• Why trust collapses faster than it builds

• How to govern AI tools without killing innovation

• The shift in third-party risk evaluation for AI vendors

• Why you should embed AI pods inside business functions

• How to democratize GRC engineering without hiring software engineers
  
  

Episode resources: 

• Mike Britton on LinkedIn: https://www.linkedin.com/in/mrbritton/ 

• Abnormal AI Website: https://abnormal.ai/ 

• Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam 

• Drata Website: https://drata.com/ 

Highlights:

• 00:00 Introduction

• 01:07 From CISO to CIO

• 02:54 Defining Trust and Why It’s Expensive to Regain

• 04:37 How AI Pushes Trust Into a New Frontier

• 07:35 AI-Native Operations

• 09:35 AI Transformation Without Touching Customer Data

• 12:57 Governance That Doesn’t Block

• 16:36 The Emerging Third-Party Risk

• 19:22 Why Trust Centers Don’t Replace Human Trust

• 27:27 Hiring for the AI Era

• 29:58 The Rise of the GRC Engineer

• 32:28 SecOps vs. GRC Divide

• 35:04 What CEOs Should Ask Their CIO/CISO

• 35:49 Books That Shaped Mike’s Approach
  
  

Quotes:

1. “Trust is one of these attributes where anytime you've broken trust, it's always so much harder to regain trust. It can be lost in a second, and it takes years to regain. Even small things that damage trust, the level of effort that it takes to regain that is monumental versus how easy it is to lose it.”
2. “Right now, we want AI tools to be assistance and facilitators, but if that's only where we go, then we've missed the mark of really the age of AI and the true potential of it. We're looking at where we can identify routine mundane tasks and expand a role's potential through context, automation, and agentic things to help them see more and pull in more context faster.”
3. “Four and a half, five years ago, customers weren't really asking AI questions because they probably didn't understand it. Now, we have an AI addendum and an AI council that we have to go through. The market has swung too far in one direction, but I look at SOC 2 Type II and ISO certification as a minimum playing field, not necessarily a seal of approval.”
4. “I want every single GRC person to be a GRC engineer. The beauty of Claude Code and ChatGPT is it democratized a skill set that wasn't there or was exclusively reserved to developers. You don't have to be a Python developer. You just have to have an idea, know what bad is and what good is, and AI can help you solve it.”
   
   

• How to define trust operationally and use a practical framework to assess security risks
  
  
• Why shadow AI is the new shadow IT challenge and how to strike the balance between managing AI risk and enabling productivity 
  
  
• The real timeline for AI governance maturity and why expecting mature AI risk frameworks within months (not years) is unrealistic
  
  
• How to build a trust dashboard that speaks to executives using FAIR methodology 

• Which skill sets your GRC team actually needs in 20265

• How AI is already freeing up your team for strategy and where the next productivity breakthrough lies 

1. "You can't build anything without trust. I think quite simply, it means you've assessed the other party to be a safe place where you can open up or be vulnerable, with the things that you value, whether that's possessions or thoughts or even feelings.”
2. "The skill set is certainly changing. We have worked with our team to make sure that everybody is taking baseline AI training to understand how models work, how LLMs work, how the engagement context engines work. We've been hiring people with backgrounds in ML and people that understand this at one layer deeper than a GRC team has ever had to engage before."
3. "Everything feels huge when you're younger - everything feels like a big mistake or a big compliance deficiency. How you manage the relationships with people throughout the way is far more impactful than fixing every individual problem."
4. "It is a myth that you can get a SOC 2 in twenty days for five thousand dollars. You can spend twenty days and $5,000 and get a SOC 2, but it is impossible to do that well - to do a quality job and get anything done in terms of security or actual risk management. It's not gonna happen in twenty days."
   
   

• How to reframe security's role from blocker to enabler - the "department of know"
  
  
• The critical gap between certification and continuous trust

• The skill set that actually matters in an AI-native GRC world

• How to evaluate whether an AI tool is trustworthy, going beyond just vendor legitimacy

• Why questionnaires, policies, and vendor reviews are your fastest onboarding accelerators

• The hidden risk no one's talking about: permission creep with AI agents

1. “When the early days of knowing and figuring out what it was like to break into sites and do certain things, they painted such a unique picture of how storied and how whimsical and all these things that go with hacking things in the reality. It's not as fun or sexy, but tinkering, hacking, the communities that are out there, it is a very colorful environment of people and characters.”
2. "Being a leader as someone that has an opportunity and I'm blessed to be able to go into these startups and build, but also work with founders and feel the value that goes in and the outcomes that actually occur. When you share those sort of ambitions together in that pace, it can lead to an amazing thing."
3. "If you're too nice, if you leave too many doors open, I think a lot of folks will take advantage of that, and being too polite can actually be to your detriment. It's a hard balance between being direct and being rude, but you have to know your worth by knowing your boundaries."
4. "You have to know your worth by knowing your boundaries. That, to me, changed everything in how I operate and where I'm at today. It's not just about being protective—it's about being strategic in how you allocate your most valuable resource: your time."

• How to define trust in an interconnected world and why it’s the measure of due diligence in today’s day and age
  
  
• The three AI risk buckets that demand different strategies: AI usage, AI security and AI safety 
  
  
• Why use cases and trust are inseparable and how to enable flexibility 
  
  
• How to build your “trust dashboard” across the organization
  
  
• Why compliance and security have stopped fighting and have become more synergetic The hidden cost of fast AI adoption that boards aren’t seeing 

• How to reframe GRC as a business growth engine, instead of a peripheral checklist department

1. "If you break it down, the way I look at it is you have AI usage, you have AI security, and then you have AI safety, and they're all kind of three distinct buckets. From the organization's perspective, if you're going to allow AI, you wanna make sure you're protecting corporate data.”
2. "How can I measure trust without having a measuring stick to gauge that? That's kind of where compliance helps merge that and bring it all together. Every company is gonna have to tweak it a bit given their industry or sector, but there's definitely table stakes that every company should have in a trust dashboard."
3. "When a company adopts emerging tech faster, one of the things that gets overlooked is the additional security or IT budget needed to maintain that tech. You might get some efficiencies in operations, but to manage and secure that tech, there's gonna be other investments needed, and I think that level of ROI isn't happening yet across industry.
4. “When you're always trying to provide value, you should never stagnate because then you can be phased out, so learning is super important."