Boards and regulators are raising expectations for how organizations manage security and risk. At the same time, AI and automation are changing the speed, scale, and accountability of decision-making. The result is a growing need to connect governance, risk, and remediation to show measurable risk reduction, not just visibility.
Join Laura Sawka, founder of Sawka Advisory Group and former SVP of Security GRC at Salesforce, in conversation with Averlon for a discussion on how leaders can evolve governance and assurance for an AI-driven world.
Drawing on her experience leading GRC transformation at global scale, Laura will share how organizations can:
- Embrace Governance and Risk Management practices to assess risk and establish clear requirements
- Build a clear strategy and prioritization approach that aligns security, risk, and business innovation
- Demonstrate how investments are closing the trust gap and keeping pace with the changing threat landscape
This 30-minute session will explore how forward-looking organizations are modernizing governance to maintain trust, demonstrate impact, and move faster with confidence.
This transcript has been edited for readability and to remove filler words.
Rajeev Raghunarayan:
Good morning. Good afternoon. Welcome everyone. Thank you for joining us. Today’s session is called Closing the Trust Gap: Governance, Risk, and Remediation in the Age of AI. My name is Rajeev Raghunarayan and I’ll be moderating today’s conversation.
A couple of quick housekeeping notes. The session is being recorded. Feel free to drop your questions in the Q&A panel and we’ll cover whatever we can towards the end of the webinar.
Today’s topic is increasingly important. As organizations adopt more AI and automation, AI continues to drive more features and product velocity for most companies. But it’s also continuing to drive risk for a lot of leaders. So if you’re being asked to demonstrate success and risk reduction, not just visibility, how do you connect governance, risk, and remediation? That’s becoming increasingly important to maintain trust in the current environment.
I’m excited to be joined by Laura Sawka. Laura is the founder of Sawka Advisory Group where she advises startups as well as large enterprises on various aspects of governance and risk. She was also the SVP of Security GRC at Salesforce, where she led global governance and risk programs through years of rapid scale.
Laura, welcome and thank you for being here.
Laura Sawka:
Thank you. Looking forward to the conversation today.
Rajeev Raghunarayan:
Absolutely. So Laura, I’m going to start with a straightforward question. You spent a lot of years leading governance, risk, and compliance, more than a decade at Salesforce. What inspired you to get started with Sawka Advisory Group and what type of challenges are you helping organizations handle today?
Laura Sawka:
Great question, and that’s a question I get very frequently. After many years in enterprise roles, an opportunity presented itself to assist high-growth clients with scaling their GRC programs. I’m a values-driven leader, and starting my own company allowed me to use my leadership passion and expertise to help organizations scale and align their GRC capabilities to drive measurable value and turn their GRC programs into a competitive advantage.
The clients I’m helping are all going through some phase of growth, and that growth drives the need to improve maturity and scalability in their GRC programs. That growth may look like expansion into regulated markets to support revenue increases. It could be an IPO, funding round, or acquisition that requires maturation of governance and risk processes.
It could also be organizations that have gone through a lot of acquisitions and may have multi-stack chaos going on with their technology stacks. Or they may simply be high growth and looking for a clear GRC strategy that will scale and support business growth.
The theme across these clients is that they’re looking for a clear GRC strategy that enables growth and supports business objectives.
Rajeev Raghunarayan:
Makes sense. So everyone from a startup to an enterprise, someone just starting out, to someone getting ready for an IPO, to someone acquiring a company. All care about GRC, and GRC is critical from a business standpoint too. A lot of customers ask about compliance standards and how you meet them.
We talk about the trust gap. For those hearing the term for the first time, what does that represent inside an organization and what are some of the early signals that a trust gap exists?
Laura Sawka:
All organizations need to take on risk when pursuing business objectives. Connecting to the internet is taking on a risk. And that risk always includes cybersecurity risk. Depending on where they are in their life cycle, and the industry they’re in, organizations will have different willingness to take on risk.
But when the amount of risk an organization is undergoing, or their security posture, differs from the amount of risk they’re willing to take on, that’s where the trust gap starts to emerge.
This can take the form of many things. It could be immaturity in security controls. It could be lack of coverage in security controls. Maybe you have controls on one product or one part of your technology stack, but not throughout the entire environment. It could also be lack of visibility into control effectiveness, meaning you’re operating without visibility into how those controls are working on an ongoing basis.
That’s why we have risk management programs, to help close this gap. Risk management helps you understand what risks exist, what investments would help remediate them, and how those investments bring you closer to the desired risk appetite.
Sustainable controls are also critical. It’s not just new investments, it’s also running the business consistently and doing foundational controls well. Cyber hygiene is a term that gets used here. That includes knowing what your assets are, how you’re doing configuration management, change management, vulnerability management, access management, and other key foundational controls that need to be done really well to align to the risk appetite you’re aiming for.
Rajeev Raghunarayan:
Very interesting. So everything from standard things like vulnerability management. And we’ve got this vulnerability going around, React2Shell, creating some noise. Upgrades cause problems, and we’ve seen cases where providers have gone down because upgrades stopped services. Are those the kinds of situations where the trust gap shows up?
Laura Sawka:
Yeah. Whenever your actual posture differs from your desired posture.
Rajeev Raghunarayan:
Desired posture. Makes sense.
Now, Laura, you’ve written about teams working hard. It’s not like companies aren’t trying to improve. But teams feel like they’re working harder than ever, and governance adds pressure in terms of meeting standards. In governance and risk, what does that feeling indicate when teams are working hard but still feel like they aren’t moving the needle?
Laura Sawka:
A lot of teams can relate to this. The hamster-on-a-wheel analogy resonates, and I’ve felt this in my own career.
Leaders and teams have a lot on their plate, and one thing that can get missed day to day is connecting back to business priorities. What is the business trying to achieve? How does my function support that? The cybersecurity program overall, and more specifically, your particular discipline in cybersecurity.
Teams can get lost in the nuance. That’s where having a clear strategy is key, because it connects back to what the business is trying to achieve, what the approach is, and how you measure whether it’s having the impact you need.
So: clear strategy, bringing risk into that strategy so you’re prioritizing based on risk, investing in controls and activities with the greatest impact, and having clear accountability and reporting. A lot of organizations don’t have as much maturity as they would like in KPIs and showing they’re improving controls and reducing risk.
Rajeev Raghunarayan:
When you talk about clarity over effort, how does that translate? How does it apply to how organizations govern risk today?
Laura Sawka:
It’s easy for organizations to get overwhelmed trying to address everything: the threat landscape, regulatory landscape, business priorities, team changes. There are so many facets of complexity.
Pausing, stepping back, and reevaluating is key. Reflect on where you’re going, where the organization is going, and how you realign. The forest and the trees. Are you stuck in the trees, or can you see the whole forest?
Stopping, pausing, reevaluating, and going back to the strategy. Is it still relevant? Do you need to adjust it based on changes in the business, threat landscape, or regulatory landscape? Then use that as the guiding point for the organization to hit its goals. That applies to large organizations and also to me running my own company.
Rajeev Raghunarayan:
Makes sense. It’s about tying security strategy and GRC strategy back to business priorities and business risk.
You led GRC transformation at Salesforce during a period of rapid growth. What did you learn about maintaining trust and transparency at that scale?
Laura Sawka:
A couple things. First, tone at the top is key. Prioritization of security and compliance has to start at the top and trickle down.
Second, the cybersecurity strategy has to connect to the business strategy. It can’t be on an island. CISOs need to clearly communicate how cybersecurity connects to business strategy and how mitigating cybersecurity risk helps mitigate business risk.
Security and compliance is also not a standalone function. It has to be integrated into the business. Integrate controls into business processes so they become part of the standard momentum of the company, not bolted on. You don’t want this to feel like a tax.
And partnership is critical. You need partners across engineering, finance, legal, and beyond. You have to work together to be successful.
Rajeev Raghunarayan:
Any specific examples you can share?
Laura Sawka:
I did a post recently that’s relevant. If you’re trying to influence someone who owns the execution but not the priorities, you may not get traction. You need to connect to the person who owns the priorities and explain why the fix will make their life better, or the customer’s life better. Once that business impact is clear, alignment happens.
Rajeev Raghunarayan:
We hear that on the vulnerability management side too. It’s not enough to say “fix this vulnerability.” If you explain the risk and impact, it changes the conversation.
Laura Sawka:
Absolutely. Risk should be the conversation starter, not “you have to do this for compliance.” Explain the operational impact if you don’t do it.
Rajeev Raghunarayan:
Operations is changing. AI and automation are changing what operations looks like. How is governance and assurance evolving in that context, and what does that mean for GRC leaders?
Laura Sawka:
The business is moving faster than ever. There’s pressure to adopt technology quickly so companies don’t feel left behind.
Security and compliance leaders need to support the business in achieving goals, while advising on risk. AI is a technology. We’ve gone through technology evolutions before: the internet, cloud computing. AI has unique risks, but the core approach is the same: use risk management and governance processes and adapt them to the technology.
Clarity on risks, how those risks change required controls, documenting those controls, embedding them into processes, and monitoring effectiveness on an ongoing basis. None of that is AI-specific.
You also need a risk culture so you can have trade-off conversations. The business should make risk-based decisions, with security leaders advising on the risk.
I see GRC evolving into a strategic advisor to the business, helping the business achieve goals securely and compliantly.
Rajeev Raghunarayan:
I’ll use a recent example. The Anthropic case is a negative example of how AI is changing the speed of attacks and automation. What lessons can we take from a security and GRC perspective? Attackers are adopting AI. How do you change processes when the other side is moving faster?
Laura Sawka:
That campaign validated that the threat landscape is changing. People expected it, but seeing it happen, and at that speed and sophistication, really lowered the barrier to entry for highly sophisticated attacks.
Things we might have thought would take days or weeks to exploit can happen in a fraction of the time at machine speed.
This requires leaders to rethink security controls and risk management processes. It reiterates the importance of preventative controls: make it more challenging to get in, move laterally, and escalate privileges.
On the detection side, it underscores the importance of automation. Manual processes won’t keep up with machine speed attacks.
And underlying everything is risk management: incorporate changes in the threat landscape into prioritization, and rethink long-standing controls where needed.
Rajeev Raghunarayan:
It’s interesting you talk about preventative and detective controls. That balance is becoming more crucial. Getting ahead of the problem and fixing issues to the left of the breach becomes critical. Do you agree?
Laura Sawka:
Yes. Detection controls are critical, and there are many attackers trying a single organization. But preventative controls are also critical to slow things down and get ahead of it. Finding the right balance is important.
Rajeev Raghunarayan:
Risk reduction is the goal. Many organizations are strapped for people, but boards and regulators still want evidence of risk reduction. How do leaders build assurance models that demonstrate progress without slowing innovation?
Laura Sawka:
I don’t think they are polar opposites.
First, communicate business impact. Leaders often communicate technical jargon that isn’t tied to the business, so it gets lost. You need to communicate how security investments support business objectives.
Second, if controls are built into processes, guardrails are integrated, and controls are automated, that enables faster innovation. It may require more upfront work, but once you have a solid foundation, those controls support innovation over time.
The crux is integrating controls into business processes. It’s not one or the other. It’s both.
Rajeev Raghunarayan:
So more automation, potentially more AI, and integrating tools into workflows to speed decision making.
Laura Sawka:
Yes. It may have a short-term slowdown, but a long-term speed-up.
Rajeev Raghunarayan:
If AI is taking on more decision making and operationalization, how does that change accountability and oversight?
Laura Sawka:
I don’t think it changes accountability. The business is still accountable for goals and objectives. Back-end functions support that.
Clarity on who owns what and who makes risk decisions helps. Then define requirements and guardrails, which may change over time as posture changes. Provide oversight on whether technology aligns to those requirements. That’s where continuous assurance comes in. But accountability and responsibility remain.
Rajeev Raghunarayan:
Guardrails could mean ensuring the right code gets into the system without expanding attack surface, or ensuring developers don’t change configurations that open new risk. Even with automation, you still need oversight.
Laura Sawka:
Yes, and checks in those processes to ensure enforcement. Preventative controls can flag and potentially block those situations.
Rajeev Raghunarayan:
How can governance create clarity for security and engineering teams to focus on the right risks, given overwhelming volume?
Laura Sawka:
It can be overwhelming. Vulnerability findings, third-party libraries, compliance issues, external requests. It’s hard to know what to prioritize.
The common theme should be risk management. Use a consistent approach to assess risk across vectors. Tie it back to business objectives. Some investments reduce more risk than others, and sequencing matters. Fixing root causes can be better than applying many band-aids.
Measurement matters too. Did it have the impact you expected? Are you hitting goals?
Doing this at scale is complex. Tools like Averlon that cut through noise and provide clarity on prioritization can help.
Rajeev Raghunarayan:
Programs can also lose traction between identifying risk and fixing risk. Where does that typically happen, and can governance tighten that loop?
Laura Sawka:
A common issue is: something gets identified, it goes into a ticketing system, but the owner is wrong and it sits. Or teams are overwhelmed by volume and unclear what to prioritize.
Governance can tighten this with clear expectations for risk assessment, clarity and reporting to maintain momentum, accountability, and a feedback loop with the business on friction points.
Technology can reduce friction by providing context, threat modeling insights to help prioritize, and validating remediation effectiveness.
Rajeev Raghunarayan:
That’s a perfect segue to a quick plug for Averlon. Identifying owners takes time. Getting context and modeling threats is hard. We help teams go from discovery to remediation and reduce the back-and-forth by delivering fixes closer to the developer workflow.
So: how can organizations ensure vulnerability management and remediation efforts align with governance priorities to truly reduce risk?
Laura Sawka:
There’s a clear linkage. Vulnerabilities are opportunities for threats to be exploited. Vulnerability management should be a top control for every organization.
You need clarity on outstanding vulnerabilities, the risks they present, the speed you can close them, and how long the window is open where threats can be exploited. Those are critical metrics to report, and they should be highlighted to leadership.
Rajeev Raghunarayan:
We started with trust gap, so we have to come back to it. How do you measure closing the trust gap?
Laura Sawka:
I’ll come back to risk. Communicate the organization’s risk appetite and current risk posture to leadership and the board. Communicate proposed investments and their impact on security posture.
Also show how things change over time as the threat landscape changes, and whether that accelerates changes needed in investments or control design.
Risk management is not an annual assessment. It’s continuous risk management. That includes assessing risk and threat modeling, and also evaluating control effectiveness. Over time, are controls mitigating risk effectively? Do they need redesign? Are they operating effectively? You need visibility into both the risk and the control effectiveness.
Rajeev Raghunarayan:
That’s a great point. Reporting communicates risk and helps leadership understand where to invest.
Risk management is a continuous process. Too often it becomes about producing a report for an upcoming audit. But risk management needs to operate as a daily business function. Controls can become ineffective over time. For example, moving from on-prem to cloud changes the risk narrative and control effectiveness.
Laura Sawka:
And you’re not doing these activities to check the box. That is not the intended outcome. You’re doing them to help the organization meet business objectives while managing risk to align to those objectives. That creates an ecosystem where you can demonstrate sustainable trust to customers and stakeholders. That’s what strategic GRC enables.
Rajeev Raghunarayan:
Startups are often hyper-focused on building, but customers ask: how do you manage my data? How do startups build minimum viable governance?
Laura Sawka:
It’s critical. Many organizations get caught focusing only on delivering a SOC 2 report to unlock an enterprise deal. But governance and risk management matter too.
It’s a big mistake to say “we’ll deal with that later.” Early is the time to prioritize foundational governance and risk so you set the right foundation.
That foundation includes a security program rooted in risk management, integrating risk into decision making, clarity of roles and responsibilities, and governance and oversight with key metrics.
From a technology standpoint, embed controls early into processes and CI/CD pipelines. Automate and continuously monitor control effectiveness, including automated evidence collection.
And the narrative matters. You’re doing this to create sustainable customer and stakeholder trust that supports long-term revenue growth. Strategic investments now set you on a better trajectory than trying to fix everything later.
Rajeev Raghunarayan:
Customer trust can be a competitive moat.
Last question. For GRC leaders looking to modernize GRC, what mindset shift do you recommend to build trust in an AI-driven world?
Laura Sawka:
GRC leaders should think of themselves as strategic advisors. Help the organization build security and compliance guardrails, and provide continuous assurance and visibility that the organization is meeting business goals to support sustainable customer trust.
A strategic approach to GRC, rooted in a clear strategy connected to the business, supports sustainable growth that scales with business needs. That’s a shift away from check-the-box compliance. Embracing it sets you on the right trajectory.
Rajeev Raghunarayan:
Fantastic. Appreciate that, Laura. I’m going to wait a moment to see if there are questions.
There are a couple questions that came in. First: do you see governance and risk functions getting equally prioritized within large enterprises at the same level as compliance? If not, how do you recommend GRC leaders make the case?
Laura Sawka:
It depends on the organization: industry, compliance certification needs, product complexity.
Risk management and governance are foundational pillars that support compliance outcomes and need to be invested in. You can’t have a three-legged stool with one leg missing. It all has to work together.
Governance and risk support compliance outcomes. Sometimes compliance is a driver to invest, but you’re not doing governance and risk just for compliance. You’re doing it for better outcomes overall.
There’s also a technology investment needed. If you embed controls into processes, you get good governance, good risk management, and the compliance outcomes an organization is looking for.
Rajeev Raghunarayan:
A point you made there was the three-legged stool: governance, risk, and compliance. If one leg is too long or missing, the stool doesn’t work effectively. And governance and risk feed into compliance. Compliance isn’t standalone, even though many people focus on SOC 2.
Second question: what’s the potential for AI to enhance governance and risk functions, much like it has for evidence collection and evaluation? How does AI enhance that?
Laura Sawka:
There are many use cases for AI and automation throughout GRC. I think about it in two parts: the control environment, and how GRC operates on that control environment.
There’s a strong use case for control automation: implementing controls, monitoring them, and proving they operate on an ongoing basis.
On the GRC operations side, AI can help with policy creation, enforcement, and compliance mapping across regulations. There are many use cases.
This is critical data, so the data used needs to be clean and governed. And for critical decisions, you want a human in the loop.
Technology will enable GRC teams to become strategic advisors instead of being caught in administrative burden.
Rajeev Raghunarayan:
Thanks. And I think that’s all we have time for today. Laura, thank you so much for sharing your experience and perspectives. Thank you to everyone who joined us today.
At Averlon, our focus is helping teams go from discovery to remediation and close that loop as quickly as possible so organizations can reduce risk faster and gain more transparency in the age of AI.
Laura, I appreciate you spending time with us and helping deliver this webinar. If today’s discussion was useful, we’d love for you to stay connected with Averlon. Laura also has Sawka Advisory Group. Follow her for more insights.
Once again, thank you Laura, and thank you everyone for joining today. Have a great day and happy holidays.