We're glad to announce that The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q2 2026, is now live. We've evaluated 12 vendors in this iteration and are grateful to all of them for their participation in the process. Today's governance, risk, and compliance (GRC) platforms market faces many headwinds. Many GRC platforms still require too much manual data entry, only offer basic workflow automation, and are too complex, unwieldy, and expensive for the function they perform today. And unfortunately, intelligent integration of AI into the platform isn't coming to help soon, as reflected in tepid feedback from customers on their adoption plans for it.
Yet the GRC platforms market is going to fundamentally reform its purpose over the next 18 to 24 months, with vendors focusing on becoming orchestrators of outcomes and action for risk professionals. Here are some important market trends we encountered during the research:
- Automation will transform GRC platforms from a system of record to a system of action. GRC platforms have long been a system of record, recording the outputs of various risk management, compliance, and internal audit workflow outcomes. GRC vendors are seeking to intelligently partner with specialist risk data providers, regulatory content providers, and risk domain specialists, rather than seek to build these capabilities themselves. The platform remains a data repository of record but uses orchestration and automation of a broader ecosystem of risk technologies to deliver outcomes and action, not just static data.
- AI is providing minimal value for customers today but must change quickly. GRC vendors have aggressively leaned in to the agentic AI future, and if they're to be believed, it's already here. But our Wave evaluation discovered that this isn't yet the case, as much of the current AI functionality boosts existing capabilities rather than delivering the promised transformational change. Customers think so, as well, citing functional limitations and a high financial cost as barriers to adoption. GRC providers must turn the AI marketing hype into value by supporting the most in-demand outcomes such as significantly accelerating processing times for risk assessments and compliance evaluations.
- For now, continuous controls monitoring is in the embryonic stage and too audit-focused. Continuous controls monitoring (CCM) showed up as the single weakest current offering criterion in the Wave evaluation. Many GRC platforms implement CCM purely as a mechanism for gathering audit evidence for internal auditors. While this is a current pain point, this use case is not the most important one. Instead, CCM done right enables continuous performance monitoring of controls effectiveness, policy enforcement, and, in some cases, a trigger point for control remediation. To unlock the value of this use case, GRC platform vendors must build not only technical integrations to enterprise systems of record (e.g., ERP systems) but also rich libraries of control performance monitoring use cases and commonly used effectiveness thresholds.
- GRC platforms will gather too much data unless vendors focus on specific use cases. The security analytics market initially focused on gathering as much data as possible and generated unnecessary storage costs with limited security value. Security analytics tools drove better value by later leveraging the MITRE ATT&CK framework to develop a tighter set of monitoring and threat use cases that narrowed the scope of data needed. Likewise, CCM will exponentially increase the volume of data. But as GRC engineering capabilities become more widespread, customers and vendors must work together to build libraries of controls-performance-monitoring use cases to gather only the necessary data.
- Limited consensus exists about how to price AI, making comparison hard. There's widespread variability in pricing AI within GRC platforms. This also extends to pricing for the AI governance capability within GRC platforms. AI for GRC is focused on delivering AI capability across an entire GRC platform, while AI governance is focused on helping risk teams manage their AI governance programs and use cases. Customers often end up needing to pay for both, depending on the vendor. We saw everything from no additional charges to fixed-price package additions to consumption-based pricing based on the number of AI use cases governed. Reference customers were also confused by the pricing approaches, frequently citing the lack of clarity over the value for money from their investment in AI capabilities.
GRC platforms are a core enabler of all aspects of the Forrester Continuous Risk Management Model. These platforms only become more important as the monitoring of risk decisions, controls effectiveness, and risk posture transitions from point-in-time assessments to continuous assurance. Read the latest Wave results and request a guidance session or inquiry from us to discuss our findings about the market in more detail.
