CoreStream GRC hosted community events, with industry risk and compliance leaders, in London and New York across a variety of sectors including retail, banking, technology and defense, to ask the key questions:
- How are you measuring success in your GRC programs?
- What is slowing you down in risk and compliance?
- Where do advancements like AI fit into your GRC plans?
“The best ideas come from the community. When we get everyone in a room, you see the value immediately, and we take that straight into what we build next.”
Rich Eddolls, Chief Product Officer, CoreStream GRC
The survey insights outlined below are used to help inform our product roadmap owned by our Chief Product Officer, Rich Eddolls, who emphasizes the importance of listening and getting feedback from the community.
Let’s dive into the feedback…
1. What does success look like in GRC right now?
Most organizations are still cautious and focused on defensive outcomes.
Across both the United Kingdom and the United States, the dominant success metrics were predictable.
- Risk reduction was the top measure at around 33%.
- Regulatory compliance followed at around 27%.
- In contrast, only 1 in 5 respondents said their program was directly tied to business value creation.
This shows that in 2025 many teams are still anchored in protection. They focus on reducing exposure and meeting obligations because these are the metrics their leadership teams monitor most closely. What fewer organizations are doing is linking governance activity to performance. The shift from defensive GRC to value based GRC is happening, but it is still early.
One UK participant summed it up simply.
“We need clearer value metrics, not just activity logs.”
This insight has shaped CoreStream GRC’s GRC product roadmap 2026 focus. If most teams are being measured on defensive outcomes, our job is not only to help them hit those targets but to show the value behind them.
In 2025 we launched our value-based GRC step-by-step guide and workshops, led by our GRC Strategy Director, Paul Cadwallader. These sessions help teams map their GRC program to the objectives the business actually cares about. As Paul puts it:
“It’s not about avoiding the downside. It’s about driving better business outcomes.”
Paul Cadwallader, Strategy Director, CoreStream GRC
At CoreStream GRC we already provide best practice dashboards as standard, but we still want to go further. Every business has its own priorities and its own questions, so we expanded the platform to include fully self-built dashboards. This gives leaders the freedom to customize views, connect risks and controls to strategic goals and surface the insights that matter most to them. It moves reporting from lists of activity to clear evidence of value.
One client put it simply:
“Being able to customize the view to suit each user has made a real difference to how efficiently our team works.”
In 2026 we will build on this theme with more value based GRC content, workshops and platform support. From activity to impact, readers can book a value-based GRC workshop now to start the new year on the front foot.
Want to see how this shift toward value based GRC is playing out across the wider community?
At #RISK Europe 2025 value was top of the agenda
2. The execution gap: why teams struggle to deliver
Ambition is high across the GRC community. The friction sits in execution.
When we compared survey results from CoreStream GRC users and non users, the contrast was clear. Across the wider market, the top barriers showed up consistently:
- 62% cited resource constraints (compared to 17% of CoreStream GRC users)
- 48% cited siloed systems and data (compared to 0% of CoreStream GRC users)
- 40% cited lack of executive buy in (compared to 0% of CoreStream GRC users)
McKinsey research backs this same execution gap at a global level, with 57% of companies saying their IT and GRC systems are lagging or need improvement, and around 45% placing the importance of their risk and compliance leaders below executive level.
As one non-CoreStream GRC user put it;
“We are not short on ideas; we are short on capacity.”
When teams work across disconnected platforms, they spend more time managing processes than generating insight. It becomes harder to elevate governance from an operational task to a strategic function.
These numbers also reflect what we heard repeatedly at #RISK Europe: teams know what good looks like, but their tools and processes slow them down.
However, when we isolate CoreStream GRC users, the pattern shifts.
For example, among CoreStream GRC customers in the survey:
- Confidence levels were significantly higher among CoreStream GRC users, with the majority of users rating themselves “very confident” in their ability to support strategic decision making.
- Among non-customers, none were very confident. Most were only somewhat confident, and almost half were not confident at all.
This creates a simple contrast:
The execution gap is industry wide, but CoreStream GRC users are already closing it.
Why is the gap smaller for CoreStream GRC users?
Users attributed faster execution to:
- The platform’s adaptability to how they work.
- The ability to consolidate several systems into one.
- Tailored workflows configured by the CoreStream GRC team
- Faster onboarding and real time support
- UI/UX that makes their GRC processes more usable and transparent
Further solving that execution gap is central to our 2026 roadmap. We are improving performance across the platform and cutting unnecessary steps so users can complete tasks in fewer clicks. We are simplifying configuration, giving teams the ability to adjust solutions quickly without relying on vendor intervention. We are strengthening connectivity and expanding integrations, so the platform becomes a true single source of truth for governance data.
This is where our brand values come to life:
We simplify.
We flex.
We deliver.
3. How AI fits into modern GRC programs
The verdict on AI in GRC was high curiosity, uneven adoption and a clear gap between awareness and action.
According to our survey data, AI stood out as an area of both excitement and uncertainty.
- Around 20% said they have already embedded AI into their GRC programs.
- Around 38% said AI is an important next step.
- Almost 45% are exploring possibilities and learning.
- Only 7% said AI is not relevant to them.
The takeaway is simple. Interest is strong, but most teams are still in early stages. They are working out practical use cases and testing what AI can do for their day-to-day operations.
This is exactly why CoreStream GRC has taken an AI agnostic approach. In other words, we have top of the range of AI integrations available to our users, and also the option to use your own AI access directly inside the platform.
AI tools CoreStream GRC users can benefit from include Xapien, Signal AI and Black Kite.
Check out the explanation of how Black Kite will benefit our third-party risk management users from our community showcase:
In summary at CoreStream GRC, the experience is built on trust and clarity, not a hidden model you cannot control.
As Rich explains in the CoreStream GRC AI Strategy paper,
“We do not introduce technology for the sake of it. We focus on considering innovation that delivers real value, in a way that works for our clients.”
Rich Eddolls, Chief Product Officer, CoreStream GRC
In the community forum, it was set out that AI in 2026 will not be about introducing complexity. It will be about practical insight and faster decisions. And if a client does not want to use AI at all, the platform remains just as fast, flexible and reliable.
If unsure, we recommend booking in with our GRC Strategy Director, Paul Cadwallader, to map out how you want to embed AI into your program effectively.
Interested in a value based GRC and AI planning workshop?
4. Why GRC teams want more control and self-build
Across the wider GRC market, confidence in existing tools is mixed.
At our US and UK events, around 50% of non-users of CoreStream GRC described themselves as somewhat confident in their current GRC platform, while only 20% said they were very confident. Most felt their tools covered the basics but did not deliver much strategic value. By comparison, CoreStream GRC clients were split evenly, with 50% very confident and 50% somewhat confident.
The same frustrations surfaced again and again from non-clients:
- Weak documentation and onboarding
- Limited ability to self-build
- Too much reliance on vendor support
As one participant put it, their current platform’s “documentation and training are not very good, so it is difficult to onboard new staff.” Another said they had no “ability to self-build within the platform.”
This market insight directly informed several key components of our 2026 roadmap, designed to give CoreStream GRC users even more ownership and a smoother, faster experience:
- Fully customizable dashboards
- Custom grid level tabs
- Live documentation inside the platform
- Short explainer videos for self-learning
- Faster configuration with fewer dependencies
These improvements strengthen self-service and reduce friction, giving teams the independence and confidence they need to understand, adjust and scale their system on their terms.
5. What CoreStream GRC users value most and what the GRC community wants in 2026 and beyond
When we speak to our clients, the message is consistent. They value the platform, but they also value the partnership, expertise and community that comes with CoreStream GRC. Users told us they appreciate a flexible, intuitive UI, configurability that adapts to how they work and personal, knowledgeable support when they need it.
As one client said, “The flexibility and adaptability of the system” is what makes CoreStream GRC fit their world.
Another highlighted the “personal service we receive from Paul and Lucy” and shared that CoreStream GRC is becoming their “single source of truth.”
It goes deeper than capability. GRC teams want a sounding board. They want access to experts. They want clarity when the landscape moves fast. And they want to feel part of something bigger than their own internal program.
That theme came through strongly at our US and UK events. Around 60% of participants said they want better best practice sharing. They want real examples of how others are tackling the same challenges, more transparency, more peer insight and stronger networks they can learn from. Peer insight matters. It makes governance feel less isolated and more strategic.
How CoreStream GRC is responding in 2026
This feedback shaped one of the major pillars of our 2026 roadmap: community.
We are introducing in platform community forums, a secure space where teams can ask questions, like and comment on posts, follow threads and share solutions without leaving the platform. Contributor badges and recognition will help build engagement and support cultural adoption.
As Rich explained;
“The new community feature will work a bit like a secure internal social network, where users can like, comment or follow threads on compliance topics.”
Rich Eddolls, Chief Product Officer, CoreStream GRC
Alongside this, our Inside CoreStream GRC sessions will bring clients together to share examples, swap templates and tap into expert insight. It is a modern, practical way to learn from each other and strengthen GRC programs through real collaboration.
Our 2026 roadmap builds on exactly what users, and the wider community told us they value: more flexibility, more self-service, more support and a stronger network to help them deliver better governance every day.
Want to hear more about CoreStream GRC’s Chief Product Officer on building with customers, not for them?
GRC is changing and at CoreStream GRC so are we.
Across industries, GRC is shifting from compliance to value creation. Teams now need systems that work with them, not against them. Systems that cut the execution gap, make insight faster and embed governance directly into culture.
Our 2026 roadmap is built to support that shift.
- More self-service
- More flexibility
- More clarity
- More community
- More power in the hands of users
Because our belief remains the same. Technology should be an enabler, not a barrier. And GRC should be something that drives performance, not something people fear or avoid.
CoreStream GRC is here to make that possible in 2026.
FAQ on what’s coming for GRC leaders in 2026
GRC leaders told CoreStream GRC that their top priorities for 2026 are risk reduction, regulatory compliance and building programs that deliver measurable business value. Many teams want to move from defensive activity to value based GRC, supported by dashboards that connect risks, controls and decisions to strategic goals.
Survey data collected by CoreStream GRC identified three consistent blockers across the wider GRC market:
62% said resource constraints
48% said siloed systems and data
40% said lack of executive buy in
These challenges make it hard to scale governance, risk and compliance without modern GRC software.
Teams using CoreStream GRC reported far fewer blockers than the wider market:
Only 17% cited resource constraints
0% cited siloed systems
0% cited lack of executive buy in
CoreStream GRC users also showed higher confidence in their ability to support strategic decision making. This demonstrates the impact of an integrated, configurable GRC platform.
CoreStream GRC’s survey shows uneven but growing AI adoption:
20% already use AI in GRC workflows
38% say AI is their next step
45% are exploring use cases
CoreStream GRC takes an AI-agnostic, integration-led approach. This allows organisations to use their chosen AI models, maintain control over data and embed AI safely into their GRC processes.
CoreStream GRC recommends measuring outcomes rather than activity. Strong GRC metrics include:
How risks and controls support strategic objectives
Control effectiveness
Time saved through automation
Speed and quality of reporting
Executive confidence in decisions
CoreStream GRC’s dashboards make it easier to track these indicators in real time.
