For AI in GRC Success, Build on the Basics.
Sponsored by MetricStream
Marc Levine from MetricStream shares seven fundamentals for AI success in GRC, explaining why strong leadership, culture, and governance matter more than technology alone.
If there’s something I hear almost every few minutes, it’s the word “AI.” It comes up in every customer conversation, analyst briefing, board discussion, and team meeting. As the CEO of a GRC SaaS company, I’m immersed in it. I’m genuinely excited about what AI makes possible for our industry and the world as a whole. Talking about it is fun, inspiring, exciting and scary all at the same time.
But at the end of the day, AI is a technology and a tool. If it’s not grounded in the right fundamentals, it won’t be a success. It will amplify what’s already happening – good or bad. Like the old saying says: “Garbage in, garbage out.”
For AI in GRC to succeed and deliver on its promise, it needs to be built on the basics. That means that it’s a cultural transformation as much as it is a technical one.
Like all of us, I’m learning every day. But here’s what I’ve seen that enables AI success in GRC.
1. Start with Leadership Basics — They Never Go Out of Style
There’s a hardware store near where I grew up. The owner knew every product in that store — not because he read the catalog, but because he genuinely cared about helping customers solve problems. He led by example every single day. People came from miles away, not just for the products, but because they trusted him and the very “human” solutions he provided.
That kind of leadership is what drives culture. It’s not about titles or org charts. It’s about showing up with integrity, being honest when things are hard, and holding yourself to the same standards to which you hold others. In a world of AI hype and constant change, I believe those basics matter more than ever.
GRC leaders especially know this. You’ve spent your careers building programs based on trust, transparency, and accountability. It is important not to let the excitement around AI distract you or your organization from those core principles. Lead with them.
2. Role-Model AI Use — Tone at the Top Isn’t Just a Compliance Concept
We talk a lot in business about “tone at the top.” It’s the idea that culture flows from leadership; that what executives do, tolerate, and reward shapes what the organization becomes. It’s true for ethics. It’s true for compliance. And it’s 100% true for AI adoption.
If you want your teams to embrace AI tools thoughtfully and responsibly, you have to do it first. Use the tools yourself. Talk openly about what’s working and what isn’t. Share what you’ve learned. Ask your teams to show you how they’re using AI in their day-to-day work.
When leaders visibly engage with new technology, it signals that experimentation is safe, expected, and valued. You can’t ask your teams to transform if you’re not willing to transform alongside them.
3. Reward Innovation — Create Space for Experimentation
One of the fastest ways to kill innovation is to punish failure. If people are afraid to try new approaches because a misstep will define their careers, they won’t try. They’ll stick to what they know. Your AI initiatives will go nowhere.
The best cultures I’ve seen actively celebrate experimentation, including honest post-mortems when things don’t work. They create forums where people can share ideas without judgment. They recognize and reward team members who tried something bold, even if it didn’t pan out, because the learning matters.
Psychological safety is a business requirement for innovation. If your culture doesn’t feel safe, the best ideas will stay locked inside people’s heads.
4. Embed AI Into Everyday Work — Make It Ordinary, Not Optional
One of the mistakes I see organizations make is treating AI as a “project” — something that lives in a pilot program or a center of excellence, separate from how work gets done. That approach almost never scales.
Real adoption happens when AI becomes part of the daily fabric. It’s in the tools your teams use, the processes they follow, the conversations they have in team meetings. Share best practices across the organization. Celebrate wins. Normalize AI.
In GRC specifically, this might mean using AI to accelerate risk assessments, streamline compliance workflows, or identify early warning signals. The goal is to perform better, faster, and with greater confidence.
5. Invest in Continuous Learning — Static Training Doesn’t Work
AI is not a one-time training event. The tools are evolving. The use cases are changing. The regulatory landscape around AI, especially in GRC, is actively being written as we speak.
What works is continuous, participatory learning. Not a mandatory e-learning module that people click through to get credit, but real conversations: what are you seeing in your work? What’s changed since last quarter? What do we need to understand better? How can we take that manual process and use AI to automate it?
Involve people at every level. Your front-line risk and compliance practitioners often have the clearest view of where AI can help — and where it falls short. Build a learning culture that flows in both directions: from leadership down and from the front lines up.
6. Keep Your Eyes on Outcomes — Not The Technology
Here’s the test I believe should be applied to every AI initiative: what problem are we solving? What outcome are we trying to achieve? If the answer is “we want to use AI,” that’s not good enough.
The best GRC outcomes I’ve seen — cleaner audits, faster risk identification, stronger board reporting, more confident compliance posture — didn’t start with technology. They started with a clear articulation of the problem and the outcome. The technology was in service of that.
Outcomes-first thinking is important to embed.
7. Build Governance That Enables, Not Just Constrains
In GRC, we know better than anyone that governance is necessary. But there’s a version of governance that acts as a brake on everything. Something that makes people feel like every new idea requires a committee and a policy before it can be tried. That version kills innovation and stifles fresh thinking.
The governance structures that work for AI are the ones that establish clear principles and guardrails, then give people room to operate within them. Think of it like a sandbox: defined boundaries, but freedom to experiment inside. People know what’s in bounds, what needs escalation, and what’s a red line.
Flexible, principle-based governance gives your teams the confidence to try new things without unknowingly introducing unacceptable risks. And it positions your GRC function as an enabler of progress — not a barrier to it.
Technology Will Keep Changing. These Fundamentals Won’t.
I started my career when “transformation” meant something very different from what it means today. Every generation of technology brings a new wave of excitement, a new set of tools, and a new round of questions about what it means for how we work.
What I’ve learned — and what I see confirmed every day in how MetricStream’s customers succeed — is that the organizations that win aren’t the ones with the best technology. They’re the ones with the strongest cultures, the clearest values, the most accountable leaders, and the most empowered teams.
AI is genuinely exciting. It will change GRC permanently, for the better, in ways we’re just beginning to understand. Start with the basics, and success will follow.
About The Author
Marc Levine is the CEO of MetricStream, the global leader in GRC SaaS. He is focused on helping organizations build the culture, capabilities, and technology foundation needed to turn governance, risk, and compliance into a strategic advantage.