The AI Governance Playbook You Need with Tolga Erbay

The Death of Traditional GRC - Navigating the AI Revolution with Olivia Rose

In today’s age of technological disruption, there’s no point in shying away from AI any longer. In fact, it’s detrimental to do so. In this episode of When Trust Meets AI, host and CEO of Drata, Adam Markowitz welcomes Olivia Rose, a veteran CISO and virtual CISO advisor, to explore how AI is reshaping the GRC landscape, workflows, and trust.  What You’ll Learn: * How AI is collapsing the boundary between personal and professional risk * Why your industry's tech debt determines your AI success more than your AI strategy * The framework for AI enablement before AI security * How GRC has transformed from a compliance checkbox into a revenue-protecting function * Why CISOs are burning out at scale and what actually supports them * The non-negotiable skill for surviving AI disruption in GRC * How to stop undermining yourself as a woman in tech Olivia is a veteran cybersecurity executive and virtual CISO with over 24 years of industry experience, including two tenures as a Chief Information Security Officer. As the Founder of a successful executive advisory boutique, she brings deep expertise in AI enablement, trust architecture and the evolving intersection of personal and professional cybersecurity. Her insights on navigating tech debt, vendor risk assessment and the human elements of compliance make her an important voice for security leaders and GRC professionals seeking to position their teams as strategic enablers rather than operational blockers. EPISODE RESOURCES:  * Olivia Rose on LinkedIn: https://www.linkedin.com/in/oliviarosecybersecurity/ [https://www.linkedin.com/in/oliviarosecybersecurity/]  * Rose CIO Group Website: https://www.rosecisogroup.com/ [https://www.rosecisogroup.com/]  * Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam [https://www.linkedin.com/in/markowitzadam]  * Drata Website: https://drata.com/ [https://drata.com/]  HIGHLIGHTS: * 00:00 Introduction  * 01:03 From CISO to Virtual Advisor * 02:15 How AI Is Blurring Personal and Professional Trust * 05:18 AI’s Biggest Use Cases and Surprises  * 08:38 Tech Debt Is Your Real AI Bottleneck, Not Strategy * 14:35 What It Means to Be a CISO Today * 18:00 Why GRC Is Now a Revenue-Protecting Strategic Function * 27:09 What Keeps CISOs Up at Night & Being an Unsung Hero * 29:51 A Quote That Changed Olivia’s Life * 32:39 The Power of Authentic Listening in Leadership * 34:38 Women Leaders Need to Stop Self-Sabotaging  * 41:09 GRC Can’t Afford to Ignore AI Any Longer  * 43:05 Key Takeaways & Closing Thoughts  QUOTES: 1. With this influx of AI, the lines between your personal and your professional life are very blurred now, and I've started to really emphasize the importance of trust on a personal level as well." 2. “AI doesn't pretty stuff up. It shines a big old flashlight on what you're doing wrong, and industries that have high levels of tech debt typically are gonna have the hardest time moving forward with AI." 3. "GRC people have it really tough, and it's underestimated how difficult it is to be a GRC person. But with the introduction of AI, you're having a lot of these tasks where you would be pestering and asking for evidence over and over again, or you don't even need to ask for it at all - it just automatically appears." 4. "Ten years ago, it was all spreadsheets with inaccuracies and manual updates. But the rate of efficiency and innovation we're about to see with AI is nothing compared to what we saw before. Within two to three years, the whole landscape is going to look completely different." When Trust Meets AI is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]

Your AI Policy Might Be Putting Your Company at Risk with Courtney Hans

Your AI policy isn’t something you can afford to delay working on, and this episode of Where Trust Meets AI unpacks why. Tune in as host and Drata CEO, Adam Markowitz, welcomes Courtney Hans, Vice President of Cyber Services at ANV for a breakdown of why implementing AI without intentional safeguards is like deploying any new technology without brakes. What You’ll Learn: * How to implement "trust but verify" in a remote-first world * Why AI implementation without guardrails is a business risk masquerading as efficiency * The three critical questions every organization must ask before adopting an AI tool * How to position GRC as a revenue driver, not a cost center * Why continuous learning is non-negotiable for security professionals in the AI era * How to translate technical risk into business impact so executives actually care This episode is a reminder that the “trust but verify” approach looks completely in an AI-powered world; but it must continue to exist, nonetheless.  Episode resources:  Courtney Hans on LinkedIn: https://www.linkedin.com/in/courtney-hans/ [https://www.linkedin.com/in/courtney-hans/]  AmTrust Financial Services Website: https://amtrustfinancial.com/ [https://amtrustfinancial.com/]  Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam [https://www.linkedin.com/in/markowitzadam]  Drata Website: https://drata.com/ [https://drata.com/]  Highlights: 00:00 Introduction & Meeting Courtney Hans  00:04 How Courtney Went from English Major to Security Leader 02:15 Why You Should Stop Blocking Tools Without Guardrails 08:45 AI Adoption: Three Critical Questions Every Security Leader Must Ask 18:30 AI Automation for Administrative Work & GRC for Offensive Security 24:00 Why Translating Security Risk Into Business Impact is Non-Negotiable  35:15 Build a Career Pyramid, Not a Ladder 45:30 AI is Not Set It and Forget It 52:00 Key Takeaways & Closing Thoughts  When Trust Meets AI is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]

Deepfakes, AI Governance, and the Rise of the GRC Engineer with Mike Britton

Trust is the currency of modern security, and AI is about to stress test it. In this episode of When Trust Meets AI, host and CEO of Drata, Adam Markowitz, sits down with Mike Britton, Chief Information Officer at Abnormal AI, to unpack what trust really means when deepfakes can blur reality, SaaS vendors ship surprise AI features overnight, and governance has to move at the speed of product. Mike also shares how Abnormal AI is becoming AI-native internally without touching customer data, why they built AI transformation pods, and how lightweight governance can still enforce real controls. What You’ll Learn: * Why trust collapses faster than it builds * How to govern AI tools without killing innovation * The shift in third-party risk evaluation for AI vendors * Why you should embed AI pods inside business functions * How to democratize GRC engineering without hiring software engineers Mike Britton is the Chief Information Officer at Abnormal AI, where he leads enterprise IT, cybersecurity, and the company's AI-native transformation initiatives. With nearly five years at Abnormal and a 30-year career in cybersecurity, including previous roles at Fortune 500 companies and financial services, Mike brings deep expertise in building trust through responsible AI adoption, third-party risk management, and modernizing GRC from a compliance burden into a competitive advantage. EPISODE RESOURCES:  * Mike Britton on LinkedIn: https://www.linkedin.com/in/mrbritton/ [https://www.linkedin.com/in/mrbritton/]  * Abnormal AI Website: https://abnormal.ai/ [https://abnormal.ai/]  * Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam [https://www.linkedin.com/in/markowitzadam]  * Drata Website: https://drata.com/ [https://drata.com/]  HIGHLIGHTS: * 00:00 Introduction * 01:07 From CISO to CIO * 02:54 Defining Trust and Why It’s Expensive to Regain * 04:37 How AI Pushes Trust Into a New Frontier * 07:35 AI-Native Operations * 09:35 AI Transformation Without Touching Customer Data * 12:57 Governance That Doesn’t Block * 16:36 The Emerging Third-Party Risk * 19:22 Why Trust Centers Don’t Replace Human Trust * 27:27 Hiring for the AI Era * 29:58 The Rise of the GRC Engineer * 32:28 SecOps vs. GRC Divide * 35:04 What CEOs Should Ask Their CIO/CISO * 35:49 Books That Shaped Mike’s Approach QUOTES: 1. “Trust is one of these attributes where anytime you've broken trust, it's always so much harder to regain trust. It can be lost in a second, and it takes years to regain. Even small things that damage trust, the level of effort that it takes to regain that is monumental versus how easy it is to lose it.” 2. “Right now, we want AI tools to be assistance and facilitators, but if that's only where we go, then we've missed the mark of really the age of AI and the true potential of it. We're looking at where we can identify routine mundane tasks and expand a role's potential through context, automation, and agentic things to help them see more and pull in more context faster.” 3. “Four and a half, five years ago, customers weren't really asking AI questions because they probably didn't understand it. Now, we have an AI addendum and an AI council that we have to go through. The market has swung too far in one direction, but I look at SOC 2 Type II and ISO certification as a minimum playing field, not necessarily a seal of approval.” 4. “I want every single GRC person to be a GRC engineer. The beauty of Claude Code and ChatGPT is it democratized a skill set that wasn't there or was exclusively reserved to developers. You don't have to be a Python developer. You just have to have an idea, know what bad is and what good is, and AI can help you solve it.” When Trust Meets AI is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]

The AI Governance Playbook You Need with Tolga Erbay

In this episode of When Trust Meets AI, Tolga Erbay, Head of GRC at Dropbox, confirms that it IS possible to build trust in the age of AI while optimizing productivity in the workplace. Tune in as host and CEO of Drata, Adam Markowitz, sits with Tolga for a deep dive into the real state of AI governance frameworks, the concrete metrics (like trust-influenced ARR) that finally prove security and compliance drive revenue, and everything in between.  What You’ll Learn: * How to define trust operationally and use a practical framework to assess security risks * Why shadow AI is the new shadow IT challenge and how to strike the balance between managing AI risk and enabling productivity  * The real timeline for AI governance maturity and why expecting mature AI risk frameworks within months (not years) is unrealistic * How to build a trust dashboard that speaks to executives using FAIR methodology  * Which skill sets your GRC team actually needs in 20265 * How AI is already freeing up your team for strategy and where the next productivity breakthrough lies  If you're caught between moving fast and staying safe, this conversation gives you the tools to safeguard yourself from third-party AI risk.  Episode resources:  Tolga Erbay on LinkedIn: https://www.linkedin.com/in/tolgaerbay/ [https://www.linkedin.com/in/tolgaerbay/]  Dropbox Website: https://www.dropbox.com/ [https://www.dropbox.com/]  Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam [https://www.linkedin.com/in/markowitzadam]  Drata Website: https://drata.com/ [https://drata.com/]  Highlights: 00:00 Intro: Welcome to Trust Meets AI with Tolga Erbay, Head of GRC at Dropbox 02:38 Define Trust Operationally: Safe Places for Vulnerable Data 04:59 Shadow AI is the New Shadow IT: Balancing Risk and Productivity 08:15 AI Governance Maturity Takes Years, Not Months 11:30 The Security Landscape is Figuring Out the Gold Standard 12:55 Tolga’s Retrospective: The Evolution of AI, Trust & Governance 15:51 How Dropbox Does Trust: Scorecards & Dashboards  16:48 Measure Trust as Revenue: Connect Assurance to Business Growth 18:12 Upskill Your GRC Team in AI Fundamentals, Then Hire Deeper Expertise 19:50 Reject the SOC 2 Quick-Fix Myth: Raise the Bar on Compliance Quality 21:41 Questions Every CEO Should Ask Their GRC Leader 23:06 Influential Lessons from 20 Years in Security and GRC 25:52 AI in Personal Life: From Travel Planning to Family Adventures 26:55 Key Takeaways: Trust, AI Governance, and the Future of GRC Quotes: 1. "You can't build anything without trust. I think quite simply, it means you've assessed the other party to be a safe place where you can open up or be vulnerable, with the things that you value, whether that's possessions or thoughts or even feelings.” 2. "The skill set is certainly changing. We have worked with our team to make sure that everybody is taking baseline AI training to understand how models work, how LLMs work, how the engagement context engines work. We've been hiring people with backgrounds in ML and people that understand this at one layer deeper than a GRC team has ever had to engage before." 3. "Everything feels huge when you're younger - everything feels like a big mistake or a big compliance deficiency. How you manage the relationships with people throughout the way is far more impactful than fixing every individual problem." 4. "It is a myth that you can get a SOC 2 in twenty days for five thousand dollars. You can spend twenty days and $5,000 and get a SOC 2, but it is impossible to do that well - to do a quality job and get anything done in terms of security or actual risk management. It's not gonna happen in twenty days." When Trust Meets AI is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]

Switch From the Department of No to the Department of Know with Ty Sbano

“What even is trust?” asks Ty Sbano, CISO, Webflow, in the latest episode of Where Trust Meets AI. Tune in as host and CEO, Drata, Adam Markowitz, welcomes Ty for a deep dive into what your ideal security program should look like. What You’ll Learn: * How to reframe security's role from blocker to enabler - the "department of know" * The critical gap between certification and continuous trust * The skill set that actually matters in an AI-native GRC world * How to evaluate whether an AI tool is trustworthy, going beyond just vendor legitimacy * Why questionnaires, policies, and vendor reviews are your fastest onboarding accelerators * The hidden risk no one's talking about: permission creep with AI agents Hit play to explore how organizations can harness AI's acceleration while maintaining the fundamentals that actually matter: consistency, transparency, and human judgment. Episode resources:  Ty Sbano on LinkedIn: https://www.linkedin.com/in/tysbano/ [https://www.linkedin.com/in/tysbano/]  Webflow Website: https://webflow.com/ [https://webflow.com/]  Adam Markowitz on LinkedIn: https://www.linkedin.com/in/markowitzadam [https://www.linkedin.com/in/markowitzadam]  Drata Website: https://drata.com/ [https://drata.com/]  Highlights: 00:00 Introduction and Meeting Ty Sbano  02:57 From Banking to Startups: 20 Years Building Security Programs 05:01 Redefining Trust in an AI World 06:55 Why AI Magnifies Old Risks Faster 09:47 From "Department of No" to "Department of Know" 13:44 AI in Practice: Workflows, Superpowers and the Responsibility Gap 18:11 SOC 2 Is Table Stakes Now: The Evolution of Vendor Trust Over 15 Years 22:17 Continuous Compliance: Building Trust Centers That Drive Growth 24:38 The Trust Center as Growth Enabler: Positioning Security as Strategic 27:32 Fundamentals First: Why AI Automation Can't Replace Risk Management Skills 32:38 The Skills That Matter in a GRC World 34:50 Making Security Documentation AI-Ready 36:14 What CEOs Should Ask CISOs: Uncovering Blind Spots and Hidden Risks 38:19 Most Influential Reads, Podcasts, and People in Ty's Career 41:01 Know Your Worth: Boundaries, Integrity and Career Longevity 42:36 Final Thoughts: The Future of Compliance and Continuous Assurance Quotes: 1. “When the early days of knowing and figuring out what it was like to break into sites and do certain things, they painted such a unique picture of how storied and how whimsical and all these things that go with hacking things in the reality. It's not as fun or sexy, but tinkering, hacking, the communities that are out there, it is a very colorful environment of people and characters.” 2. "Being a leader as someone that has an opportunity and I'm blessed to be able to go into these startups and build, but also work with founders and feel the value that goes in and the outcomes that actually occur. When you share those sort of ambitions together in that pace, it can lead to an amazing thing." 3. "If you're too nice, if you leave too many doors open, I think a lot of folks will take advantage of that, and being too polite can actually be to your detriment. It's a hard balance between being direct and being rude, but you have to know your worth by knowing your boundaries." 4. "You have to know your worth by knowing your boundaries. That, to me, changed everything in how I operate and where I'm at today. It's not just about being protective—it's about being strategic in how you allocate your most valuable resource: your time." When Trust Meets AI is handcrafted by our friends over at: fame.so [https://www.fame.so/?utm_medium=podcast&utm_source=bcast&utm_campaign=masters-of-community-with-david-spinks?utm_medium=podcast&utm_source=bcast&utm_campaign=fame-client]