Governance, risk, and compliance teams face a fundamental paradox: they operate in a discipline built on certainty, manual processes, and clear checklists, yet they’re being asked to embrace AI tools that are inherently probabilistic. The challenge isn’t just technological. GRC has evolved into an art form rather than a standardized practice, with some organizations gravitating toward compliance-heavy approaches while others focus on risk, creating inconsistent frameworks that make AI integration even harder. Meanwhile, enterprise GRC teams burn countless hours on redundant tasks—asking employees what they’re doing, collecting screenshots, and building endless workflows that ultimately just trigger more human work. The question isn’t whether AI can help, but how to introduce uncertainty and automation into a field that has always demanded black-and-white answers.
In this episode, Yair Kuznitsov, CEO at Anecdotes, explains how his platform uses data-driven AI agents to automate GRC activities while maintaining the traceability and trust that auditors require. Joining him are Andrea Bergamini, CIO at Orbia, and Brett Conlon, CISO at American Century Investments.
Want to know:
- Why is integrating AI tools into GRC still such a persistent challenge?
- What GRC activity wastes the most human hours, and how can agents eliminate it?
- Where do humans step in when AI agents handle GRC tasks?
- How do you manage the complexity of multiple agents operating across your environment?
- What enterprise data do agents need access to, and how is least privilege maintained?
- What part of today’s GRC team disappears in three years, and what roles become more important?
- How do you ensure resilience when data sources break, APIs change, or accounts go out of scope?
Check out the episode for the answers you need.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Anecdotes

Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host Rich Stroffolino. Today, we’re talking with Anecdotes and what they’re doing in the wide world of GRC. Now the problem that they’re addressing is integrating AI tools into GRC, the two big titans that are trying to come together.
I don’t think we’ve come to a quorum about what that looks like here. But helping us get answers to why we’re still struggling with this are Andrea Bergamini, the CIO at Orbia, and Brett Conlon, CISO at American Century Investments. Andrea, let me start with you.
Why is integrating AI tools into GRC still something we haven’t figured out yet?
[Andrea Bergamini] Well, it’s a very traditional discipline, isn’t it? It’s one of those disciplines that like manual things, like certainty, like black and white, like to check their boxes. With a discipline like that which is ingrained both in the industry that we have as well as the ecosystem around it right with the audit environment and the way those things work, you try to put in something that has tremendous potential, right?
AI can be a tremendous force multiplier, a great way to help and yet it’s probabilistic in nature as such, right? That uncertainty combined with the potential of it and the traditional environment, I think, makes it a very hard problem to solve.
[Rich Stroffolino] I like that, maybe more of a structural cultural problem that’s the hold up here. Brett, do you agree with that? Is there any other thing that’s holding us up here?
[Brett Conlon] Yeah, I think the other thing I would add is I’m not advocating for this, but I think it’s a problem is GRC has become an art form. So, we’re not really standardized around how we approach it. I’ve been in different shops where GRC’s become very compliance-heavy or audit-heavy and sort of gravitated away from risk.
You have some who are very focused on risk but then also forget the auditable pieces that you need when the auditors come in. So with that in mind, I think that it just makes it hard when you’re bringing in agents how do you standardize that approach because we do look at it very differently unfortunately.
[Rich Stroffolino] All right. Well, today we’re going to be talking with Yair Kuznitsov, the CEO at Anecdotes. Now to start out, we need the answers to our trio of essential questions. So Yair, how do I explain the value of what you’re doing to my CEO?
What does your solution do? What does it not do? Help us get the scope here. What is the pricing model? Can you give us these preliminaries?
[Yair Kuznitsov] Yeah, absolutely. If you need to explain what we do to the CEO, that would be I’m the GRC manager. I’m leading GRC. You want me to focus on risk. I need to be able to monitor my risks and understand when changes happen so that we are all aligned on our actual risk.
This cannot happen with more headcount and more people. We need different technology, different solutions. We need data and AI. What Anecdotes does is a GRC platform for enterprise GRC teams. We are not a SOC 2 shop that you just come and get your document.
The pricing is very simple. It really correlates with our approach. Frameworks, risks, everything is unlimited in the license of the Anecdotes platform. Since data is the core value, data chunks are priced with a very clear ROI on how we present and use the data.
[Rich Stroffolino] Fantastic. All right. I have a pretty clear understanding. Anytime we can hear the word ROI right off the bat here, that’s a rarity, a unicorn in and of itself. But for our panelists here, you’ve got a little bit of a taste here. I’m sure you have a lot of questions.
Brett, I want to start with you. What questions do you have for Yair and for Anecdotes?
[Brett Conlon] Sure. So obviously, you’ve seen a lot of the GRC platforms are claiming now automation and intelligence. What is one GRC activity enterprises spend the most wasted human hours on today that you see, and how do your agents eliminate that?
[Yair Kuznitsov] So the one thing we constantly see the GRC teams and departments wasting time on is figuring out what’s going on in the organization. This is simple. You can either ask people what do you do? What did you do yesterday? Can you take me a screenshot of your system?
Or you can either look on data that’s reflecting the business process. So what we’re doing is we provide data sets that reflect business processes, and we feed these data sets to agents that can make specific decisions based off the data.
[Rich Stroffolino] Andrea, for you, what other questions do you have for Anecdotes?
[Andrea Bergamini] Yeah, kind of linking to my opening comment, right, you know what you’re trying to play with, right, and you know how important it is to be a trustworthy solution in this space and so that you have traceability and you can trust, right, essentially what you’re presenting.
What measures have you put in place to build that trust, whether they’re technical in nature or whether they are more ecosystem in nature, if you will?
[Yair Kuznitsov] So that’s a great point and actually two very accurate domains of trust. Let’s start with the ecosystem. It took us years to take the data infrastructure and data catalog of Anecdotes and make sure that the existing ecosystem, the Big Four and the top audit firms in the States actually trust the outputs of Anecdotes.
So that’s the guardrails around the business enablement for the data. But then in the product, this is not just because we have nice friends at the Big Four. It’s actually because of the way we’ve built the technology. So everything is traceable, everything is hashed and has different layers of immutable data sets.
Practically, Anecdotes does not change anything or does not hide anything from the auditor.
[Rich Stroffolino] I would ask, just follow on to that. So where do you feel that humans step in in this process?
[Yair Kuznitsov] I think right now, let’s divide what’s happening today and what’s going to be in the next one to two years. I think today, the human beings in the GRC, all of us are still focused on let’s just get over with the redundant tasks that we have to do.
So right now, these people bring the strategy and the technology to really let the agents do the bare minimum. Every GRC team in every enterprise has a list of tasks that were performed last week, last month, last quarter that can be automated with the right data in a very specific agent that will make decisions.
I believe that in the future, and again, not looking five years from now. I have no idea how to predict five years, but we actually are going to see every GRC function has headcount and each person, each GRC manager has agents. I think they will manage teams of GRC agents.
[Rich Stroffolino] Yeah, that’s interesting. It’s a bit of like I have always mixed reactions I have to say to that, right, because on one side, I love the concept, right? I do think you’re, by the way, quite right about that. What kind of gets me tingling on my back is that you need to manage that complexity that arises from it of having many agents including within your own solutions or beyond your solutions, right?
Of course, then you want these agents to be able to do remediations activities. So essentially, maybe my question back to you is to say how do you enable CISOs or GRC teams to manage that complexity that will potentially increase over time and build the confidence in letting the agents do their job come well?
[Yair Kuznitsov] It’s a tough question. I think it starts with guardrails for the agents. So first, an agent needs to know its limitations. So we need to understand that if you adopt an agent, they’re not going to perform actions outside their boundaries.
That’s one piece of technology. The other piece is we have agents executing actions on behalf of human beings. I believe that agents’ identity is not an independent identity in the void. It’s an agent operating on behalf of a GRC manager that holds the accountability for these actions.
So, we need to be able to trace this so that it can fully be tracked in the future. I think these two aspects and these two philosophies will hopefully allow CISOs to adopt agents to call actions.
[Rich Stroffolino] So can I follow up on that a little bit? Because if I’m understanding how the product works today, the agent is sort of has the ability to go into these different repositories and pull these samples, so where the auditor or your risk person may not have that access, right?
Someone goes into their tool, takes their screenshot or provides their download and puts it in there. So, in the security-minded world, what enterprise data do your agents require access to, and how am I making sure that we’re following the least privilege model so that we’re not cutting across that customer data?
[Yair Kuznitsov] All right, so the inception of Anecdotes was data. We are not selling agents without context. The only reason why we’re bringing agents to GRC is because of the data. So we have to reframe, I think, the question because once we have data flowing in, what is this data?
These are not screenshots. These are accurate full data sets from different operating systems that are within my risk or compliance scope. I then feed the specific data set to the specific agent to make a decision. So logically, we can’t really enable agents without the data.
This is the paradox that we’re seeing.
[Rich Stroffolino] Yeah, but I guess I’m going to double down on that a little bit. So maybe there is nothing to worry about here, but I think the quantity is okay. Well, that then makes this solution, right, like how it always happens in security as a potential point of failure compromise.
How are you essentially trying to minimize the risk, right? But again, you also introduce a risk when we introduce these kind of solutions in an environment. But I know you’re aware of that.
[Yair Kuznitsov] So that was one of the first considerations that actually we addressed when we founded the company. Even before building infrastructure for agents, we built infrastructure for collecting data. We knew that this is going to be potentially a concern for every security organization.
So our customers actually have the ability to delegate the data and the secrets to be stored back on their perimeter. This is one measurement that we allow our customers to take. So the data is being processed on Anecdotes but fully stored and controlled by the customer.
Therefore, every investment that a CISO has made on securing their data perimeter remains valuable.
[Rich Stroffolino] Can I ask you, in terms of… Like you said, data is key and what we do with it and what we learn from it is also key. I know if I buy Anecdotes, I’m never going to leave. But if I do, how much of it comes with me and how much stays with you when the subscription turns off?
[Yair Kuznitsov] The data is yours. Basically, in just a couple of clicks, you can export the definitions of your program if you want to take this with you. I would assume you would want to take your risk register and controls across your entire environment.
But that’s not the big thing that you own. You actually own the data. You own the evidence that was collected throughout the subscription. That’s on your infrastructure.
[Rich Stroffolino] Three years from now, what part of today’s GRC team disappears, and what role becomes more important, using Anecdotes, of course?
[Yair Kuznitsov] Okay, that’s a big one. What I see nowadays in the enterprise GRC teams is there is still massive investment in workflows. People build workflows and workflows and workflows, and these workflows just trigger us human beings to work for the workflow.
I think that three years from now, this piece will be eliminated, not because we don’t need the workflows, because we’ll be able to transform the execution of pieces of workflows into the technology. I believe that these people have the opportunity to be part of this transformation.
[Rich Stroffolino] When it comes to data, there is like a pattern, right? First, they help you understand context. Then it helps you automate and then it helps you potentially predict and prescribe. Where are you on that journey with Anecdotes? Can Anecdotes help a company now, not know that they’re in compliance today but predict that they may be three months from now and things don’t change, so some predictive ability or prescriptive ability.
How far are you in that journey?
[Yair Kuznitsov] We’re not yet in the prediction business. We try to… If there is a spectrum from only looking into the past, and that is the screenshot, the static approach to historical GRC, our core focus is continuous motion of GRC programs, continuous visibility to your risk, to your compliance, to assurance processes, to policies implementation.
I think that the jump that needs to happen for being able to predict certain aspects is not just on the technology aspect. It’s a lot to do with culture.
[Rich Stroffolino] So can I sort of build on that just a little bit? But you bring Anecdotes in day one. You’re in a company that has fragmented tooling and inconsistent controls. How does Anecdotes help? What does that look like?
[Yair Kuznitsov] So day one, we ask ourselves and our users which systems are in scope. We actually build GRC programs or rebuild GRC programs bottom up. We don’t do top-down approach. So which processes are part of your risk and compliance regime translates to which systems are in scope.
We integrate to these systems. We extract data. On day one, there’s a lot of value just by integrating to this. Why? Because we have existing experience with enterprises. We helped us to shape the data pipelines of Anecdotes. On day two, we import the controls environment.
We import the risk registers, and we’re using AI to map them to the data artifacts. So this is a very short process, and we’re actually very proud that when we onboard a client, it takes a matter of weeks. It’s not an 18-month project to establish your GRC program on a new tool.
[Rich Stroffolino] The environment is not static that Anecdotes plays in a company. Sources disappear, APIs break, things can go wrong in a number of ways, just like it happens in SecOps, for example. What mechanism did you put in place to essentially ensure that you’re not misrepresenting the picture because of those and you have a traceability almost like on the resiliency of your own sources?
It has nothing to do with what you’re gathering. It’s just the infrastructure behind it is naturally changing and crumbling. So you need to be resilient to that.
[Yair Kuznitsov] So the origins of Anecdotes are actually cyber security. We’re a bunch of people that did cyber security before this. That was actually very intriguing for us to ensure that whenever a data source is plugged out, whenever an account is out of scope, having the ability to let the GRC managers first be notified that part of what they’re assuming is not functioning the way it functioned before.
It has multiple layers, whether the specific integration doesn’t work, whether specific artifacts are not flowing in anymore. So we created these mechanisms to hopefully help GRC managers that are technical that understand you have to take care of your sources and pipelines first because that’s the way to ensure that it’s really working and we’re not missing anything.
[Rich Stroffolino] Yair, what’s one thing we didn’t ask about that we need to know?
[Yair Kuznitsov] Everyone asked about audits, audits, audits, audits. I’m so glad that no one here asked about can you guarantee that to pass my audit? But I think it’s a valid question just to share with our audience what exactly enterprise teams are looking at.
Audits are byproducts. They’re great. They need to have enough confidence that I can pass an audit, but audits are not the north star in enterprise GRC programs. So I really hope that whoever is listening to this, PCI, ISO, whatever you have, don’t worry.
Risk management and actual control of your risk posture, this is big, much bigger.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to anecdotes.ai. If you have any feedback about this show, send it to us, feedback@CISOseries.com. Thanks to Andrea and Brett for helping us learn more about what Anecdotes is all about.
Thanks to you, Yair, for your time and being game to answer all of these questions. Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.