Riding The Wave Of Capability And Strategy Changes In The GRC Industry

Throughout 2026, a significant volume of public announcements and press releases across the governance, risk and compliance (GRC) software market has signalled that the industry is undergoing a period of transformation. In the first blog of this three-part series, we discussed this trend and how the industry is embracing a evolving approach to risk (see Verdantix The Evolution Of The GRC Industry Signals A Shift From Authority-Based Compliance To Evidence Driven-Understanding).

In this second instalment, focused on the ongoing changes in the GRC landscape, we examine two key elements of these announcements. First, they point to new milestones in technological development – primarily linked to varying levels of AI adoption – reflecting substantial investment across the market. Second, taken together, they risk creating confusion among buyers as vendors reposition their offerings and narratives.

AI enhancements: extending existing GRC functions

With AI mania taking over the tech world at large, adding AI‑labelled capabilities to established GRC workflows is the flavour of the month for vendors. The opportunities are too good to miss out on – especially as this could entail losing competitive advantage and market share. The benefit for users is huge, too. That said, buyers need to develop their own AI skills swiftly to fully understand the changes to GRC solutions, what these mean for their own roles.

Significant examples of these new developments span:

• LogicGate’s introduction of Config Newton.
  Positioned as an “agentic GRC engineer”, Config Newton is intended to assist with workflow configuration, reporting and evidence collection through automation and AI‑assisted decision support layered onto LogicGate’s existing platform.
• MetricStream’s latest release of AI‑powered features.
  MetricStream has introduced a range of new AI features, highlighting improved user experience, automation and analytics – but without materially altering the underlying GRC model of controls, risks and compliance obligations.
• Origami Risk’s new and enhanced platform solutions.
  This announcement follows a comparable pattern, emphasizing AI‑powered insights and operational efficiency within its established risk platform rather than introducing a fundamentally new governance approach.
• Optro’s launch of AI‑powered GRC capabilities in March 2026.
  Optro explicitly references AI governance, cyber risk and continuous control monitoring. While notable in its attempt to address AI both as a tool and as a risk domain, the announcement still centres on extending coverage areas rather than redefining how GRC decisions are validated or challenged. Optro also acquired Midship, an AI-SOX automation solution, in early May 2026. This move seeks to increase Optro’s capability to automate high-volume, repetitive processes to support audit teams facing budgetary constraints.
• Workiva’s reimagining of its GRC platform.
  This announcement focuses on breaking down data silos across audit, risk and compliance functions. Workiva aims to improve executive visibility with a unified data layer, all powered by AI technology.
• NAVEX and OneTrust’s recent materials also fall into this category.
  Both emphasize platform breadth and lifecycle coverage, suggesting that customer demand continues to favour consolidation over specialist tools. These moves imply that organizations remain more concerned with managing complexity and workflow fragmentation than with adopting fundamentally new risk models.

For other vendors, recent announcements indicate strategic reassessment rather than feature innovation:

• Diligent’s acquisition of 3rdRisk is best understood as a structural move to deepen third‑party risk management capabilities through AI technology. The rationale is scale and integration, not a departure from established third‑party risk practices.
• Aravo’s introduction of the ‘Aravo Advantage’ similarly reflects a strategic refocusing on third‑party risk programmes, packaging services, technology and expertise under a single offering. The announcement signals prioritization of a specific risk domain rather than a change in methodological approach.