The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.
Why Risk Technology Is More Exposed to the Systems of Record Shift Than Other Software Categories
Between December 2025 and February 2026, venture commentary converged on an architectural argument: traditional systems of record are losing primacy as agentic AI takes over execution, and value is migrating from the systems that record state to the systems that capture reasoning. Sarah Wang at Andreessen Horowitz, Jamin Ball at Clouded Judgement, and Jaya Gupta and Ashu Garg at Foundation Capital each made a version of the case in pieces published within two weeks of one another.
The venture commentary drew its examples from sales, support, and finance. Those domains can tolerate lossy decision capture. Risk technology cannot. Audit, compliance, and assurance are not optional use cases bolted onto risk platforms. They are the reason the platforms exist, and each of them requires the ability to answer why something was allowed to happen.
The IRM50 AI Disruption Risk Index measures vendor-level exposure across fifty IRM and GRC platforms. The gap between tier one and tier five is not incremental. It is the difference between absorbing the shift and being absorbed by it.
What Risk Leaders Need to Know About AI Infrastructure
Risk leaders are sitting in vendor briefings where the presenter uses the words "agentic," "MCP," "orchestration," and "autonomous" in the same sentence, often without defining any of them. Most audiences nod along. A growing number are starting to ask harder questions. The ones who understand the infrastructure layer underneath the marketing claims are getting better answers.
This is not a technology article. It is a procurement and governance article. The AI infrastructure concepts that matter for risk leaders are not technical curiosities. They determine whether a vendor's agentic AI claims are architecturally real or a chat interface with a new label. They determine whether your organization's AI agents will operate within auditable guardrails or outside them. And they determine how exposed your technology investments are as AI reshapes the economics of risk and compliance delivery.
This article tells you what you need to know.
The IRM Vendor Market: What the Major Analyst Firms Won’t or Can’t Tell You
The IRM vendor market spans five segments — GRC, ERM, ORM, TRM, and Risk Management Consulting — but no major analyst firm covers all five in a single research program. Gartner focuses exclusively on Assurance Leaders. Forrester and IDC treat GRC and cybersecurity as separate tracks. The 2025-2026 IRM Navigator™ Vendor Compass from Wheelhouse Advisors is the only research series that evaluates vendors across all five IRM segments using a consistent methodology. This article explains how buyers, investors, and vendors can use the free interactive Vendor Compass Segment Summary to answer the market questions that traditional analyst research leaves unanswered.
Chasing the Certificate: How AI Hype Is Putting Vendors, Buyers, and Investors at Risk
The Agentic GRC market has a sequencing problem. AI agents that autonomously collect evidence, monitor controls, and generate audit-ready documentation are real capabilities, and they are being deployed at scale before the compliance programs underneath them are mature enough to make them trustworthy.
The Delve case, in which a Y Combinator-backed platform allegedly let its agents generate auditor conclusions rather than supporting independent auditors who drew their own, is the most visible proof point of that dynamic. But the more important question is not what Delve did. It is what conditions made it possible, and whether those conditions are specific to one startup or structural to the segment.
Who is responsible when an Agentic GRC platform collapses the auditor-client boundary?
What does a buyer's procurement process need to ask to detect that collapse before it produces legal exposure?
And what does investment diligence look like for a platform category where the core product is trust itself?
The IRM Navigator Curve, developed by Wheelhouse Advisors, establishes that Foundational program integrity is not optional preparation for agentic deployment. It is the architectural prerequisite without which agentic compliance capabilities are structurally unstable.
The IRM50 AI Disruption Risk Index provides the second dimension: a structured framework for evaluating which platforms in the compliance automation segment are built on durable integrity architecture and which are carrying the kind of artifact-production dependency that the Delve allegations represent at their extreme.
This article examines the Delve case through both lenses, raises the specific questions each constituency needs to answer, and explains why the AI disruption frenzy has made all of them harder to ask and more expensive to ignore.
Professional Services Firms Admit AI Is an Existential Risk
PwC just announced PwC One, an AI platform that delivers tax, audit, and consulting services directly to clients without a PwC professional in the loop. CEO Paul Griggs warned this week that partners who resist are "not going to be here that long." Accenture said something similar earlier this month.
Two of the largest professional services firms in the world have now publicly acknowledged that AI threatens their core business model. But the bigger question is not what happens to PwC and Accenture.
It is what happens to the technology vendors who depend on them.
Subscribe free to The RiskTech Journal to learn more.
Thoma Bravo’s Investor Meeting Sends a Warning RiskTech Cannot Ignore
Orlando Bravo did not mince words at Thoma Bravo’s annual investor meeting in Miami yesterday. Speaking exclusively with CNBC’s Leslie Picker on the floor of the event, the firm’s founder and managing partner addressed the AI disruption narrative head-on – and drew a sharp line between the software companies his firm owns and the ones it would not touch. “There are many, many software companies in the public markets that will be disrupted from AI,” Bravo told Picker. “Those companies were going to be disrupted anyway. AI will create that disruption a lot faster, and some of the decreases in their valuations are very warranted.”
Thoma Bravo manages over $183 billion in assets across roughly 80 enterprise software companies, making it the largest investment firm with concentrated exposure to the software sector. That portfolio visibility – into customer contracts, renewal rates, and the operating fundamentals of dozens of companies – gives Bravo’s assessment unusual weight. This was not a market prediction. It was a practitioner’s observation. The RiskTech industry should take it seriously.
Wheelhouse Advisors Launches the IRM Knowledge Hub for Boards, Executives, Practitioners, and IRM Market Investors
Integrated Risk Management (IRM) is entering a new phase. Market conditions and operating realities are shifting at the same time, and the organizations best positioned to navigate that shift are the ones that have already built a coherent, shared foundation for how they define, measure, and manage risk. Wheelhouse Advisors built the IRM Knowledge Hub to provide exactly that foundation.
The Hub is a public reference destination designed to standardize how organizations define, communicate, and operationalize Integrated Risk Management. It consolidates IRM fundamentals, maturity progression, and technology market structure into a single, navigable location so stakeholders can align on what IRM is, what complete looks like, and how capability should evolve as risk becomes more digital, more interconnected, and more time-compressed.
At its core, the Hub defines IRM as a disciplined, organization-wide approach to identifying, assessing, and managing risk in explicit alignment with business strategy and performance, treating risk as a shared strategic asset rather than a set of isolated functional problems. It also frames IRM as the unification of four historically fragmented domains: ERM, ORM, TRM, and GRC.
We Scored 50 IRM Vendors on AI Disruption Risk. Six Market Leaders Landed in Five Different Tiers.
The IRM market runs on two assumptions that deserve harder scrutiny. The first: that market leadership reflects structural durability. The second: that “integrated” platforms deliver the integration that enterprises actually need. This month, Wheelhouse Advisors publishes two companion research notes on The RTJ Bridge that challenge both assumptions directly.
The Integration Trap for GRC examines seven major GRC and IRM vendors and surfaces a structural pattern the market has not confronted honestly. The IRM50 AI Disruption Risk Index extends that analysis across the full IRM50 ecosystem and assigns every vendor a disruption exposure tier based on where AI will compress monetized work first. Together, they deliver a new lens for evaluating vendor durability that buyers, boards, and vendors themselves should read carefully.
This article previews both studies. The full research, including individual vendor assessments, tier assignments, and the analytical framework behind them, is available exclusively on The RTJ Bridge.
How Integrated Risk Management Enables Cyber-ERM Convergence
Recent research from the American Productivity & Quality Center reveals a sobering reality: only 41% of organizations have achieved meaningful integration between cybersecurity and enterprise risk management, and just 23% have unified third-party risk management. This gap persists despite widespread GRC platform adoption, revealing that compliance-first architectures cannot deliver the risk-first integration that cyber-ERM convergence requires. Integrated Risk Management provides the essential infrastructure to bridge this divide through its four-pillar framework: Performance, Resilience, Assurance, and Compliance.
Board Priorities 2026: The Integration Trap
Boards are entering 2026 with a materially different capital allocation posture. For the first time in more than a decade, growth through mergers and acquisitions has been displaced as the dominant investment priority. In its place sits technology adoption and integration.
This shift is not cosmetic. It reflects a board-level acknowledgment that fragmented systems, inconsistent data, and disconnected workflows have become binding constraints on execution. However, new research reveals a dangerous paradox. Boards are prioritizing integration at the same time they report their largest expertise gaps in artificial intelligence, cybersecurity, and geopolitical risk.
The result is a growing integration trap: organizations accelerating the flow of data and automation without the corresponding ability to interpret signals, assign decision rights, or execute timely responses. Integration, pursued without integrated risk management discipline, amplifies risk rather than containing it. This article examines the forces driving the board pivot, the structural risks embedded in the integration-first mindset, and the implications for risk, audit, compliance, and technology leaders navigating 2026.
Reality Check: The “Always On” Enterprise Can Burn Itself Out
The market is falling in love with the idea of the “homeostatic enterprise,” an organization that continuously senses drift and continuously corrects. It sounds like the end of quarterly risk theater and the start of real-time resilience.
But here is the uncomfortable truth. Many organizations are already “always on,” and they are not stable. They are exhausted.
They survive through constant adaptation, nonstop escalation, and a culture that rewards heroic recovery over engineered stability. Over time, that chronic strain becomes a structural condition. In stress science, the cumulative wear and tear is called allostatic load. In organizations, it shows up as chronic rework, exception overload, control debt, and a widening gap between effort and outcomes.
The risk for leaders is obvious: you can modernize sensing and orchestration and still make the enterprise worse by accelerating the machine that is already burning people and processes down.
The 2026 Convergence: Integrated Risk Management In a New Era
The 2026 global risk survey cycle marks an inflection point in how risk is understood, prioritized, and operationalized by large organizations. For the first time in several years, leading surveys from Aon, Allianz, the World Economic Forum, Protiviti, PwC, Marsh, Zurich, and Eurasia Group are not merely aligned on top risks, they are aligned on why those risks are proving so difficult to manage with legacy approaches.
Cyber remains the top-ranked risk globally. Geopolitical volatility has become a structural operating condition rather than a periodic shock. Artificial intelligence has moved decisively from emerging concern to material enterprise exposure. Third-party dependency is now treated as a first-order risk category. Across these themes, one signal is clear: risk is no longer behaving as a set of discrete domains. It is behaving as an interconnected system of dependencies, amplifiers, and cascading impacts.
This convergence explains why Integrated Risk Management (IRM) is shifting from an architectural aspiration to an execution requirement.
IRM Navigator: The Operating Model for Integrated Risk Management
Many organizations have adopted ERM standards and clarified accountability, yet risk still fails to shape planning, capital allocation, and operational decisions. The gap is not conceptual. It is operational. Most programs have guidance on what effective risk management should achieve and who should perform key activities, but they lack an operating model that specifies how risk work is unified across domains and instrumented through business processes and technology.
WEF Claims AI Governance is a Growth Strategy
The recent World Economic Forum argument that “effective AI governance” is now a growth strategy is directionally correct, and also incomplete in a way that will matter for buyers in 2026. The claim is correct because governance reduces friction, clarifies accountability, and increases repeatability as AI moves from pilots to enterprise scale. The claim is incomplete because many organizations are calling the entire operating model “AI governance,” when the value is realized only when governance is translated into management execution.
RiskTech Buyer Trap - When “Next Gen SaaS” Signals Foundation Rebuild, Not Integration Maturity
The GRC and broader RiskTech platform landscape is in a visible transition cycle. Several large vendors are rebranding portfolios, introducing AI capabilities, and emphasizing SaaS-first delivery and modern user experiences. Buyers often interpret these moves as a direct signal of near-term integration maturity, faster operational embedding, and “out of the box” IRM outcomes.
That interpretation can be costly.
The more reliable buyer lens is to recognize that platform modernization usually follows a sequenced transformation path, and integration maturity tends to become repeatable only after the new baseline stabilizes across SaaS delivery, experience, and extensibility.
Why DORA Metrics Belong in the Risk Committee Packet
Boards increasingly receive dashboards showing deployment speed, incident counts, and technology uptime. What is often missing is the recognition that software delivery performance is now a primary driver of enterprise risk. Every material change to products, services, data flows, and controls is executed through software delivery pipelines.
DORA metrics were created to measure delivery performance, but when viewed through an integrated risk lens, they function as early-warning indicators of change risk, operational resilience, and assurance quality. Boards that treat these metrics as engineering detail miss one of the clearest signals of whether risk controls are embedded or cosmetic.
Governance and Management: The Distinction That Determines Risk Effectiveness
Executives often use “governance” and “management” interchangeably, but they are distinct disciplines. Without a clear line between them, policies never translate into behavior.
The difference is structural. Governance defines expectations. Management delivers outcomes.
This is the biggest blind spot in AI. Companies mistake principles and checklists for control. But governance is only the guardrails. It cannot catch model drift or detect bias. That is the job of management.
Governance does not scale by adding more rules. Management does not scale by adding more meetings.
[Read the full article to stop confusing documentation with execution.]
The IRM Navigator™ Curve: A Faster Way to Classify Vendors and Clarify Your Risk Technology Roadmap
Most organizations still evaluate risk technology using surface features or maturity labels that do not reveal where a solution truly fits in the broader risk ecosystem. The IRM Navigator™ Curve provides a more reliable assessment. It combines the five IRM maturity levels with the four underlying investment domains to show how organizations advance from Risk Dysfunction to Risk Agency. This article introduces the curve in plain terms and provides a quick test that allows buyers to slot any vendor on the curve in less than two minutes.
Why Data Streaming Is the Hidden Backbone of Autonomous IRM
Data streaming has become a foundational capability for modern enterprises. As organizations move away from periodic reporting and manual control cycles, the emphasis has shifted to continuous sensing, real time telemetry, and rapid mitigation. These operational patterns depend on data in motion, not data at rest. Streaming architectures now sit at the center of this shift.
The acquisition of Confluent announced today by IBM reinforces this point. Confluent is the leading commercial platform built on Apache Kafka, one of the most widely adopted streaming technologies worldwide. The acquisition signals that streaming has moved from a niche data engineering function to a strategic capability that enables AI operations, continuous controls, and integrated risk programs. Enterprises are recognizing that autonomous risk management depends on steady, reliable streams of operational signals that can be sensed, analyzed, and acted upon in real time.
GRC Without Visionaries: What the 2025 Gartner® Magic Quadrant™ Reveals About the Future of Risk
The release of the “2025 Gartner® Magic Quadrant™ for Governance, Risk and Compliance (GRC) Tools, Assurance Leaders” marks an important turning point in the evolution of enterprise risk technology. For the first time in nearly two decades of coverage, Gartner has explicitly defined the GRC category around assurance leaders rather than enterprise risk or governance audiences.
Equally significant is the visual structure of the 2025 quadrant, which contains an entirely empty Visionaries section. While some may interpret this as a sign of stagnation, it more accurately reflects a market that has entered its integration phase. The GRC segment has reached functional maturity and operational stability, creating the foundation upon which the next generation of Integrated Risk Management (IRM) and Autonomous IRM capabilities will develop.
Here, we analyze the implications of the 2025 Magic Quadrant through the lens of the IRM Navigator™ Model and the recent IRM Navigator™ Vendor Compass for Governance, Risk and Compliance (GRC) - 2025 Edition. Our research concludes that the absence of Visionaries does not indicate a failure of innovation, but rather the outcome of successful specialization. GRC has become the operational core of enterprise assurance, while IRM now defines the broader architecture of enterprise confidence and decision intelligence.