
What 200+ GRC Leaders Agreed On: 7 Key Themes from the GRC Summit London 2026


Introduction

This past June 2nd and 3rd, MetricStream hosted the GRC Summit 2026 at the Royal Garden Hotel, London. With more than 200 attendees from 50+ organizations, the event brought together risk, compliance, audit, and cybersecurity leaders for two days of candid conversation, real-world case studies, and forward-looking debate.

The theme this year, Experience the Power of AI and Resilience, set the tone from the opening sessions to the multiple conversations in the room.

The opening keynotes were led by three standout voices:

  • Gaurav Kapoor, Co-Founder and Vice Chairman of MetricStream, opened with a keynote that cut straight to the heart of AI-first GRC as a practice. He addressed the top questions from the GRC community, including the most important question of ‘What does it actually look like to orchestrate human judgment and AI insight together, at scale, in the real world?’ He used a powerful metaphor, a murmuration of starlings, that struck us all in the audience. Just as the starlings all coordinate and fly together, so must we in GRC as the industry shifts and changes dramatically.
  • Marc Levine, CEO of MetricStream, followed with a forward-looking vision for where MetricStream is headed, anchored in customer experience, radical simplicity, and the relentless pursuit of strategic outcomes that matter.
  • Parmy Olson, award-winning technology journalist and author, joined Gaurav for a wide-ranging fireside chat that brought the outside world in. They explored AI's real-world implications for business, governance, and accountability with the sharpness you'd expect from one of tech journalism's most respected voices.

From there, the summit moved into a full day of executive panels and in-depth discussions, with active audience Q&A woven throughout. Topics ranged from AI in risk and internal controls, cyber risk's growing role in enterprise GRC strategy, and the metrics that matter most to boards and regulators, to navigating UK Corporate Governance, DORA, and NIS2 through a unified controls program, the future of operational risk management, and what it truly takes to make GRC transformation stick. 

Get full access to the presentations of the sessions.

What emerged across both days went deeper than technology. GRC practitioners had serious questions about what AI in GRC should do, who stays accountable, and how to make GRC transformation stick.

Here are the top themes that defined the conversation.

1. AI Governance Must Precede AI Adoption

One message cut across almost every session: organizations that allow AI to embed itself in GRC processes before establishing a control standard are creating a governance vacuum. While enthusiasm for AI is real, organizations will need to lay the foundations first as they try to balance experimentation with control and costs.

2. AI Is Shifting from Feature to Operating Model

The conversation has moved well beyond AI as a bolt-on capability. The ambition that was discussed at GRC Summit London 2026 is to make AI the core operating model for GRC, delivering speed, scale, and trust across the enterprise.

GRC practitioners also discussed an emerging three-tier agent ecosystem: first-party agents built by vendors, second-party agents built by customers, and third-party agents built by partners and system integrators — all running on a single trusted platform, governed from the same core, and audit-ready by design. It was also noted that platforms that can support third-party agents will get stickier over time.

3. ROI on AI Is Real, But Still Being Earned

There is genuine enthusiasm in the GRC market for AI as a strategic opportunity. But practitioners were clear-eyed: the business case in practice is still being worked out. Buyers want AI ROI that is measurable and meaningful, not just demos or features that don’t add true business value.

Zurich Insurance's case study session demonstrated this live. The team walked through live AI-powered GRC use cases, including regulation-to-obligation mapping and policy impact on controls, sparking real interest from others in the room, and proving that the ROI of AI in GRC is quantifiable.

Contact us to get a recording of the session.

4. Human Accountability Remains Non-Negotiable

Across keynotes, panels, and workshops, one principle held firm: AI handles data gathering, cleansing, and insight generation, but people (the human-in-the-loop) must provide the final judgment. Organizations implementing AI in GRC are demanding transparency, explainability, and clear lines of accountability across risk, audit, and compliance.

On the other hand, the human element was also identified as the biggest bottleneck in GRC transformation. The skill gap is real, and organizations investing in AI-powered GRC need to invest equally in upskilling their people, or the transformation will stall at the human layer.

5. GRC Shifts from a System of Record to a System of Action

The broader shift defining this moment in GRC is the move from storing data to acting on it. GRC leaders want platforms that help them sense risk, interpret signals, and respond continuously.

This means connecting regulation to obligation, obligation to policy, policy to control, control to test, and finding to remediation. It means GRC data that flows into board-ready insights and predictive signals. If AI cannot reason across connected entities and dependencies, it isn't operating with the depth required for next-generation GRC.

6. Board-Level Expectations Are Raising the Bar

Boards in 2026 want context behind the GRC metrics, not just the numbers. They want to understand what is driving performance, where exposure is growing, and what decisions are required now.

The panels on board accountability made clear that the GRC function's job now requires enabling confident, informed decisions at the highest level of the organization.

7. AI GRC Transformation Is an Organizational Challenge

Perhaps the most grounding theme of the summit was that organizations that treat GRC or AI in GRC as a software implementation will stall. The ones making real progress are treating it as an organizational transformation, one that requires culture change, stakeholder alignment, and a genuine commitment to outcomes over activities.

Deep Dives: Workshops That Got into the Detail

Alongside the main stage, Day 1 featured four workshops that gave attendees the space to go deeper on the topics that matter most.

Michael Rasmussen of GRC 20/20 Research led two sessions. The first tackled the UK Corporate Governance Code's Provision 29 — widely described as the most significant shift in UK risk and control expectations in over a decade — offering a structured blueprint for designing internal control frameworks that meet the expectations of boards, regulators, and investors. His second session, AI in GRC by Design, moved from principles to practice, exploring how organizations can embed AI across governance, risk, and compliance programs with the guardrails needed for responsible, explainable use.

Manoj Kulwal, Chief Risk and AI Officer at RiskSpotlight, explored where generative and agentic AI are adding genuine value across core risk activities today and put a sharper lens on the Top 10 Emerging AI Risks that risk leaders need on their radar in 2026.

MetricStream's own product session, led by Shreyank Kamat, took attendees inside the most significant enhancements across the Risk and Regulatory Compliance suites, covering the Euphrates II UI/UX uplift, new functional capabilities, and the latest AI features helping teams cut through complexity and stay ahead of regulatory change.

Celebrating the GRC Community

The GRC Journey Awards returned for 2026, recognizing MetricStream customers and partners who are shaping the future of governance, risk, and compliance. The awards honor organizations and individuals demonstrating exceptional vision, execution, and impact in advancing risk-aware cultures and driving operational resilience.

We congratulate all the winners.

Read the Press Release for more details.

What's Next

GRC Summit London 2026 made one thing clear. The GRC community is asking the right questions. The appetite for AI is strong, but so is the commitment to getting it right, with the right governance, accountability structures, and foundations in place.

The journey continues. Watch this space for more details.

Access session presentations from GRC Summit London 2026.


Simrin Jhangiani, Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and owned a sustainable fashion brand. She has lived on 3 different continents and has travelled to 50+ countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.