AI Is Rewriting GRC Jobs

Simon Carver

Welcome back to The Human Workforce Podcast. I'm Simon Carver.

Lachlan Reed

And I'm Lachlan Reed. [warmly] Today we're poking at one of those corners of business people used to think was safe as houses: governance, risk, and compliance.

Simon Carver

Yeah. GRC had this reputation for being too messy, too regulated, too human-dependent to really automate. You had policy reviews, evidence collection, audit prep, control mapping, exception handling. It looked like a world built for patient people with giant spreadsheets and very strong coffee.

Lachlan Reed

[laughs softly] And maybe a sore neck from staring at twelve tabs at once. That's how it felt, though, right? Like, surely a machine couldn't handle all the nuance. Surely you still needed teams chasing screenshots, downloading logs, emailing people three times for the same document.

Simon Carver

Exactly. But I think that belief was less a law of nature and more a habit. Organizations got used to the friction. So they mistook manual effort for necessary effort. That's an easy trap. If a process has always been painful, you start to assume the pain is part of the value.

Lachlan Reed

That's good. Bit like an old ute door you have to shoulder-check to close. After a while you stop asking whether the hinge should just be fixed. You just say, "Nah, that's how she works." GRC was a bit like that. Clunky, manual, slow—and everyone treated that as normal.

Simon Carver

And now AI is blowing up that assumption. Not in theory—in actual workflow. It can gather evidence at scale, monitor activity continuously, run compliance checks across systems, and flag issues in real time. The old cycle of waiting for an audit window, then scrambling to assemble proof, starts to look very dated very fast.

Lachlan Reed

Yeah, that's the shift. It's not just "Here's a smarter spreadsheet." It's more like the spreadsheet has been shoved out of the driver's seat. The old model was periodic and manual: pull reports, compare records, chase documents, update trackers. The newer model is always on. Systems watch systems. Controls get checked as work happens, not weeks later when someone's already forgotten what went wrong.

Simon Carver

And that changes the emotional rhythm of the work too. Under the old model, compliance often meant bursts of panic. Quiet, quiet, quiet, then suddenly everybody's hunting for evidence. With machine oversight, the pattern becomes continuous observation instead of periodic reconstruction.

Lachlan Reed

Which sounds cleaner because, well, it is cleaner. But also a bit confronting. Because once a company sees that monitoring can happen all the time, and evidence can be gathered automatically, the question stops being, "Can we automate some of this?" It becomes, "Why are we still paying people to do admin the machine now handles before smoko?"

Simon Carver

[thoughtful] Right. And we should be careful here. The point isn't that every single part of GRC disappears. It doesn't. But the layer built around repetitive collection, reconciliation, and checking? That layer is under real pressure. AI doesn't get tired of reviewing logs. It doesn't lose track of version seven of a policy file. It doesn't need reminders to keep watching.

Lachlan Reed

And that's why the old safety myth is cracking. People thought complexity protected the job. Turns out complexity often just protected the inefficiency. Once tools got good enough—maybe not perfect, but good enough at scale—the whole thing started shifting. Fast.

Simon Carver

So if someone is still imagining GRC as a protected island of white-collar work, I think that's already outdated. The fortress wasn't made of stone. It was made of process debt.

Lachlan Reed

[dryly] Yeah, and some of those processes are so overbuilt, a sleepy tradie with a tape measure could spot the waste before the board does. That's the uncomfortable bit. AI isn't arriving in GRC because the work was simple. It's arriving because a lot of the admin was structured enough to industrialize.

Simon Carver

And once that happens, the role of the human starts moving up the stack. Not gone. But repositioned. Which brings us to the harder question: if the admin work shrinks, what exactly is left for people?

Lachlan Reed

This is where it gets real for actual workers, not just strategy decks. If AI is gathering evidence, checking controls, and watching for deviations all day long, then the entry-level role built around collecting and formatting that stuff gets squeezed. Same with a chunk of mid-level analyst work that was basically review, routing, and follow-up.

Simon Carver

Yes. And "squeezed" may even be too gentle in some organizations. Some roles compress. Some get redesigned. Some just quietly vanish through attrition. No big dramatic announcement—just fewer openings, fewer stepping-stones, fewer chances to learn the discipline by doing its basic tasks.

Lachlan Reed

That's the sneaky part. People look at AI and think about replacement at the top end, like some robot chief risk officer. But often the first hit lands lower down, where work is more repeatable. Entry-level jobs disappear first, mid-level jobs narrow next, and suddenly the path into the profession looks like a ladder with the bottom rungs missing.

Simon Carver

And that's dangerous for more than individual careers. It's dangerous for the organization itself. If you remove the junior work without rebuilding a development path, where do future leaders come from? You don't magically produce experienced judgment. People usually earn it by seeing edge cases, making mistakes, being corrected, understanding why a control matters in the first place.

Lachlan Reed

Exactly. You can't just harvest senior thinkers off a shelf at Bunnings. Well, you can't harvest much there except sausage sandwiches and regret about buying one extra drill bit set. But you get my point. If companies cut the training ground, they cut their own future capability.

Simon Carver

So what remains human? A lot, actually—but it's different. Judgment. Ethics. Context. Accountability. Those aren't decorative extras. They're the core of the next layer of value. A system can surface an anomaly. A person still has to ask what it means, what tradeoff is acceptable, who is affected, and who is responsible if the machine is wrong.

Lachlan Reed

Yeah, because a flagged risk isn't the same as an understood risk. A rule firing isn't the same as wisdom. Sometimes the machine's technically correct and practically useless. Sometimes it's missed the business context completely. That's where people still matter—interpreting, challenging, and owning the outcome.

Simon Carver

I like that word: owning. Because accountability becomes more valuable as automation spreads. When a process is manual, responsibility is diffused through activity. When a process is automated, responsibility sharpens. Someone has to govern the system, validate its outputs, and decide when not to trust it.

Lachlan Reed

So the human job shifts from "do the checking" to "oversee the checking system." Less spreadsheet wrangling, more critical thinking. Less evidence chasing, more asking whether the evidence means what the model thinks it means. It's a higher bar, to be honest.

Simon Carver

It is. And leaders have a choice here. They can use AI as a cost-cutting weapon: reduce headcount, strip out labor, report efficiency, move on. A lot of firms will do exactly that. Or they can use AI to build resilient capability—to free people from administrative drag and invest in stronger judgment, better oversight, and healthier talent pipelines.

Lachlan Reed

One path makes the numbers look tidy this quarter. The other gives you a workforce that can still think when the system does something odd at 2 a.m. and everyone's fancy dashboard is glowing red. I'd argue that's the better bargain.

Simon Carver

I would too. Because the real question isn't whether AI can absorb compliance admin. It can, or at least a growing share of it. The real question is what organizations choose to build after that. Thinner staffing and more fragility? Or stronger human capability around more powerful tools?

Lachlan Reed

And if you're listening from inside one of these roles, maybe the takeaway is simple, even if it's not comforting: don't cling to the admin. Build the judgment the admin used to hide. That's the bit worth protecting.

Simon Carver

Well said. Alright, Lachlan, let's leave it there for today.

Lachlan Reed

Too easy. Good chat, Simon.

Simon Carver

Good chat. We'll talk again soon.