The RTJ Bridge - The Research Platform Created by the Publishers of The RiskTech Journal
The RTJ Bridge is an independent research platform delivering institutional-grade IRM market intelligence, vendor competitive assessments, and strategic risk technology analysis. Built by the analyst who created the Integrated Risk Management category at Gartner, The RTJ Bridge gives risk leaders, technology executives, and solution providers the same caliber of competitive intelligence that major analyst firms charge $25,000 to $50,000+ per year to access.
Subscribers to The RTJ Bridge receive full access to:
IRM50 OnWatch Vendor Assessments — Competitive analysis of leading IRM vendors as market events unfold, covering platform strategy shifts, M&A impact, earnings signals, and positioning changes.
Autonomous IRM and AI Governance Research — Original research on how agentic AI is reshaping risk management operating models, from production deployment patterns to the structural implications for vendor platforms and enterprise programs.
Analyst Firm and Market Critiques — Independent assessments of research from Gartner, Forrester, and other major analyst firms, viewed through the IRM Navigator Model to identify gaps, validate signals, and challenge conventional positioning.
Board Governance and Audit Committee Intelligence — Research on oversight effectiveness, emerging risk response gaps, audit committee workload challenges, and the disconnect between risk reporting and executive action.
M&A and Strategic Alliance Analysis — Same-week analysis of acquisitions, partnerships, and PE investment moves reshaping the IRM competitive landscape, with implications for buyers, vendors, and investors.
Regulatory, ESG, and Sustainability Risk — Research on how evolving regulatory frameworks (SEC cyber disclosure, EU CSRD/CSDDD, AI regulation) affect enterprise risk programs and technology requirements.
IRM Navigator™ Market Intelligence — Strategic previews and deep dives from the IRM Navigator Model, the only independent model built specifically to evaluate integrated risk management maturity and vendor alignment.
Cyber Risk, Insurance, and Third-Party Risk — Analysis of cyber risk quantification, insurance market dynamics, and the convergence of third-party risk management into enterprise IRM programs.
The RTJ Bridge is an independent IRM research platform published by Wheelhouse Advisors. Subscribers receive ongoing access to vendor competitive assessments, AI disruption analysis, M&A and partnership impact research, and IRM Navigator™ market intelligence. This is the only research platform built and led by the analyst who created the Integrated Risk Management category, a market now valued at over $61 billion and projected to reach $133 billion by 2031.
The Compliance Illusion: Agentic Hype and the Integrity Gap
The Agentic GRC category now includes every major compliance platform in the market, and most of them have announced autonomous capabilities within the last twelve months. The announcements are not the problem. The gap between what the announcements describe and what the architectures underneath can actually support is the problem. When a well-funded, Y Combinator-backed, Insight Partners-led compliance platform allegedly generates auditor conclusions before client data is reviewed, and a whistleblower finds the evidence in a publicly accessible spreadsheet, the question stops being about one vendor. It starts being about a structural failure mode the market has not priced.
The Compliance Illusion is the condition produced when AI disruption pressure rewards the announcement of agentic capabilities and ignores the program maturity that makes those capabilities trustworthy. Where does agent automation end in any given platform, and where does independent verification begin? How did SOC 2 certification go from procurement gate to AI-speed signal to legal liability in under twenty-four months? Which IRM50 tiers carry the highest structural integrity exposure, and why is that invisible to standard SaaS diligence? This research note applies the IRM Navigator™ Model, the IRM Navigator™ Curve, and the IRM50 AI Disruption Risk Index to answer those questions and to name the sequencing rule the market has ignored.
The Three Questions Everyone Is Asking About Agentic AI
Enterprise AI agent deployment has outrun governance by a wide margin. Ninety-one percent of organizations are deploying agentic AI. Ten percent have any form of agent governance in place. The three questions that the Okta CEO derived from 40 enterprise customer meetings — where are my agents, what can they connect to, and what can they do — are now being posed in boardrooms and investment committees with no clear answer in sight. The IRM Navigator™ Model provides the analytical structure to answer them: each question maps to a distinct risk domain, each domain requires a distinct governance response, and the full loop closes at ERM where the aggregate risk state is measured against enterprise risk appetite. The question this note answers is whether any platform architecture currently running in production can close that loop continuously — and what happens to the organizations and vendors that cannot.
The cybersecurity industry has built a rigorous answer to the second question. Access governance, privilege management, and identity threat detection are mature capabilities, and the Okta blueprint represents the most structured articulation of their extension to agent identities. But the identity security layer enforces the rules that the governance layer establishes. When those rules are absent, outdated, or misaligned with the organization's actual risk posture, identity security enforces the wrong rules with precision. The IRM50 AI Disruption Risk Index Compression Boundary describes exactly where the structural gap opens: vendors above it have platform architectures capable of accelerating toward continuous risk governance; vendors below it are structurally dependent on human-paced workflows that agents will simply outrun. This RTJ Bridge research note examines what it takes to answer the three questions at enterprise risk level — and which vendors and organizations are architecturally positioned to do it.
NemoClaw and the Trillion-Dollar Tailwind for Autonomous IRM
At GTC 2026, Nvidia CEO Jensen Huang announced at least $1 trillion in purchase orders for its next-generation AI chip platforms through 2027, declared that every SaaS company will become an AGaaS company, and launched NemoClaw, an enterprise-secure agentic platform built on the viral OpenClaw framework. For IRM leaders, none of these announcements can be read in isolation. Taken together, they constitute the most consequential single-day shift in the infrastructure conditions for Autonomous IRM in the market's history.
The IRM Navigator™ Model maps the path from Workflow Automation through Agentic GRC to Autonomous IRM as an architectural progression, not a feature roadmap. What does a trillion-dollar infrastructure commitment do to the economics of that progression? Does NemoClaw dissolve the security objection that has most reliably slowed enterprise agentic deployment? And what does Huang's explicit framing of governance, security, privacy, and compliance as the primary AGaaS battleground mean for IRM50 vendors whose entire business is built in exactly those domains?
The Integration Trap for GRC: Why "Integrated GRC" Platforms Create Visibility Without Control
Every major GRC vendor claims integration as a core capability. The claims hold up. They also stop short. The gap between what these platforms integrate and what organizations actually need creates a structural vulnerability Wheelhouse Advisors calls The Integration Trap for GRC. Seven vendors examined. Five trap patterns identified. Twelve evaluation questions to expose integration gaps before deployment. Available now to RTJ Bridge subscribers.
IRM50 OnWatch: Diligent Says Boards Put “Integration” at the Top of 2026 Capital Priorities
Diligent Institute and Corporate Board Member data indicates directors are prioritizing “technology adoption and integration” as the leading 2026 capital investment focus. This is not a routine modernization signal; it is a board-level acknowledgment that fragmentation has become a constraint on execution. The same dataset also indicates meaningful board expertise gaps in AI, cybersecurity, and geopolitical risk, creating a mismatch between integration ambition and the enterprise’s ability to interpret, manage, and act on fast-moving risk signals.
IRM50 OnWatch - Wolters Kluwer Acquires StandardFusion and Signals Audit Plus GRC Convergence Trend
Wolters Kluwer Corporate Performance & ESG (CP and ESG) signed and completed the acquisition of StandardFusion on January 9, 2026 for approximately €32 million in cash. StandardFusion is a Vancouver-based provider of cloud GRC software, and Wolters Kluwer states it will be integrated into TeamMate to create a more unified audit plus GRC offering.
IRM50 OnWatch - Diligent Acquires 3rdRisk, Signaling a Faster IRM Convergence of GRC and AI-Native Third-Party Risk
On January 14, 2026, Diligent announced its acquisition of 3rdRisk, a Netherlands-based, AI-native third-party risk management (TPRM) platform. Diligent positioned the deal as an expansion of its Diligent One Platform toward “AI-native third-party risk management at scale,” emphasizing automated vendor profiling, assessment workflows, and AI-driven document analysis to compress audit readiness timelines.
This transaction is not simply module expansion. It is a strategic signal that TPRM has moved from being a compliance-adjacent workflow into a board-visible risk domain that must operate continuously, particularly as regulatory expectations for supply chain and digital dependency oversight intensify.
IRM50 OnWatch - What the ServiceNow Armis Deal Signals for IRM
ServiceNow’s announced agreement to acquire Armis for $7.75 billion in an all-cash transaction (expected to close in the second half of 2026) is not just a cybersecurity expansion move. It is a market signal that “risk management at scale” is shifting toward a unified operating model where (1) real-time technology and asset intelligence, (2) prioritization logic, and (3) remediation and verification workflows increasingly sit on the same platform spine.
For IRM leaders, this matters because it tightens the linkage between technology risk signals and enterprise risk action, and it changes what “continuous monitoring” should mean in buyer evaluations.
Does GRC Need Finishing School? The IRM Navigator™ View on Forrester’s GRC ‘Grad School’ Story
Forrester's recent blog “GRC Platforms Enter Their Grad School Era” contains a notable admission. The analysts describe GRC as "old enough to be in grad school," yet still struggling to prove it can act as the workhorse technology for modern risk professionals. After roughly 20 years of formal coverage, the firm suggests that GRC is not yet fully ready for the “real world” of risk and now needs a kind of graduate-level evolution, built on continuous controls monitoring, quantification, and AI. This observation raises an obvious question. Does GRC really need finishing school after decades of market evolution, or have we been asking the category to do the wrong job?
The 22 Percent Problem: Why Boards Hear the Risks but Still Do Nothing
If your board is hearing more emerging risks than ever and still doing almost nothing, you are not alone. Gartner data shows seventy-six percent of boards receive emerging risk reports, but only twenty-two percent are likely to act on what they hear. This IRM Navigator™ research note explains why that gap exists and how GRC-centric investment quietly builds oversight while starving your organization of reflex. If you are tired of “noted” being the only outcome, this is the playbook for turning emerging risk insight into action.
ServiceNow Q3 2025 Through an IRM Market Lens
ServiceNow’s Q3 2025 performance is a clear demand signal for platform-centric Integrated Risk Management. The company reported subscription revenue of 3.299 billion dollars, up 21.5 percent year over year, with strong large-deal activity and a raised full-year subscription outlook. These results, combined with the AI Control Tower launch and continued Now Assist upgrades, indicate that buyers are consolidating GRC, technology risk, and assurance workflows on a single operating platform that can also govern AI models, agents, and evidence. This is an accelerant for IRM programs that seek unified taxonomies, end-to-end traceability, and continuous control monitoring across ERM, ORM, TRM, and compliance functions.
Reinventing Risk Management Through Integrated Risk, A PwC and OneTrust Perspective
PwC and OneTrust have published a concise eBook that advocates for a unified, digital operating model for risk, and positions their alliance to deliver it. The document highlights pressure on risk and compliance teams, presents recent PwC survey signals on funding and prioritization gaps, and outlines an “IRM ecosystem mindset” anchored in OneTrust’s modular platform and PwC’s implementation services.
Bridging the Divide: How ServiceNow’s AI Experience Could Unify TRM and IRM
ServiceNow’s latest innovation, AI Experience, introduces a unified conversational interface that could redefine how organizations manage risk. Far from being another “AI assistant,” this platform-level integration embeds natural language and multimodal intelligence across workflows, connecting Technology Risk Management (TRM) with Integrated Risk Management (IRM) in ways that make risk management feel less like a process and more like a conversation. This commentary explores how AI Experience extends ServiceNow’s TRM and IRM capabilities, why it represents a major shift toward unified risk intelligence, and how it aligns with the Performance, Resilience, Assurance, and Compliance (PRAC) objectives of the IRM Navigator™ Model.
Audit Committees Signal a Mandate for Unified IRM, Not Just GRC
Audit committees in 2025 are under growing pressure to oversee risks that are more complex, interconnected, and fast-moving than ever before. KPMG’s survey of 85 U.S. audit committee members (February–May 2025) highlights systemic oversight gaps in cybersecurity, privacy, AI, and third-party resilience. While only one-quarter of respondents describe their risk management as holistic and forward looking, the survey reveals that committees are struggling less with awareness and more with execution. The IRM Navigator™ Maturity Curve confirms that most organizations remain in the early to mid stages of maturity. However, the five functional layers of Autonomous IRM offer a more practical blueprint for closing these oversight gaps and absorbing workload without restructuring committees.
This research note interprets the KPMG findings through the lens of both frameworks: the Maturity Curve, which shows where audit committees are today, and the five functional layers, which define how they can progress toward unified, assurance-driven oversight.
Workiva’s Q2 Surge Underscores IRM Integration Strategy
Workiva’s second quarter 2025 results reaffirmed the company’s strategic pivot toward an integrated risk and compliance platform, highlighting a promising yet incomplete transformation. The company delivered robust 21% year-over-year revenue growth, driven by strong subscription growth (up 23%), sparking a noteworthy 32% post-earnings stock surge. This positive investor reaction underscores early confidence in Workiva’s evolution from a compliance-centric financial reporting tool toward broader capabilities encompassing ESG, audit, financial disclosure, and integrated risk management (IRM).
How IRM Can Protect Cyberinsurers from Cyberattacks
Cyberinsurance providers face a unique irony in today's risk landscape. Despite their role in safeguarding others against cyber threats, they have become prime targets for cybercriminals. Recent high-profile breaches, including attacks on Allianz Life, CNA Financial, and Philadelphia Indemnity, vividly illustrate this growing vulnerability. These incidents underscore not only the attractiveness of insurers as targets—given the extensive sensitive client data they hold—but also reveal substantial weaknesses in their ability to manage third-party risks, respond to incidents, and comply with tightening regulations.
If cyberinsurance companies fail to adopt a holistic, integrated approach to risk management, the resulting breaches may significantly damage their reputations, compromise their operational integrity, and erode market trust. It is therefore imperative to rethink their approach to cybersecurity risk management.
NAVEX’s Big Deal: Goldman Sachs and Blackstone Bet on IRM
The July 2025 agreement for a Goldman Sachs-led consortium to acquire a majority stake in NAVEX marks a milestone for the Integrated Risk Management (IRM) technology market¹. Long viewed as a niche segment, IRM tech is now receiving institutional validation on a grand scale. With Goldman Sachs Alternatives and Blackstone joining forces—alongside BC Partners retaining a minority stake and Vista Equity Partners fully exiting—the deal signals that IRM software has firmly come of age.
From a high-level thesis perspective, the NAVEX acquisition conveys institutional confidence in the long-term growth of IRM. It suggests that large-cap investors believe the market will continue consolidating and expanding, with platforms like NAVEX One poised to capture increasing enterprise spend. The participation of firms like Goldman and Blackstone is more than just capital—it is an endorsement of the market’s strategic relevance, particularly as organizations face rising regulatory obligations, complex supply chains, and evolving digital risks.
When Everyone’s a Leader, No One Is: Why IDC’s Latest GRC Report Misses the Mark
Analyst reports, such as IDC’s MarketScape, have long promised clarity in crowded software markets. But clarity requires more than graphics. It requires relevance. It requires structure. And most importantly, it requires alignment with how risk is managed in today’s enterprise. The newly released IDC MarketScape: Worldwide Governance, Risk, and Compliance Software Vendor Assessment 2025 falls short on all three fronts. It presents a visually familiar layout, but surrounds it with inconsistent definitions, outdated assumptions, and scoring criteria that obscure more than they illuminate.
When One Link Breaks the Chain
UNFI, Whole Foods, and the Broader Crisis of Single-Point Fragility in the Age of Integrated Risk
A silent node in the North American supply chain collapsed on June 7, 2025. Its name: United Natural Foods Inc. (UNFI), the primary distributor for Whole Foods and a dominant force in food logistics. A cyberattack forced UNFI to take its systems offline. Overnight, deliveries halted. Shelves emptied. Shares fell. And just like that, a backend dependency became a front-page disruption.
But this isn't a grocery story. It's a structural parable. When a single upstream dependency goes dark, every industry—from manufacturing to finance, healthcare to logistics—learns the same hard lesson: concentration breeds collapse.
The era of just-in-time is colliding with the era of just one point of failure. And unless risk leaders elevate Integrated Risk Management (IRM) from a compliance afterthought to a strategic command center, the next outage won't just break continuity—it will break companies.
Can AI Be Governed?
The Governance Paradox
The question of whether artificial intelligence can be governed may seem philosophical. But in 2025, it has become operational—and urgent. Just reference our recent article on Builder.ai to learn about the escalating risks driven by AI. As generative AI, autonomous agents, and foundation models accelerate their integration into critical systems, the pace of innovation is rapidly outstripping the scaffolding of rules, oversight, and control.
“Governance” in this context is often mistaken for static oversight: policy frameworks, codes of conduct, or aspirational principles. But as defined in the discipline of integrated risk management (IRM), governance is the rule-setting subset of management—the top of the pyramid. True risk control comes from marrying that governance with relentless operational execution: identification, assessment, mitigation, and continuous monitoring.
So: Can AI be governed? The answer is yes—but only if organizations recognize that compliance checklists and PR-friendly charters are no substitute for enterprise-wide, integrated, and adaptive risk management.