The Bhairav Show

IT GRC, DORA, Compliance Automation, and AI Agents with Julian Schwarzkopf

With Julian Schwarzkopf

Episode 20PodcastJuly 8, 2026
IT GRC, DORA, Compliance Automation, and AI Agents with Julian Schwarzkopf cover image
See on YouTube

Episode Summary

In this episode of The Bhairav Show, Suhas Bhairav speaks with Julian Schwarzkopf, Founder of a stealth IT GRC startup, former Trade Republic CISO, and former KPMG security and compliance expert, about IT GRC, DORA, ISO 27001, audit readiness, compliance automation, security risk management, and the role of AI agents in regulated companies. The conversation begins with Julian’s journey across consulting, banking, security leadership, and entrepreneurship. His experience at KPMG and Trade Republic gives him a practical view of how compliance works inside regulated environments, and why many teams still experience governance, risk, and compliance as a painful administrative burden rather than as a useful operating system for security and resilience. A central theme of the episode is the classic audit deadline problem. Many organizations treat compliance as a last-minute project. As an audit approaches, teams stop their normal work, collect screenshots, chase evidence, update spreadsheets, search through policies, and try to prove that controls were performed. Julian and Suhas discuss why this pattern keeps repeating inside regulated companies, especially when compliance tools are disconnected from real systems, workflows, and operational evidence. The episode explores the idea of continuous compliance. Instead of waiting until an annual audit to assemble proof, companies can design systems where evidence, control status, ownership, risk decisions, and audit readiness are maintained continuously. This requires better workflows, clearer ownership, integrations with operational systems, and tooling that reflects how security and compliance work actually happen. Continuous compliance is not simply about storing documents. It is about making compliance a byproduct of day-to-day operations. Julian and Suhas also discuss what it takes to build an Information Security Management System from scratch in a fast-growing regulated company. An ISMS is not just a collection of policies. It requires risk management, control design, roles and responsibilities, evidence processes, leadership alignment, security awareness, monitoring, review cycles, and continuous improvement. The conversation highlights the danger of creating a document factory where teams produce policies and evidence for auditors but fail to improve real security outcomes. The episode then moves into DORA and regulatory pressure in Europe. DORA has increased attention on ICT risk management, operational resilience, incident reporting, third-party risk, testing, governance, and oversight for financial and regulated companies. Julian and Suhas discuss what DORA changes for security, IT, compliance, and leadership teams, and why the transition from previous regulatory frameworks such as BAIT to DORA can be difficult for organizations. Regulatory change is not only a legal or documentation challenge. It affects operating models, vendor management, incident processes, resilience planning, executive accountability, and how technology risk is managed across the organization. Another major theme is why existing GRC tools often disappoint teams. Many tools are designed around policy storage, manual evidence upload, static control libraries, and audit workflows rather than the real operating needs of security, engineering, compliance, and leadership teams. They may help create a central repository, but still leave teams chasing evidence manually, duplicating work, and operating disconnected from the systems where controls actually run. Julian explains why modern IT GRC needs to be more integrated, workflow-oriented, and useful for operating teams rather than only serving auditors. The conversation then explores where AI agents and automation can genuinely help in IT GRC. AI can assist with evidence collection, control mapping, policy summarization, gap analysis, risk assessment support, audit preparation, vendor review, and explaining compliance status to different stakeholders. For example, an AI-assisted compliance system could gather evidence from cloud systems, identity providers, ticketing tools, document repositories, and vendor records, then summarize what is missing or outdated. However, Julian and Suhas also discuss where teams need to be careful. In regulated workflows, AI should not independently approve controls, make final compliance decisions, classify serious incidents without review, accept vendor risk, or write policies that go into effect without human oversight. AI should support judgment, not replace accountability. Evidence collection is examined as one of the most concrete pain points in compliance. Much of audit work involves proving that something happened: access reviews were performed, incidents were handled, vendors were assessed, risks were reviewed, controls were tested, and policies were approved. AI and automation can reduce friction by connecting to source systems, identifying relevant evidence, summarizing changes, and flagging gaps before audit time. This can make compliance less painful and allow security teams to focus more on risk and less on repetitive documentation. The episode also covers security risk management. Julian and Suhas discuss how companies can make risk management practical rather than theoretical. Security risk management should not be a static spreadsheet exercise. It should help teams prioritize work, communicate trade-offs, understand impact, assign ownership, and make better decisions. Frameworks such as ISO 27005 and NIST can provide structure, but the value comes from using risk management to guide action rather than merely satisfying a compliance checklist. Third-party vendor risk is another important topic. Regulated companies increasingly depend on cloud platforms, SaaS tools, outsourcing providers, AI vendors, and external technology partners. This creates risks around data protection, concentration, resilience, subcontractors, access, compliance posture, incident response, and business continuity. Julian and Suhas discuss how regulated companies should evaluate vendor risk in a world where external technology providers are deeply embedded in business operations. The conversation also connects GRC with business continuity and operational resilience. Compliance is not only about passing an audit. It is also about ensuring that critical services can continue during disruption. Business continuity, incident response, resilience testing, dependency mapping, and third-party oversight are now central concerns for regulated organizations, especially under frameworks such as DORA. The episode explores how the role of the CISO changes as a company grows from startup stage into a heavily regulated financial institution. Security leaders must balance speed and control, communicate risk to leadership, build scalable processes, support product and engineering teams, prepare for audits, and avoid becoming a blocker. This requires both technical depth and organizational skill. Julian and Suhas also discuss compliance as product. Instead of treating compliance tooling as a repository for policies and evidence, modern GRC systems should be designed around user workflows, collaboration, integrations, status visibility, audit readiness, and decision support. Good compliance tooling should help teams work better, not only help auditors review documents. The episode concludes with a discussion about how regulated companies should approach AI adoption. Organizations in financial services and other regulated sectors already face heavy requirements around security, auditability, outsourcing, data protection, and operational resilience. AI adoption therefore requires careful governance, clear use cases, risk assessment, human oversight, access control, monitoring, and accountability. The strongest message of the episode is that compliance should become less of a last-minute burden and more of a continuous, useful, and operationally embedded discipline. AI agents and automation can help reduce manual work and improve visibility, but in regulated environments, human responsibility, governance, and trust remain essential.

IT GRCDORAISO 27001Compliance AutomationContinuous ComplianceAudit ReadinessInformation Security Management SystemAI Agents in ComplianceEvidence CollectionSecurity Risk ManagementThird Party Vendor RiskOperational ResilienceResponsible AI in Regulated Workflows