Recent research from AutoBandit reveals that the most advanced organizations are six times more likely to leverage AI across multiple governance, risk, and compliance (GRC) functions to manage some of the most critical risks they face.
This finding highlights a fundamental transformation across industries: compliance is no longer merely a reactive process designed to meet regulatory minimums. Instead, forward-thinking organizations are discovering that strategic GRC implementation becomes a competitive advantage, enabling them to innovate faster while maintaining robust risk management and regulatory adherence.
This shift signals a new era where governance frameworks actively support business objectives rather than constrain them. Organizations that successfully bridge this gap position themselves to capitalize on emerging technologies while building stakeholder trust and operational resilience.
Sahil Dhir, Senior Risk and Security Manager at Amazon and architect of Illinois’ Digital Transformation Act program, offers unique insights into how businesses close this compliance gap. With over 14 years of experience implementing enterprise-wide GRC platforms, Dhir has witnessed firsthand how organizations transform compliance challenges into strategic opportunities.
His perspective draws from Fortune 100 enterprise experience and public sector innovation, providing a comprehensive understanding of how businesses can align GRC with fast-moving AI innovation to achieve sustainable competitive advantages.
Conversations with Sahil Dhir
Q: What is compliance in a business setting? What is the role of GRC in this?
Sahil Dhir: Compliance in a business setting refers to the organizational commitment to operate within the boundaries of legal, regulatory, and internal policy requirements. In my work, it means ensuring that every technology created and implemented meets applicable standards set by government bodies, industry groups, or internal corporate governance rules. When compliance functions well, it not only protects an organization from costly fines and reputational damage but also reinforces trust with stakeholders and partners.
GRC is an integrated framework that integrates oversight, risk assessment, and compliance monitoring into a unified system. Through GRC, we ensure compliance is not an isolated or reactive task but one integrated throughout decision-making and operational processes.
Q: Why is this important in the context of AI implementation?
Sahil Dhir: The stakes for compliance are heightened in the context of AI implementation because AI introduces unique complexities and risks. AI systems often make autonomous decisions, process vast quantities of sensitive data, and evolve through machine learning, factors that can easily lead to regulatory breaches if not tightly governed. For example, AI can inadvertently introduce algorithmic bias, violate privacy laws, or generate outcomes that challenge explainability and auditability.
A strong GRC framework becomes essential as organizations deploy AI at scale. GRC offers clear risk assessment and monitoring protocols during the AI development lifecycle, from model training to deployment and ongoing refinement. It ensures compliance requirements—such as transparency, fairness, and accountability—are built into the foundation of AI initiatives, not retrofitted after problems arise.
Q: What is the compliance gap that organizations fill today? How is it different from before?
Sahil Dhir: Today’s compliance gap fundamentally differs from what we faced five years ago. Historically, the gap was primarily about keeping up with established regulations; organizations knew what the rules were, they just struggled with implementation due to resource constraints, manual processes, or organizational silos. It was a matter of catching up to known requirements.
Today’s compliance gap is far more complex and dynamic. Organizations are dealing with emerging technologies like generative AI, quantum computing, and distributed cloud architectures that evolve faster than regulatory frameworks can address them. The gap isn’t just about implementing known standards; it’s about operating in a space where the rules themselves are still being written.
Another critical difference is the nature of the risks themselves. Traditional compliance gaps typically involved data breaches, financial reporting errors, or privacy violations, risks we understood and had established mitigation strategies for. Today’s compliance gaps include algorithmic bias, AI explainability, model drift, and ethical considerations around automated decision-making. These are fundamentally new risk categories that require entirely different approaches to governance and oversight.
Q: What challenges do organizations face when aligning GRC with AI deployments?
Sahil Dhir: What makes this particularly challenging is the speed of technological adoption. Before, organizations had time to assess, plan, and implement compliance measures. Now, business units deploy AI-powered tools in weeks or even days, often before compliance teams know these technologies are in use.
The problem is that many AI models operate as black boxes, making explainability and auditability difficult. Organizations are also often unprepared for the risk of algorithmic bias and evolving privacy requirements.
Q: How do you overcome these challenges to achieve successful GRC implementation?
Sahil Dhir: Overcoming the challenges of aligning GRC with rapid AI deployments requires a strategic, structured, and collaborative approach. First and foremost, organizations must embed GRC into the innovation process from the earliest stages, not as an afterthought once systems are live.
This starts with cross-functional engagement: leadership must sponsor the initiative, while legal, audit, compliance, and technology teams should work together to ensure new AI models and applications meet regulatory expectations and ethical standards. It’s critical to establish clear governance protocols and risk checkpoints during every phase of AI development, data sourcing, model design, deployment, and ongoing monitoring, so accountability and auditability are built in.
Q: Drawing from your experience at Amazon and Illinois’ Digital Transformation Act program, what strategies have proven effective in closing this compliance gap?
Sahil Dhir: I’ve learned from large-scale projects, like Illinois’ Digital Transformation Act program and global initiatives at Amazon, that successful GRC implementation means starting with pilot projects to demonstrate value and refine processes before scaling. Robust role-based training addresses knowledge gaps and enables stakeholders to understand their obligations.
Leveraging automation is also essential: advanced tools for continuous monitoring and real-time compliance alerts would allow organizations to keep pace with fast AI iteration, flagging risks before they escalate. Above all, adaptability is key. GRC frameworks must be living systems, reviewed and improved as technology and regulations evolve, so that governance actually enables innovation instead of holding it back.
Q: How did you measure the success of these strategies?
Sahil Dhir: At Illinois, we benchmarked success with audit pass rates, risk incident reduction, and stakeholder survey feedback. Before modernization, only 23% of agencies could provide comprehensive risk profiles; coverage rose to over 85% after implementing standardized controls. At Amazon, audit duration per business unit dropped by 30% after rolling out an enterprise-wide GRC platform and introducing automated compliance alerts.
We tracked not just adoption, but recurring policy adherence, the volume of proactively flagged risks, and reductions in time required to close compliance gaps. These outcome-driven metrics made improvement tangible for leadership and reinforced stakeholder buy-in across business functions.
Q: How did Illinois agencies’ compliance and security metrics change after implementing the Digital Transformation Act program?
Sahil Dhir: Through the Illinois Digital Transformation Act program, each agency received customized modernization roadmaps that addressed their specific operational needs while aligning with statewide security objectives. This approach provided standardized and flexible GRC policies that led to consistent oversight while accommodating diverse operational requirements.
The transformation also led to comprehensive training programs that addressed skill gaps across different agencies. These role-based trainings ensured that personnel at all levels understood their responsibilities within the new framework, fostering a culture of accountability and shared ownership in risk management.
Q: What are the immediate benefits when businesses fill these compliance gaps?
Sahil Dhir: Organizations that proactively address gaps in their GRC frameworks lower their vulnerability to costly incidents, regulatory penalties, and data breaches. Real-time monitoring, automated controls, and standardized procedures mean security risks and compliance issues are detected and resolved faster, minimizing financial exposure and reputational harm.
With the Illinois Digital Transformation Act program, stakeholders experience more seamless workflows, reduced bottlenecks, and faster approvals for new projects and technologies, allowing innovation to progress without unnecessary delays. This has resulted in improved retention rates, easier market access, and smoother audit processes.
Q: What could be the costs when organizations deploy AI without adequate GRC frameworks?
Sahil Dhir: The costs of deploying AI without a robust GRC framework are substantial and multifaceted. Recent data shows that 81% of IT leaders report that data silos not only create operational inefficiencies but also weaken critical security functions such as threat detection and incident response. Perhaps more alarming, 70% of organizations experiencing significant data silos suffered a security breach directly attributable to fragmented oversight and a lack of unified governance.
From a financial perspective, non-compliance with AI-related regulations can be profoundly expensive. Under the EU Artificial Intelligence Act, penalties for violations are severe: organizations can face fines of up to 35 million euros, or 7% of global annual turnover, for the most serious infractions. Even less critical failures, such as neglecting to follow required compliance procedures, might result in fines reaching 15 million euros or 3% of global turnover.
Beyond legislative risk, there are significant operational costs—so-called “shadow AI” deployments, where business units deploy tools without proper compliance oversight, often result in technical debt that costs three to five times more to fix retroactively than if governance had been integrated from the beginning.
Ultimately, the price of neglecting GRC isn’t only measured in fines and breaches, but in lost trust, mounting remediation costs, and missed opportunities for safe, sustainable innovation.
Q: What are some common misconceptions organizations have about GRC in the age of AI?
Sahil Dhir: One of the biggest misconceptions is that GRC slows down or hinders innovation, when in reality, a well-implemented GRC program often accelerates it by providing organizations with the clarity and confidence to move quickly and responsibly. Far from being just a regulatory hurdle, GRC can lead to sustainable innovation, risk-aware decision-making, and long-term value creation.
Many organizations also mistakenly believe that GRC systems, once set up, are static. In reality, continuous review, testing, and refinement are essential to ensure frameworks keep up with new technologies and shifting regulations. Organizations that fail to make GRC an established process end up exposed, either missing critical risks or finding themselves out of step with fast-changing expectations.
Q: How can organizations balance the need for innovation speed with regulatory compliance and risk management?
Sahil Dhir: Organizations should embed compliance principles into the lifecycle of their AI solutions, from ideation through design, development, deployment, and continuous monitoring, so safety and transparency are not afterthoughts but core features. This means conducting early and ongoing risk assessments, incorporating privacy by design, and prioritizing explainability and fairness in AI models.
Collaboration across technical, legal, and compliance teams is also critical; innovation and risk management cannot exist in isolation. Without broad input, risks inevitably fall through the cracks. Clear governance frameworks, tiered by risk level, allow organizations to accelerate low-risk projects while applying intensive oversight to sensitive initiatives.
Automation and real-time compliance tools help keep pace with technology and flag potential issues before they escalate. Instead of waiting for perfect clarity in regulations, agile organizations build frameworks that adapt as the business and regulatory landscapes shift.
Q: What advice would you give to organizations just beginning to align their GRC strategy with AI-driven transformation?
Sahil Dhir: Start now and start small. Pilot GRC controls in one business unit, learn and adapt, then scale organization-wide. There’s no advantage in waiting for perfect regulations or frameworks; agility and continuous improvement are vital in AI.
GRC Implementation Redefined
Consistency is not only essential for compliance. It elevates risk management to a strategic, transformative function. Organizations that invest in reliable and sustainable GRC today are safeguarding their future, securing stakeholder confidence, and setting the pace for responsible growth in a digital world where the stakes have never been higher.
Guided by the experience and foresight of leaders like Sahil Dhir, organizations are reimagining compliance not as an obstacle but as a foundation for responsible and resilient innovation. Rigorous and adaptable GRC, shaped by practical wisdom and automated precision, will close the compliance gap for tomorrow’s digital enterprises.