 12-question evaluation framework so you can actually test your own tech stack against these principles.
Ori Wellington: And it is available exclusively on the RTJ Bridge. That is rtj-bridge.com. Or you can visit wheelhouseadvisors.com for more context on the methodology.
Sam Jones: And frankly, Ori, if you consider the cost of making a bad vendor choice right now, locking yourself into a three-year deal with the platform that's dying, the subscription cost is a rounding error. This is institutional grade competitive intelligence at a fraction of the legacy cost.
Ori Wellington: The category creator, John Wheeler, is now the one holding the category accountable. I just, I love that narrative arc. If there has ever been a time to subscribe, this is definitely it.
Sam Jones: Couldn't agree more.
Ori Wellington: Sam, thank you for guiding us through the trap.
Sam Jones: Always a pleasure, Ori.
Ori Wellington: And thank you all for listening to the Risk Wheelhouse edition of the Deep Dive. I'm Ori Wellington.
Sam Jones: And I'm Sam Jones.
Ori Wellington: But don't get trapped. Stay durable. We'll see you next time.