The final of three reports from Grant Thornton’s Digital Transformation survey — which gathered insights from more than 550 cross-functional senior executives across industries — revealed that embedding cybersecurity, resilience and real-time compliance into technology strategies can help organizations stay agile and innovate.
According to the data from the final installment of the survey, the positive impact of compliance and resilience isn’t lost on business leaders. When respondents were asked to rank the top priorities for their organizations’ technology enhancements, 57% chose cybersecurity and risk management as one of their top three technology objectives.
“Compliance and resilience don’t reduce agility,” Ethan Rojhani, a partner in the risk advisory practice for Grant Thornton Advisors, said. “They increase agility because they enable people to understand their bounds and parameters, so they make the most effective use of their time and resources.”
Striking the Right Balance Between Governance and Innovation
The survey also found that 60% of executives identified governance, risk and compliance (GRC) tools and processes as a top three tactic for mitigating technology risks.
Controls that are redundant or too strict can stifle creativity and productivity. At the same time, experimentation without proper restraint can unleash risks that can put an organization in jeopardy. With each technology implementation, it’s important to strike the right balance between governance and innovation.
According to Johnny Lee, a partner in the risk advisory practice for Grant Thornton Advisors, the proper balance lies in developing guardrails for technology transformations, which protect the organization from intellectual property infringement claims, preserve confidential data and ensure the quality of products and services — as well as the customer experience.
“That’s what unfolds for every technology transformation,” Lee said. “Don’t ruin the business model. Don’t send confidential information where it shouldn’t go. And once you’ve built the walled garden and the sandbox is safe, foster and encourage experimentation to challenge the status quo. Later, we can have a conversation about ROI, once we know what is reasonable and meaningful to measure.”
Compliance Gets an AI Makeover
Additional findings revealed 49% of executives ranked regular risk assessments as another top three approach for mitigating technology risks.
Derek Han, the cybersecurity and privacy leader for Grant Thornton Advisors’ risk advisory practice, explained risk assessments are the roots of strong resilience and compliance — and large organizations might have several of these processes in place to effectively manage their risks. Where these processes were once performed manually with the help of workflow tools, companies now are implementing artificial intelligence (AI) to assist with these objectives.
“The AI models need to be trained with defined relevant risk data and response rates, but companies are finding that the tools ultimately improve speed and accuracy at a modest cost,” Han said. “Additional AI tools for resilience and compliance include third-party risk management applications and regulatory horizon scanning apps that alert management to changes in rules or laws that need to be addressed through compliance activities.”
Han added that organizations are especially focused now on improving their data to enable successful AI use. “Data has been the core challenge — but also the opportunity — for many organizations in their AI adoption. For some, it’s going to be a real journey to make sure their data is high in quality and widely usable for training large language models within organizational boundaries,” he said.
Incident Response Emerges as a Cyber Priority
The survey also found that executives are prioritizing cybersecurity tools: 68% of respondents named cybersecurity as one of the top five technologies they’re investing in this year. AI applications for cybersecurity can probe for vulnerabilities in defenses, review audit logs for potential breaches and instantly remediate risk issues or vulnerabilities.
According to Han, companies that use these tools need to evaluate their comfort level with augmenting human capabilities for such a vital activity — and evaluate the impact on their workforce. “The risks of overreliance on AI in cybersecurity have to be considered,” he said. “If we start using AI to simply replace humans to monitor, respond to, and mitigate security risks, the human foundation for cybersecurity could be diminished. It’s important to strike a balance between the use of AI tools and continuing developing the expertise and critical thinking of the human security team.”
For employees throughout the organization, AI tools should not diminish the importance of regular training and embedding strong cybersecurity awareness practices throughout your workforce. Meanwhile, the need for thorough, cross-functional incident response playbooks and resilience drills is still growing.
“Where the real resilience starts to show up is in comprehension,” Lee said. “You can’t have comprehension without clarity. You can’t have clarity without people knowing what their role is when the ‘bad day’ happens, and you genuinely can’t know that without practice.”
Han added that even in resilience drills, AI tools can play multiple roles. “AI can create simulation scenarios to test incident response capabilities,” he said. “In addition, where written response playbooks can be lengthy and complicated to execute, the people on the response team can use AI to more quickly discern their responsibilities and take decisive action.”
Moving Toward Real-Time Monitoring and a Culture of Compliance
As laws evolve and risks emerge, continuous monitoring is becoming essential. In fact, 53% of executives now rank data privacy compliance among their top three cybersecurity concerns. The next frontier in compliance and resilience is real-time monitoring — driven by advancements in robotic process automation and AI, which can quickly detect anomalies or red flags.
According to Rojhani, companies are increasingly investing in tools that allow management to identify and correct financial reporting and IT issues long before third-party audits.
“Management is doing it upfront to make sure everything is clean,” Rojhani said. “Over time, we’ll see fewer material misstatements in financial audits and fewer IT violations from a SOC perspective. Real-time monitoring is the future.”
But technology alone isn’t enough. Compliance must be embedded in the organization’s culture and supported by leadership. According to the data, just over one in four executives cited compliance lapses or security issues as a top reason past technology initiatives failed.
“Strong compliance and resilience are built when companies appoint risk champions across business units and promote cross-functional knowledge sharing,” Rojhani said. “It’s not just tone at the top; it’s about providing the resources to embed that mindset into the organization.”
