Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) - OpenPages

Intended for IBM OpenPages and IBM FIRST Risk Case Studies customers to interact with their industry peers and communicate with IBM product experts.


  • 1.  Rethinking GRC in the age of AI: are we ready for what's next?

    Posted Thu October 23, 2025 10:37 AM
    Edited by JULIE BELLINGER Thu October 23, 2025 10:42 AM

    As GRC professionals, we're no strangers to transformation. Regulatory landscapes shift, risk profiles evolve, and technology continues to reshape how we manage complexity. But with the rise of generative AI, we've entered a new era - one that challenges not just our tools, but our mindset.

    🔮 From Reactive to Proactive to Predictive

    Historically, GRC has been reactive, responding to incidents, audits, and regulatory changes. Automation and real-time monitoring made us proactive. Now, AI is pushing us into the predictive era, where trust must be built before risk surfaces.

    This raises critical questions:

    • How do we govern AI without stifling innovation?
    • Can we trust AI to make risk-based decisions?
    • Is our current GRC approach ready for this shift?

    These aren't just technical questions, they're ethical, strategic, and deeply human. At IBM, we're exploring how to integrate AI responsibly into OpenPages, with explainability, auditability, and governance at the core. But we know this journey isn't one-size-fits-all. That's why we want to hear from you.

    💬 Let's Talk

    We'd love to hear from you:

    • Is Gen AI still "new" in your organization, or already part of your GRC strategy?
    • What's your biggest hope, or concern, about AI in GRC?
    • Have you started using AI in your risk or compliance workflows? What's working, and what's not?
    • What would help you feel confident using Gen AI in your risk or compliance processes?

    Drop your thoughts below 👇. Let's spark a conversation that moves the industry forward!



    ------------------------------
    Julie Bellinger
    Senior Product Manager, IBM OpenPages
    jmelamud@us.ibm.com
    ------------------------------



  • 2.  RE: Rethinking GRC in the age of AI: are we ready for what's next?

    Posted Sun October 26, 2025 02:13 PM

    Julie, thank you for raising such a timely and interesting topic. As an IBM partner, we're keen to contribute to the discussion.
    We are presenting the first use cases you've shared, fully aware that they aren't strictly examples of generative AI. Our goal is to stimulate potential customer needs while also proposing a gradual approach to the use and integration of AI into Risk & Compliance Management, before fully embracing generative AI.

    We've received strong interest from clients, who have high expectations given the potential of AI and the future benefits it could bring across various sectors. At the same time, there is considerable concern about the limitations of AI, the challenges in controlling its outcomes, and the constraints imposed by internal policies on its use.

    We agree that the challenges in generative AI projects are not just technical but also cultural, procedural (in terms of responsibility), and tied to the quality of data provided to the AI.

    That said, some concerns have emerged, particularly regarding the OpenPages – Watson AI architecture, which we'd like to address:

    1. Performance
      If we understand correctly, the architecture requires OpenPages to export data to Watson AI, which then processes and returns the results. However, as we move towards more generative processing, where greater value is expected from AI, OpenPages will need to send more data to ensure reliable responses (e.g., data from numerous interconnected logical entities, historical data, personal records, etc.).
      Could this scenario significantly impact performance, both in terms of response times and the costs associated with using AI through OpenPages?

    2. Completeness and Quality of AI Responses
      In the proposed use cases, the AI's role was more "supportive" to the user (e.g., helping to make associations, checking text, and summarizing information). It's likely that the risk of errors would be limited and instead result in "limited" assistance (which could encourage the user to provide clearer and more complete descriptions). It's conceivable that by adjusting the confidence level and conducting some testing, the company could gain confidence in the AI's effectiveness and accuracy. But as we move further into generative AI... how can we mitigate the risks of receiving inadequate or incomplete suggestions? How can we minimize this risk?



    ------------------------------
    Gabriele Meneguzzi
    ------------------------------



  • 3.  RE: Rethinking GRC in the age of AI: are we ready for what's next?

    Posted Sun October 26, 2025 07:08 PM

    Hi Gabriele,

    Thank you for your considered response and for raising such pertinent points around the integration of AI into Risk and Compliance workflows. Your reflections on both performance and response quality are very much aligned with the conversations we're having across the industry.

    Performance Considerations

    As we move towards more generative use cases, the volume and complexity of data exchanged between OpenPages and Watson AI will naturally increase. To mitigate performance risks, we're focusing on several key strategies:

    • Effective Prompt Management: By refining prompt structures and context windows, we reduce unnecessary data transfer and improve response efficiency.

    • Refined Retrieval-Augmented Generation (RAG) Patterns: These allow OpenPages to retrieve only the most relevant data, minimising payload size while maximising relevance.

    • Small Language Models (SLMs): For many domain-specific tasks, SLMs offer faster, more cost-effective responses with sufficient accuracy, making them a valuable complement to larger models.

    These approaches help ensure that AI remains scalable and responsive, even as use cases become more sophisticated.

    Quality and Hallucination Risks

    Your concerns about the reliability of generative outputs are well founded. This is precisely where governance becomes essential, and IBM watsonx.governance provides robust support through:

    • Real-Time Guardrails: These enforce policy constraints and usage boundaries dynamically, helping to prevent inappropriate or low-confidence outputs.

    • Ongoing Monitoring: We continuously track model behaviour, flag anomalies, and assess output quality to ensure consistency and trustworthiness.

    • Improved Model Output Quality: Through confidence scoring, feedback loops, and curated training data, we're enhancing the reliability and clarity of generative responses.

    These governance capabilities are designed to help organisations build trust in AI-assisted decision-making while maintaining compliance and accountability.

    Thanks again for your engagement. I'd be happy to arrange a deeper technical session to explore these governance mechanisms in more detail if that would be helpful.

    Best regards,

     

    Ian Francis
    Principal Product Manager
    watsonx.governance
    IBM Data and AI

    Mobile: +447854127709
    E-mail: ianfrancis@uk.ibm.com

     






  • 4.  RE: Rethinking GRC in the age of AI: are we ready for what's next?

    Posted 6 days ago

    Hi Julie, 

    One of the biggest challenges that come up in my conversations with business leaders about GRC is the lack of awareness and training for employees. GRC is often viewed as a "unit or department or function" that is inherently separate and isolated from those who do the "real work." The opportunity to make GRC skills an integral and essential component of employee onboarding is something I frequently think about. Thank you!



    ------------------------------
    Uma Gupta
    ------------------------------



  • 5.  RE: Rethinking GRC in the age of AI: are we ready for what's next?

    Posted 5 days ago

    I completely agree. GRC truly is everyone's responsibility, and that awareness should start the moment an employee joins the organization. When people understand why GRC exists and how their individual role contributes to protecting the overall IT universe, it changes how they approach their daily work.

    Even in roles that may seem far from governance or compliance, the documentation, processes, and decisions we handle directly support organizational reliability and risk reduction. Integrating this understanding into onboarding would help employees see the bigger picture from day one.



    ------------------------------
    Kimberly Avery
    ------------------------------



  • 6.  RE: Rethinking GRC in the age of AI: are we ready for what's next?

    Posted 4 days ago

    We have an opportunity to make GRC a part of every corporate conversation and initiative. Business leaders understand the risks, but it is not easy to make it an enterprise-wide conversation and training (not "watch this video" kind of training, but training that is engaging and delivers rewards). 

    How do we make it happen? How can we create materials that are engaging, free, and role-focused and that deliver rewards? I emphasize rewards because time is in short supply.

    Thank you!

    Uma



    ------------------------------
    Dr. Uma Gupta
    Fulbright Scholar & Director, Business Analytics
    University of South Carolina Upstate
    ugupta@uscupstate.edu
    https://www.linkedin.com/in/uma-gupta-phd/

    ------------------------------