The Risk Wheelhouse Podcast
The Risk Wheelhouse is the podcast dedicated to exploring how RiskTech is reshaping the future of risk management. Hosted by our experts, Ori Wellington and Sam Jones, each episode delves deep into Integrated Risk Management (IRM), offering insights into the latest trends, technologies, and strategies. Join us to stay ahead in the ever-evolving risk landscape and empower your organization with actionable knowledge.
S7E4: Your Company Just Hired 10,000 Invisible Interns
10,000 invisible autonomous AI agents working inside a single enterprise sounds like a productivity dream until you realize no one can explain who chartered them, what data they touch, or what decisions they are quietly making. We take on the popular “AI agent sprawl” narrative head-on and argue for a sharper label: a governance failure in progress that can undermine integrated risk management from the inside out.
S7E3: Why ERM Keeps Getting Ignored
93% is not a rounding error, it’s a warning flare. When enterprise leaders ask for guidance on the biggest strategic risks ahead, many risk teams respond with a quarterly risk register and a heat map. That’s not “wrong,” it’s simply what a compliance-first system is designed to produce. The result is an asymmetric exchange: executives need a radar, and the organization hands them a snapshot from the past.
We walk through new practitioner research from COSO and Crowe alongside John A. Wheeler’s analysis in the RiskTech Journal to explain why the ERM strategy gap persists. Our core claim is straightforward: the failure of ERM is largely structural, not behavioral. When ERM gets fused with GRC under the same reporting line, tooling, and audit committee cadence, uncertainty gets treated like a defect. That destroys psychological safety, suppresses early warning signals, and leaves strategy teams flying blind.
S7E2: The Autonomous IRM Enterprise and The AI Control Tower
You can feel the shift happening when you stop picturing “AI tools” and start picturing “AI workers.” From the floor of ServiceNow Knowledge 26 in Las Vegas, we zoom out from the shiny security headlines and explain what John A. Wheeler argues is the real story: autonomous integrated risk management (IRM) is the first credible blueprint for governing an enterprise where non-human identities execute the majority of actions.
S7E1: The Delve Collapse And The New Rules Of Enterprise Trust
A $300 million compliance darling collapsed not because regulators caught it, but because an anonymous Substack writer found a publicly accessible Google spreadsheet. Delve promised SOC 2 in days instead of months, raised a $32 million Series A from Insight Partners, and signed more than 1,000 enterprise clients across 50 countries. Then the whistleblowers alleged the product fundamentally didn't work as described — that Delve's agents were generating auditor conclusions before client data was even reviewed, and routing the output through offshore mills to rubber-stamp the results.
In the Season 7 premiere, Ori Wellington and Sam Jones dissect the anatomy of the failure and argue it is not an isolated fraud story. It is the predictable outcome of a market that rewards the announcement of agentic GRC capabilities while ignoring the program maturity that makes those capabilities trustworthy.
S6E9: Why Legacy Risk Platforms Break Under AI Pressure
A slick AI demo can make any risk platform look like the future, but architecture is destiny. We unpack the dangerous boardroom illusion where leaders treat radically different “AI GRC” products as interchangeable, then we map what is actually changing under the hood in governance, risk, and compliance technology. If you are a CRO, CISO, chief compliance officer, or audit leader signing multi-year renewals, this conversation is about avoiding the most expensive misread of the AI disruption curve.
We walk through the three tiers of enterprise software that shape risk outcomes: system of record, system of engagement, and the emerging system of action. From there, we explain why classic workflow automation is so vulnerable: it is rigid, stateless, and provides no cognitive value once generative AI agents can read unstructured evidence directly, synthesize context, and update the compliance record without a human-friendly interface.
S6E8: 2026 VC Sonar™ for Performance and Resilience
The second wave of IRM investment has arrived — and it's not about better dashboards. It's about eliminating the lag between detecting a risk signal and acting on it. In 2026 IRM Navigator™ VC Sonar for Performance and Resilience, Wheelhouse Advisors founder and CEO John A. Wheeler maps the emerging vendor layer purpose-built for this shift: augmentation tools that sit atop existing platforms like ServiceNow and Archer to deliver real-time threat intelligence, automated remediation workflows, and — critically — immutable evidence of every action taken. From Dataminr's real-time event detection to Sayari's deep supply chain graph intelligence, the report profiles ten emerging vendors across five functional layers of what Wheeler calls Autonomous IRM. But the report's most consequential argument isn't about the tools — it's about sequencing, accountability, and a concept called evidence closure that separates organizations that can defend their AI-driven decisions from those that simply can't.
S6E7: AI Upends GRC - From Clipboards To Control Planes
What happens when the firm that helped define integrated risk management turns a critical lens on the category's foundations?
In this episode, analysts Ori Wellington and Sam Jones preview two major Wheelhouse Advisors research publications: The Integration Trap for GRC and the IRM50 AI Disruption Risk Index. The data reveals a surprising finding: when 50 IRM vendors are scored on structural exposure to AI disruption, market leadership and market durability turn out to be very different things.
At the heart of the analysis is what Wheelhouse calls the Integration Trap. Many established platforms excel at compliance documentation and assurance reporting but were never architected for real-time operational control. That distinction matters now more than ever. Agentic AI does not need dashboards or user interfaces. It needs APIs and control planes. Vendors with deep operational DNA are naturally positioned for this shift, while those built primarily around human workflows face difficult architectural decisions.
S6E6: Board Priorities 2026 - The Integration Trap
Growth used to win every boardroom vote. Now the data says something different: directors are prioritizing technology adoption and integration as the top 2026 investment, even as they admit their weakest expertise sits in AI, cybersecurity, and geopolitics. We unpack that paradox and show how uninformed speed turns “integration” into a superhighway for risk, unless you pair it with decision rights, embedded controls, and verifiable assurance.
S6E5: 2026 Convergence - Risk Management Must Be Integrated
The ground rules of risk have changed, and waiting for the next headline won’t save the balance sheet. We take you inside “The 2026 Convergence: Integrated Risk Management in a New Era” and map how cyber, AI, third parties, geopolitics, and reputation have fused into one risk surface. Instead of chasing alerts, we focus on disruption economics: what a breach costs per minute, which processes bleed first, and how quickly you can recover without compounding fines. Cyber stops being an IT story and becomes a CFO story.
S6E4: Avoiding The RiskTech Buyer Trap
Shiny demos are everywhere, but what if that “next-gen SaaS” risk platform is still a construction zone under the hood? We unpack the RiskTech Buyer Trap and show how modern UIs and AI buzz can disguise where vendors really are on the path to true integration maturity. Our conversation breaks down a clear four-stage transformation sequence—SaaS foundation, experience reset, object model stabilization, and finally productized integration—so you can pinpoint a platform’s real readiness and avoid inheriting the vendor’s rebuild risk.
AI raises the stakes. As non-human identities proliferate and SaaS-to-SaaS connections multiply, trust becomes the new currency. We explore how data boundaries, continuous assurance, and identity governance reshape due diligence, and why vague claims about “secure cloud” and “powerful AI” no longer cut it. Using Archer’s Evolv journey as a transparent case study, we illustrate the signals of staged modernization and the common gap between marketing momentum and operational maturity.
S6E3: The IRM Navigator™ - Turning Risk Into A Strategic Operating Model
Risk work that lives in reports but not in decisions is a hidden tax on performance. We tackle that problem head-on by unpacking the IRM Navigator™, an operating model that connects standards and roles to the real systems and moments where choices are made. Instead of treating risk as a sidecar, we show how to embed it into approvals, planning, and daily operations so decision velocity and decision quality rise together.
S6E2: Rethinking Integrated Risk, From ROI To Dividends
Integrated Risk Management (IRM) is repeatedly underfunded for a structural reason: leaders keep forcing IRM into an ROI construct that demands a single, auditable chain of causality, while IRM is designed to distribute value across multiple domains at once. In this episode, Ori Wellington and Sam Jones explain why ROI framing collapses into assumption-stacked narrative under CFO scrutiny, and why risk leaders need a finance-compatible alternative that remains decision-grade.
The episode’s answer is a disciplined shift: evaluate IRM with cost/benefit analysis, and label the benefit streams as dividends. Dividends are distributed outcomes that improve enterprise performance and resilience without requiring false precision in a single attributable cash-flow line.
S6E1: NVIDIA CES 2026 - The Blueprint for Autonomous IRM
Season 6 opens with a clear message for Technology Risk Management leaders: autonomy is no longer constrained by model capability, it is constrained by infrastructure discipline and auditable management controls.
In S6E1, Ori Wellington and Sam Jones translate NVIDIA’s CES 2026 signals into a practical blueprint for Autonomous IRM, defined as continuous, AI-enabled verification and response loops that operate within explicit policy boundaries and generate audit-grade evidence by design. As inference costs fall, “always-on” control validation becomes economically viable at enterprise scale. That shift forces a new operating model: humans stop chasing evidence and start adjudicating pre-enriched exceptions with decision provenance, context, and rollback paths already assembled.
S5E9: ServiceNow Buys Armis, Telemetry Meets Workflow for IRM
ServiceNow’s planned $7.75B all-cash acquisition of Armis (targeted to close in H2 2026) is easy to misfile as “just another cybersecurity deal.” In this episode, Wheelhouse Advisors’ Ori Wellington and Sam Jones explain why it is actually a defining IRM market signal, one that raises the standard for what “risk management at scale” should mean going into 2026 procurement cycles.
S5E8: 2025 ERM Vendor Compass, The New Enterprise Decision Layer
ERM has a perception problem, and in 2025 it becomes a performance problem. Many programs still optimize for completeness, annual reporting cycles, and beautifully formatted board packs. Boards increasingly optimize for something else: faster, defensible decisions under volatility. The market’s new standard is measurable and uncompromising: time to decision and time to evidence. If your ERM platform depends on manual synthesis to tell the story, the story arrives late, and leadership is forced to decide on partial facts.
In this episode, we unpack the 2025 IRM Navigator™ Vendor Compass for Enterprise Risk Management (ERM) and explain why ERM must operate as the enterprise decision layer. That means converting risk appetite into quantified thresholds and escalation logic, sustaining a living scenario portfolio that can be refreshed and reused, and reusing verified evidence from ORM, TRM, and GRC to produce board-grade outputs with traceability.
S5E7: Stop Buying Better Silos: How the IRM Navigator™ Curve Exposes RiskTech Hype
In this episode of The Risk Wheelhouse, Ori Wellington and Sam Jones tackle one of the most expensive mistakes in risk management today: buying impressive tools that quietly deepen silos instead of advancing your program. If you have ever sat through a RiskTech demo and wondered whether you are truly moving forward or just spending more, this conversation is your roadmap.
Ori and Sam unpack the IRM Navigator™ Curve, a visual model that traces the journey from fragmented Risk Dysfunction to unified Risk Agency, where human and machine agency work together inside validated guardrails. They explain the five maturity levels and four investment domains, then show why you cannot simply “skip ahead” by buying an advanced TRM or AI platform before your GRC, ERM, and ORM foundations are in place.
S5E6: Build An Emerging Risk Reflex Before The Next Shock Hits
The conversation centers on a stubborn truth: most boards are well briefed on emerging risks, yet few translate insight into movement. The research shows 76 percent receive comprehensive risk reports, 42 percent engage meaningfully, and just 22 percent act. That collapse at the decision point is the “funnel of inaction.” The hosts argue that leaders chase the wrong fix by investing in problem precision using hyper-detailed probabilities and impact ranges. This approach provides only a marginal, statistically insignificant uplift in action. Precision invites skepticism, shifts attention to model assumptions, and implies costly, multi-year programs that boards rationally defer. The better path is to reframe conversations around solution options that emphasize low-regret actions, the cost of delay, adjustments to existing programs, and clear pacing across quarters.
S5E5: Why GRC Stabilized And IRM Took The Lead
The latest episode of The Risk Wheelhouse tackles one of the strangest sights in this year’s risk technology landscape. The “2025 Gartner Magic Quadrant for Governance, Risk, and Compliance” arrives with an empty Visionaries quadrant. No challengers, no upstarts, just silence where innovation used to live. Rather than treating this as a warning sign, Ori Wellington and Sam Jones explain why the quiet is a signal that GRC has finally stabilized into what it was always best suited to be: the institutional assurance backbone that proves what happened, preserves the evidence, and keeps auditors, regulators, and boards on solid ground.
S5E4: Unified IRM - AI Governance, Acquisitions and Alliances
We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance.
S5E3: 2025 ORM Vendor Compass - The Enterprise Resilience Engine
Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail.