The RTJ Bridge is the new premium version of The RiskTech Journal, delivering fast-moving, strategically relevant insights for risk leaders navigating today’s digital business landscape.

Designed as the link between editorial commentary and in-depth research, The RTJ Bridge offers exclusive access to:

  • High-frequency insight notes on market shifts, regulatory signals, and emerging technologies

  • Executive briefings and editorial series including “The Risk Ignored”

  • Strategic previews of IRM Navigator™ research, including upcoming Risk Landscape Reports

Whether you're monitoring vendor moves, tracking governance shifts, or preparing for regulatory disruption, The RTJ Bridge equips you with actionable foresight.

The RTJ Bridge - The Premium Version of The RiskTech Journal

The RTJ Bridge Subscription: $6.99 every month or $69.99 every year

The RTJ Bridge Subscription is a premier resource for executives and professionals focused on the intersection of risk management and technology. It provides subscribers with access to a curated collection of articles and expert insights designed to enhance risk management strategies through technological innovation. With its online format, The RTJ Bridge offers flexible access to critical information, helping leaders make informed decisions and stay competitive.


✓ Timely Insights: Access to weekly cutting-edge articles
✓ Expert Opinions: Direct advice from industry leaders
✓ Comprehensive Coverage: In-depth exploration of risk topics
✓ Flexible Access: Read anytime, anywhere, with online access
Signals from Emerging IRM Players: Week 41 includes AI for evidence, CMMC conformance, and TPRM intake
Samantha "Sam" Jones

Activity among non-IRM50 vendors clustered around three themes. First, AI is being attached to concrete, auditable jobs such as cyber compliance documentation and procurement intake, where outcome claims are easiest to verify. Second, regulated-supplier conformance remained a priority, with releases framed around CMMC and FIPS requirements. Third, niche consolidation advanced in regulated reporting and AML, evidenced by a targeted acquisition. For buyers, the takeaway is to pilot for outcomes not features, demand exportable evidence, and ensure data lineage into your IRM system of record.

ServiceNow announces “AI Experience” as a front end for agentic workflows

ServiceNow announced AI Experience, a conversational interface that sits across Now Platform workflows. The company describes five elements: AI Lens for screen-aware actions, AI Voice Agents, AI Web Agents, AI Data Explorer, and an AI-governance layer via AI Control Tower. ServiceNow says AI Lens is available now. Voice Agents, Web Agents, and Data Explorer are targeted for availability by the end of 2025.

IRM50 OnWatch: Signals Include Governance Pressure, AI Adoption Proof Points, and Human-in-the-loop Design

Governance risk moved to the foreground as an activist investor disclosed a roughly 2 percent stake in Workiva and called for board and capital allocation changes. AI adoption signals remained strong, anchored by a visible at-scale activation of watsonx with ESPN and a sell-side upgrade that reframed ServiceNow’s near-term AI execution. Product direction indicators surfaced at Archer with Evolv portfolio additions and an explicit human-in-the-loop design stance, while OneTrust reported dated momentum markers that should be treated as viability signals pending customer corroboration.

IRM50 OnWatch: Signals Include Embedded AI Controls with ServiceNow, IBM and Hyperproof

  • AI moves from pilots to embedded controls. ServiceNow, IBM, and Hyperproof advanced AI features that directly support evidence collection, model governance, and remediation, signaling a shift from productivity to verifiable compliance outcomes.

  • Third-party risk converges into unified stacks. SecurityScorecard’s acquisition of HyperComply combines questionnaire automation with ratings, showing buyers should expect integrated TPRM platforms over the next two to three quarters.

  • Resilience, ESG, and privacy institutionalize further. Everbridge, Workiva, EcoOnline, and OneTrust reinforced ESG disclosure, personal safety integration, and AI governance, aligning risk practices with board-level assurance expectations.

  • Identity threats remain systemic. Microsoft, Cloudflare, and law enforcement dismantled a phishing-as-a-service network targeting Microsoft 365, underscoring identity proofing and MFA as structural controls in IRM workflows.

Provision 29 and the Trust Deficit: How UK Boards Can Convert a High-Stakes Declaration into Credible Assurance

Provision 29 of the UK Corporate Governance Code 2024 requires boards to monitor and review the company’s risk management and internal control framework, then state in the annual report how that review was performed, declare whether the company’s material controls were effective at the balance sheet date, and describe any material controls that were not effective and the remediation taken or planned. The Provision applies for financial years beginning on or after 1 January 2026 and covers material controls across financial, operational, reporting and compliance domains. There is no mandatory external assurance, and the requirement operates on a comply or explain basis.   

The EU’s AI Code of Practice: Compliance, Operating Implications, and the Role of Integrated Risk Management
European Union, AI Act, AI Code of Practice · Ori Wellington

The EU AI Act entered into force on 1 August 2024 and will be fully applicable on 2 August 2026, with key provisions already active. Prohibitions and AI literacy duties have applied since 2 February 2025. Obligations for providers of general purpose AI, including transparency and copyright requirements, began on 2 August 2025. A voluntary General Purpose AI Code of Practice published on 10 July 2025 operationalizes how model providers can demonstrate compliance until harmonized standards arrive. The European Commission also issued guidelines clarifying scope and a mandatory template for the public summary of training content. Enforcement by the Commission for general purpose obligations begins in 2026, and models placed on the market before 2 August 2025 have until 2 August 2027 to comply. Maximum fines can reach 35 million euros or 7 percent of worldwide turnover for certain violations.

The Strategic Blind Spot: Closing the Boardroom Gap in AI Risk Oversight

Our recent research on audit committees revealed a stark reality: boards are most concerned about oversight gaps in cybersecurity, privacy, and AI, yet few have the structures to address them effectively. The 2025 Audit Committee Survey Insights showed that nearly half of audit committees see AI oversight as an unresolved gap, while only a fraction claim primary responsibility. The conclusion was clear—AI has moved into the boardroom agenda, but governance has not caught up.

This companion note builds directly on that finding. Where the audit committee analysis highlighted AI as part of a broader oversight deficit, here we focus on AI risk oversight itself. Drawing on new data from Infosys’s global survey of 1,500 executives, we examine why AI oversight remains fragmented, how the gap manifests in practice, and what boards and senior executives must do to close it.

Technology Risk at Machine Speed: Why Integrated Systems Demand Integrated Risk Management

Jaguar Land Rover’s cyber incident shows how modern enterprises operate inside an interconnected matrix of risk. Technology assets and operational processes are closely linked, so a disruption in one tier quickly spreads across production sites, suppliers, dealers, and customers.

On September 2, 2025, JLR confirmed a cyber intrusion and proactively shut systems to contain the impact. By September 6, production was halted in the United Kingdom, Slovakia, Brazil, and India. West Midlands suppliers sent thousands of staff home. Dealer platforms, including the electronic parts catalogue, were inaccessible. Analysts estimate losses of £5 million per day, and insiders indicate recovery will take weeks rather than days. A group calling itself Scattered Lapsus$ Hunters claimed responsibility.

Audit Committees Signal a Mandate for Unified IRM, Not Just GRC

Audit committees in 2025 are under growing pressure to oversee risks that are more complex, interconnected, and fast-moving than ever before. KPMG’s survey of 85 U.S. audit committee members (February–May 2025) highlights systemic oversight gaps in cybersecurity, privacy, AI, and third-party resilience. While only one-quarter of respondents describe their risk management as holistic and forward looking, the survey reveals that committees are struggling less with awareness and more with execution. The IRM Navigator™ Maturity Curve confirms that most organizations remain in the early to mid stages of maturity. However, the five functional layers of Autonomous IRM offer a more practical blueprint for closing these oversight gaps and absorbing workload without restructuring committees.

This research note interprets the KPMG findings through the lens of both frameworks: the Maturity Curve, which shows where audit committees are today, and the five functional layers, which define how they can progress toward unified, assurance-driven oversight.

Agentic AI in Risk Management Consulting: A Field Report on the Road to Autonomous IRM

This field report builds on the IRM Navigator™ Vendor Compass for RMC (July 2025). While the Vendor Compass positioned consulting firms in terms of integration breadth and AI enablement, this follow-on examines how those claims are translating into field activity. It reflects a moment in time: as platforms mature and deployments expand, these placements will continue to evolve.

The Risk Ignored, Part II Chapter 5: The Academic Reckoning

In Part I of The Risk Ignored, we followed the rise and fall of GRC. Born in the aftermath of the Sarbanes-Oxley Act, it was codified by Archer, PwC, and Michael Rasmussen, and quickly became the acronym that defined a market. Yet by the late 2000s, GRC was collapsing under its own weight. The very acronym that promised coherence came to mean everything and, in practice, nothing at all.

The story of The Risk Ignored Part II: The Seeds of Integration begins here. The collapse of GRC and the inadequacy of compliance-first ERM created a void. The question, for both scholars and practitioners, was what comes next.

Workiva’s Q2 Surge Underscores IRM Integration Strategy
IRM Market Trends, Workiva, Autonomous IRM · Wheelhouse Advisors

Workiva’s second quarter 2025 results reaffirmed the company’s strategic pivot toward an integrated risk and compliance platform, highlighting a promising yet incomplete transformation. The company delivered robust 21% year-over-year revenue growth, driven by strong subscription growth (up 23%), sparking a noteworthy 32% post-earnings stock surge. This positive investor reaction underscores early confidence in Workiva’s evolution from a compliance-centric financial reporting tool toward broader capabilities encompassing ESG, audit, financial disclosure, and integrated risk management (IRM).

Identity's Moment of Reckoning: What Palo Alto Networks' Acquisition of CyberArk Means for the IRM Market
Cybersecurity, Palo Alto Networks, IRM Market Trends · Wheelhouse Advisors

Palo Alto Networks announced the strategic acquisition of identity security leader CyberArk for approximately $25 billion on July 30, 2025, reshaping the competitive landscape for Integrated Risk Management (IRM). Leveraging insights from Wheelhouse’s proprietary IRM Navigator™ Model and the IRM Navigator™ Viewpoint Report (2025 Edition), this note analyzes critical implications for IRM, IRM-adjacent, and legacy Governance, Risk, and Compliance (GRC) providers. IRM vendors and service providers must decisively respond to accelerating consolidation trends driven by cybersecurity leaders expanding into integrated risk management domains.

How IRM Can Protect Cyberinsurers from Cyberattacks
Allianz, Cyberinsurance, IRM Navigator™ · John A. Wheeler

Cyberinsurance providers face a unique irony in today's risk landscape. Despite their role in safeguarding others against cyber threats, they have become prime targets for cybercriminals. Recent high-profile breaches, including attacks on Allianz Life, CNA Financial, and Philadelphia Indemnity, vividly illustrate this growing vulnerability. These incidents underscore not only the attractiveness of insurers as targets—given the extensive sensitive client data they hold—but also reveal substantial weaknesses in their ability to manage third-party risks, respond to incidents, and comply with tightening regulations.

If cyberinsurance companies fail to adopt a holistic, integrated approach to risk management, the resulting breaches may significantly damage their reputations, compromise their operational integrity, and erode market trust. It is therefore imperative to rethink their approach to cybersecurity risk management.

ServiceNow and the Autonomous IRM Era: IRM50 Market Leader Signals a Legacy GRC Extinction
ServiceNow, Autonomous IRM, Agentic AI · Samantha "Sam" Jones

ServiceNow is emerging as a flagship IRM50 Market Leader in the 2025 Integrated Risk Management (IRM) landscape, exemplifying the cross-domain orchestration and AI-native capabilities that define the shift toward Autonomous IRM. This research note draws on the 2025 IRM Navigator™ Viewpoint Report to profile how ServiceNow’s approach – integrating risks across enterprise silos with intelligent automation – is setting the pace in an industry undergoing transformative change. Recent statements by ServiceNow CEO Bill McDermott underscore this seismic shift: he warns that advanced AI platforms will spur an “extinction-level event” for legacy software vendors stuck in siloed, compliance-centric models. This analysis connects those remarks to broader industry signals, arguing that traditional Governance, Risk, and Compliance (GRC) providers face accelerated obsolescence absent urgent innovation.

NAVEX’s Big Deal: Goldman Sachs and Blackstone Bet on IRM
NAVEX, IRM Market Trends, Goldman Sachs · Wheelhouse Advisors

The July 2025 agreement for a Goldman Sachs-led consortium to acquire a majority stake in NAVEX marks a milestone for the Integrated Risk Management (IRM) technology market¹. Long viewed as a niche segment, IRM tech is now receiving institutional validation on a grand scale. With Goldman Sachs Alternatives and Blackstone joining forces—alongside BC Partners retaining a minority stake and Vista Equity Partners fully exiting—the deal signals that IRM software has firmly come of age.

From a high-level thesis perspective, the NAVEX acquisition conveys institutional confidence in the long-term growth of IRM. It suggests that large-cap investors believe the market will continue consolidating and expanding, with platforms like NAVEX One poised to capture increasing enterprise spend. The participation of firms like Goldman and Blackstone is more than just capital—it is an endorsement of the market’s strategic relevance, particularly as organizations face rising regulatory obligations, complex supply chains, and evolving digital risks.

When Everyone’s a Leader, No One Is: Why IDC’s Latest GRC Report Misses the Mark

Analyst reports, such as IDC’s MarketScape, have long promised clarity in crowded software markets. But clarity requires more than graphics. It requires relevance. It requires structure. And most importantly, it requires alignment with how risk is managed in today’s enterprise. The newly released IDC MarketScape: Worldwide Governance, Risk, and Compliance Software Vendor Assessment 2025 falls short on all three fronts. It presents a visually familiar layout, but surrounds it with inconsistent definitions, outdated assumptions, and scoring criteria that obscure more than they illuminate.

From Scripting to Studio: Diligent’s ACL AI Bet
Analytics, Artificial Intelligence, Diligent · Ori Wellington

Diligent’s launch of ACL AI Studio—an AI-powered extension to its long-standing audit analytics suite—comes at a time of increasing scrutiny over the practical value of artificial intelligence in risk and compliance software. Unveiled during this week’s IIA International Conference, the product promises to empower audit, compliance, and risk professionals to run advanced analytics through natural language rather than traditional scripting. But beneath the surface-level innovation lies a more complex story about legacy adaptation, GRC market pressures, and the widening gap between analytics potential and real-world IRM needs.

Ideagen Acquires ConvergePoint, Advancing Policy-Centric Compliance Within Microsoft 365 Ecosystems
GRC, Compliance, Policy Management · Samantha "Sam" Jones

Ideagen’s latest acquisition of ConvergePoint reflects more than just another M&A milestone—it underscores a deeper shift in how organizations are operationalizing risk and compliance. Based in Texas, ConvergePoint delivers policy, contract, and incident management capabilities natively within Microsoft 365 and SharePoint Online. This acquisition not only expands Ideagen’s North American presence but also strengthens its ability to meet growing demand for embedded, user-centric compliance solutions.

When One Link Breaks the Chain

UNFI, Whole Foods, and the Broader Crisis of Single-Point Fragility in the Age of Integrated Risk

A silent node in the North American supply chain collapsed on June 7, 2025. Its name: United Natural Foods Inc. (UNFI), the primary distributor for Whole Foods and a dominant force in food logistics. A cyberattack forced UNFI to take its systems offline. Overnight, deliveries halted. Shelves emptied. Shares fell. And just like that, a backend dependency became a front-page disruption.

But this isn't a grocery story. It's a structural parable. When a single upstream dependency goes dark, every industry—from manufacturing to finance, healthcare to logistics—learns the same hard lesson: concentration breeds collapse.

The era of just-in-time is colliding with the era of just one point of failure. And unless risk leaders elevate Integrated Risk Management (IRM) from a compliance afterthought to a strategic command center, the next outage won't just break continuity—it will break companies.
