AI is rewriting the rules of risk management

Times

14-05-2025

With cyber risks and compliance demands increasing, automation is quickly becoming the smartest way for businesses to stay secure, agile and ahead of the curve
Organisations today face unprecedented challenges when it comes to managing risk. More applications, increased cloud migration and the proliferation of software-as-a-service solutions have dramatically expanded the threat landscape. Meanwhile, security teams are struggling with strict regulations, shrinking budgets and talent shortages.
At the same time, chief information and security officers are keen to demonstrate the business value that the security function provides, rather than just being viewed as a cost centre. They want to convey cybersecurity's role in mitigating risk, achieving compliance standards and helping to win new business.
It is against this backdrop that artificial intelligence (AI) presents a double-edged sword, often representing both a significant threat and a powerful solution.
Cybercriminals are using AI to create more convincing phishing attempts and generate more complex attack codes. But AI-powered tools are also providing unprecedented capabilities in risk management and compliance.
'We're seeing more vulnerabilities and attack vectors than ever before,' explains Jeremy Epling, chief product officer at Vanta. 'AI is being used by attackers to create new threats, whether through sophisticated phishing attempts or AI-generated attacks.
'But AI also gives us a capability we never had before: dealing with unstructured data. So much of compliance and security revolves around documents and screenshots, and now we have an entirely new way to understand and provide value.'
Vanta's most recent The State of Trust Report reveals a striking insight: 77 per cent of IT decision-makers believe automation can relieve the manual burden of compliance, saving them time and money. Yet only 60 per cent of business leaders agree. This gap likely stems from a fundamental misunderstanding of the manual burden faced by security teams, says Epling.
'It boils down to who feels the pain every day. Business leaders are looking at the numbers and the ROI and driving the business, but they're not living in these tools every day and building a deep appreciation for how many hours get sucked into these reviews,' he explains. 'Governance, risk and compliance has been underserved for a long time in terms of providing a high level of innovation and helping to drive efficiencies.'
Businesses are spending more time than ever before on compliance. In the UK, companies already dedicate 12 working weeks per year to keeping operations compliant. Security teams in particular often dedicate far more time to compliance than to other value-adding activities, such as cyber strategy and threat mitigation.
Here, intelligent automation offers multiple operational benefits. 'AI can help generate secure code, automate remediation processes and provide a single pane of glass for your entire security programme,' Epling says.
For example, AI can automatically respond to complex security questionnaires and analyse vendor documents, identifying risks and providing actionable insights. It can also ensure consistency around security policies, as AI can detect irregularities across multiple policy documents. Automated systems can also immediately identify documentation issues, which can help prevent last-minute audit complications.
'Instead of spending hours manually reviewing documents and copy-pasting responses, AI can take a first pass on these tasks,' says Epling.
Perhaps most importantly, intelligent automation enables security teams to be seen as strategic business enablers rather than cost centres. 'When you achieve compliance standards, you can unlock new markets and win additional business,' Epling says.
He continues: 'Automation helps us clearly show time savings and improvements in efficiency. For example, when teams use Vanta's automated workflows, we can quantify how much faster they're completing tasks compared to before. That makes it easy for security leaders to go back to their management and explain the tool's value.'
But it's not just security teams that benefit from automation tools, he explains; these systems can also help engineering and IT teams to work more efficiently. 'Since they're not in the security trenches every day, giving them focused, actionable remediation guidance, along with context about why it matters, helps them prioritise effectively,' Epling says.
And with Vanta's tools, such as automated questionnaires, customers are constantly providing feedback to help the firm improve its programmes.
'It's a way to turn security from a cost centre into a growth enabler,' says Epling. 'When you can show how your trust posture helps close deals faster or opens new opportunities, it becomes a clear business-value driver. And it bridges the gap between security teams and leadership, so they're finally speaking the same language.'
For organisations considering intelligent automation, Epling offers some practical guidance.
The first step is to start small – focus on specific areas such as supplier risk or questionnaire management. Then trial AI tools with existing documents and policies, and make sure the AI solutions provide clear citations and explanations.
Epling also advises organisations to consider comprehensive platforms that offer a holistic view of governance, risk and compliance.
'For startups and small businesses, there are tools designed to help you get your first certification,' says Epling. 'You don't need prior knowledge – the right platform will guide you step by step.'
As cyber threats become more sophisticated and the compliance burdens increase, intelligent automation isn't just a 'nice-to-have' – it's becoming a necessity.
Such automation marks a transformative approach to risk management. By embracing AI-powered tools, organisations can not only mitigate risks more effectively but also turn compliance into a strategic business advantage.
'The goal is to spend less time on paperwork and more time on deep, impactful security work that truly protects your organisation,' says Epling.
As cyber threats continue to evolve, the message is clear: intelligent automation isn't just a technological upgrade, it's a critical component of your security strategy.
To learn more, please visit vanta.com