Role Definition
| Field | Value |
|---|---|
| Job Title | GRC Analyst (Governance, Risk, and Compliance) |
| Seniority Level | Mid-Level (3-6 years) |
| Primary Function | Manages compliance frameworks (SOC 2, ISO 27001, NIST, GDPR, HIPAA, PCI-DSS). Conducts risk assessments and maintains risk registers. Develops and maintains security policies and procedures. Manages audit preparation and evidence collection. Tracks regulatory changes and assesses impact. Coordinates with legal, security, and business teams to ensure compliance. Operates GRC platforms (ServiceNow GRC, OneTrust, Archer). |
| What This Role Is NOT | NOT a Cybersecurity Risk Manager (52.9, senior strategic role that owns risk strategy and makes risk acceptance decisions). NOT a Security Auditor (44.4, exercises independent professional judgment and signs attestation opinions). NOT a Compliance Manager (senior role that sets organisation-wide compliance strategy and bears regulatory accountability). The GRC Analyst EXECUTES compliance programs and risk assessments at the operational level — preparing evidence, maintaining registers, and tracking remediation rather than setting strategy or signing attestation. |
| Typical Experience | 3-6 years in cybersecurity, compliance, or information security. Certifications: CISA, CRISC, CCSK, ISO 27001 Lead Implementer, CompTIA Security+. 49% hold a bachelor's degree, 45% hold a master's degree (Salary.com). |
Seniority note: A junior GRC analyst (0-2 years) doing evidence collection and ticket management would score deeper Yellow or borderline Red (~20-25). A Senior GRC Manager or Compliance Manager with strategic scope and regulatory accountability would score Green (Transforming, ~48-55).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based. All work in GRC platforms, spreadsheets, and virtual meetings. |
| Deep Interpersonal Connection | 1 | Coordinates with legal, security, and business teams. Manages audit preparation with external auditors. Requires organisational navigation, but the relationships are transactional rather than ones in which trust itself is the value delivered. |
| Goal-Setting & Moral Judgment | 1 | Interprets compliance requirements and maps controls to frameworks. Some judgment in ambiguous regulatory situations. But primarily executes within established frameworks and standards rather than setting organisational risk appetite or defining what SHOULD be done. |
| Protective Total | 2/9 | |
| AI Growth Correlation | 1 | EU AI Act (fully applicable August 2026), NIST AI RMF, ISO/IEC 42001 create new compliance requirements. AI governance is net new GRC work. But AI simultaneously automates traditional compliance tasks — evidence collection, gap analysis, continuous monitoring. Net weak positive. |
Quick screen result: Protective 2 + Correlation 1 — likely Yellow Zone. Proceed to quantify.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Compliance evidence collection & management | 20% | 4 | 0.80 | DISPLACEMENT | Drata and Vanta automate continuous evidence collection from cloud infrastructure, identity providers, and endpoints. AI agents pull screenshots, configs, and logs against control requirements. Human validates exceptions and handles non-standard evidence. AI output IS the initial evidence package. |
| Risk assessment & risk register maintenance | 15% | 4 | 0.60 | DISPLACEMENT | GRC platforms (ServiceNow, Archer, OneTrust) automate risk scoring, heat map generation, and risk register updates. AI agents correlate threat intelligence with asset inventories to produce quantified risk scores. Human reviews output but the workflow is agent-executable. |
| Policy & procedure development/maintenance | 15% | 3 | 0.45 | AUGMENTATION | AI generates policy drafts from templates and regulatory requirements, maps controls to framework clauses, and identifies policy gaps. Human customises to organisational context, interprets ambiguous regulatory language, and ensures policies reflect actual business operations rather than generic templates. |
| Audit preparation & coordination | 15% | 2 | 0.30 | AUGMENTATION | Scheduling walkthroughs, coordinating control owners, managing auditor requests, facilitating interviews, resolving findings. AI prepares evidence packages and tracks remediation items. But the human manages the relationships — negotiating timelines with auditors, coaching control owners on evidence presentation, resolving disputes over findings. |
| Regulatory change tracking & impact analysis | 10% | 3 | 0.30 | AUGMENTATION | AI monitors regulatory feeds (NIST, ISO, EU, GDPR updates), identifies relevant changes, and maps impact to existing controls. Human interprets novel regulations (EU AI Act application to specific AI deployments, cross-framework conflicts), assesses organisational impact, and recommends remediation. Human leads; AI handles sub-workflows. |
| Gap analysis & remediation tracking | 10% | 4 | 0.40 | DISPLACEMENT | AI maps existing controls against framework requirements, identifies gaps, generates remediation recommendations, and tracks progress. Drata, Vanta, and Anecdotes AI perform cross-framework gap analysis end-to-end. Human reviews output but does not need to be in the loop for every step. |
| Stakeholder communication & cross-team coordination | 10% | 2 | 0.20 | AUGMENTATION | Presenting compliance status to leadership, coordinating between legal, IT, security, and business units. Translating technical compliance requirements into business language. Influencing teams to prioritise remediation. AI generates dashboards and summaries but the human IS the coordination layer. |
| GRC platform administration & reporting | 5% | 4 | 0.20 | DISPLACEMENT | Configuring dashboards, generating compliance reports, managing workflow automations within GRC platforms. Structured, repeatable, tool-driven. AI agents can execute platform administration tasks end-to-end. |
| Total | 100% | | 3.25 | | |
Task Resistance Score: 6.00 - 3.25 = 2.75/5.0
Displacement/Augmentation split: 50% displacement, 50% augmentation, 0% not involved.
Reinstatement check (Acemoglu): AI creates new tasks for this role — AI governance compliance (EU AI Act risk classification, ISO/IEC 42001 implementation), validating AI-generated evidence, auditing AI system documentation, managing AI vendor risk assessments, and ensuring AI transparency requirements. These are genuine reinstatement mechanisms that expand the GRC Analyst's scope into AI governance territory. However, the new tasks are themselves partially automatable by the same AI tools.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 0 | BLS projects 29% growth for information security analysts 2024-2034. ISC2 reports 4.8M unfilled cybersecurity positions globally. But "GRC Analyst" specific postings fragment across GRC Analyst, Compliance Analyst, Risk Analyst, IT Auditor, and Security Compliance Specialist — making isolated trend analysis unreliable. City Security Magazine names GRC specialists among most in-demand for 2026. Stable overall, not surging for this specific title. |
| Company Actions | 0 | No companies cutting GRC analyst roles citing AI. However, massive investment in compliance automation platforms — Drata raised $200M+, Vanta raised $150M+, Anecdotes AI targeting enterprise GRC. Companies investing in the compliance FUNCTION through platforms, not necessarily in GRC analyst HEADCOUNT. One analyst plus Drata replaces a compliance team of three. No clear net direction. |
| Wage Trends | -1 | Salary.com: $100,936 average, median declined from $109,398 (2023) to $105,846 (2025) — a 3.3% nominal decline, worse in real terms. Glassdoor: $139,516 average (likely senior-weighted). ZipRecruiter: $70,006 average (likely junior-weighted). Mid-level (2-4 years) earns $101,373. The declining median is an early signal of supply-demand softening at the operational GRC level. |
| AI Tool Maturity | -1 | Drata, Vanta, Anecdotes AI, ServiceNow GRC, OneTrust, and Archer are all production-ready. 72% of companies using AI in GRC (NAVEX/Cyber Sierra). These tools automate evidence collection, continuous control monitoring, gap analysis, risk scoring, and compliance reporting — 50% of core GRC analyst task time. Strong tools in production performing core tasks with human oversight. |
| Expert Consensus | 1 | Broad consensus: transformation, not displacement. Scrut: "AI is designed to complement, not replace, GRC analysts." Cyber Sierra: "AI won't replace GRC workers. GRC workers using AI will replace GRC workers who don't." Onspring: "The Future of GRC: AI Enabled, Human Led." Diligent: compliance professionals will "move into more strategic roles." Consensus points to role elevation, not elimination — but specifically notes operational/tactical GRC faces more pressure than strategic GRC. |
| Total | -2 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | No strict licensing required. Professional certifications (CISA, CRISC, CCSK) are expected but not legally mandated. SOC 2 attestation requires a CPA — but that's the auditor's role, not the GRC analyst's. Compliance frameworks expect documented human oversight of risk management processes but don't require specific credentials for the analyst executing them. |
| Physical Presence | 0 | Fully remote-capable. All work in digital platforms and virtual meetings. |
| Union/Collective Bargaining | 0 | No union representation typical in cybersecurity/compliance roles. At-will employment standard. |
| Liability/Accountability | 1 | Moderate consequences if compliance gaps lead to regulatory fines or data breaches. But the GRC analyst does not personally sign attestation opinions or bear named regulatory accountability — that falls on the Compliance Manager, CISO, or external auditor. The analyst maintains the program; leadership bears the liability. Shared, not personal. |
| Cultural/Ethical | 0 | Industry actively embracing AI for GRC operations. 72% of companies already using AI in GRC. No cultural resistance to AI performing compliance evidence collection, gap analysis, or risk register maintenance. Boards don't expect a human GRC analyst by name — they expect compliance to be maintained. |
| Total | 2/10 | |
AI Growth Correlation Check
Confirmed at 1 (Weak Positive). The EU AI Act (fully applicable August 2026), NIST AI RMF, and ISO/IEC 42001 create genuinely new compliance requirements that expand the GRC analyst's scope. Gartner predicts AI regulation will quadruple to 75% of world economies by 2030, driving $1B in AI governance platform spending. This creates new compliance work — AI risk classification, transparency documentation, conformity assessments. However, the new compliance work is itself partially automatable by GRC platforms. The GRC analyst specialising in AI governance compliance occupies a growing niche; the GRC analyst running traditional SOC 2 evidence collection is being automated away by Drata and Vanta. Not Accelerated Green — the role predates AI and traditional GRC work isn't growing BECAUSE of AI.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 2.75/5.0 |
| Evidence Modifier | 1.0 + (-2 × 0.04) = 0.92 |
| Barrier Modifier | 1.0 + (2 × 0.02) = 1.04 |
| Growth Modifier | 1.0 + (1 × 0.05) = 1.05 |
Raw: 2.75 × 0.92 × 1.04 × 1.05 = 2.763
JobZone Score: (2.763 - 0.54) / 7.93 × 100 = 28.0/100
Zone: YELLOW (Green >=48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 75% |
| AI Growth Correlation | 1 |
| Sub-label | Yellow (Urgent) — >=40% task time scores 3+ |
Assessor override: None — formula score accepted. Score sits 16.4 points below the Security Auditor (44.4), reflecting the GRC Analyst's weaker barriers (2/10 vs 6/10) and lower task resistance (2.75 vs 3.20) — the analyst executes compliance programs while the auditor exercises independent professional judgment and signs attestation. Score sits 24.9 points below the Cybersecurity Risk Manager (52.9), reflecting the gap between operational compliance execution and strategic risk ownership.
Assessor Commentary
Score vs Reality Check
The 28.0 JobZone Score places the GRC Analyst in Yellow, 3.0 points above the Red boundary and 20.0 points below Green. The score is NOT barrier-dependent — barriers contribute only a 4% boost (1.04 modifier). If barriers were removed entirely, the score would drop to 26.9, still Yellow. The real story is the 50/50 displacement-augmentation split: half the role's task time (evidence collection, risk register maintenance, gap analysis, platform admin) is being directly displaced by production-ready AI tools, while the other half (audit coordination, policy interpretation, regulatory analysis, stakeholder communication) remains human-led but AI-accelerated. The neutral evidence score (0/10) reflects genuine market uncertainty — demand signals are mixed, not directional.
What the Numbers Don't Capture
- Function-spending vs people-spending. Compliance automation platforms (Drata $200M+ raised, Vanta $150M+, Anecdotes AI) represent massive investment in the compliance FUNCTION while potentially reducing per-organisation headcount. One GRC analyst plus Drata replaces a compliance team of three. The market for compliance grows; the headcount per company may not.
- The AI governance tailwind is real but time-limited. EU AI Act compliance, ISO/IEC 42001, and NIST AI RMF create a surge in GRC demand now. But once organisations build their AI governance frameworks and achieve initial compliance, the ongoing maintenance workload is smaller and more automatable than the initial build. This is a 2-4 year window, not a permanent uplift.
- Salary decline signal. Salary.com reports a median decline from $109,398 (2023) to $105,846 (2025) — a 3.3% drop in nominal terms, worse in real terms. This is early evidence of supply-demand softening at the operational GRC level, even as the broader cybersecurity market grows. The decline may reflect platform leverage reducing the premium for operational compliance skills.
- Title rotation masks trajectory. "GRC Analyst" is fragmenting into specialised titles — AI Compliance Analyst, Privacy Analyst, Third-Party Risk Analyst, Cloud Compliance Specialist. The generalist GRC Analyst title may decline while the underlying work migrates to more specialised (and potentially higher-scoring) roles.
Who Should Worry (and Who Shouldn't)
If you are a GRC Analyst whose primary value is "collecting evidence and maintaining the risk register" — running Drata or Vanta, pulling screenshots, populating risk matrices, generating compliance reports from templates — you face the most direct displacement pressure. These are exactly the tasks that compliance automation platforms were built to replace. The 2-3 year window for the purely operational GRC analyst is real.
If you are a GRC Analyst who interprets novel regulations, coordinates complex audit engagements, manages cross-team remediation programs, and serves as the bridge between technical security teams and business leadership — you are closer to the Compliance Manager trajectory (Green) than the label suggests. Your stakeholder relationships and regulatory interpretation skills are what AI cannot replicate.
The single biggest separator: whether you operate the GRC platform or whether you interpret what the GRC platform tells you. The platform operator is being automated. The compliance advisor who translates platform output into business decisions has a clear path to the surviving version of this role.
What This Means
The role in 2028: The surviving GRC Analyst is a compliance advisor who specialises in emerging regulatory domains — AI governance (EU AI Act, ISO/IEC 42001), cross-border data privacy, or supply chain security compliance. They spend less time collecting evidence (platforms handle that) and more time interpreting regulatory requirements, coordinating audit engagements, and advising business units on compliance strategy. The generalist "maintain the SOC 2 evidence locker" GRC Analyst is absorbed into platform-driven workflows managed by fewer, more senior compliance professionals.
Survival strategy:
- Specialise in AI governance compliance. EU AI Act risk classification, NIST AI RMF, ISO/IEC 42001 — this is net new regulatory territory entering the GRC domain. The GRC analyst who becomes the AI compliance specialist occupies the highest-growth niche in the compliance field.
- Master compliance platforms, don't compete with them. Drata, Vanta, ServiceNow GRC, and OneTrust are force multipliers. One analyst plus platforms replaces a team. Be the person who orchestrates the platforms and interprets the output, not the person whose evidence collection they automate.
- Build the advisory layer. Move from compliance executor to compliance advisor. Develop stakeholder communication skills, learn to translate regulatory requirements into business language, and position yourself as the person leadership consults on compliance risk — not the person who populates the risk register.
Where to look next. If you're considering a career shift, these Green Zone roles share transferable skills with this role:
- Cybersecurity Risk Manager (AIJRI 52.9) — Risk assessment methodology, framework knowledge, and compliance expertise transfer directly to strategic risk management with higher autonomy and accountability
- Compliance Manager (AIJRI 48.2) — GRC operational experience is the primary pathway to senior compliance leadership with strategic scope and regulatory accountability
- AI Auditor (AIJRI 64.5) — Compliance framework knowledge, evidence evaluation, and regulatory interpretation skills transfer directly to auditing AI systems for risk, bias, and regulatory conformity
Browse all scored roles at jobzonerisk.com to find the right fit for your skills and interests.
Timeline: 3-5 years for significant transformation. AI compliance platforms are already in production and actively displacing operational GRC tasks. The AI governance regulatory wave (EU AI Act August 2026) provides a temporary demand boost but does not change the fundamental automation trajectory for operational compliance work.