Description

Compliance isn’t “paperwork”—it’s the last line between your customers and the next Equifax-level mess.

But GRC teams are stuck chasing screenshots and questionnaires instead of reducing real risk—and AI is about to change that.

In this episode of Legitimate Cybersecurity, hosts Frank Downs and Dustin Brewer sit down with Richa Kaul, CEO & Founder of Compliance (an AI-native enterprise GRC platform), right after her company’s $20M raise led by Google Ventures.

We dig into:

Why GRC gets hated (and how to stop being the “business blocker”)

What real AI in compliance looks like vs. “LLM sticker on legacy software”

The uncomfortable truth: audits shouldn’t disappear—and why incentives matter

How to reduce hallucination risk with tight inputs/outputs + guardrails

Third-party risk management (TPRM): the questionnaire nightmare… and the path out

Media/interview: admin@legitimatecybersecurity.com

Audio: https://legitimatecybersecurity.podbean.com/

Chapters:

00:00 – Compliance is the job (and also… you wanted to be an astronaut)

01:20 – Meet Richa Kaul + the “privacy nut” origin story

02:11 – $20M from Google Ventures: why GRC is getting real investment

02:52 – Quick GRC explainer (governance, risk, compliance)

03:35 – “Compliance is broken”: why everyone hates the process

04:49 – The real pain: chasing evidence vs. reducing risk

07:00 – What “AI-powered” actually means (and why most vendors are faking it)

09:31 – Force multipliers: where AI should increase capability, not just save time

11:25 – Completeness problem: you can’t protect what you don’t know exists

13:09 – Example: encryption checks → automation + AI completeness/accuracy criteria

15:58 – The future: continuous monitoring, audits, and what should change

17:24 – Why audits shouldn’t go away (incentives + independence)

20:07 – Gatekeeping, CMMC, and “audit industry” friction

23:58 – TPRM hell: questionnaires, insurance, and repetitive evidence requests

27:05 – Why Richa cares: privacy, consumer harm, and the mission behind GRC

28:46 – Equifax as the “spark” (without breach-shaming)

31:52 – Hallucinations: how to build AI you can trust in compliance workflows

35:24 – “Do you use compliance to ensure compliance?” (dogfooding)

36:00 – Outro: “Keep on cyberin’”

#GRC #Compliance #Cybersecurity #AI #RiskManagement #Audit #ThirdPartyRisk #DataPrivacy #Governance #securityculture #legitimatecybersecurity