Ten Predictions for Where Security and GRC Are Headed

Every few years I like to capture a snapshot of where I think our industry is going. The goal isn’t clairvoyance; it’s documenting the patterns that seem durable and revisiting them later to see which ones held up. These aren’t moonshots or sci-fi scenarios. They are practical shifts already forming in the market and inside engineering teams.

Here are my top ten predictions for the next two to three years.

1. AI becomes embedded in everything

AI stops feeling like a separate tool. It becomes part of every workflow, service, and platform. Most people will interact with AI through the products they already use rather than dedicated chat interfaces.

2. GRC becomes an engineering function

The separation between GRC and engineering narrows. Compliance controls move into pipelines, infrastructure modules, and platform services. GRC engineering becomes the normal way companies operate.

3. Fewer vendors; more in-house automation

AI-driven automation reduces the need for sprawling vendor ecosystems. Companies rely more on internal agents, internal pipelines, and custom logic rather than dozens of SaaS tools that exist solely to shuffle evidence and screenshots.

4. A partial pivot back to data centers

Cloud remains dominant, but cost pressure and predictable workloads push some organizations back toward on-prem compute. Specialized hardware for AI inference and control over data locality make hybrid strategies more appealing.

5. Security engineering collapses into platform engineering

Platform teams absorb a significant portion of application security. IAM baselines, ingress patterns, policy-as-code, and hardened deployment paths ship as features of the internal developer platform. AppSec evolves from “approve and review” to “provide secure defaults that cannot be bypassed without intent.”

6. Compliance frameworks evolve toward automation evidence

SOC 2, ISO, NIST CSF, PCI, and emerging AI-specific regulations shift toward system-generated evidence. Control maturity is measured by continuous signals rather than static documents.

7. Agentic workflows replace traditional dashboards

Teams move from dashboards filled with findings to autonomous agents running playbooks. Agents triage issues, file tickets, verify fixes, and escalate exceptions. Humans oversee prioritization and judgment instead of doing manual triage.

8. Data becomes the new perimeter again

As compute shifts closer to on-prem and more models run locally, the control plane around data becomes more important than the one around networks. Lineage, classification, entitlements, and context-aware access policies become central.

9. Audit cycles shorten

With continuous evidence exports, audits happen in smaller increments. Auditors pull from real-time data rather than scheduling long annual fieldwork cycles. Teams operate closer to continuous readiness.
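What "compliance controls in the pipeline" (prediction 2), "system-generated evidence" (prediction 6) and "continuous evidence exports" (prediction 9) look like in code, as an added example that is not from the original post: a small policy-as-code evaluator in Python. Each control is a reviewed predicate over a resource, every evaluation produces a hashed evidence record rather than a screenshot, and a gate function turns the results into a build verdict. The control names, the resource inventory and the evidence record schema are all constructed for illustration; they do not map to a real framework criterion or cloud provider API.

```python
"""Policy-as-code control checks that emit audit evidence.

Added example for this post, not the author's tooling. Control IDs,
inventory fields and the evidence schema are assumptions made up here.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed inventory: the shape a pipeline step might build from a cloud
# API or Terraform state. Field names are illustrative, not a provider schema.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "bucket", "public": False, "encrypted": True},
    {"id": "bucket-assets", "type": "bucket", "public": True, "encrypted": True},
    {"id": "db-prod", "type": "database", "encrypted": False},
    {"id": "user-ops", "type": "iam_user", "mfa": True},
    {"id": "user-svc", "type": "iam_user", "mfa": False},
]

# A control is a selector plus a pure predicate. Adding or changing one is a
# code change that goes through review like any other pipeline logic.
CONTROLS = {
    "storage-no-public-access": {
        "applies": lambda r: r["type"] == "bucket",
        "check": lambda r: not r["public"],
        "severity": "high",
    },
    "data-encrypted-at-rest": {
        "applies": lambda r: r["type"] in ("bucket", "database"),
        "check": lambda r: r["encrypted"],
        "severity": "high",
    },
    "identity-mfa-enforced": {
        "applies": lambda r: r["type"] == "iam_user",
        "check": lambda r: r["mfa"],
        "severity": "medium",
    },
}


def _digest(body):
    """Stable hash of a record so later edits to the evidence are detectable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evaluate(inventory, controls=CONTROLS, now=None):
    """Run every applicable control; return one evidence record per pair."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for control_id, control in controls.items():
        for res in inventory:
            if not control["applies"](res):
                continue
            rec = {
                "control": control_id,
                "resource": res["id"],
                "result": "pass" if control["check"](res) else "fail",
                "severity": control["severity"],
                "observed_at": ts,
                "evidence": res,  # the raw observation the verdict came from
            }
            rec["digest"] = _digest(rec)
            records.append(rec)
    return records


def verify(record):
    """Recompute the digest over everything except the digest field itself."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return _digest(body) == record["digest"]


def gate(records, block_on=("high",)):
    """Pipeline gate: (ok, blocking) where blocking lists failing high-severity controls."""
    blocking = [r for r in records
                if r["result"] == "fail" and r["severity"] in block_on]
    return len(blocking) == 0, blocking


def export_jsonl(records):
    """JSON lines: a shape an auditor can pull from continuously."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    recs = evaluate(SAMPLE_INVENTORY)
    print(export_jsonl(recs))
    ok, blocking = gate(recs)
    print("gate:", "pass" if ok else f"FAIL ({len(blocking)} blocking findings)")
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step it exits non-zero when a high-severity control fails, so the build itself is the control, and the JSON lines it emits are the evidence. The digest only detects evidence edited after the fact; it does not prove the evaluator ran unmodified, so the next step in a real pipeline is to sign the export with a key the pipeline holds and developers do not.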

10. Vendor consolidation pressures the large suites

Demand for unified data models pushes major platform vendors to simplify and consolidate their security and GRC tools. Customers want fewer dashboards, deeper integration, and consistent data models that feed cleanly into AI systems.

Looking Ahead

Whether all ten predictions land isn’t the point. What matters is that the industry is clearly moving toward tighter alignment between engineering, automation, and risk management. The lines between security, GRC, and platform teams are already blurring. AI accelerates the trend, but the fundamentals remain the same: context, good design, and simplicity win.

I look forward to revisiting this in a few years to see what aged well and what didn’t.