The RiskTech Journal

The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.

Cyber Regret at the Gartner Security & Risk Management Summit: From Risk Dysfunction to Risk Agency

The Gartner Security and Risk Management Summit is running this week at National Harbor in Washington, DC, and the theme is "Smarter, Faster, Stronger... Together." Almost every session points in one direction, which is speed. The opening keynote called the next eighteen months a compressed decision cycle where the cost of waiting keeps rising. The Day 1 sessions covered how to secure AI agents before they act on their own, how to scale AI in cybersecurity while proving a return, and where security skills and tools will be by 2030. The message to the CISOs in the room is simple. Move faster, especially on AI.

One session says the opposite, and it is the one to watch. Gartner has a name for it now, cyber regret. The research describes a reckoning building in boardrooms over the cybersecurity money spent in recent years.

The NC State ERM Summit Just Proved the COSO Survey Right

Last week, more than 110 enterprise risk management practitioners gathered at NC State's Poole College for the 2026 ERM Roundtable Summit. The case studies they shared were compelling. The programs they described were mature, relationship-driven, and genuinely effective at connecting risk functions across large, complex organizations. They also illustrated, with striking precision, exactly why the COSO/Crowe survey published earlier this year found that only 7 percent of ERM programs are seen as strategic partners by the business.

That is not a criticism of the practitioners. It is a diagnosis of where most ERM programs sit on the maturity curve, and what the next investment must accomplish to move beyond it.

Why Your ERM Program Cannot Get a Seat at the Strategy Table
Enterprise Risk Management, COSO, Strategy John A. Wheeler

Every chief risk officer reading this knows the conversation. The CEO asks what the top three strategic risks are this quarter. The answer comes from a quarterly risk register refresh and a heat map. The CEO nods, thanks the CRO, and moves on. Nothing changes.

The new COSO/Crowe practitioner guide, From Guidance to Action: Exploring Practical Enterprise Risk Management, just put a number on how widespread this pattern is. Ninety-three percent of enterprise risk management programs are stuck on the wrong side of the strategy conversation, and the reason is not what most risk leaders have been told.

What Risk Leaders Need to Know About AI Infrastructure
Artificial Intelligence, Autonomous IRM, AI Risk Samantha "Sam" Jones

Risk leaders are sitting in vendor briefings where the presenter uses the words "agentic," "MCP," "orchestration," and "autonomous" in the same sentence, often without defining any of them. Most audiences nod along. A growing number are starting to ask harder questions. The ones who understand the infrastructure layer underneath the marketing claims are getting better answers.

This is not a technology article. It is a procurement and governance article. The AI infrastructure concepts that matter for risk leaders are not technical curiosities. They determine whether a vendor's agentic AI claims are architecturally real or a chat interface with a new label. They determine whether your organization's AI agents will operate within auditable guardrails or outside them. And they determine how exposed your technology investments are as AI reshapes the economics of risk and compliance delivery.

This article tells you what you need to know.

The IRM Vendor Market: What the Major Analyst Firms Won’t or Can’t Tell You

The IRM vendor market spans five segments — GRC, ERM, ORM, TRM, and Risk Management Consulting — but no major analyst firm covers all five in a single research program. Gartner focuses exclusively on Assurance Leaders. Forrester and IDC treat GRC and cybersecurity as separate tracks. The 2025-2026 IRM Navigator™ Vendor Compass from Wheelhouse Advisors is the only research series that evaluates vendors across all five IRM segments using a consistent methodology. This article explains how buyers, investors, and vendors can use the free interactive Vendor Compass Segment Summary to answer the market questions that traditional analyst research leaves unanswered.

Chasing the Certificate: How AI Hype Is Putting Vendors, Buyers, and Investors at Risk
Delve, IRM, AI Disruption Risk Ori Wellington

The Agentic GRC market has a sequencing problem. AI agents that autonomously collect evidence, monitor controls, and generate audit-ready documentation are real capabilities, and they are being deployed at scale before the compliance programs underneath them are mature enough to make them trustworthy.

The Delve case, in which a Y Combinator-backed platform allegedly let its agents generate auditor conclusions rather than supporting independent auditors who drew their own, is the most visible proof point of that dynamic. But the more important question is not what Delve did. It is what conditions made it possible, and whether those conditions are specific to one startup or structural to the segment.

Who is responsible when an Agentic GRC platform collapses the auditor-client boundary?

What does a buyer's procurement process need to ask to detect that collapse before it produces legal exposure?

And what does investment diligence look like for a platform category where the core product is trust itself?

The IRM Navigator Curve, developed by Wheelhouse Advisors, establishes that Foundational program integrity is not optional preparation for agentic deployment. It is the architectural prerequisite without which agentic compliance capabilities are structurally unstable.

The IRM50 AI Disruption Risk Index provides the second dimension: a structured framework for evaluating which platforms in the compliance automation segment are built on durable integrity architecture and which are carrying the kind of artifact-production dependency that the Delve allegations represent at their extreme.

This article examines the Delve case through both lenses, raises the specific questions each constituency needs to answer, and explains why the AI disruption frenzy has made all of them harder to ask and more expensive to ignore.

Professional Services Firms Admit AI Is an Existential Risk
PwC, Accenture, IRM50 AI Disruption Risk Index Ori Wellington

PwC just announced PwC One, an AI platform that delivers tax, audit, and consulting services directly to clients without a PwC professional in the loop. CEO Paul Griggs warned this week that partners who resist are "not going to be here that long." Accenture said something similar earlier this month.

Two of the largest professional services firms in the world have now publicly acknowledged that AI threatens their core business model. But the bigger question is not what happens to PwC and Accenture.

It is what happens to the technology vendors who depend on them.

Thoma Bravo’s Investor Meeting Sends a Warning RiskTech Cannot Ignore

Orlando Bravo did not mince words at Thoma Bravo’s annual investor meeting in Miami yesterday. Speaking exclusively with CNBC’s Leslie Picker on the floor of the event, the firm’s founder and managing partner addressed the AI disruption narrative head-on – and drew a sharp line between the software companies his firm owns and the ones it would not touch. “There are many, many software companies in the public markets that will be disrupted from AI,” Bravo told Picker. “Those companies were going to be disrupted anyway. AI will create that disruption a lot faster, and some of the decreases in their valuations are very warranted.”

Thoma Bravo manages over $183 billion in assets across roughly 80 enterprise software companies, making it the largest investment firm with concentrated exposure to the software sector. That portfolio visibility – into customer contracts, renewal rates, and the operating fundamentals of dozens of companies – gives Bravo’s assessment unusual weight. This was not a market prediction. It was a practitioner’s observation. The RiskTech industry should take it seriously.

WEF Claims AI Governance is a Growth Strategy
World Economic Forum, AI Governance, IRM Navigator™ Samantha "Sam" Jones

The recent World Economic Forum argument that “effective AI governance” is now a growth strategy is directionally correct, and also incomplete in a way that will matter for buyers in 2026. The claim is correct because governance reduces friction, clarifies accountability, and increases repeatability as AI moves from pilots to enterprise scale. The claim is incomplete because many organizations are calling the entire operating model “AI governance,” when the value is realized only when governance is translated into management execution.

RiskTech Buyer Trap - When “Next Gen SaaS” Signals Foundation Rebuild, Not Integration Maturity
Archer, SaaS, Artificial Intelligence John A. Wheeler

The GRC and broader RiskTech platform landscape is in a visible transition cycle. Several large vendors are rebranding portfolios, introducing AI capabilities, and emphasizing SaaS-first delivery and modern user experiences. Buyers often interpret these moves as a direct signal of near-term integration maturity, faster operational embedding, and “out of the box” IRM outcomes.

That interpretation can be costly.

The more reliable buyer lens is to recognize that platform modernization usually follows a sequenced transformation path, and integration maturity tends to become repeatable only after the new baseline stabilizes across SaaS delivery, experience, and extensibility.

Governance and Management: The Distinction That Determines Risk Effectiveness
Governance, Management, AI Risk Ori Wellington

Executives often use “governance” and “management” interchangeably, but they are distinct disciplines. Without a clear line between them, policies never translate into behavior.

The difference is structural. Governance defines expectations. Management delivers outcomes.

This is the biggest blind spot in AI. Companies mistake principles and checklists for control. But governance is only the guardrails. It cannot catch model drift or detect bias. That is the job of management.

Governance does not scale by adding more rules. Management does not scale by adding more meetings.

Why Data Streaming Is the Hidden Backbone of Autonomous IRM
Data Streaming, Autonomous IRM, IBM OpenPages, IRM50 John A. Wheeler

Data streaming has become a foundational capability for modern enterprises. As organizations move away from periodic reporting and manual control cycles, the emphasis has shifted to continuous sensing, real-time telemetry, and rapid mitigation. These operational patterns depend on data in motion, not data at rest. Streaming architectures now sit at the center of this shift.

The acquisition of Confluent announced today by IBM reinforces this point. Confluent is the leading commercial platform built on Apache Kafka, one of the most widely adopted streaming technologies worldwide. The acquisition signals that streaming has moved from a niche data engineering function to a strategic capability that enables AI operations, continuous controls, and integrated risk programs. Enterprises are recognizing that autonomous risk management depends on steady, reliable streams of operational signals that can be sensed, analyzed, and acted upon in real time.

Petri and the Rise of Autonomous Risk Auditing
Internal Audit, Autonomous IRM, Assurance Samantha "Sam" Jones

On October 6, 2025, Anthropic introduced Petri, the Parallel Exploration Tool for Risky Interactions, an open-source auditing agent that automatically probes large language models to detect and score risky behaviors. The release, while modest in presentation, may prove pivotal in how enterprises manage risk across autonomous systems.

Petri represents the maturation of AI safety research into a tangible, operational capability that bridges technology risk, assurance, and governance. More importantly, it signals the emergence of autonomous auditing as a new functional layer within Integrated Risk Management (IRM).

Introducing The RTJ Bridge—A Premium Subscription Delivering Strategic Insights for Risk Leaders
The RTJ Bridge, The RiskTech Journal, IRM Wheelhouse Advisors

Wheelhouse Advisors announces the formal launch of The RTJ Bridge, the new premium subscription service from The RiskTech Journal. Positioned strategically between our daily industry commentary and comprehensive quarterly IRM Navigator™ research reports, The RTJ Bridge delivers weekly insights, executive briefings, and exclusive deep-dive editorial series.

Alongside this premium offering, the standard edition of The RiskTech Journal is now fully open-access, including unrestricted browsing of our past content library.

This tiered content strategy ensures risk leaders and senior executives receive timely and actionable insights at a fraction of the cost associated with traditional analyst firms such as Gartner and Forrester.
