The Agentic GRC Revolution

Rethinking legacy GRC through AI agents, autonomous workflows, and continuous assurance

In this episode, we sat down with Richa Kaul, Founder and CEO of Complyance, the AI-native enterprise GRC platform that recently raised a $20M Series A led by Google Ventures and counts Dropbox, Major League Soccer, CVS Health, and other Fortune 500 brands as customers.

Richa brings a rare blend of perspectives to this conversation. She started her career on the policy side at McKinsey and the Commonwealth of Virginia, working on everything from drone privacy to autonomous vehicle policy, then moved into tech as Chief Strategy Officer at a legal tech company where she felt firsthand the impact of the regulations she had helped shape.

Complyance is her answer to the question of how you let companies meet their regulatory obligations without burning the resources that should be going toward real security work.


Prefer to Listen?

Apple Podcasts

Spotify

Be sure to leave a review and subscribe!


  • Why the GRC market has a wide-open white space in the upper-right corner of the matrix, where enterprise customers meet truly agentic AI, and why the legacy incumbents and the modern startup-focused platforms have both missed it

  • The legacy GRC practices still running by default in large enterprises today, and why even with agents in production, mature enterprises still want a final human check before the auditor sees anything

  • How AI is letting enterprises leapfrog the technological waves they sat out, including the cloud-native, API-first, and automation eras that GRC largely missed

  • Why the GRC workforce conversation should not be about replacement, including a customer anecdote from Northeast Georgia Health System where AI agents are letting the security leader hire more junior analysts because the agents themselves carry the domain expertise and train the team

  • How Complyance navigates the SOC 2 commoditization and rubber-stamp crisis by drawing a hard commercial line, never selling external audits, never pushing audit partners, and never letting their agents touch the external assessment of controls

  • The “pane of glass” model for the auditor relationship, where internal AI agents and external assessor AI agents operate independently on each side, with humans signing off on both

  • What agentic GRC actually unlocks beyond the prior wave of integration-based continuous monitoring, including qualitative human-like assessments that catch scope drift, incomplete evidence, and gaps that red light / green light integration checks will never find

  • How Complyance architects against hallucination by running a multi-agent design where each agent has blinders on and operates only on the micro use case it has been assigned, with tight inputs producing tight outputs

  • A new approach to framework sprawl that flips the model, where instead of being reactive to thirty overlapping frameworks, organizations get proactive about their actual policies and let the agent map evidence into the relevant controls automatically

  • Richa’s five-year vision for the industry, and why she calls agentic AI the biggest transformation GRC has ever seen, with teams finally shifting from reactive fire drills toward building security culture and getting a real grasp of organizational risk
