Every vendor on every panel right now is saying “agentic.” But most can’t explain what actually changes when you stop treating GRC like a filing cabinet and start treating it like a live system.
Maril Vernon, a former red teamer turned GRC engineering evangelist at Anecdotes, has been on both sides. She spent years breaking the controls that GRC teams swore were working — same findings, same gaps, different quarters. Now she’s building agents to fix that cycle.
What makes an agent different from old-school automation? Three things: it acts on conditions instead of schedules, it works against your program’s actual state instead of last quarter’s screenshot, and it chains decisions together instead of dumping rows into a report.
Vernon walks through a concrete example using Anecdotes Agent Studio. Say you want to monitor ISO 27001 control A.8.5 for MFA enforcement. You write the instruction in plain English — the agent checks your identity provider for current MFA policy, compares it to your baseline, and if any group has fallen out of enforcement, it opens a finding and assigns remediation to the IAM owner. Each step lands in a timestamped execution log.
That log is the key. It captures the trigger, the data read, the comparison run, the decision reached, and the action taken. It’s reconstructable, auditable, and doesn’t require taking the agent’s word for anything.
The hard part isn’t the tech. It’s trust. Give agents least privilege, gate consequential actions behind humans, and plan for the model being wrong — because a non-deterministic model sometimes will be.
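As an added illustration (not Anecdotes Agent Studio code, and not from the article), here is a minimal Python sketch of the A.8.5 check described above, together with the execution log it should leave behind and a human gate on the consequential step. The IdP snapshot, group names, owner label and the `approve` hook are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed identity-provider snapshot (not a real IdP API): group -> current MFA policy.
IDP_SNAPSHOT = {
    "engineering": {"mfa_enforced": True},
    "finance": {"mfa_enforced": False},      # has drifted out of enforcement
    "contractors": {"mfa_enforced": True},
}
# Baseline the agent compares against: every group listed here must enforce MFA.
BASELINE = {"engineering", "finance", "contractors"}


@dataclass
class ExecutionLog:
    """Timestamped record of each step so a reviewer can reconstruct the run."""
    entries: list = field(default_factory=list)

    def record(self, step, **detail):
        ts = datetime.now(timezone.utc).isoformat()
        self.entries.append({"ts": ts, "step": step, **detail})


def check_mfa_control(snapshot, baseline, trigger="idp_policy_changed",
                      approve=lambda finding: False):
    """One condition-triggered evaluation of the MFA baseline.

    Returns (findings, log). Opening a finding is automatic; assigning
    remediation is the consequential action and is gated behind approve(),
    which stands in for a human reviewer and defaults to declining.
    """
    log = ExecutionLog()
    log.record("trigger", source=trigger)
    # Read step: only read scope on the IdP is needed (least privilege). A group
    # the IdP did not report is treated as NOT enforced (fail closed), not assumed fine.
    observed = {g: snapshot.get(g, {}).get("mfa_enforced", False) for g in baseline}
    log.record("read", observed=observed)
    drifted = sorted(g for g, enforced in observed.items() if not enforced)
    log.record("compare", baseline=sorted(baseline), drifted=drifted)
    log.record("decision", result="drift" if drifted else "compliant")
    findings = []
    for group in drifted:
        finding = {"control": "ISO 27001 A.8.5", "group": group,
                   "owner": "iam-owner", "status": "open"}
        finding["remediation_assigned"] = bool(approve(finding))  # human-gated
        findings.append(finding)
        log.record("action", finding=finding)
    return findings, log
```

Running `check_mfa_control(IDP_SNAPSHOT, BASELINE)` opens one finding for `finance` and leaves a five-step log (trigger, read, compare, decision, action) that can be replayed without trusting the agent's summary.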
