GRC Market Evolution: How the automation vendors redefined the competitive landscape
Analyzing the GRC automation landscape, opportunities and challenges facing this nascent but exciting market segment
This week, Venture in Security is excited to feature a guest article from Ayoub Fandi. Ayoub is the founder of the GRC Engineer newsletter, host of the GRC Engineering Podcast, and a Staff Security Assurance Engineer at GitLab. He recently brought together executives from seven leading GRC automation platforms for a first-of-its-kind industry roundtable. If you are interested in the GRC space but aren’t yet following Ayoub’s insights, I suggest you start now.
Ayoub's focus is on bridging traditional GRC with modern engineering approaches. In this piece he’s trying to build a landscape of the GRC automation space and give visibility into the opportunities and challenges facing this nascent but exciting industry.
Beyond buzzwords: the true GRC market evolution
The Governance, risk, and compliance (GRC) market is experiencing something more nuanced than simple commoditization or democratization. When you look past surface-level discussions, a more interesting pattern emerges: market segmentation driven by fundamentally different business needs and value propositions. This isn't about technology - it's about how different segments of the market approach security and compliance in radically different ways.
What's particularly fascinating is how this segmentation is affecting product development. While vendors push toward "unified platforms," the actual needs of different market segments are diverging more than ever. This isn't about features or capabilities either – it's about fundamentally different business outcomes and operational realities that vary wildly between segments.
Understanding market forces driving GRC segmentation
The traditional lens of GRC as a monolithic market has led to widespread misunderstanding of what's actually happening in the industry. Rather than a simple race to the bottom on price or lowering of barriers to entry, we're witnessing fundamental market forces creating distinct segments with unique economic models. Several key drivers are reshaping the GRC landscape:
Economic Pressures: Budget constraints across different organization sizes create vastly different purchasing behaviors. Startups seek minimal viable compliance at the lowest cost, while enterprises require comprehensive solutions with demonstrable return on investment (ROI) across complex environments.
Regulatory Proliferation: The explosion of industry and regional regulations creates varying compliance burdens. Small companies may need basic framework coverage, while global enterprises must navigate overlapping and sometimes conflicting requirements across jurisdictions.
Technology Evolution: The shift to cloud infrastructure, DevOps practices, and API-driven architectures has fragmented the technical landscape. Organizations at different maturity levels have fundamentally different technical capabilities to implement and integrate GRC solutions.
Sales-Driven Compliance: Perhaps most significantly, compliance has evolved from a risk management function to a revenue enablement requirement. The rise of enterprise security questionnaires has transformed GRC from a cost center to a sales prerequisite, especially for startups and SaaS companies.
Talent Scarcity: The limited availability of talented GRC professionals creates different implementation realities. Startups often lack dedicated compliance staff entirely, while mid-market companies operate with small teams that must cover extensive requirements.
These forces don't merely create price sensitivity differences – they drive fundamentally divergent needs, purchasing behaviors, and success metrics across market segments. Understanding these underlying dynamics is essential for both vendors and buyers to navigate the increasingly specialized GRC landscape.
From startups to enterprises: three distinct GRC universes
The five forces that reshaped the GRC landscape have produced different realities in each market segment. Each segment builds on the previous one while introducing its own challenges that vendors have to address.
1. Startup/SMB: Sales-driven compliance (<1 GRC FTE)
This segment represents something fascinating: the complete reimagining of compliance as a sales enablement function. Consider a typical scenario: A pre-Series B startup lands their first enterprise customer meeting. They have 30 days to get SOC 2 certified. Their CTO is juggling infrastructure security, AppSec, and cloud security. They don't need comprehensive GRC, they need to close deals.
This dynamic has created what I call "compliance MDR" - managed compliance delivered through automation. The economics here are compelling: short sales cycles (30-45 days), low customer acquisition costs, and natural expansion opportunities as companies grow. Vendors in this space have transformed what was once a complex, lengthy process into something that looks more like a product-led growth motion.
What's particularly interesting is how this segment approaches security and compliance. They're not looking for depth - they're looking for speed and simplicity. Modern GRC platforms have recognized this, offering what essentially amounts to "compliance as a service" - managed offerings wrapped in automation that can get companies compliant quickly. Connect your cloud accounts, answer some questions, and you're certified.
The implications here are significant. While some argue this approach "commoditizes" compliance, I'd argue it's actually democratizing basic security practices. Yes, these implementations aren't as sophisticated as enterprise programs, but they're significantly better than the nothing these companies had before.
2. Mid-market: the technical reality check (1-5 GRC FTEs)
The mid-market segment is where GRC automation claims meet technical reality. These companies have outgrown basic compliance needs but lack enterprise resources. They're dealing with hybrid environments, multiple frameworks, and growing requirements - but without the budget for comprehensive GRC teams.
What makes this segment particularly challenging is the growing gap between their needs and available solutions. Most GRC platforms are either built for startups (too simple) or enterprises (too complex and expensive). Mid-market companies need something in between, but the market hasn't quite figured out how to serve them effectively. An interesting pattern is emerging here: these companies typically start with basic compliance automation but quickly need to add additional frameworks, modules, and capabilities. The initial $25-50K they are prepared to pay for compliance tooling can easily expand to $150-250K within 18-24 months, driving net revenue retention for GRC startups to well above 130%. The challenge – and opportunity – lies in serving this segment's evolving needs without letting customer acquisition costs spiral.
The technical reality in mid-market companies is especially fascinating as they represent a uniquely underserved segment. With 1-5 GRC professionals, many of these organizations established their compliance programs before modern automation tools existed, creating elaborate systems using spreadsheets, shared drives, and productivity suites to manage increasingly complex requirements. Their technology landscape typically includes a challenging mix of commercial off-the-shelf products, legacy systems, IoT devices, homegrown applications, and various SaaS solutions - creating a far more complex integration challenge than startup environments. This established infrastructure creates a significant barrier to adoption: the solution must be customized enough to address their specific needs but not so complex that implementation requires months of professional services and hidden costs. For many mid-market GRC teams, the true competition isn't between various GRC platforms, but whether the proposed solution offers enough value to justify moving away from their deeply entrenched Office 365 or Google Workspace-based processes that, while imperfect, are essentially free and already integrated with their workflows.
Despite vendor messaging, what many platforms position as "enterprise solutions" are actually mid-market offerings in disguise. This marketing mismatch creates confusion in the marketplace. When you examine customer profiles closely, many vendors claiming to serve Fortune 500 enterprises are primarily selling to companies with 500-2000 employees and modest GRC teams. These customers face significant compliance challenges but lack the organizational complexity and regulatory burden of true enterprises. The disconnect becomes apparent when these solutions encounter the complex stakeholder landscapes and legacy system integration requirements of genuine enterprise environments. This misalignment explains why many "enterprise" GRC automation vendors struggle to gain meaningful traction with Fortune 100 companies while finding success with growing mid-market organizations.
3. Enterprise: the integration challenge (5+ GRC FTEs)
Enterprise GRC represents a fundamentally different market dynamic. These organizations aren't starting from scratch - they have established GRC programs, legacy systems that can't be easily replaced, and complex compliance requirements spanning multiple jurisdictions. Their technological landscape defies simple API-driven automation, featuring a diverse mix of homegrown solutions, commercial off-the-shelf products, legacy systems, IoT devices, and various SaaS/PaaS deployments - many with limited or no API capabilities.
Organizationally, they contend with multiple business units where compliance ownership is distributed across numerous business leaders, each with their own priorities and processes. This environment demands sophisticated control orchestration rather than just automation, addressing challenges like inconsistent control execution, variable evidence collection methods, and the need to coordinate both preventive and detective controls across disparate systems. With stakeholder relationships and governance structures that have evolved over decades, enterprise GRC requires nuanced approaches that acknowledge these technological and organizational realities.
What's particularly interesting about this segment is how it approaches vendor selection. Unlike startups that can adopt new tools quickly, enterprises need solutions that can integrate with, enhance, and gradually replace existing investments. As one CISO recently told me, "We don't need another tool - we need our existing tools to work better together."
The data aspect here is crucial. Enterprises aren't just looking for automation - they need completeness and accuracy in their compliance data. They often have what one vendor called "the top tier auditors" who demand real data, not just green checkmarks. This creates an interesting dynamic where vendors must prove not just that they can automate processes, but that they can maintain the rigor enterprises require.
This reality has driven a distinctly modular approach to GRC automation in enterprise environments. Many organizations already have significant investments in platforms like ServiceNow, Archer, or MetricStream where GRC is just one function among many, and often GRC teams aren't the business owners of these systems. This creates a complex dynamic where GRC automation vendors must position themselves as complementary solutions rather than replacements.
The most successful enterprise GRC automation strategies focus on targeted enhancements to existing capabilities - AI-powered questionnaire automation that feeds into legacy systems, third-party risk management (TPRM) modules that integrate with existing vendor management processes, or evidence collection engines that supply data to established GRC platforms. This approach acknowledges organizational realities while still delivering measurable improvements.
The challenge of enterprise GRC modernization isn't technical - it's organizational. Change management, stakeholder buy-in, and process adaptation are bigger hurdles than any technical integration. The most successful vendors in this space understand that they're not replacing existing systems; they're enhancing them through a pragmatic, modular approach that respects established workflows while incrementally improving capabilities.
How enterprises actually adopt GRC automation
The evolution of implementation models represents one of the most fascinating aspects of the current GRC market. The traditional approach of full platform adoption is giving way to more nuanced strategies:
Middleware adoption
Many enterprises are adopting GRC automation tools as a data layer between their existing systems rather than as a complete platform replacement. This approach allows them to enhance rather than replace existing investments.
These organizations typically maintain their established GRC platforms while using new automation tools to feed higher-quality data into these systems through APIs and integration points. This creates a "best of both worlds" scenario where they leverage existing workflows while improving data quality and reducing manual effort.
Modular implementation
Organizations are increasingly taking a modular approach to GRC automation, starting with specific pain points and expanding based on success. Rather than attempting full-scale implementations, they begin with focused modules like evidence collection, vendor management, or policy administration.
This creates interesting dynamics in vendor offerings, with many now structuring their platforms as collections of semi-independent modules that can be adopted incrementally. Companies typically start with evidence collection automation or questionnaire automation before expanding to control monitoring and eventually risk management capabilities.
Data-first architecture
The most successful implementations are those that focus on data quality and completeness first, building automation and workflows on top of a solid data foundation. These organizations invest heavily in establishing clean data models, consistent taxonomies, and reliable data sources before attempting to automate processes or generate insights.
By ensuring high-quality inputs, they avoid the "garbage in, garbage out" problem that plagues many GRC implementations and build programs that deliver genuine security insights rather than merely documenting compliance activities.
From compliance to trust: the revenue-driven transformation
The evolution of compliance from a checkbox exercise into a critical business enablement function represents perhaps the most significant shift in the GRC landscape. This transformation has fundamentally altered both how organizations approach security assurance and what they expect from their GRC tools.
Trust Centers have emerged as the visible face of this transformation. What began as simple security documentation repositories have evolved into sophisticated platforms that actively demonstrate security posture to customers and partners. These modern trust centers provide real-time evidence of control effectiveness, automate responses to security questionnaires, and serve as the primary interface between an organization's security practices and external stakeholders.
The strategic importance of this trend is evident in recent market consolidation. Drata's acquisition of SafeBase and Vanta's purchase of TrustPage signal a clear convergence of compliance automation and trust demonstration capabilities. These acquisitions make strategic sense: while Trust Center platforms drive significant revenue, they have limited upside as standalone products. Their true value emerges when they function as a central interface connecting internal security controls with external third-party risk management processes.
This connection between internal compliance and external trust demonstration is driving what I call "continuous trust demonstration" - the practice of transforming compliance evidence into powerful trust signals. Organizations now recognize that the same data points collected for internal compliance can serve as compelling security assurances for customers and partners. This realization is driving investment in continuous evidence collection, automated verification, and real-time monitoring systems that can simultaneously satisfy compliance requirements and build customer trust.
The vendors who can effectively monetize this trend while maintaining strong gross margins are seeing expansion rates well above industry averages. By addressing both compliance efficiency and sales enablement within a single platform, these solutions represent one of the most promising growth vectors in the broader security market - transforming GRC from a cost center into a revenue enabler.
Market implications of the sticky segmentation
The segmentation we're seeing in the GRC market creates distinct implications for different stakeholders. Let's examine what this means in practice.
For vendors, the key strategic question isn't about building the most comprehensive platform - it's about choosing which segments to serve effectively. The vendors showing the most interesting growth patterns are those who've recognized that excellence in one segment is more valuable than mediocrity across all of them. Consider how this plays out in the real world: Anecdotes has found its success by narrowing down on data needs for more established GRC programs, while Vanta has effectively captured the startup segment by optimizing for speed to value. These aren't just different go-to-market strategies - they're fundamentally different businesses solving different problems.
The enterprise segment presents a particularly thorny challenge for vendors. Each large organization has evolved highly customized GRC processes, often predating modern platforms entirely. The subjectivity and organizational context embedded in these legacy programs makes them exceptionally difficult to standardize or automate. This is why so many vendors find it more efficient to capture companies earlier in their compliance journey - establishing themselves as the foundation that scales with the organization. This "grow with your customers" approach creates a compelling dynamic: vendors build out integrations and connection coverage early, and those capabilities become selling points as the customer scales. By the time an organization reaches enterprise scale, the platform is already embedded in its processes and workflows, making displacement by enterprise-focused solutions significantly more difficult.
For enterprises, this segmentation means the end of the "one platform to rule them all" dream. The future isn't about finding a single vendor who can do everything - it's about choosing the right combination of specialized solutions that integrate effectively. This mirrors what we've seen in the broader security market, where best-of-breed solutions continue to thrive despite platform consolidation efforts.
The future state of GRC: predictions that will shape the industry
Looking ahead, several patterns become clear:
First, trust platforms will likely supersede traditional certifications. Vendors will build end-to-end trust management platforms that circumvent traditional certifications like SOC 2, providing real-time control verification and direct assurance through Trust Centers. While compliance automation focuses on internal efficiency, trust management addresses the external demonstration of security posture. This shift would fundamentally change how organizations demonstrate security posture to customers, replacing point-in-time attestations with continuous verification. The vendors who recognize and optimize for this distinction will create more value than those trying to blur the lines between compliance and trust.
Second, segment-specific GRC platforms will emerge as the norm. The market will fragment further into highly specialized solutions for each segment rather than continuing the one-size-fits-all approach. We'll see dedicated enterprise data platforms, mid-market hybrid solutions, and SMB compliance accelerators each with features and capabilities specifically designed for their target segments. Integration capabilities will become the key differentiator in this specialized landscape - the winners won't be those with the most features, but those who can best integrate with segment-specific workflows and tools. For enterprise vendors, this means deep integration with existing GRC platforms. For startup-focused vendors, this means seamless connectivity with cloud infrastructure and development tools. This specialization will allow vendors to better address the unique challenges of each market segment instead of attempting to serve everyone with compromise solutions.
Third, continuous compliance will replace point-in-time audits, though adoption will vary significantly by market segment. The traditional annual audit cycle will increasingly shift toward continuous compliance verification, with certifications evolving into more dynamic instruments. Startups and mid-market companies will lead this transformation - something automation vendors are already trying to implement through Trust Center integrations. Enterprises and regulated industries will follow a slower adoption curve, likely maintaining formal point-in-time assessments with major consulting firms while gradually incorporating continuous monitoring elements. While API-driven continuous verification works well in cloud-native environments, enterprises face substantial challenges implementing similar approaches across the complex ecosystems discussed earlier. This shift will require fundamental changes to audit methodologies and certification standards, but will ultimately provide more meaningful security assurance. As continuous verification becomes the norm, data will become the primary battlefield. The ability to provide complete, accurate, and actionable compliance data in real time will matter more than feature checklists or user interfaces. This is particularly true in enterprise and regulated segments, where data quality directly impacts audit outcomes and risk management effectiveness.
These trends point to a future where GRC becomes more specialized, more data-driven, and more embedded in business operations rather than functioning as a separate compliance exercise. Organizations that recognize and adapt to these changes will gain significant advantages in both security effectiveness and operational efficiency.
Two generations of AI-powered GRC solutions
Given that AI is the new buzz, it is worth briefly discussing the role AI plays in GRC. The topic deserves its own piece: with 2025 shaping up as the year of AI agents, MCP adoption growing quickly, and models becoming a commodity, we should see a lot of interesting movement in the market. Although all vendors claim to be “AI-enabled”, in reality there are two generations of AI-powered GRC solutions.
First generation: AI as a feature
Most current GRC platforms have bolted AI onto existing solutions, primarily as context enhancers. These implementations offer improved search capabilities, basic document analysis, template-driven policy generation, and control mapping assistance. They deliver incremental efficiency but rarely transform core GRC processes. The main value-add is decision support.
Emerging generation: AI-driven GRC
A new wave of vendors is building platforms with AI at their core. These include GRC Agents that autonomously collect evidence and validate controls, adaptive workflows that respond to changing compliance requirements, predictive risk analytics based on continuous monitoring, and cross-system intelligence that enhances decision-making.
For startups and SMBs, AI primarily serves as an efficiency play - automating basic evidence collection and validation. These customers care less about sophisticated AI capabilities and more about concrete outcomes: faster certification and reduced manual effort.
Enterprise customers approach AI differently. They need solutions that can handle complex compliance requirements while providing clear audit trails for all automated decisions. This has created an interesting market dynamic where vendors must balance automation capabilities with transparency and control.
The challenge for organizations isn't finding vendors who mention AI, but identifying those who deliver meaningful compliance improvements through intelligent automation rather than just adding another layer of technology complexity.
Strategic considerations moving forward
For anyone operating in or evaluating the GRC market, several strategic considerations emerge:
The compliance automation wave isn't over - it's evolving. Early entrants focused on basic automation for startups. The next wave will focus on solving more complex compliance challenges for mid-market and enterprise customers. This creates opportunities for both new entrants and existing players expanding their capabilities. As we've seen in the three market segments, each requires fundamentally different approaches to automation that align with their specific needs and technical realities.
Regulated industries remain underserved by current solutions. While this segment is harder to penetrate, the combination of large budgets, high retention rates, and substantial barriers to entry makes it attractive for investors with longer time horizons. Recent innovations in FedRAMP automation (Paramify on the documentation front, and RegScale as an automation vendor targeting FedRAMP) are starting to reduce the cost and complexity of achieving compliance in highly regulated environments. Companies developing solutions that can automate the production and maintenance of complex compliance documentation while ensuring the rigor these industries require will find significant opportunities in this underserved segment.
Guidance for key stakeholders
In closing, I wanted to share some guidance for people reading this article.
For vendors: Focus on excellence in your target segment rather than attempting to serve all markets equally. Your data capabilities and integration approach should align with the specific needs of your chosen segment – whether that's speed-to-compliance for startups, scalable automation for mid-market, or data integrity for enterprises.
For practitioners: Evaluate solutions based on your organization's specific market segment and needs. Don't be swayed by marketing claims of universal capabilities. Instead, seek vendors with proven success in organizations similar to yours and integration capabilities that match your technical environment.
For investors: Look beyond surface-level growth metrics to understand which segment a vendor is actually serving successfully. The most attractive opportunities may be in companies that have established dominance in a specific segment rather than those claiming broad market coverage.
To learn more about the industry
If you’re interested in what the biggest vendors have to say about some of the most heated topics in our industry, such as compliance commoditization and selling to enterprise customers, check out the GRC Engineering Automation Vendors Roundtable, where we gathered executives from the biggest players in the industry.
This article is a guest contribution from Ayoub Fandi. Ayoub is the founder of the GRC Engineer newsletter, host of the GRC Engineering Podcast, and a Staff Security Assurance Engineer at GitLab. He recently brought together executives from seven leading GRC automation platforms for a first-of-its-kind industry roundtable.