Our Artificial Intelligence (AI) strategy
By Co-Founder and CPO, Rich Eddolls

1.0 Introduction
CoreStream GRC rarely publishes targeted strategy documents. But then there are rarely moments like the current adoption of Artificial Intelligence (AI) that have the potential to revolutionize the way we work, and even how we live our lives.
This guide intends to outline CoreStream GRC’s strategy for adopting Artificial Intelligence across the various GRC processes we digitize for clients. How we (safely) adopt AI for internal operations, or our AI GRC offering that helps clients manage the risks of their wider AI adoption, are not considered. How we use AI internally is governed by a dedicated policy.
There is no doubt that the correct adoption of AI has the potential to make our clients more efficient and effective, but it is also inherently risky and potentially puts data, processes, and even decision-making at risk. That risk is increased if adoption is not controlled effectively. CoreStream GRC blends advice and technology to ensure our clients and partners achieve the benefits of technology whilst minimizing the risks.
2.0 How we set our GRC Platform strategy
The objectives of the CoreStream GRC Platform have been a constant since our inception. We aim to be the preferred and trusted GRC platform for enterprises worldwide by delivering intuitive, flexible solutions that drive efficiency and value, their way.
Whilst these objectives are truly unobtainable (we can always be more flexible, more intuitive), we aim to move a little closer each day. We achieve this by listening. We listen to clients, partners, and employees to understand what developments they believe move us in the right direction.
Setting our AI strategy has been no different. We have listened to the market and responded accordingly. We have heard that clients want to adopt best of breed AI, but in a way that mitigates the potential risk and ultimately protects their organization.
Prior to setting our AI strategy, we consulted with our client, analyst, and partner community to understand their views on the direction of AI. The consultation aimed to gain insight into how they would utilize AI across their GRC programs and how their IT function (or similar governance groups) viewed AI within GRC tooling.
Something as polarizing as AI meant there was a wide spectrum of responses, but the general theme was that where an organization was mature enough (78% of organizations are now using AI regularly according to Forbes in 2025) to use AI and embed it within their (GRC) processes, there was still a reluctance to have the AI built into Software-as-a-Service (SaaS) solutions in general.
The basis for this reluctance is the increased scrutiny required to effectively evaluate AI models when procuring SaaS solutions. This is both in terms of the AI’s ability to deliver the target benefits, and to understand and mitigate the risks associated with its usage. Clients and partners also cited wanting to be able to select the AI they were to adopt rather than have it determined by their choice of GRC platform.
A number of organizations with this articulation have invested in AI, built their own environments, put in place their own models or ringfenced Large Language Models (LLMs) on their own network. There was a resounding preference for us to use this form of AI as they had already invested in implementing, securing and maturing (“teaching”) their models. In this way, their use of AI could potentially become their own competitive advantage through leveraging unique benefits not available to their competitors.
3.0 CoreStream GRC’s use of AI to date
It is not an objective of CoreStream GRC to follow the herd and do what other technology vendors are doing, simply due to technological advancement. This implies introducing technology for technology’s sake rather than prioritizing based on actual business benefits. At CoreStream GRC, we challenge and practice ‘considered’ innovation, ensuring it has a purpose and is always aligned with serving our clients with what they want, their way.
In 2022, CoreStream GRC acquired Atreides Ltd, an AI company with a capability to assess how controls were defined. This automated assessment of the “What, When, How and Who” provided demonstrable value to clients utilizing CoreStream GRC. It helped manage and implement local instances of their control frameworks and provided automated feedback on the effectiveness of decentralized controls within their businesses. It was the benefits of this that were important, not simply because it was using AI.
The next milestone was our integration with ChatGPT to demonstrate how AI could be utilized by CoreStream GRC to short-cut tasks and aid idea generation. Developed in the typical CoreStream GRC (flexible) way, the feature uses text provided by the end user to provide a series of suggestions. One example is the suggestion of actions or controls for a given risk description. Another suggests testing steps based on a control description.
This implementation was about showing existing and prospective clients our direction of travel. We did not expect clients to be comfortable submitting their data to ChatGPT for it to make such suggestions. However, this laid the foundations for future usage, given the generic style of implementation, as we were able to apply it to different use cases and implement it with different AI models. In 2024, the ChatGPT element was replaced by a client-specific Azure OpenAI instance for a specific implementation. This alleviated data privacy concerns and unlocked new possibilities for the client to safely integrate AI into their CoreStream GRC Platform use cases.
At this point, it is important to note that the AI integrations carried out to date have been configured for specific use cases (as requested by our clients) and not embedded into the core platform. The use of AI is an option, and those clients wishing to ringfence CoreStream GRC from AI capabilities are still able to do so. Delivering on our promise as the GRC platform that truly works for you!
4.0 CoreStream GRC’s AI strategy
- We are AI agnostic, preserving the platform’s flexibility that defines our client experience.
- We integrate best-in-class AI technologies based on client preferences, partner insights, and our own market research.
- We deliver the benefits of a wide range of AI models and stay aligned with their rapid evolution.
- We design our platform without fixed AI components to make onboarding more efficient and to give clients control over if and when they adopt AI.
As Winston Churchill said, “the farther backward you can look, the farther forward you are likely to see”.
The CoreStream GRC AI strategy is aligned with our origins and the heart of who we are. We named ourselves CoreStream GRC because:
Core: the part of something that is central to its existence
Stream: run or flow in a continuous current in a specified direction OR transmit or receive (data) as a steady, continuous flow.
As is evident in the success of our Third-Party Risk Management (TPRM) strategy, clients value CoreStream as the backbone of their GRC ecosystem. Our focus has been on making CoreStream GRC easy and seamless to integrate with, whether the system we are connecting to is a modern API powered technology or a legacy application that requires file-based integrations. The reasons for the success align with the benefits section below, but ultimately, it has allowed true flexibility to clients and has meant that adopting CoreStream GRC has not required them to move away from other trusted providers, such as those providing data (adverse media, sanctions list, financial information, cyber vulnerabilities) for their TPRM programs. Instead, CoreStream GRC can integrate with those data providers to automate checks that were previously performed manually and centralize the repository of third parties, assessed across multiple risk domains.
Our AI strategy is aligned with this. Using the power of our integration capability, we are looking to continue to be the “GRC backbone”, integrating with AI services from best-of-breed partners and those favored by clients for their specific use cases. Where CoreStream GRC is the provider of that AI (such as our control evaluation capability), this too is provided as an external service that a given client instance of CoreStream GRC may choose to integrate with. This ensures that AI is not “baked in” to each client instance and avoids the additional information security, data privacy and wider AI risk assessment rigor.
In adopting this strategy, AI becomes an integration and interface solution to CoreStream GRC, rather than a race to provide the best of breed AI ourselves. It allows us to focus on our core competencies and do what we do best. We trust that those we partner with in AI will do the same.
There are multiple benefits associated with the “GRC backbone” strategy, a number of which are ratified by the success in our data-provider-agnostic Third Party Risk Management approach. These are now considered in the context of AI.
4.1 Ensuring we continue to deliver best of breed
This is critical to CoreStream GRC. We strive to deliver best-of-breed in everything we do, but doing so by independently delivering the full GRC ecosystem is an almost impossible task. AI-focused organizations are specialists, investing billions of dollars each year. This is not something we can or should compete with. Instead, we should ensure we are in a position to easily, rapidly, and seamlessly integrate with the services they are providing. This helps ensure our client base can continue to benefit from best-of-breed, even in an area as competitive as AI.
We also recognize that what is considered best of breed is somewhat subjective; data providers, clients, and partners have opinions on what they consider best of breed for their specific use case. Being AI-provider-agnostic allows us to flex to these preferences to ensure that we’re the GRC platform that truly works for you. GRC without compromise.
4.2 Accelerated delivery
The pace of change and the level of investment in AI are unparalleled. What was revolutionary only a year ago may now be dated. Integrating AI in the way described allows us to respond to developments in the market, seamlessly replacing one AI capability with another through menu-driven configuration. This accelerates delivery considerably when compared to an approach where we are attempting to develop the AI itself.
4.3 Making AI optional
Whilst the benefits of AI are well recognized, there are also considerable risks. From our client and partner conversations, it is evident that the preference is not to have AI “baked in” to the GRC Platform. This approach would require additional scrutiny from information security, data privacy and IT risk teams, even where the AI is not utilized by a given client. It is important that we offer AI services but that we can ringfence the platform from it for clients who have a heightened risk posture.
4.4 Support for partner and client AI models
CoreStream GRC works with some of the largest organizations in the world, many of which have their own internal AI teams, delivering models specifically trained and refined on their data. Our approach allows for these models to be rapidly integrated with CoreStream GRC. In addition to those provided or sourced by clients and partners, CoreStream GRC will continue to evaluate what is available to ensure that we remain well placed to advise our community. Where the perceived value is high, or the user experience is different to existing usage, we will continue to deliver proofs of concept in this space to demonstrate value.
4.5 Continued focus on core competencies
Alongside quality, CoreStream GRC is best known for the flexibility and intuitiveness of our solutions, delivering rapid time to value. This is largely due to our relentless focus on these differentiators since our inception.
Adopting an integration-based approach to providing AI allows us to retain our focus on these core competencies. The challenge becomes how easily we can integrate and how intuitive we can make the user experience, rather than a challenge to develop and train the AI itself. We firmly believe this is what we are best at, and it is why clients choose to work with us.
4.6 Organizations require more than generic AI
The major AI companies are recognizing the need to support AI adoption with the appropriate digital transformation. Commoditized AI models will not solve the challenges and deliver the value demanded by Enterprises. As a result, they are setting up services businesses to fine-tune models and embed them effectively into workflows.
This move demonstrates that a one-size-fits-all approach to AI is not what enterprise organizations require. They require the right AI for their use case, for how their processes operate, and for the systems they use. They need it set up the way they want it to work.
CoreStream GRC has grown through blending advice and technology, and our AI strategy enables us to continue on this path. We are able to analyze a given client requirement and provide advice on the combination of how (and which) AI best aligns with the optimal workflow. We offer expert-led workshops in this, where we review your current program, confirm your objectives, and map out your roadmap ahead.
4.7 Retaining the option to provide CoreStream GRC AI
Deploying an architecture that uses AI as an external service means that we are an agnostic, external AI provider and retain the ability to “plug in” any AI functionality provided by CoreStream GRC in the future. This is important to future-proof our approach, in case we identify specific use cases that are not currently provided by the plethora of specialist AI companies.
5.0 The AI use cases
“AI is more profound than electricity or fire.” Google CEO, Sundar Pichai.
CoreStream GRC has already established a number of partnerships with AI providers, but in the spirit of remaining AI-agnostic, this strategy paper considers use cases we have identified, rather than which specific provider may enable them. These use cases are based on our ideas from our expert-led team, as well as extensive conversations with clients and partners. Needless to say, the AI providers we work with will be held to the standards we hold ourselves to in the areas of quality, security, and benefit realization.
Given the importance of information and decision-making associated with GRC content, it is our view that AI is most appropriate when used to make human activities and decision-making more efficient and effective. This includes automating previously burdensome tasks, prompting users to consider options they may not have considered, and identifying insights. As AI matures (and, perhaps more importantly, GRC professionals’ confidence in it increases), this may change, but at this stage, AI supplements human activity rather than replacing it. Our aim has always been to help GRC professionals move away from the cumbersome manual tasks and instead give them time back to focus on strategic value-based GRC activities and outputs. AI is a helpful tool to enhance this.
Due to the configurable nature of the CoreStream GRC platform and the range of GRC processes we support, the use cases are wide and varied.
Examples include:
| # | Use case | Target benefit | Most applicable processes |
| --- | --- | --- | --- |
| 1 | To evaluate the effectiveness of a control description | Efficiency | Controls, Risk |
| 2 | To utilize a control description to form a test plan | Efficiency | Controls, Risk, Audit |
| 3 | To suggest actions or controls based on a risk description | Idea generation | Risk |
| 4 | To suggest remedial and improvement actions based on an incident description | Idea generation | Incident, Risk |
| 5 | To review an audit scope and return objectives | Idea generation | Audit |
| 6 | To upload documentation (policy, procedure, process) to automatically complete due diligence questionnaires | Efficiency | Third Party Risk |
| 7 | To upload documentation and automatically assess compliance with standards across a range of risk domains | Efficiency | Third Party Risk, Compliance |
| 8 | Query existing content for suggestions (e.g. ask a question to form a response based on policies and procedures) | Efficiency, Insights | Policy, Regulation |
| 9 | Scenario modelling based on a digital twin representation of organization and GRC architecture | Insights | Integrated GRC Architecture |
6.0 Feedback
As with everything we provide at CoreStream GRC, feedback is invaluable. It helps us improve in ways that are meaningful to our clients and partners. Please do contact us to discuss anything outlined in this strategy paper, or anything else CoreStream GRC related, for that matter!
About Rich Eddolls
Richard is a co-founder and the Chief Product Officer at CoreStream GRC, where he’s redefining the way organizations approach governance, risk, and compliance. With 20 years of experience in business-driven GRC system design and a background at Deloitte, Richard is all about challenging the status quo and delivering technology that actually works. As the visionary behind the CoreStream GRC platform, he’s committed to building solutions that don’t just promise change but deliver it.
Frequently asked questions
CoreStream GRC’s AI strategy focuses on safe, flexible integration of best-in-class AI technologies rather than embedding them directly into the platform. This “AI-agnostic” approach allows clients to choose the models they trust, maintaining full control over data security, compliance, and implementation timelines.
Being AI-agnostic means CoreStream GRC doesn’t lock clients into a single AI provider or insist on the use of AI. Instead, it integrates seamlessly with whichever AI services or models clients want, ensuring adaptability as technologies evolve and maintaining compliance with internal governance standards.
CoreStream GRC first applied AI through its 2022 acquisition of Atreides Ltd, using automation to assess control design quality. Later integrations included client-specific AI models such as Azure OpenAI for risk analysis, policy mapping, and control evaluation, all configured to enhance human decision-making while protecting sensitive data.
CoreStream GRC aligns its AI integrations with strict data privacy, information security, and governance protocols. Each AI use case is subject to client-specific control, optional activation, and transparent risk assessment, ensuring AI enhances human judgment rather than replacing it.