
AI, Risk, and the Future of GRC: Key Takeaways from the XTech Podcast with Gaurav Kapoor


Introduction

Gaurav Kapoor, Vice Chairman and Co-Founder of MetricStream, recently sat down with Debbie Forster, MBE on the XTech Podcast, to talk all things GRC and AI. Drawing on decades of experience — from launching one of India's first internet-based consumer remittance products in the mid-90s to leading an AI-first transformation at MetricStream today — Gaurav shares candid insights on the evolving GRC landscape, AI's role in risk management, cybersecurity threats, and what it really means to govern AI itself.

The XTech Podcast brings together leading voices from across the global tech community to cut through the complexity of today's most pressing innovations.

Listen to the podcast.

Key Takeaways:

1. Crisis Has Always Been the Catalyst for GRC Innovation

Gaurav's career is a masterclass in turning disruption into opportunity. From 9/11 and the Enron scandal to the 2008 financial crisis and COVID-19, each major crisis exposed the same fundamental problem: siloed organisations where critical risk data wasn't being shared across functions.

"One part of the organisation wasn't talking to the other part. If you can bring all this together, the opportunity for the organisation to see risk holistically changes the paradigm."

The lesson? The organisations that thrive are the ones that treat crisis not as an anomaly, but as a signal to act on what they already knew needed fixing.

2. AI Adoption in GRC Has Reached a Tipping Point

For years, GRC lagged behind other functions like sales and finance in adopting AI, and for understandable reasons. As Gaurav explains, a 90% accuracy rate is fine in marketing; it's not acceptable in risk management, where a missed signal can mean a billion-dollar regulatory fine.

But the landscape has shifted. The canvas of risk has expanded dramatically. It now spans cyber threats, geopolitical shifts, supply chain vulnerabilities, and the risks introduced by AI itself. The volume and complexity of risk information have simply become too great to manage manually. AI is no longer optional; it's essential.

3. The Real Pain Points Are Overload and Administration

Gaurav explains how MetricStream's AI-first strategy wasn't driven by technology for technology's sake. It was grounded in a clear-eyed diagnosis of what GRC professionals actually struggle with every day:

  • Overload — thousands of people across organisations filling out risk and control assessments, security questionnaires, and audit forms repeatedly and manually
  • Administration burden — managing and maintaining large enterprise GRC programmes requires enormous ongoing effort

MetricStream's response was to use AI to automate the rote work, freeing practitioners to focus on higher-value, domain-specific thinking. The new company tagline says it plainly: "GRC Simplified. Outcomes Amplified."

4. AI Will Augment GRC Professionals, Not Replace Them

Will AI replace GRC professionals? Gaurav's answer is nuanced. He shared the perspective of a Chief Auditor at one of the world's largest oil and gas companies, who said he would actually need more auditors in an AI-enabled world.

Why? Because, according to him, his auditors are the brain trust of the organisation. With AI handling sample testing and routine execution, they could move to 100% population testing and explore risks that were previously invisible.

Gaurav's framework: Assist, Augment, Delegate. GRC AI is moving through these phases progressively, with full delegation still some way off as models become more reliable. The professionals who will thrive are those who deepen their domain expertise and embrace AI as a force multiplier.

5. Governing AI Requires Ethics, Answerability, and Tone from the Top

As AI takes on more of the work of governance, who governs the AI? Gaurav highlights three critical dimensions:

  • Answerability and traceability — regulators will not just scrutinise the outputs of AI-driven models; they will demand to understand how those models were built and how conclusions were reached
  • Ethics and bias — domain experts are essential for evaluating whether model outputs reflect bias, inappropriate profiling, or imbalanced data inputs
  • Culture — perhaps most importantly, the tone set by leadership determines how seriously ethical considerations are embedded across the organisation. A CEO who demands rigorous ethical scrutiny creates a fundamentally different culture than one who simply pushes for efficiency at speed

6. Third-Party Risk Is Now the Biggest Cyber Vulnerability

On cybersecurity, Gaurav made a striking observation: the fortresses have strengthened, but the ecosystems have weakened. Attackers have adapted, shifting from targeting organisations directly to infiltrating their extended partner and supply chain networks.

His example was pointed: one of the world's largest payment networks — with world-class cybersecurity — was breached via a compromised small retailer in Indonesia, a breach that could have threatened the stability of the entire financial system.

"It could come from anywhere."

Third-party and supply chain risk management is no longer a secondary concern. It sits at the heart of enterprise resilience.

7. Anti-Fragility Is the Right Mental Model for Today's Risk Environment

When asked what he's reading, Gaurav pointed to Nassim Nicholas Taleb's The Black Swan and Antifragile — books he has returned to with renewed appreciation. The core idea: build systems that don't just survive shocks, but get stronger from them, by deliberately simulating disruptions before they happen.

In a world where the next crisis could arrive on a Tuesday rather than a distant horizon, building anti-fragile organisations is a strategic imperative.

The Bottom Line

GRC is undergoing a fundamental transformation. The combination of expanding risk complexity, accelerating regulatory pressure, and maturing AI capabilities means that the old model of manual, reactive, and siloed risk management is no longer fit for purpose. The organisations that will lead are those that embed AI into Connected GRC frameworks — not just for efficiency, but for the foresight and strategic risk intelligence that drives growth.

Ready to Explore What AI-First Connected GRC Looks Like in Practice?

Discover how MetricStream is helping organisations simplify governance, strengthen resilience, and amplify outcomes with Connected GRC.

Explore MetricStream’s AI-first Connected GRC. Request a demo.


MetricStream Team

Meet the MetricStream team, a collective of seasoned professionals at the forefront of Governance, Risk, and Compliance (GRC) expertise. Our team brings together individuals from diverse backgrounds, spanning operational risk management, enterprise risk management, regulatory compliance, cyber risk management, and more. This deep expertise enables us to offer comprehensive insights into industry best practices, emerging trends, and regulatory requirements, equipping organizations with the tools they need to navigate the increasingly interconnected landscape of risk and compliance. Join us as we explore the evolving landscape of GRC.