
GRC Uncensored


By: Chaos

About this listen

GRC Uncensored is an experimental podcast designed to elevate real conversations with GRC professionals, auditors, regulators, and those building programs around it. Your hosts are Troy Fine and Elliot Volkman.

Hosted on Acast. See acast.com/privacy for more information.

Elliot Volkman
Episodes
  • AMA: GRC, SOC 2, and the State of Audits
    Dec 31 2025

    It’s the last day of 2025, which means it’s time to wrap season one. When Troy and I piloted this series, we didn’t expect thousands of you to tune in, and certainly didn’t expect to pick up the wonderfully smart Kendra to join our crew.


    With that, we want to thank you for encouraging us to keep this series going. We’ll be back for season 2 soon, and are taking in new pitches for episodes now. To wrap the year, we conducted an AMA on the current state of GRC. We pulled questions from Reddit and LinkedIn and tackled them live in conversation.


    What we covered

    Are we “anti–GRC automation tools”?

    Short answer: no. Long answer: automation isn’t the problem. It’s misuse, blind trust, and compromised audit integrity that are.


    Cheap SOC 2s and bundled audits

    Why budget startups often don’t have a real incentive to avoid low-cost, bundled auditors, and what you give up when you go that route.


    SOC 2 pentesting vs PCI DSS

    Why SOC 2 allows weak or missing pentests, why PCI doesn’t, and how automated scans differ from real manual testing.


    Conflicts of interest in the GRC ecosystem

    Platforms, auditors, and vCISOs all partner, so where does objectivity break down, and is it even possible to keep it clean?


    Who’s really at fault: tools or auditors?

    A blunt discussion on incentives, accountability, and why low-quality audits keep winning.


    Offshoring and the race to the bottom

    When cost-cutting leads to offshoring, what should clients actually be worried about, and what’s just noise?


    The future of audits and AI

    Will AI replace auditors? Where automation helps, where humans still matter, and what happens if we stop caring about independent assurance altogether.


    47 mins
  • Do Ethical GRC auditors really exist?
    Nov 20 2025

    In this episode, the crew digs into a messy but necessary topic: what does ethical auditing even mean in a market overrun with automation shortcuts, low-effort SOC 2 audits, and firms that self-declare “quality” without proving it?


    With Troy actively auditing today and Kendra working with auditors in real time, the team breaks down where rigor actually shows up, where the system is broken, and why SOC 2’s value is slipping as fast as demand for speed is rising.


    03:00 – “Quality theater” and firms self-labeling as high quality

    04:10 – Who defines quality—auditors or customers?

    05:00 – The four-hour SOC 2 audit example

    06:00 – The danger of “better than the worst” logic

    07:00 – What thorough auditing actually looks like (Kendra’s experience)

    09:30 – SOC 2 inconsistency across auditors and firms

    11:00 – Should audit firms be objectively measured?

    15:00 – Kendra’s “secret shopper auditor” idea

    19:20 – Automation platforms producing shallow “green checkmark” results

    22:00 – Drive-by auditors rubber-stamping automated data

    26:00 – Peer review and “enhanced oversight” gaps

    33:00 – Why the industry isn’t incentivized to fix the quality problem

    39:00 – Ethical auditors exist—but the system doesn’t reward them


    44 mins
  • SOC 2, Vibes, and the Audit Arms Race
    Oct 22 2025

    This episode dives deep into the messy, absurd, and sometimes hilarious world of SOC 2 audits and compliance frameworks. Wiz CISO Expert Zlatko Unger joins the crew to talk about the expanding “acronym soup” of frameworks, the blurred lines between automation and assurance, and why finding an auditor who vibes with your team might matter more than the name on the certificate.


    The crew also debates the future of SOC 2 — from fast-track “15-hour audits” to the rise of AI-generated reports — and whether the entire model needs a ground-up rebuild.


    Guest: Zlatko Unger, CISO Expert at Wiz

    Hosts: Troy Fine, Kendra Cooley, Elliot Volkman


    00:03 — Framework overload

    00:07 — Auditor “vibe check”

    00:11 — SOC 2’s fall from grace

    00:16 — TPRM and audit fatigue

    00:25 — SOC 2 for robots

    00:36 — Reform or rebuild?


    47 mins