The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.
The Fraud Market Is Funding Its Way Toward Autonomous IRM
CB Insights just mapped more than 200 companies building the next generation of fraud and trust infrastructure. The pattern in the funding is worth sitting with. The platforms pulling in the most capital have stopped selling single tools. They sell one system that handles risk decisioning, case management, and compliance at once. CB Insights calls it the integrated stack. Fraud detection drew three and a half times the equity capital in 2025 that it raised the year before, and the orchestration platforms that fold identity, monitoring, and compliance into one system post the highest average company-health scores anywhere on the map. Sardine, SEON, and Feedzai lead that group, and they are the ones that have absorbed the most functions.
The Agent Sprawl Problem Is an IRM Problem
FICO’s chief information officer told The Wall Street Journal this week that his company’s 3,500 employees are creating dozens of new AI agents every single day. DaVita’s employees have created more than 10,000. GitLab’s CIO says their existing governance guardrails are “holding the line” — which is another way of saying the pressure is real and building. The Wall Street Journal is calling this “AI agent sprawl.” Risk professionals should recognize it by a different name: a governance failure in progress.
The mechanism is not complicated. Platforms like Claude Cowork and open-source orchestration tools have made it trivially easy for nontechnical employees to spin up independent AI agents. That accessibility is, by design, a feature. The problem is that features do not come with governance structures. When every employee at every tier of an organization can create an agent that writes briefs, manages data sets, or executes workflows, the organization does not have an AI strategy. It has an AI population.
The NC State ERM Summit Just Proved the COSO Survey Right
Last week, more than 110 enterprise risk management practitioners gathered at NC State's Poole College for the 2026 ERM Roundtable Summit. The case studies they shared were compelling. The programs they described were mature, relationship-driven, and genuinely effective at connecting risk functions across large, complex organizations. They also illustrated, with striking precision, exactly why the COSO/Crowe survey published earlier this year found that only 7 percent of ERM programs are seen as strategic partners by the business.
That is not a criticism of the practitioners. It is a diagnosis of where most ERM programs sit on the maturity curve, and what the next investment must accomplish to move beyond it.
Why Your ERM Program Cannot Get a Seat at the Strategy Table
Every chief risk officer reading this knows the conversation. The CEO asks what the top three strategic risks are this quarter. The answer comes from a quarterly risk register refresh and a heat map. The CEO nods, thanks the CRO, and moves on. Nothing changes.
The new COSO/Crowe practitioner guide, From Guidance to Action: Exploring Practical Enterprise Risk Management, just put a number on how widespread this pattern is. Ninety-three percent of enterprise risk management programs are stuck on the wrong side of the strategy conversation, and the reason is not what most risk leaders have been told.
What ServiceNow Just Announced Is Bigger Than a Security Story
ServiceNow announced Autonomous Security and Risk on Tuesday morning, integrating its recent acquisitions of Armis and Veza into the ServiceNow AI Platform under what the company calls the AI Control Tower. The press release framed the launch as a way to govern every AI agent, identity, and connected asset across the enterprise. I am writing from Knowledge ’26 in Las Vegas, where the announcement landed in the opening keynote and where the architectural ambition behind it has been on display all week.
The first-wave coverage is reading the announcement as a security story. The Armis acquisition closed two weeks ago, the Veza integration extends identity controls to the AI agents now operating inside enterprises, and a new generation of what ServiceNow calls AI specialists handles vulnerability remediation and security operations end to end. Those elements are real, and the security framing is not wrong. It is incomplete. What ServiceNow has actually announced is the first complete commercial architecture for governing the autonomous enterprise. We have been writing about the emergence of this category, autonomous integrated risk management (IRM), in The RiskTech Journal (RTJ) since October 2024.
Why Risk Technology Is More Exposed to the Systems of Record Shift Than Other Software Categories
Between December 2025 and February 2026, venture commentary converged on an architectural argument: traditional systems of record are losing primacy as agentic AI takes over execution, and value is migrating from the systems that record state to the systems that capture reasoning. Sarah Wang at Andreessen Horowitz, Jamin Ball at Clouded Judgement, and Jaya Gupta and Ashu Garg at Foundation Capital each made a version of the case in pieces published within two weeks of one another.
The venture commentary drew its examples from sales, support, and finance. Those domains can tolerate lossy decision capture. Risk technology cannot. Audit, compliance, and assurance are not optional use cases bolted onto risk platforms. They are the reason the platforms exist, and each of them requires the ability to answer why something was allowed to happen.
The IRM50 AI Disruption Risk Index measures vendor-level exposure across fifty IRM and GRC platforms. The gap between tier one and tier five is not incremental. It is the difference between absorbing the shift and being absorbed by it.
The IRM Vendor Market: What the Major Analyst Firms Won’t or Can’t Tell You
The IRM vendor market spans five segments — GRC, ERM, ORM, TRM, and Risk Management Consulting — but no major analyst firm covers all five in a single research program. Gartner focuses exclusively on Assurance Leaders. Forrester and IDC treat GRC and cybersecurity as separate tracks. The 2025-2026 IRM Navigator™ Vendor Compass from Wheelhouse Advisors is the only research series that evaluates vendors across all five IRM segments using a consistent methodology. This article explains how buyers, investors, and vendors can use the free interactive Vendor Compass Segment Summary to answer the market questions that traditional analyst research leaves unanswered.
Chasing the Certificate: How AI Hype Is Putting Vendors, Buyers, and Investors at Risk
The Agentic GRC market has a sequencing problem. AI agents that autonomously collect evidence, monitor controls, and generate audit-ready documentation are real capabilities, and they are being deployed at scale before the compliance programs underneath them are mature enough to make them trustworthy.
The Delve case, in which a Y Combinator-backed platform allegedly let its agents generate auditor conclusions rather than supporting independent auditors who drew their own, is the most visible proof point of that dynamic. But the more important question is not what Delve did. It is what conditions made it possible, and whether those conditions are specific to one startup or structural to the segment.
Who is responsible when an Agentic GRC platform collapses the auditor-client boundary?
What does a buyer's procurement process need to ask to detect that collapse before it produces legal exposure?
And what does investment diligence look like for a platform category where the core product is trust itself?
The IRM Navigator Curve, developed by Wheelhouse Advisors, establishes that Foundational program integrity is not optional preparation for agentic deployment. It is the architectural prerequisite without which agentic compliance capabilities are structurally unstable.
The IRM50 AI Disruption Risk Index provides the second dimension: a structured framework for evaluating which platforms in the compliance automation segment are built on durable integrity architecture and which are carrying the kind of artifact-production dependency that the Delve allegations represent at their extreme.
This article examines the Delve case through both lenses, raises the specific questions each constituency needs to answer, and explains why the AI disruption frenzy has made all of them harder to ask and more expensive to ignore.
Professional Services Firms Admit AI Is an Existential Risk
PwC just announced PwC One, an AI platform that delivers tax, audit, and consulting services directly to clients without a PwC professional in the loop. CEO Paul Griggs warned this week that partners who resist are "not going to be here that long." Accenture said something similar earlier this month.
Two of the largest professional services firms in the world have now publicly acknowledged that AI threatens their core business model. But the bigger question is not what happens to PwC and Accenture.
It is what happens to the technology vendors who depend on them.
Subscribe free to The RiskTech Journal to learn more.
Thoma Bravo’s Investor Meeting Sends a Warning RiskTech Cannot Ignore
Orlando Bravo did not mince words at Thoma Bravo’s annual investor meeting in Miami yesterday. Speaking exclusively with CNBC’s Leslie Picker on the floor of the event, the firm’s founder and managing partner addressed the AI disruption narrative head-on – and drew a sharp line between the software companies his firm owns and the ones it would not touch. “There are many, many software companies in the public markets that will be disrupted from AI,” Bravo told Picker. “Those companies were going to be disrupted anyway. AI will create that disruption a lot faster, and some of the decreases in their valuations are very warranted.”
Thoma Bravo manages over $183 billion in assets across roughly 80 enterprise software companies, making it the largest investment firm with concentrated exposure to the software sector. That portfolio visibility – into customer contracts, renewal rates, and the operating fundamentals of dozens of companies – gives Bravo’s assessment unusual weight. This was not a market prediction. It was a practitioner’s observation. The RiskTech industry should take it seriously.
Wheelhouse Advisors Launches the IRM Knowledge Hub for Boards, Executives, Practitioners, and IRM Market Investors
Integrated Risk Management (IRM) is entering a new phase. Market conditions and operating realities are shifting at the same time, and the organizations best positioned to navigate that shift are the ones that have already built a coherent, shared foundation for how they define, measure, and manage risk. Wheelhouse Advisors built the IRM Knowledge Hub to provide exactly that foundation.
The Hub is a public reference destination designed to standardize how organizations define, communicate, and operationalize Integrated Risk Management. It consolidates IRM fundamentals, maturity progression, and technology market structure into a single, navigable location so stakeholders can align on what IRM is, what complete looks like, and how capability should evolve as risk becomes more digital, more interconnected, and more time-compressed.
At its core, the Hub defines IRM as a disciplined, organization-wide approach to identifying, assessing, and managing risk in explicit alignment with business strategy and performance, treating risk as a shared strategic asset rather than a set of isolated functional problems. It also frames IRM as the unification of four historically fragmented domains: ERM, ORM, TRM, and GRC.
We Scored 50 IRM Vendors on AI Disruption Risk. Six Market Leaders Landed in Five Different Tiers.
The IRM market runs on two assumptions that deserve harder scrutiny. The first: that market leadership reflects structural durability. The second: that “integrated” platforms deliver the integration that enterprises actually need. This month, Wheelhouse Advisors publishes two companion research notes on The RTJ Bridge that challenge both assumptions directly.
The Integration Trap for GRC examines seven major GRC and IRM vendors and surfaces a structural pattern the market has not confronted honestly. The IRM50 AI Disruption Risk Index extends that analysis across the full IRM50 ecosystem and assigns every vendor a disruption exposure tier based on where AI will compress monetized work first. Together, they deliver a new lens for evaluating vendor durability that buyers, boards, and vendors themselves should read carefully.
This article previews both studies. The full research, including individual vendor assessments, tier assignments, and the analytical framework behind them, is available exclusively on The RTJ Bridge.
How Integrated Risk Management Enables Cyber-ERM Convergence
Recent research from the American Productivity & Quality Center reveals a sobering reality: only 41% of organizations have achieved meaningful integration between cybersecurity and enterprise risk management, and just 23% have unified third-party risk management. This gap persists despite widespread GRC platform adoption, revealing that compliance-first architectures cannot deliver the risk-first integration that cyber-ERM convergence requires. Integrated Risk Management provides the essential infrastructure to bridge this divide through its four-pillar framework: Performance, Resilience, Assurance, and Compliance.
The IRM Navigator™ Curve: A Faster Way to Classify Vendors and Clarify Your Risk Technology Roadmap
Most organizations still evaluate risk technology using surface features or maturity labels that do not reveal where a solution truly fits in the broader risk ecosystem. The IRM Navigator™ Curve provides a more reliable assessment. It combines the five IRM maturity levels with the four underlying investment domains to show how organizations advance from Risk Dysfunction to Risk Agency. This article introduces the curve in plain terms and provides a quick test that allows buyers to slot any vendor on the curve in less than two minutes.
AWS Outage, What Happened And How To Prepare With Integrated Risk Management
On Monday, October 20, a fault in Amazon Web Services’ US-EAST-1 region disrupted Domain Name System (DNS) resolution for the Amazon DynamoDB regional endpoint. The failure propagated into other AWS subsystems that rely on that endpoint and produced widespread service degradation across many internet applications. AWS reported that services stabilized by late afternoon Pacific time, with some services clearing backlogs afterward. These facts are supported by AWS service updates and independent internet measurement reports.
When Tokens Turn Toxic: How the Salesforce Supply Chain Breach Exposed the SaaS Domino Effect
A coordinated campaign has exploited a popular integration between Salesloft, Drift, and Salesforce, resulting in unauthorized access across some of the world’s most trusted enterprises. Palo Alto Networks, Zscaler, Cloudflare, and Proofpoint have all confirmed impacts to their Salesforce environments, while Okta reported blocking the attack through network restrictions.
The GRC Blind Spot: What the SharePoint Cyberattack Reveals About Risk Management Vulnerabilities
This past weekend, Microsoft confirmed that attackers exploited a critical zero-day vulnerability in on-premises SharePoint servers—a breach that quickly escalated into a global cybersecurity incident. Governments, universities, energy providers, and private enterprises were affected. At least 85 servers were confirmed compromised within 48 hours, with analysts warning that tens of thousands remained at risk.
The IRM50 All-Stars Take the Field
Wheelhouse Advisors Releases 2025 Lineup on MLB's Biggest Stage
On the same day baseball's best step up to the plate at the 95th MLB All-Star Game in Atlanta, Wheelhouse Advisors has released its all-star roster: the 2025 IRM50.
And just like the Midsummer Classic, this announcement celebrates top-tier talent, position-specific excellence, and strategic versatility—only this time, the field is Integrated Risk Management (IRM), not Truist Park. Wheelhouse's IRM50 recognizes the 50 most influential technology and consulting providers driving the future of IRM. The timing isn't just symbolic—Wheelhouse Advisors is also headquartered in Atlanta, and this year's report marks the broadest, most globally representative IRM50 to date.
From Permit to Platform—How CTRL WRK Turns Lockout/Tagout into an Autonomous IRM Use Case
A high-risk, paper-bound safety workflow finds new life on the ServiceNow platform—signaling a broader shift toward AI-enabled operational risk intelligence.
What was once a clipboard-bound safety task has now become a signal of something larger: the acceleration of Autonomous Integrated Risk Management (Autonomous IRM) through purpose-built, domain-native micro-apps. On June 2, CTRL WRK—a GenAI-powered “Control of Work” (CoW) application focused on lockout/tagout (LOTO) permitting—launched on the ServiceNow Store. While its function is precise, the implications are far-reaching.
This is more than digitization. It’s the embodiment of a broader market shift: from static compliance toward dynamic, AI-enabled risk management embedded directly into operational workflows.
Beyond the Firewall - Why Integrated Risk Management Is the Missing Layer in Cyber Defense
The recent revelation that Marks & Spencer—one of Britain’s most iconic retailers—suffered a cyberattack that could cost it up to £300 million in annual operating profit is a reminder that no amount of cybersecurity spending can fully inoculate a company from human error. The attack, reportedly traced to a third-party vendor and facilitated by social engineering, underscores a hard truth: cybersecurity is necessary, but not sufficient.
Despite boosting its cyber investment by 75% and quadrupling its team over the past two years, M&S was not spared. Nor were other well-known retailers like Harrods and the Co-op grocery group. These incidents reflect a deeper problem in the digital defense playbook—one that requires a broader, integrated approach to risk.