
Security & GRC Decoded


By: Raj Krishnamurthy

How today's top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It's for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and compliant with regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC, from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

© 2026 Security & GRC Decoded
Economics
Episodes
  • Beyond Checkbox Compliance: Why GRC Must Become an Engineering Discipline ft Sheron Chakalakal, Head of GRC @ UiPath
    Jun 2 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Sheron Chakalakal, Head of GRC at UiPath, to explore why the future of GRC looks far more like systems engineering than traditional audit management.

    Drawing from his experience at Salesforce, Deloitte, and UiPath, Sheron explains why point-in-time audits and checkbox compliance are failing modern engineering organizations — and why risk-driven, continuously monitored GRC programs are becoming essential. The conversation dives into AI governance, continuous risk monitoring, customer assurance, GRC engineering, AIUC-1, and how security, compliance, and engineering teams must evolve together.

    This episode reframes GRC as a technical reliability function that helps companies reduce operational risk continuously instead of simply passing audits once a year.


    Key Takeaways:

    • Modern GRC programs must evolve from audit functions into engineering-driven reliability functions.
    • Risk—not compliance—should be the central language for communicating with leadership teams.
    • Continuous controls monitoring is essential because point-in-time audits create “checkbox theater.”
    • AI governance requires technical evaluations, agent testing, and continuous assurance beyond traditional frameworks.
    • Future GRC leaders will need technical depth, business context, and the ability to bridge engineering with executive leadership.


    What You’ll Learn:

    • Why Sheron believes compliance should be designed into products from day one
    • How UiPath approaches continuous risk monitoring and GRC engineering
    • Why AIUC-1 introduces a fundamentally different approach to AI assurance
    • How GRC teams can become the “translation layer” between business and engineering
    • Why future GRC practitioners must develop technical and systems-thinking skills


    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Sheron Chakalakal | Head of GRC | UiPath
    Connect on LinkedIn: https://www.linkedin.com/in/sheronpaulc/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683


    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450


    54 min
  • From Compliance Theater to GRC Infrastructure: Why AI Breaks Traditional GRC ft Jasmine Kaur, Principal of Security & Assurance Engineering @ CoreWeave
    May 5 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Jasmine Kaur, Principal of Security & Assurance Engineering at CoreWeave, to explore how AI-native infrastructure is fundamentally reshaping GRC.

    Drawing from her experience at companies like SAP, Google, and now an AI hyperscaler, Jasmine explains why traditional GRC models are failing in high-velocity, ephemeral environments—and what needs to replace them. From “GRC as infrastructure” to the rise of agentic GRC, this conversation dives into how compliance must evolve from a reactive audit function into a real-time assurance capability embedded directly into systems.

    Key Takeaways:

    • Traditional GRC models break in AI environments because systems are ephemeral and disappear before audits can validate them.
    • Compliance should be treated as a byproduct of strong risk modeling and control design—not the end goal.
    • GRC must evolve into an infrastructure-level capability that continuously emits assurance signals.
    • Agentic GRC is the next evolution beyond automation and CCM, enabling decision-capable systems with human oversight.
    • Future GRC teams must operate more like engineering and reliability functions rather than audit teams.

    What You’ll Learn:

    • Why AI infrastructure makes traditional audits ineffective
    • What “GRC as infrastructure” actually means in practice
    • How to move from point-in-time audits to continuous assurance
    • The difference between automation, CCM, and agentic GRC
    • How to position GRC as a proactive, business-critical function


    Connect With Our Guest:
    Jasmine Kaur | Principal of Security & Assurance Engineering | CoreWeave
    Connect on LinkedIn: https://www.linkedin.com/in/jask31/

    54 min
  • The GRC Illusion: Why Third-Party Risk Is Still Broken ft Val Dobrushkin, Director of GRC @ Tricentis
    Apr 21 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into true business enablers.

    This conversation dives into the disconnect between frameworks and reality, the limits of SOC 2, the role of GRC in revenue and M&A outcomes, and why solving for today while building for the future is the key to long-term success.

    Key Takeaways:

    • Third-party risk management is fundamentally broken due to over-reliance on questionnaires and weak enforcement of meaningful controls.
    • SOC 2 is too flexible and inconsistent to be relied on as a true indicator of security maturity.
    • GRC has a unique advantage over security in directly demonstrating business value and revenue impact.
    • “Solve for now, build for later” is critical for startups and fast-growing companies preparing for IPO or acquisition.
    • Strong GRC programs can directly influence company valuation by identifying contractual and compliance gaps early.

    What You’ll Learn:

    • Why questionnaires and annual vendor reviews fail to capture real third-party risk
    • How GRC teams can prove revenue impact through customer trust and assurance
    • The hidden role of GRC in M&A, IPO readiness, and contract validation
    • Why most GRC metrics fail and what meaningful measurement should look like
    • How to implement a “solve now, build for future” strategy in fast-growing companies


    Connect With Our Guest:
    Val Dobrushkin | Director of GRC | Tricentis
    Connect on LinkedIn: https://www.linkedin.com/in/dobrushkin/

    55 min