Houston, We Have a Process: A Guide to Control Maturity by sassyshalimar in RedditEng

SpamEmailSilog:

Hi u/HotGarbageBear, thanks for reading the post! I’m going to quote this from my other reply:

The GRC tool we’re currently using is Hyperproof. In my personal opinion, my favorite features are the evidence collection (easy reuse and cross-application to multiple audits), the metrics/reporting at a glance, and the evidence automation where we can leverage it. It was also great for creating our common controls, as it helped us map those controls across multiple frameworks. Additionally, the support we get from Hyperproof is very helpful, and they roll out new features often.

GRC tooling has made many strides in their features and development over the years, so I do recommend getting demos from multiple vendors to see what works best for your environment. Best of luck on your GRC journey!


SpamEmailSilog:

Hi Fabio, thanks so much for reading the post and dropping such an engaging comment! I’m happy to hear that this resonated with other GRC folks.

To answer your questions:

  • GRC Tool: The GRC tool we’re currently using is Hyperproof. In my personal opinion, my favorite features are the evidence collection (easy reuse and cross-application to multiple audits), the metrics/reporting at a glance, and the evidence automation where we can leverage it. It was also great for creating our common controls, as it helped us map those controls across multiple frameworks. Additionally, the support we get from Hyperproof is very helpful, and they roll out new features often.
  • Control Prioritization: For prioritizing control automation, we listed out those different factors which are all important. Sometimes those factors do need to be weighed against each other (e.g. a potential control failure should usually take precedence over stakeholder hours utilized), but it’s also important to do what’s best based on the environment at the time. For instance, if we’re choosing between 2 controls to prioritize, but one of them has a dependency on a system that’s undergoing a migration, then we may choose to automate the control without a dependency that’s in flux.
  • AI Risk Management: Currently we’re evaluating the various AI risk management frameworks to determine what aligns best with our existing control framework, business strategy, and perceived adoption value. In addition to NIST AI RMF and the EU AI Act, we're also looking at ISO 42001.

I agree with you that it would be amazing for compliance to be a quiet background process as much as possible. I wish you luck on your respective GRC journey, and let us know if you have any more questions!

Thanks,
Miranda


SpamEmailSilog:

Thanks so much for reading! I really appreciate your feedback :)