Скачать или смотреть AMA: GRC, SOC 2, and the State of Audits

It’s the last day of 2025, which means it’s time to wrap season one. When Troy and I piloted this series, we didn’t expect thousands of you to tune in, and certainly didn’t expect to pickup the wonderfully smart Kendra to join our crew.

With that, we want to thank you for encouraging us to keep this series going. We’ll be back for season 2 soon, and are taking in new pitches for episodes now. To wrap the year, we conducted a AMA on the current state of GRC. We pulled questions from Reddit and LinkedIn and tackled them live in conversation.

What we covered

Are we “anti–GRC automation tools”?
Short answer: no. Long answer: automation isn’t the problem. It’s misuse, blind trust, and compromised audit integrity are.

Cheap SOC 2s and bundled audits
Why budget startups often don’t have a real incentive to avoid low-cost, bundled auditors, and what you give up when you go that route.

SOC 2 pentesting vs PCI DSS
Why SOC 2 allows weak or missing pentests, why PCI doesn’t, and how automated scans differ from real manual testing.

Conflicts of interest in the GRC ecosystem
Platforms, auditors, and vCISOs all partner, so where does objectivity break down, and is it even possible to keep it clean?

Who’s really at fault: tools or auditors?
A blunt discussion on incentives, accountability, and why low-quality audits keep winning.

Offshoring and the race to the bottom
When cost-cutting leads to offshoring, what should clients actually be worried about and what’s just noise.

The future of audits and AI
Will AI replace auditors? Where automation helps, where humans still matter, and what happens if we stop caring about independent assurance altogether.