The Risk Wheelhouse

S5E4: Unified IRM - AI Governance, Acquisitions and Alliances

Wheelhouse Advisors LLC Season 5 Episode 4

The ground under GRC is shifting, and it’s not subtle. We break down how unified integrated risk management is replacing checklist compliance with an operating model that ties performance, resilience, assurance, and compliance together. From AI governance to ESG at the board level, we follow the money, the deals, and the data to show where risk management is actually going—and how to get there without drowning in spreadsheets.

We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance.

For leaders in regulated industries, we highlight practical gains from automated evidence collection, pre-built control content, and faster audit cycles—and we hammer on outcome proof as the only real test of integration. You’ll leave with three actionable steps: treat AI governance as foundational, demand verified customer outcomes, and pair your platform with expert implementation to deliver value in 90 days. We close by exploring the next frontier: agentic AI for continuous control monitoring, and the new risks that come when machines start guarding the machines. Subscribe, share with a colleague who owns risk or audit, and leave a review telling us the one metric you need to trust a platform’s integration.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.



Ori Wellington:

Okay, if you're working in governance, risk, or compliance today, um you definitely know the job is changing. I mean, faster than ever.

Sam Jones:

Oh, absolutely. You've got AI completely reshaping operations.

Ori Wellington:

Right. And then new global rules like the EU AI Act demanding attention like yesterday.

Sam Jones:

Yeah.

Ori Wellington:

Plus all the ongoing geopolitical stuff. It's a lot.

Sam Jones:

It really is. How do you keep up, or maybe even get ahead of it?

Ori Wellington:

So yeah, that's what we're digging into today. We're doing a deep dive on some really key recent industry moves, acquisitions, partnerships that all seem to be pointing pretty strongly away from that old silo GRC approach.

Sam Jones:

And towards something the market's starting to call uh unified IRM, integrated risk management.

Ori Wellington:

Unified IRM. Okay, and look, it's really crucial to get this. Unified IRM isn't just slapping a new label on GRC. It's a totally different operating model. How so? Well, it forces platforms, data, and even services to line up across four specific pillars: performance, resilience, assurance, and compliance. They have to connect. Wait, hold on. Why those four? What makes that the right framework now? Ah, because today risk doesn't just stay in one box, does it? Think about it. A supply chain problem, it's just resilience, right?

Sam Jones:

But it hits your quarterly earnings.

Ori Wellington:

Yeah.

Sam Jones:

Performance. You need a system that connects those dots automatically.

Ori Wellington:

Got it. And assurance and compliance fit in how?

Sam Jones:

Well, assurance is making sure your controls actually work. They're effective. And compliance, that's making sure you're meeting all the rules, the regulations. The whole point is that one single event, whatever it is, feeds into a shared understanding, a common language, driving actions across the whole business. That just wasn't happening when GRC was more of a checklist exercise.

Ori Wellington:

That makes a lot of sense. So it's less defensive compliance and more about actually enabling the business, maybe even finding opportunities.

Sam Jones:

Exactly. And the deals we've been tracking just this past week show this isn't just theory, it's happening. Especially with getting AI oversight built in, you know, operationally at scale. Right. So for you listening, the big takeaway signal seems to be buyers aren't looking for just point solutions anymore. They need these integrated models. They really do. They want something that handles the full life cycle. Okay.

Ori Wellington:

So let's unpack the biggest one first. AuditBoard agreeing to acquire FairNow. That's a purpose-built AI governance platform.

Sam Jones:

Yeah, that was a significant move.

Ori Wellington:

I bet anyone trying to manage AI risk right now feels like they're drowning and spreadsheets scattered everywhere. Is that the pain point here?

Sam Jones:

That's precisely it. And what's interesting, I think, is that AuditBoard didn't just like build a new module. They went out and bought a dedicated engine for this. FairNow slots these essential capabilities right into the main platform. Things like an AI registry, which is crucial for just knowing what models you even have.

Ori Wellington:

Okay, inventory first. Right. Then dynamic risk assessments, because AI models change, they learn, the risk isn't static. And the really key part, automated compliance mapping. Automated mapping. That sounds like where the rubber meets the road. What specific regulations are we talking about? The big ones everyone's worried about.

Sam Jones:

Yes. This integration is clearly aimed at the heavy hitters, the ones that are becoming non-negotiable if you're using AI seriously. So that's the NIST AI Risk Management Framework.

Ori Wellington:

Okay, the US standard.

Sam Jones:

The international standard, ISO 42001, and probably the most urgent one for many, the EU AI Act.

Ori Wellington:

Right. The EU AI Act is huge. So this acquisition basically says AI governance isn't an add-on anymore.

Sam Jones:

Exactly. It's becoming a core expected capability of your main GRC, sorry, IRM platform. Table stakes.

Ori Wellington:

And connecting this wider, this deal happened basically at the same time AuditBoard extended its alliance with EY US.

Sam Jones:

It did, yeah.

Ori Wellington:

Which points to this services plus software model that sources are talking about.

Sam Jones:

Absolutely. Look, just think about the EU AI Act alone. It's complex, it's not enough just to have the software tool.

Ori Wellington:

Right. You need someone to help figure it out.

Sam Jones:

Platform vendors are realizing they have to pair these advanced AI governance features with serious consulting muscle. That EY relationship helps speed up adoption, helps clients actually get value faster.

Ori Wellington:

But hang on, that raises a question, doesn't it? If the software is so integrated and easy to use, shouldn't companies need less consulting help?

Sam Jones:

Huh. Yeah, that's a great point. It's kind of a necessary tension right now.

Ori Wellington:

Conflict of interest, maybe?

Sam Jones:

Well, maybe short term. But right now, just interpreting the regulations and designing the actual AI governance program, the policies, the roles, the strategy, that's still really new and complex for most organizations. Okay. So firms like EY help set up that structure, get the program running. And then the software automates the day-to-day execution, the monitoring, the evidence.

Ori Wellington:

So for the buyer, the takeaway is you probably need both technology and some expert help to get these new AI risk programs off the ground successfully.

Sam Jones:

That seems to be the winning formula right now, yes. Program enablement alongside the tech.

Ori Wellington:

Okay. So AI governance is moving into the core IRM platform and it needs advisory support. But this unification trend, it goes beyond just AI risk, right? Oh, yeah. We're seeing big moves connecting things up to the boardroom level too, especially around ESG. Let's talk about that Diligent and Persefoni partnership.

Sam Jones:

Right. So Diligent, they're strong in board governance, reporting, disclosures. Persefoni is all about carbon accounting, the environmental data.

Ori Wellington:

Okay, so connecting those two.

Sam Jones:

It's primarily about helping companies with sustainability reporting, sure. But for risk leaders listening, this is a really strategic bridge. It connects that high-level board oversight, what gets disclosed, directly with the nitty-gritty operational ESG data.

Ori Wellington:

Which effectively pulls ESG out of just being a reporting silo.

Sam Jones:

Exactly.

Ori Wellington:

And makes it a core risk concern.

Sam Jones:

Precisely. The real insight here is that ESG data, especially things like climate risk, supply chain exposures related to climate, it needs much tighter integration with your operational risk programs.

Ori Wellington:

Because you can't really measure your overall resilience if you don't factor in climate impacts on your operations or your financial performance. You got it. This partnership is another signal. ESG data is moving firmly into the central risk picture. Okay, so board-level reporting and operational risk are connecting. Where else is this unification playing out? Let's maybe pivot to specialized compliance. We saw that alliance between Hadrius and Salus GRC.

Sam Jones:

Yeah, that's an interesting one, focused on highly regulated industries.

Ori Wellington:

What, financial services?

Sam Jones:

Exactly. Financial services, maybe healthcare. For them, that assurance pillar proving controls are working is absolutely critical. This alliance is about delivering AI-powered compliance tools. Okay. But crucially, unifying those very specific compliance workflows directly with the broader risk oversight picture. Because honestly, these sectors are just drowning in compliance checks and audit requests.

Ori Wellington:

So what's the tangible benefit? How does unifying that help them?

Sam Jones:

It really comes down to measurable efficiency, making that assurance cycle faster and less painful. Buyers in these regulated industries should be looking for real proof points now. Like what? Things like pre-built content packs for specific regulations, controls already mapped to requirements, and real-time evidence automation.

Ori Wellington:

Automated evidence. How does that work?

Sam Jones:

Well, say a control needs daily proof, maybe checking system access logs. An integrated system could potentially automate pulling that log, checking it, and linking it as evidence for the control.

Ori Wellington:

Oh, okay. So less manual chasing.

Sam Jones:

Exactly. The promise is a dramatic cut in audit cycle times and manual effort. That's how you prove the integration is actually delivering bottom line value.

Ori Wellington:

And speaking of delivering value, maybe we should just briefly touch on the capacity building signal, Riveron acquiring Eden Data.

Sam Jones:

Right. That fits the pattern.

Ori Wellington:

Expanding their risk and compliance advisory services, adding more digital and security expertise. It just seems to confirm what we've been saying.

Sam Jones:

Yeah, buyers want the enablement piece alongside the technology. They need people who know how to set up, configure, and actually drive value from these increasingly integrated systems. Okay. So if we kind of zoom out and pull all these moves together, the acquisitions, the partnerships, the advisory growth, we can actually see it reflected in broader research too.

Ori Wellington:

Oh, really? Like what?

Sam Jones:

Well, the recent Riskonnect 2025 survey findings really back this up. That research showed this widening gap.

Ori Wellington:

Oh, yeah. Between what?

Sam Jones:

Between the potential impact of new risks, especially things like geopolitics and AI, and how prepared organizations actually feel they are.

Ori Wellington:

Ah, the preparedness gap. Yeah, I've seen that.

Sam Jones:

And that gap is basically forcing companies to rethink their budgets. They're shifting investment away from older siloed systems towards these modern, integrated platforms that are actually designed to handle this new level of complexity.

Ori Wellington:

Okay, that makes perfect sense. So let's translate all these market signals into some practical advice for you, the listener, whether you're looking at buying software soon or just planning your risk roadmap.

Sam Jones:

Right. Based on everything we've discussed, the first big takeaway has to be treat AI governance as table stakes immediately. Absolutely. If AI touches any part of your customer-facing stuff or your core operations, having robust AI governance within your IRM platform isn't optional anymore. It's foundational.

Ori Wellington:

So you need to check your current systems or potential vendors.

Sam Jones:

Yes. Validate that they can fully support the mapping, the controls, the evidence needed for NIST AI RMF, ISO 42001, and especially the EU AI Act.

Ori Wellington:

And ensure it connects.

Sam Jones:

Critically. Make sure your AI model inventory, the use case approvals, all of that flows seamlessly into your existing audit workflows, your remediation tracking, your reporting. If it doesn't, you've got a major platform gap to address. Okay, solid advice. Second major takeaway: demand outcome proof for integration. Don't just take their word for it or look at pretty slides. Yeah, be skeptical of the marketing hype, what some call slideware. You need a critical eye here.

Ori Wellington:

How do you do that? Well, like in our own internal vendor compass analysis, we look hard at two things. Solution coverage: do they have the features? But more importantly, the level of integration: do those features actually work together seamlessly?

Sam Jones:

Yeah.

Ori Wellington:

And how does a buyer test that?

Sam Jones:

Don't just look at feature lists. Ask for verified customer outcomes. Real proof points. Ask for, say, documented examples of reduced audit cycle time because of automated evidence. Or uh customer references who can quantify how much faster they onboarded vendors after implementing measurable results. Exactly. If the integration is real, the benefits should be measurable in dollars saved or days reduced. Makes sense.

Ori Wellington:

Okay, third practical takeaway, and this ties back to that AuditBoard EY alliance. Pair platform with services from day one. Yes. Don't assume you can just buy the software and figure out complex new areas like AI governance entirely on your own, especially not quickly.

Sam Jones:

So learn from that EY alliance model. Use it as a best practice example. Define your internal roles clearly, sure. But get a named delivery partner involved early. And then focus on a tight, maybe 90-day plan aimed at delivering quick, tangible value.

Ori Wellington:

And what should that value look like? It should map directly back to those four IRM pillars we talked about. Performance, resilience, assurance, compliance. Getting your foundational AI model inventory stood up, maybe automating some initial control testing within that first 90 days, that should be achievable now with the right platform and the right advisory support working together. So wrapping this up, what we've tracked today, this pattern of acquisitions plus alliances, it really feels like more than just cosmetic changes.

Sam Jones:

Oh, it's definitely structural.

Ori Wellington:

It seems like managing these big emerging risks, especially AI, is getting hardwired into the daily operating rhythm of risk management. It's not just an overlay project anymore.

Sam Jones:

No, it's becoming the core. And looking ahead, the winners in this consolidating market, I think, will be the vendors who can go beyond just talking about features.

Ori Wellington:

They need to prove the integration works.

Sam Jones:

Yes. And prove it with outcomes customers can measure in months, not years. That fast ROI is what's justifying this big budget shift we're seeing towards integrated platforms.

Ori Wellington:

Okay. So that structural shift leaves us with maybe one final provocative thought for you to consider as you plan your own risk roadmap. Given this trend of specialist alliances like Hadrius and Salus GRC and the board ESG convergence with Diligent and Persefoni, how quickly do you think vendors will start adding agentic AI?

Sam Jones:

You mean AI that can act on its own? Yeah.

Ori Wellington:

AI agents to actually perform tasks like automating evidence collection or even doing continuous control monitoring autonomously.

Sam Jones:

Interesting. That could be powerful.

Ori Wellington:

It could. But maybe more importantly, if we get that level of automation and compliance assurance, what new, maybe unexpected risks does that introduce into your control environment?

Sam Jones:

That's a really good question. How much autonomy do you give the machines guarding the machines?

Ori Wellington:

Exactly. Something to think about as you decide just how integrated and automated you want your risk systems to become.