
Most AI Compliance Work Is Still Script Work and GRC Teams Need to Know the Difference

The Security Digest - News Team
Published
June 23, 2026

Jai Sisodia, Managing Director of Cybersecurity, Privacy, and AI at Cycore, explains why most compliance automation labeled as AI is actually script work in disguise.



GRC platforms existed before AI, and the work they automated was structured: apply rules to structured data, integrate with systems, and check whether controls pass or fail. That work is script work. It is valuable, high-volume, and repetitive, and it does not require a language model. Most of what gets labeled "AI-powered compliance" today is still doing exactly that. The distinction matters because organizations that cannot tell the difference will either overpay for automation that a script handles better or underinvest in the places where AI actually changes what GRC teams can deliver.

Jai Sisodia is Managing Director of Cybersecurity, Privacy, and AI at Cycore, a cybersecurity, privacy, and AI governance consultancy. He holds CISSP, CISA, and CDPSE certifications and has led SOC 2, ISO 27001, HIPAA, and GDPR compliance programs across startups, SMBs, and enterprise clients, including Fortune 500 organizations. His prior roles include advisory work at Deloitte, global IT audit management at Baxter International, and SVP of IT and AI Audit at a UK-based fintech. He approaches GRC as a risk-based discipline rather than a certification exercise.

"A compliance calendar turns policy from documents into a live execution system with tasks, owners, and frequency," Sisodia says. "If you are able to perform the specific activities based on that calendar, you should be good."

Scripts still do most of the work

Sisodia draws a clear line between what scripts handle and where AI earns its cost. "A majority of the work can still be done by scripts because scripts can focus on structured data," he says. "We already know the rules. You just apply those rules in the form of scripts and assess compliance against any framework." Scripts test. They give a pass or fail. That covers most repeatable, high-volume controls.

AI changes the equation when the evidence is messy. "When part of the evidence comes from screenshots, another from a document, another from a link, this is where AI truly stands out," Sisodia says. "It is able to bring all these things together, set up a context, and answer a much more subjective question: are we compliant?"

But AI without company-specific context creates more human review instead of less. Sisodia uses a background-check example: AI flags four employees as non-compliant because they lack completed checks. Without context, a human reviewer has to manually verify that those employees are in Hong Kong, where background checks are banned by law.

"AI actually did not add any value because the human had to review all the things again," Sisodia says. The fix is building company-specific memory into the system: meeting minutes, emails, Slack messages, deliverables, and client-specific processes that give the model the context to apply rules the way the organization actually operates.
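The background-check scenario above, as an added example that is not from the article or from Cycore: a plain script applies the control rule to structured employee records, with the jurisdiction exemption encoded as company-specific context so only genuine failures reach a reviewer. The employee records, the control rule and the exemption list are all constructed for illustration.

```python
"""Script-work control check: background-check completion with jurisdiction context.

Added example, not from the article or from Cycore. Employee records, the
control rule and the exemption list are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: jurisdictions where the organization's legal team has
# recorded that pre-employment background checks are not permitted. This is
# the "company-specific memory" the article describes, encoded as structured
# data so a script can apply it instead of a human re-reviewing every flag.
EXEMPT_JURISDICTIONS = {"HK"}  # Hong Kong, per the article's example


@dataclass(frozen=True)
class Employee:
    emp_id: str
    location: str          # ISO 3166-1 alpha-2 country/region code
    background_check_done: bool


def evaluate_background_check(employees, exempt=EXEMPT_JURISDICTIONS):
    """Return a per-employee verdict: 'pass', 'fail', or 'exempt'.

    'exempt' records are compliant by policy and need no human review;
    only 'fail' records are genuine findings.
    """
    verdicts = {}
    for e in employees:
        if e.location in exempt:
            verdicts[e.emp_id] = "exempt"
        elif e.background_check_done:
            verdicts[e.emp_id] = "pass"
        else:
            verdicts[e.emp_id] = "fail"
    return verdicts


def control_status(verdicts):
    """Control-level result: pass if no record is an unexplained failure."""
    findings = sorted(k for k, v in verdicts.items() if v == "fail")
    return ("pass" if not findings else "fail", findings)


# Constructed sample roster: four missing checks, two of them in Hong Kong.
SAMPLE_ROSTER = [
    Employee("E001", "US", True),
    Employee("E002", "HK", False),
    Employee("E003", "HK", False),
    Employee("E004", "DE", False),
    Employee("E005", "GB", False),
]

if __name__ == "__main__":
    verdicts = evaluate_background_check(SAMPLE_ROSTER)
    print(verdicts)
    print(control_status(verdicts))  # ('fail', ['E004', 'E005'])
```

Without the exemption set, all four incomplete records would be flagged and a human would have to re-check each one; with it, the script reduces the review queue to the two real findings.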

Execution breaks without ownership

The more persistent GRC failure is not tooling. It is execution. Organizations download templates, change the company name, and treat compliance as finished. "I've reviewed these policies, and it kind of makes sense. I understand 10% and 90% is theoretical," Sisodia says. "But compliance is not a one-time activity. These things have to be performed on an ongoing basis."

Sisodia's operational fix is a compliance calendar that translates policy into a task matrix with specific activities, owners, and frequency across the full year. Paired with a RACI model that assigns clear accountability for each task, the calendar prevents the pattern where everybody owns compliance in theory, but nobody owns it when work needs to be done. Monthly 30-minute governance meetings with all stakeholders keep execution visible. "If you are not meeting the threshold, you know about it now, not as a surprise at the end of the year," Sisodia says.

Power shifts to whoever understands the technology

As AI agents and automation enter every department, Sisodia sees the cross-functional coordination between GRC, SecOps, legal, and privacy becoming mandatory rather than aspirational.

"If we think about AI agents, they don't just have to be secure. They also have to follow privacy regulations. They may have legal risk because terms and conditions created using AI may have hallucinated," he says. Engineering is no longer siloed in a dedicated department. Every function now has engineers automating its processes, writing code, and deploying agentic workflows.

That shift changes who holds power in the organization. "If you, as a legal professional, or I, as a GRC professional, don't understand those technology risks and the changing domains," Sisodia says, "the power will shift. Whoever understands it, the power will shift to them."
