
The Modern CISO’s Compliance Stack: Frameworks, Automation and AI webinar 


By Esme Dyos

Introduction: What should a modern CISO compliance stack actually look like?

CISOs are being asked to protect the business across more frameworks, more regulatory expectations and more third-party assessments than many compliance programs were built to handle. 

The pressure is not theoretical. PwC’s Global Compliance Survey 2025 found that 85% of respondents said compliance requirements have become more complex in the last 3 years.  

At the same time, regulators are sharpening their focus on cyber resilience, operational disruption and third-party oversight. The SEC’s 2026 examination priorities, for example, include operational resiliency and supervision of third-party/vendor-provided services, while UK regulators have introduced new operational incident and third-party reporting requirements for financial services firms. 

Yet many compliance programs still rely on manual evidence gathering, spreadsheets, repeated questionnaires and point-in-time reviews. That model may have worked when compliance was slower and more contained. It is harder to defend when controls, vendors, frameworks and risks are changing faster than teams can manually assess them. 

That is why CoreStream GRC is bringing together Paul Cadwallader, Anders Söberg and Tom Cornelius for a candid discussion on what actually works in modern compliance. 

This is not another AI marketing webinar. It is a practical conversation about the modern CISO’s compliance stack: the frameworks, automation and AI capabilities that can help teams reduce duplication, improve defensibility and focus on higher-value compliance work. 

Why are traditional compliance programs under pressure? 

Traditional compliance programs are under pressure because the job has changed. 

CISOs and compliance leaders are no longer managing a neat set of isolated requirements. They are managing overlapping obligations across cyber, privacy, operational resilience, third-party risk and sector-specific regulation.  

Each framework may have its own language, but the underlying work often points back to the same question: can the organization prove that the right controls are in place, operating and supported by current evidence? 

That proof burden is getting heavier. 

Regulators are responding to the same reality. The UK Financial Conduct Authority’s 2026 operational incident and third-party reporting rules set out new requirements for reporting operational incidents and material third-party arrangements. The direction is clear: firms are expected to understand where critical dependencies sit, how controls operate and when issues need to be escalated. 

This is where tick-box compliance starts to break down. A completed questionnaire, a mapped framework or an approved policy may show activity, but it does not always show control effectiveness. For CISOs, that gap matters. If an assessment cannot be traced back to evidence, reviewed by the right people and defended under scrutiny, it is not enough. 

The issue is whether the way organizations manage frameworks, evidence and assessments is still fit for purpose. 

What is the Secure Controls Framework? 

The Secure Controls Framework, or SCF, is described in the webinar as “the heartbeat of compliance.” 

That is because SCF gives organizations a common controls foundation for managing overlapping security, privacy and compliance requirements. Instead of treating every framework as a separate project, SCF helps teams bring those requirements into one unified control architecture. 

The Secure Controls Framework describes itself as the Common Controls Framework and a free cybersecurity and data privacy metaframework.  

It maps 1,400+ controls across 200+ laws, regulations and industry frameworks, including: 

  • ISO 27001 
  • NIST CSF 
  • PCI DSS 
  • SOC 2 
  • GDPR 
  • HIPAA 

For CISOs, that matters because compliance work often overlaps. The same control evidence may support multiple obligations, but without a shared structure, teams can end up collecting, testing and reviewing the same information again and again. 

SCF changes the starting point. It supports the idea of assessing once, then understanding where that assessment maps across multiple requirements. 

It also brings a stronger approach to framework mapping. SCF uses Set Theory Relationship Mapping, based on NIST IR 8477, to define the relationship between requirements and controls. Each mapping uses 1 of 5 relationship types and a strength score, giving teams a clearer way to explain coverage, gaps and overlap. 

For compliance leaders, that is the difference between saying “we think this maps” and being able to show how and why it maps. 


What is SANNOS AI? 

SANNOS AI is the intelligence layer in the modern compliance stack. 

It is designed to help teams analyze real evidence, support assessment work and reduce manual review. In other words, it is not generic AI sitting outside the compliance process. It is evidence-led AI built for GRC, audit and assurance work. 

The CoreStream GRC, SANNOS and SCF combination enables organizations to assess controls once and automatically map them across 200+ regulations and frameworks, including ISO 27001, NIST, DORA and PCI DSS. The two companies also state that SANNOS AI evaluates evidence, identifies gaps and delivers real-time compliance insights, helping reduce duplication and manual effort. 

That matters because CISOs do not just need faster answers. They need answers that can be reviewed, challenged and defended. 

The webinar will explore how SANNOS AI can analyze large volumes of vendor evidence in minutes, accelerate assessment work and reduce the manual effort that slows down third-party risk, compliance and assurance teams.  

The reported outcomes include up to an 80% reduction in time and cost, a 95% acceleration in TPRM assessments and testing against 3,000+ pages of SCF compliance documentation with zero false positives. 

The core point is simple: speed only matters if the output is explainable, reviewable and defensible. That is where evidence-led AI becomes useful for compliance teams. 

Where does CoreStream GRC fit? 

If SCF provides the common controls architecture, and SANNOS AI supports evidence analysis and assessment acceleration, CoreStream GRC provides the platform layer that turns that work into a managed process and effective reporting. 

That means workflows, ownership, evidence, reporting and assurance activity all sit in one place. Compliance work does not stay trapped in documents, inboxes or one-off assessments. It becomes something teams can assign, track, review and report. 

That matters because AI on its own does not solve compliance complexity. A faster assessment is only useful if the output can move into the operational GRC process: who owns the gap, what evidence supports the assessment, what needs remediation, what has been reviewed and what can be shown to leadership, auditors or regulators. 

The CoreStream GRC and SANNOS partnership was built around that connection. It combines SANNOS’ evidence-based compliance automation with CoreStream GRC’s enterprise governance and workflow platform, helping teams accelerate framework assessments, reduce manual assurance work and deliver audit-ready outputs with traceable evidence. 

CoreStream GRC has also been recognized for this approach.  

In 2025, CoreStream GRC won Michael Rasmussen’s GRC Innovation Award for Enterprise Integrated GRC Architecture & Platforms, recognizing its flexible, no-code platform and enterprise GRC architecture. 

That is the value of the stack: AI connected to controls, evidence, ownership, workflow and reporting, following the way compliance work actually gets done in the business. 

What is Set Theory Relationship Mapping and why does it matter? 

One of the standout elements of the webinar is the first public demonstration of Set Theory Relationship Mapping, or STRM. 

Compliance mapping has often been treated as subjective. Teams compare frameworks, identify overlap and make judgment calls about which requirements relate to which controls. That work is important, but it can also become opaque. When a board, auditor, customer or regulator asks why one requirement maps to another, teams need more than a best guess. 

STRM brings a more transparent and defensible approach to that problem. 

The Secure Controls Framework explains that STRM uses the NIST IR 8477 methodology for every SCF crosswalk. Each mapping uses one of five relationship types: subset of, superset of, equal, intersects with and not related to. Together with the strength score, this gives teams a clearer way to describe how requirements overlap, where they differ and how strong the relationship is. 

For CISOs, that matters because framework mapping is not just a back-office compliance exercise. It affects how teams explain coverage, identify gaps, prioritize remediation and defend their approach under scrutiny. 

STRM helps move compliance mapping from “we think this aligns” to “here is the relationship, here is the weighting and here is why it matters.” 
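A worked illustration of the assess-once roll-up described in the SCF section above and of the STRM relationship types in this section, added here as an example; it is not SCF's, SANNOS's or CoreStream GRC's code. It uses the five NIST IR 8477 relationship types, read from the external requirement (the focal element) to the SCF control (the reference element). The 0-10 strength scale, the control and requirement identifiers, the assessment results and the roll-up precedence (gap, unassessed, covered, partial, unmapped) are assumptions constructed for the example. The point it makes is the one a reviewer should insist on: an effective control satisfies a requirement only where the requirement is a subset of, or equal to, that control; a superset-of or intersects-with link is partial evidence and goes on the review queue, with low-strength links flagged separately.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Rel(str, Enum):
    """NIST IR 8477 types, read from the external requirement to the SCF control."""
    SUBSET_OF = "subset of"        # requirement is narrower than the control
    SUPERSET_OF = "superset of"    # requirement is broader than the control
    EQUAL = "equal"
    INTERSECTS_WITH = "intersects with"
    NOT_RELATED = "not related to"


@dataclass(frozen=True)
class Mapping:
    framework: str    # external framework
    requirement: str  # focal document element id
    control: str      # reference document element: SCF control id
    rel: Rel
    strength: int     # assumed 0-10 strength-of-relationship score


FULL = {Rel.EQUAL, Rel.SUBSET_OF}  # an effective control fully satisfies the requirement

# Constructed crosswalk; ids are placeholders for this example, not real SCF rows.
CROSSWALK = [
    Mapping("ISO 27001", "A.8.15", "MON-03", Rel.SUBSET_OF, 10),
    Mapping("NIST CSF", "DE.CM-01", "MON-03", Rel.INTERSECTS_WITH, 7),
    Mapping("PCI DSS", "10.2.1", "MON-03", Rel.SUPERSET_OF, 8),
    Mapping("PCI DSS", "10.2.1", "MON-03.2", Rel.INTERSECTS_WITH, 6),
    Mapping("ISO 27001", "A.5.1", "GOV-02", Rel.EQUAL, 10),
    Mapping("NIST CSF", "GV.PO-01", "GOV-02", Rel.INTERSECTS_WITH, 3),
    Mapping("ISO 27001", "A.6.1", "HRS-02", Rel.SUBSET_OF, 10),
    Mapping("NIST CSF", "ID.RA-01", "RSK-04", Rel.EQUAL, 10),
    Mapping("PCI DSS", "1.1.1", "GOV-02", Rel.NOT_RELATED, 0),
]

# Constructed results: True = tested and effective, False = tested and failed.
# RSK-04 is deliberately absent: it has not been assessed yet.
ASSESSED = {"MON-03": True, "MON-03.2": True, "GOV-02": True, "HRS-02": False}


def rollup(crosswalk, assessed):
    """Roll each control's single result up to every requirement mapped to it.

    Statuses, most conservative rule first (the precedence is this example's,
    not SCF's): gap (a mapped control failed), unassessed (a mapped control has
    no result), covered (an effective control is 'equal' to the requirement or
    the requirement is a 'subset of' it), partial (only 'superset of' or
    'intersects with' links; strength is the strongest of them), unmapped.
    """
    by_req = defaultdict(list)
    for m in crosswalk:
        by_req[(m.framework, m.requirement)].append(m)
    results = {}
    for key, maps in by_req.items():
        live = [m for m in maps if m.rel is not Rel.NOT_RELATED]
        controls = sorted({m.control for m in live})
        if not live:
            status, strength = "unmapped", 0
        elif any(assessed.get(m.control) is False for m in live):
            status, strength = "gap", 0
        elif any(m.control not in assessed for m in live):
            status, strength = "unassessed", 0
        elif any(m.rel in FULL for m in live):
            status, strength = "covered", 10
        else:  # only 'superset of' / 'intersects with' links remain
            status, strength = "partial", max(m.strength for m in live)
        results[key] = {"status": status, "strength": strength, "controls": controls}
    return results


def frameworks_served(crosswalk, control):
    """'Assess once': every framework a single control's result feeds."""
    return sorted({m.framework for m in crosswalk
                   if m.control == control and m.rel is not Rel.NOT_RELATED})


def review_queue(results, min_strength=5):
    """Items a human must clear before compliance is claimed; weak partial links are called out."""
    queue = []
    for (fw, req), r in sorted(results.items()):
        if r["status"] in ("gap", "unassessed", "unmapped"):
            queue.append((fw, req, r["status"]))
        elif r["status"] == "partial" and r["strength"] < min_strength:
            queue.append((fw, req, f"partial, weak link (strength {r['strength']})"))
        elif r["status"] == "partial":
            queue.append((fw, req, "partial, needs additional evidence"))
    return queue


if __name__ == "__main__":
    res = rollup(CROSSWALK, ASSESSED)
    for (fw, req), r in sorted(res.items()):
        print(f"{fw:<10} {req:<9} {r['status']:<10} via {', '.join(r['controls'])}")
    print("MON-03 serves:", frameworks_served(CROSSWALK, "MON-03"))
    print(*review_queue(res), sep="\n")
```

Run it directly to print the per-requirement table. MON-03 is assessed once and its result lands under ISO 27001, NIST CSF and PCI DSS, but only the ISO requirement (a subset of the control) is fully covered by it; the other two stay on the review queue as partial, and the GV.PO-01 link is called out as weak. In a real program the crosswalk rows would be loaded from SCF's STRM spreadsheets and the assessment results from the GRC platform, and the precedence rule would be agreed with the assessors rather than hard-coded as here.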

Who will feature on this modern CISO webinar? 

This webinar brings together 3 perspectives across GRC strategy, control framework design and AI-powered compliance. 

Paul Cadwallader, GRC Strategy Director, CoreStream GRC 


Paul is the GRC Strategy Director at CoreStream GRC, where he helps organizations turn complex governance, risk, controls, compliance and assurance requirements into practical, value-led GRC programs. 

With over 25 years of experience in the GRC space, and a background as a former Deloitte Partner, Paul brings deep expertise in helping organizations define what they need from their GRC platform and how to make it work in practice. 

In this webinar, Paul will bring the CoreStream GRC perspective: how CISOs and compliance leaders can move beyond fragmented processes and build a more connected, operational approach to compliance. 

Tom Cornelius, Secure Controls Framework 

Tom is the founder of, and a contributor to, the Secure Controls Framework (SCF), a common controls framework designed to help organizations manage cybersecurity, privacy and compliance requirements in a more structured and consistent way. 

As Senior Partner at ComplianceForge, Tom has extensive experience helping organizations strengthen their security and compliance programs through practical control guidance, documentation and framework alignment. 

Through SCF, Tom focuses on reducing duplication across overlapping regulatory and industry requirements, giving compliance, risk and security teams a clearer foundation for defensible control mapping and assessment. 

In this webinar, Tom will bring the framework perspective: why common control architecture matters, how SCF helps reduce duplication across overlapping requirements and why defensible mapping is becoming increasingly important for CISOs and compliance teams. 

Anders Söberg, Co-Founder and CEO, SANNOS 


Anders is Co-founder and Co-CEO of SANNOS, an AI-native compliance solution built to transform how organizations approach GRC, audit and assessment work. 

With experience across governance, risk and compliance transformation, including as a former Chief Risk Officer, Anders brings a practitioner-led perspective to the role of AI in modern compliance programs. 

At SANNOS, Anders focuses on helping organizations move beyond manual assessments and fragmented evidence reviews by using domain-built intelligence to support faster, more consistent and more defensible compliance outcomes. 

In this webinar, Anders will bring the AI and assessment perspective: how evidence-led intelligence can help organizations move beyond manual assessments, fragmented evidence reviews and slow compliance processes, while keeping outputs explainable, reviewable and defensible. 

Who should attend? 

This webinar is designed for leaders who are expected to manage more compliance work, with more scrutiny, without adding more manual process. 

It will be especially relevant for: 

  • CISOs managing growing security and compliance expectations. 
  • Compliance leaders responsible for multiple frameworks. 
  • GRC teams looking to reduce repeated assessment work. 
  • Third-party risk teams reviewing large volumes of vendor evidence. 
  • Internal audit teams looking for stronger evidence and traceability. 
  • Risk leaders exploring AI, but concerned about hype, defensibility and oversight. 

If your team is trying to modernize compliance without losing control of evidence, ownership or assurance quality, this session is built for you. 

What will the webinar cover? 

The discussion will focus on what a modern compliance stack should look like in practice, not just in theory. 

You can expect the panel to cover: 

  • Why CISOs need to rethink the compliance stack. 
  • Whether tick-box compliance frameworks are still delivering value. 
  • How SCF supports common control mapping. 
  • How SANNOS AI can accelerate evidence review and assessment work. 
  • How CoreStream GRC connects workflows, evidence, ownership and reporting. 
  • Why STRM could change how teams compare and defend framework mapping. 
  • What practical AI-powered GRC looks like beyond sales promises.

The aim is simple: give CISOs, compliance teams and risk leaders a clearer view of what works, what does not and where AI can genuinely support better GRC outcomes. 

Conclusion: Modern compliance needs more than another framework 

CISOs need a compliance stack that connects controls, evidence, automation, workflow and defensible reporting. They need tools that reduce repeated work, but still give teams the visibility and control they need to explain decisions under scrutiny. 

That is where SCF, SANNOS AI and CoreStream GRC come together. SCF provides the common controls foundation. SANNOS AI supports evidence-led assessment. CoreStream GRC brings that work into a managed platform layer, where teams can assign owners, track remediation, manage evidence and report with confidence. 

This webinar is for teams that want a practical view of what modern compliance can look like in 2026 and beyond. 

Frequently asked questions about SANNOS, SCF and CoreStream GRC

What is SANNOS AI? 

SANNOS AI is an AI-native compliance solution designed to support evidence review, control assessment and framework mapping. In the CoreStream GRC platform, SANNOS helps teams analyze compliance evidence, identify gaps and accelerate assessment work without relying on generic AI outputs. 

What is the Secure Controls Framework? 

The Secure Controls Framework, or SCF, is a cybersecurity and data privacy metaframework that helps organizations manage overlapping security, privacy and compliance requirements through a common controls structure. SCF maps 1,400+ controls across 200+ laws, regulations and frameworks, helping teams reduce duplication and manage compliance more consistently. 

How do SANNOS, SCF and CoreStream GRC work together? 

SANNOS, SCF and CoreStream GRC work together as 3 layers of a modern compliance stack. SCF provides the common controls foundation, SANNOS adds AI-powered evidence analysis and assessment support, and CoreStream GRC provides the platform layer for workflows, ownership, evidence, reporting and assurance activity. 

What does “assess once, comply with many” mean? 

“Assess once, comply with many” means assessing a control once, then using that assessment and evidence across multiple frameworks or regulatory requirements. Instead of treating ISO 27001, NIST, DORA, PCI DSS or other standards as separate projects, teams can map control evidence across multiple obligations and reduce repeated work. 

How can AI help with compliance assessments? 

AI can help compliance assessments by reviewing large volumes of evidence, identifying potential gaps, mapping controls to relevant frameworks and supporting faster assessment workflows. In GRC, the value of AI is not just speed. Outputs need to be explainable, reviewable and supported by evidence. 

Why does explainability matter in AI-powered GRC? 

Explainability matters in AI-powered GRC because compliance teams need to defend how decisions were made. A fast answer is not enough if the team cannot show what evidence was reviewed, how the assessment was reached, who approved it and what remediation actions followed. 

What is Set Theory Relationship Mapping? 

Set Theory Relationship Mapping, or STRM, is the methodology SCF uses to map relationships between controls, requirements and frameworks. SCF applies the NIST IR 8477 methodology to every crosswalk, so teams can show whether a requirement is a subset of, a superset of, equal to, intersects with or is not related to another control or requirement. 

Why is SCF useful for CISOs? 

SCF is useful for CISOs because it gives security and compliance teams a common control structure for managing multiple frameworks. This helps reduce duplicate evidence requests, improve visibility across obligations and make compliance mapping more defensible when challenged by auditors, customers or regulators. 

How does CoreStream GRC support AI-powered compliance? 

CoreStream GRC supports AI-powered compliance by connecting AI-assisted assessment work to operational GRC workflows. Teams can manage evidence, assign owners, track remediation, report progress and maintain oversight from within the same platform. 

Is SANNOS AI a replacement for compliance teams? 

No. SANNOS AI is not a replacement for compliance, risk or audit teams. It is designed to reduce manual assessment effort and support faster evidence analysis, while keeping human review, judgment and accountability in the process. 
