#583 Continuous Compliance Is Coming: Richa Kaul on AI Agents, Data Risk, and the End of Manual GRC

In this episode, Mehmet sits down with Richa Kaul, Founder and CEO of Complyance, to explore how AI is fundamentally reshaping governance, risk, and compliance (GRC).
What was once seen as a cost center is now becoming a strategic asset. With the rise of AI agents, continuous compliance, and real-time risk visibility, enterprises are moving beyond manual checklists toward intelligent, automated systems.
This conversation breaks down how AI is changing the way organizations think about data risk, why compliance is finally reaching the boardroom, and what the future of GRC looks like in an agent-driven world.
⸻
👤 About the Guest
Richa Kaul is the Founder and CEO of Complyance, an AI-native GRC platform helping enterprises manage compliance, data risk, and third-party exposure at scale.
With a background in regulation, public policy, and consulting at McKinsey, Richa brings a unique perspective bridging governance and innovation. Her work focuses on making compliance easier, more scalable, and aligned with real business outcomes.
Connect with Richa: https://www.linkedin.com/in/richa-kaul/
⸻
🔑 Key Takeaways
• AI is turning GRC from a cost center into a board-level priority
• Continuous compliance monitoring is replacing periodic audits
• AI agents enable real-time risk visibility beyond human capability
• Data risk is becoming one of the most critical invisible liabilities
• Enterprises can leapfrog legacy systems directly into AI-driven workflows
• The real moat is not AI agents, but the underlying platform and data layer
⸻
🎯 What You’ll Learn
• How AI agents are transforming compliance operations
• Why GRC is now a strategic function, not just a checkbox exercise
• How to quantify data risk and communicate it to the board
• The shift from manual compliance to continuous monitoring
• What differentiates AI-native platforms from “AI-added” solutions
• Where the GRC market is heading in the next 1–2 years
⸻
⏱️ Episode Highlights
00:00 Introduction and Richa’s background
02:00 The origin story behind Complyance and data privacy motivation
06:00 Why GRC has historically been seen as a cost center
07:00 How AI brought compliance into the boardroom
10:00 What “AI-native GRC” actually means
13:00 The rise of AI agents and future autonomy in compliance
16:00 Quantifying data risk and business impact
20:00 Managing global regulatory complexity
22:00 Building an enterprise startup in a regulated market
26:00 Fundraising insights and attracting top investors
28:00 Product expansion and future roadmap
30:00 AI hype vs real differentiation in the market
33:00 The future of compliance and continuous monitoring
37:00 Why platforms, not agents, are the real moat
⸻
🔗 Resources Mentioned
• Complyance: https://complyance.com
Mehmet: [00:00:00] Hello and welcome back to an episode of the CTO Show with Mehmet today. I'm very pleased joining me, Richa Kaul. She is the founder and CEO of Complyance. I'm very, you know, humbled. I'm very honored to have you with me here today, Richa, we're gonna talk about, as people can imagine from the name about compliance, but of course from from enterprise perspective, we're gonna talk about data risk.
We're gonna talk also about the mix with AI in, in, in this era. And as my audience knows, I don't like to steal much from my, um, guest time. So, Richa, tell us a bit more about you, your journey and how did you start Complyance, and then we can start the conversation from there. So the floor is yours. Hm.
Richa: Thanks, Mehmet. Thank you so much for having me on the show today. Uh, what, what can I say I guess from a professional perspective? You know, I started my career more on the regulation side of the house. I worked in public sector first at McKinsey, and then for the government in the state of Virginia and the US.
And I'm really focused [00:01:00] on how to spur innovation and grow the tech sector by balancing regulation and policies with investments and incentives in the growth of tech. And so I kind of, you know, came at this more from the regulation side of, uh, governance risk and compliance. Um, and so now I'm obviously kind of bridging the gap on the other end, you know, being part of the tech sector that, uh, needs to innovate and also respect certain data privacy and security regulations.
While we do so. From a personal perspective though, which I think is more interesting, I am a huge data privacy nut, and that's actually why I started Complyance with a Y. So I have a bit, I'm a bit obsessed with making sure that my data, my personal data is not being used in, you know, unnecessary ways by whether it be governments or software that I put my data into and.
I realized back, do you remember the Equifax breach that happened way back? I think it was 2017, 2018?
Mehmet: Yeah. [00:02:00] Around
Richa: that
Mehmet: time
Richa: around that. It was kind of a turning point for me personally because I basically realized that, you know, no matter how much we as individuals really put in privacy, configurations and security at the individual level, at the end of the day, it is about the enterprises who we trust with our data.
They are really the, the folks who determine whether our data is safe or not. And it kind of led me down this path of saying, how do I help make sure that enterprises are the most secure? And that brought us to Complyance with the Y, which is an entirely security GRC focused company. Uh, we help, you know, the largest companies around the world really manage all of their, uh, security compliance,
their potential risks, their third-party risks and so on.
Mehmet: Great, and thank you again Richa for being here with me today. It's an interesting story, you know, and thank you for sharing this. Like why you decide to this, because you know, this is my. Traditional first question, but how your experience, you know, on the other side [00:03:00] of the table shaped also the way you wanted.
I'm sure like you have a CTO and you have like a team with you. Oh
Richa: yeah.
Mehmet: But I'm sure you know like all this background and you know, you work for McKinsey also as well. How this shaped your vision, let's say for the company and you know. How did you wanted to, I would say let enterprises understand the importance of compliance, and I'm with you a hundred percent because also I'm a big fan of compliance and regulations in, in, in, in the, you know, what you are offering.
Richa: Yeah, of course. Thank you for asking that question, because I so rarely get to talk about some of the links from my past life into what we do now. I think, um, the overarching point that I would make, Mehmet, is that it's, it's important to make it easy for businesses to be compliant because if we put up a bunch of regulation and then it's not easy to be compliant, it's, you know, it's not [00:04:00] gonna make business sense for those companies to actually, uh, do more than check the box and to actually, you know, be secure and not just be able to, you know, check off the list and say, yep, we're secure.
And so everything we do at our company is about how do we make it easy for an enterprise to be secure. Um, and, and going back to why that links, you know, and the vision and, and my experiences. Maybe I'll give you a quick anecdote. When I was, uh, working for the state of Virginia, I was sitting on a committee that determined, uh, drone privacy regulation.
Mm-hmm. So, again. Thinking about this, right? Like the drone industry was taking off at the time, it was in its nascency, and it started to raise privacy questions. If you're flying a drone above a neighborhood and you're looking down on people's backyards, what if you see them in position? Like they didn't wanna be seen in, right?
It's their personal space, it's their private property. So how do you start to create privacy regulations for drone usage? And then we would go back to. Um, you know, these drone companies [00:05:00] in the state and talk to 'em about that. And what it showed me was just this, this balance, this delicate balance that needs to exist between the privacy and security regulations that benefit everyday people.
And the, you know, the, the burden on the company, you know? And, and that starts to open the question of, okay, well if we want those types of protections for everyday people and for consumers, then the answer is not to get rid of them. The answer is to make it easy to comply with them. And that is literally the vision and the basis for Complyance with the why, as we call it, um mm-hmm.
The, the name of the company, because it's the, what is the why behind Complyance. It's to make it, you know, it's to protect consumers and make it easy for companies to do so. So that's the kind of the, the na, the story in, in a nutshell.
Mehmet: Great. You mentioned. An important event in my opinion, which is the Equifax event.
Uh, of course we can go open and search plenty of other, um mm-hmm. [00:06:00] You know, data leaks that's happened and we discover, you know, what happened afterwards. Um. I work with, you know, as an IT guy back in the days and we used to take care of cybersecurity and of course in cybersecurity, data governance and privacy is, is an important factor in this.
Later on, I work with different vendors as well now and even after I left there and I started, you know, for the part three is talking to, you know, founders and you know, executives like yourself, Richa. We always talked about how still somehow governance, risk and compliance is seen as a cost center, similar to anything related to cybersecurity or technology, right?
So let's say fact now with the interest of AI and generative AI and you know, everything. So now I would say the formula started to change. So. In your opinion, [00:07:00] how enterprises in the AI era can think about having this governance risk and compliance as a asset and asset rather than just, oh, we need to pay this and we just need to pay someone to come and audit us and, you know, show that we are compliant rather than that, like, think in a way that no, actually this would help our business to maybe generate more money.
Like I, I like to hear your opinion on this.
Richa: Yeah, thank you. Top line is that AI has brought GRC to the boardroom, front and center, and thank goodness for that. To be honest, I. Right now what's happening is that AI is something that is so easy for people to understand the risks about that. All of a sudden, I think the collective fluency in the language of risk has increased dramatically in the last, you know, even just six months.
Why is that? Because I think [00:08:00] we all intuitively understand that when we're putting all this information into, you know, AI tools, what it and what it's doing with them, we all very implicitly understand, oh shoot, you know, this is a lot of risk that's being posed, and that's the first time that's really happened.
I think we all use software all the time, and we don't necessarily link directly in a layman's mind to all the risks that are being posed with the data that we're putting into a software. Um, much of it is the same by the way. But I think that the intelligence of AI really brings that to the forefront.
And I think what that does is it starts to make it easier for GRC leaders and security leaders to go into boardrooms and say, look, this is the business cost of not focusing on security compliance. This is the business cost of doing nothing. This is the quantified risks. That you can, you know, actually tangibly see, hear, understand.
And this is the risk of actually being proactive about it. This is the risk of, you know, this is the probability times, [00:09:00] uh, impact, risk of doing nothing about it. Okay, now people start to engage with that a little bit more deeply. And especially if you have good tooling like we offer, you know that, that those types of quantifications become automated and become informed by what's happening in the market and in peers and so on.
And you can start to have that conversation with the level of specificity to an audience that actually seems to understand it more than we've ever had before. Um, and that's just not even putting aside that, that's not even talking about the fact that, you know, AI security, AI governance is bringing those other elements to the boardroom as well.
So we're hearing so much from our clients right now about how they can use and speak about the tools that we offer in their board meetings. I think it's a really exciting change.
Mehmet: It is definitely an exciting change. Now you, you position the company Complyance as an AI, an AI-native GRC platform, right?
Not just like set of AI features. Now, I gotta ask you maybe, and sorry for doing this sometime with my guests, like I don't intend to make [00:10:00] the question harder or make it loaded, but how that, you know, work in, in, not on a technical level, but you know, what distinct, I would say, um, you are offering from what's around there because GRC has been.
With us for a long time knowing that Richa and I have seen, you know, and I always like the same way you said, like you are nuts about compliance are also nuts about people who still do things manually as well. Now I'm sure you see it also even in probably like, uh, I would not say Fortune 500, but I would say like big, big enterprises because I, I've seen it myself where everything is still manual.
So how. AI can help here and how you differentiate yourself in the marketplace.
Richa: Yeah, absolutely. So of course, I mean, it, it's funny because I think sometimes folks say that AI feels, you know, um, like, oh, okay, [00:11:00] enterprise doing things manually. How can they jump to AI? And I almost find that to be, you know, an inaccurate premise because, you know, AI is actually easier for them to jump to than the integrations that have been kind of the norm of the last few years.
Right. Like we've talked about. Kind of went through the manual phase and then to automation, and then to AI automation, and then to agentic AI. Those are kind of the steps that I see, and people think about it as, you know, how can you get to agentic if you haven't gone through the steps? But it's the automation that's hardest for some of these enterprises because their tech stacks are old and it's difficult to integrate with those and all of that.
And so they, they kind of gotten stuck a little bit on some of that automation, but AI allows them to leapfrog that, you know, because AI is less, is less restricted by preset API, um, points and, and so on. And so you kind of get like a, an effect of saying, okay, well, with the data that we have access to in a much more open way, um, than [00:12:00] we've ever had before.
How do we monitor, um, compliance? How do we actually do some of this work that replaces some of the really manual administrative work that GRC folks do, and also expands visibility and expands control beyond what a human could ever do. Pairing those two things together. And from our perspective, we're so unique in the market because we've actually cracked this.
Like we have been working on agents since 2023, uh, since we first started as a company. And that seems crazy. And we didn't have the word agent to describe it then. Mm-hmm. We, we didn't know what to call it. It's funny, like we released our first agent in 2023, but we called it a feature 'cause we didn't have the word agent.
And so. While other folks are releasing their first agents, we are working on the orchestration layer for agents, uh, in GRC for enterprise. And so it's a very different conversation. Like we have, you know, we have 18 agents in our platform today. Our competitors have one or two, [00:13:00] um, and we're having a completely different conversation than they are.
And so I think clients really see that. They feel that and they feel comforted that we've been, you know, deploying AI for Fortune 500 companies for three years now.
Mehmet: Cool. Now Richa, I'm happy you brought the discussion to the agentic AI and you know, agents, it's,
Richa: yeah,
Mehmet: in my opinion, 2026. Since the start, it showed that it's the year of AI agents with no doubt like this.
At least me as someone who've been around for a long time, I see it and. It's, it's gonna like grow more and more. 'cause every single, you know, founder, even like established, um, companies I talk to, they are going this direction now. Do you see agents have full autonomy in operating GRC? Why? I'm asking you this question because.
Also like people who are building in different spaces. Like I've talked to people building in travel tech. I spoke with people building in, um, you know, like, [00:14:00] uh, uh, co-working spaces, technologies, and so on and so on. You know, I can give you bunch of of examples. So always when we talked about the agents, we said like, we need to have the human in the loop.
And very interestingly, three weeks ago, but the episode is released now. I spoke with Betsy Atkins and she mentioned something very interesting, which I don't know, maybe I saw it and I forget. There was this research by, uh, Anthropic, the company behind Claude about when they, you know, left the agents. Of course, not as a compliance perspective, but you know, they started after a while to blackmail, you know, people, so they don't shut them down Now.
I am not like, kind of fancy podcaster who's after, you know, like these fancy things. But because I remember 2018 still, there was no ChatGPT, nothing. I was like following the trends and what, at that time, um, DeepMind and you know, the other companies were doing. And I [00:15:00] said, okay, it looks like we're gonna go.
I was working in sales, so. It's like, look like a robot gonna be selling to a robot. Now I'm gonna ask you here, are we going to see an AI agent doing compliance regulation and making sure that there's a data privacy on another AI agents? Like I know it's kind of a, again, like loaded question, but love to hear your, uh, your feedback on this.
Richa: I think we are going to see that, Mehmet, honestly, and I think that the question is going to be when. I think that there's going to be, uh, realignment of, you know, which resources and which titles, um, get kind of moved over to a more AI agentic model and there's gonna be creation of new roles, new titles that really humans will fill.
And I think a number of them will be around kind of digital innovation for, you know, the previous. You know, team name that was, you know, used for [00:16:00] humans to be staffed up on. I think that's a really crazy world that we're headed towards. But I think that everything that I am seeing, everything that I am reading tells me that we are getting to it faster than I think most people necessarily appreciate.
Mehmet: Yeah. So as you said, like it's about when, not if it'll happen. There's no doubt on this. You talked about, you know. The, the risks of, um, you know, leaking data. And so if I want to, so if I'm speaking to a compliance officer, right? So, or whatever your best persona would be in the enterprise. Like I, I believe it's, it's like IT governance or like sometime the CEO also as well.
Richa: It's the,
Mehmet: if I want to, yeah. So if I want to put this into the balance sheet of a company. To quantify, you know, the risk of what I call it, the data risk, [00:17:00] right? 'cause it's, it's like the most invisible liability. How that would, would on average, in your opinion, would turn in terms of, of money value.
Richa: Yeah. So I mean, you're basically asking as like, how do we, how do we define what,
Mehmet: define
Richa: the value, right?
Of RC to a CISO? Is that right? Right?
Mehmet: Yes, correct.
Richa: GRC agents. Yeah. There there's three very specific levers, uh, that we use, at least when we talk about value delivery to a CISO. The first one is, and I'm sure you know, it's not a surprise to you. The first one is just simply time savings. Mm-hmm. I mean, oftentimes.
You know, GRC teams have strategic initiatives that they need to do, but their urgent manual work is the first 30 items in their to-do list. And it's always, everything else is always getting deprioritized. 'cause that first chunk of work is always increasing 'cause it's so manual. And so the reality is that we tell, we tell CISOs like, look, you want your GRC team to focus on building a security compliance culture.
[00:18:00] You want, you know, these things that humans. Do for humans, right? You can't have AI agents building a culture in your organization, that's for sure. Um, well maybe one day, but not yet. And so if you can remove these tasks, the time that is saved is immeasurable, and you immediately see that time returned back to you for your strategic work that CISOs want to see get done.
That's one. The second one is cost savings, and it's very tangibly related to things like reduction external consultant spend, even reduction sometimes like legal spend from a compliance perspective, security compliance perspective. Um, reduction in, you know, of course, like, uh, you know, risk prevention, right?
So there's sort of like those steps and I have visibility. You don't have to take, spend as much money on certain measures you may have been putting in place before. And the last one though is risk visibility, and that's, interestingly, it's the least quantitative and it's the most important. That's what CISOs, I would say, really, really want.
At the end of the day, these CISOs are going into the boardroom [00:19:00] quarter after quarter, and being asked to. Basically make a presentation on what are the biggest risks to the business? Well, it is so hard to get a complete and accurate picture of risks to your business. It is harder to then quantify them.
It is harder to then rank order them and say, look, these are the ones we should focus on. It is impossible to do all of those things without ai. How is it? Even it is not even capable of a GRC team, a human GRC team to go and know every single risk that's happening in the business. They can't monitor controls all the time, even if they can.
All the control failings, everything that's happening needs to be risen at the right level, needs to be quantified. No human can do that. And so what agents do is they create a picture, a complete and accurate picture of risk. And now the CISO is armed with the information that he or she needs to actually say, okay, then these are the most important risks.
The CISO can use their judgment to decide, you know, within these top 25, here are [00:20:00] the 10 I'm gonna float up. And now they have the confidence in the boardroom to say, these are the risks that I had. This is the picture that I've had, and this is what we should do next. And that is actually invaluable.
Mehmet: Absolutely. Absolutely. It's invaluable. Now I'm gonna ask you also something, Richa, because you know, when I went on the website, I've seen you covered large number of frameworks and we know like these regulations also are evolving mm-hmm. Globally and you are a, a global company. So. How are you seeing enterprises like, are, are, are they seeing it's challenging to keep, you know, updated with these multiple regulatory frameworks, especially sometime across different jurisdictions also as well, so I know for a fact I work with multinational companies also as well, so we have a data privacy law.
Let's say we know the famous ones in the US usually we have GDPR in, in, in, in Europe. Um, of course you have like the [00:21:00] additional ones like PCI DSS for financials and so on and so forth. So how do you help organizations in adopting and also at the same time, keeping up to the latest of these different frameworks across different locations?
Richa: You know, I think that's really a pain point that folks have felt for many years. I'm happy to say that it's implicitly solved in our platform and people don't need to worry about it so much anymore. So not only do we keep up with regulations, you know, as they come up and add them to our platform, but if there's a new version of an existing regulation, we cross.
From the previous version to the new version. And so it becomes a really seamless transition. Uh, which kind of goes back to what I was saying also about like cost saving as the second lever of value for the CISOs, because previously they have to maybe spend money on external consultants or lawyers sometimes, um, to kind of like understand and diagnose the difference between.
Old [00:22:00] version of regulation, a new version, and we just do that once for all of our clients at scale. Um, so it's pretty, pretty easy and becomes kind of a, a foregone, uh, concern for our clients, which is great.
Mehmet: Absolutely. Now I gotta ask you something more related, uh, to, to, to the. Company being a startup and building, you know, in the space of compliance and cybersecurity.
I know it for a fact. It's not the easiest thing if you want to do, like, it's, uh, it's very hard. Yeah. Uh, what were like some, and, and congratulations by the way. You said like you started building in 2023, like just in three years time. Fantastic. You know, uh, milestones achieved and, and great results. I, I saw also like some of your customers you shared on, on your website.
What was some of, you know, what were some of the unique challenges building in this space, especially? It's a highly regulated market. [00:23:00]
Richa: Patience, I think. I think, you know, it is really unusual for a startup to come out the gate targeting enterprises, right? A lot of startups target, you know, other startups or SMBs coming out the gate because it's a lot faster of a sales cycle.
So you get revenue in the door quickly and you basically are able to build using that revenue, get, you know, VC money and so on and so on. We were. Lucky that, you know, from day one, the vision was enterprise GRC. It was never startup GRC. Um, and you know, at the very beginning of the journey, um, I raised a pre-seed round, like before, before there was even a product.
It was just me and my PowerPoint deck going around to investors and, uh, most of them said. You know, you shouldn't build your vision. You should build Vanta for Europe. That's what they said. Like you should build basically like a startup focused, um, GRC [00:24:00] company. I was like, absolutely not. That's not what I want to do.
That's not, that's not what I, that's not what I'm interested in doing. Um, you know, there's a lot of people trying to copy Vanta, trying to build something else, trying to build something new. Trying to build an AI powered enterprise GRC platform and. Conviction. You know, as a founder you have to have unhinged conviction.
I like to say you have to really, really believe that what you are, you know, putting forward as your vision is correct, and then you have to actually build it. And the patience that it takes to build an enterprise product is not the same. Instant gratification of what it is to build a startup product. I know that.
I know that. And in those first months, you know, you really feel it. You want to bring in more clients for your team, for yourself, for your investors. Like you want that to work. Um, but it takes some time and I think patience is hard in those moments, but now. You know, it's really paid off and I think the long arc rewards that patience, uh, we now serve Fortune 500 companies and household [00:25:00] names like Major League Soccer and Dropbox and CVS Health, and I think that's, um, really amazing.
Mehmet: That's really amazing and congratulations on that, Richa. It takes people, they, they see usually only the success, uh, because I work with founders also as well, so I know exactly what you're talking about. And by the way, I've seen, like recently, not long time ago, you raised, uh, a $20 million round also as well.
Um. So when invest, okay, so let's thee drought. I know how it felt, you know, I know, you know, like I know all the nos that you, you were getting. But when you, when you, when you start to show the attractions, Isha, uh, Richa, so, and you know, you start to talk to them, what signal convince them that the company can become really a category leader in your opinion?
Richa: In the pre-seed or in the Series A?
Mehmet: In the Series A?
Richa: The series A. Um, I think honestly my, maybe the best part of the series A story is that Google Ventures [00:26:00] actually approached us. So they had actually done a review of the market because they wanted to make a bet in, you know, enterprise GRC and they actually came to us.
So we didn't have to make a pitch or do a big, um, you know, do, do kind of the typical, uh, VC roadshow. We, uh. We got lucky to get such an amazing investor kind of knocking on our door. And why was that? Was I think two reasons. Like one is that they saw that we had AI agents actually out there live in use by enterprise companies.
That's very rare. As I sort of started the, started this, this conversation and I said, you know, we started building agents in 2023. That means that we deployed our agents in 2023 and 2024. So we've had enterprise clients using agents for like almost 24 months now. Our agents, and they, you can see their increase in usage.
You can see the customer value and. It's hard to find other companies who have done that. And so that was one. And then the second [00:27:00] piece is, I think, you know, I think is that we have the most amazing team. I'm just one part of a big team that is amazing. Our CTO Hugo could not have had a better CTO. I could not have dreamed up a better CTO to be honest, but he, um.
The product that he has built and the consistency and the rigor and the stability and the security that he has built into the product is really second to none. And, uh, doing that alongside innovation, you know, how hard of a task that is. Um, and so the product really, really speaks for itself in addition to the, of course, initial or, you know, really great traction that we've been able to get.
Mehmet: Absolutely. You know, it takes, you know, it's a teamwork indeed. It's your vision also as, as founder. Um. I've seen it, you know, like when, when you are up to something that people really want, like it's, I will tell people it looks easy, but it's not, you know. We, when we go and start to advise, [00:28:00] you know, startup founders, we tell them, yeah, you need to build something that people would pay for.
Mm-hmm. It looks easy on, on, on paper, but when you go and try to do it in practice, you know, finding this product market fit, and then have this, um, I would call it, you know, the, the, the engine that start to, to push the company, you start to have the revenue. You start to, to have these large enterprise. So this is really something that.
Takes a lot of time and effort and sleepless night, I'm, I'm sure you, you, you work more than maybe 18 hours a day at some stage, maybe, which I'm just guess guessing. It's, it's not easy. And again, congratulations on that. Now, if you want to look again to the, to the market, you know, do you see like other opportunities where the company Complyance, you can also innovate in adjacent market to what you're currently offering.
Richa: Uh, these are great questions, Mehmet. You're getting to the heart of it, I think. Yes, absolutely. I mean, I think right now we're really focused on expanding, uh, [00:29:00] across our core modules. So for example, you know, we support clients with compliance or controls management, which includes audit, prep, risk management, third party risk management, policy management, and customer trust.
And we have really like end to end, um. Automated with AG agentic, the TPRM process. So third party risk. We are now working on controls and risks simultaneously and really creating an end-to-end stack of agents for those two. And then last, but certainly not least, will be policy and trust. And then I think we'll start looking at adjacencies and there's different ways to think about those adjacencies, but that's kind of where we are, um, right now.
Mehmet: Cool. Um, do you see a lot of. Because I'm seeing it in other domains. So whenever a new company comes up and innovates and creates a new category similar to what you're doing, Richa, so we see the status quo. I call them the [00:30:00] incumbents. They try to just stuff thing and say, Hey, like we have an AI thing now. Are you seeing this also in your domain?
As well. Yes.
Richa: The number of AI powered companies in our domain is so funny in every domain. I think a lot of marketing teams are putting that on the website right now. Um, yeah, and it's interesting because you know the difference between real AI native and AI chatbots or, you know, add-on AI features is so immense in terms of the impact, but it's not always clear from a marketing perspective, which is which, uh, and it's really tough actually.
You know, and, and, and maybe I'll flip that around and ask you the question, Mehmet, like, when you think about, you know, founders that you've interviewed and CEOs and CTOs who you've interviewed, um, the ones who are building great products, uh, and you know, are able to actually message that. Like that is actually the art and the science of the whole deal.
Right? And how have they [00:31:00] kind of stood out and made sure that their customers know that they are actually the best product and competing with all of the marketing buzzwords from everybody else.
Mehmet: Uh, you know, the best ones who I've seen doing it without mentioning sometimes AI. Mm-hmm. So they bring the AI part just at the end.
Richa: Mm-hmm.
Mehmet: They focus on the customer pain similar to what you were telling me. So, because you know all, you know the conversation, I see each, you understand what you're doing, and I think this is your secret sauce. If you. We, you know, what are the customer pains? And this is why I tell everyone, you know, whether they are startups or even like a business trying to sell their services.
If you understand your customer pain, if you can, you know, relate your offering to, this is why I asked you the question about, you know, the value, right? So whether it's like time saving, um, risk actually, because people, they forget and you are in this business. So, you know, risk avoidance is actually a plus also as well, because you, you,
company can lose money because someone would go [00:32:00] and sue them for some data leakage that happened. Right. And that, so, so you're saving them tons of money, which is not, of course, not something they can see potentially by counting it. But again, it, it enters into the ROI and so on. Or for example, maybe increasing revenue, increasing, you know, productivity.
And you mentioned also about like how you, you can do things faster. So people who can talk and articulate these things. And at the end say, Hey, and by the way, we do this by utilizing this cool technology called AI agents. So I've seen the people who are doing it this way are still. Doing better job than the just guys who go and say, Hey, we have AI for this.
Because, you know, I've been a customer, I've been also sitting on, on the startup seats also as well, and every time I figure out something that's stuffing, you know, um, just technology terms doesn't change things much. Mm-hmm. Yeah. The customer might ask this question, by the way, Hey, what are you [00:33:00] doing with AI?
But it's just to see if you are following the trends, but if you, yeah. Go and back and go to basics, ask about their pain points. You don't need to do this. So, absolutely. Um, and one thing, you know, I just need to, to clarify this. This is something, it's not like I discovered this is something I learned and you know, I.
People know, my audience know I'm very much, you know, although like he, he wasn't in the B2B space, I'm into the B2B space. I'm very, you know, inspired by Steve Jobs. 'cause always, I remember when he was telling we should not be talking about bits and hertz, right? Like, you talk about what, what value you add to customers.
And I think this is in business, it's pretty much the same. Now, if you want to look ahead, and I'm not asking you, Richa, because I know like in this age we cannot predict things on five and 10 years, but. If you want to predict the trends in the coming, let's say, one to two years in your space mm-hmm.
What are like the major breakthroughs or like, what, what do you think, you know, the market would look like two years from, from today? [00:34:00]
Richa: Yeah, I think there's a few things that are gonna change. I think one of them is that continuous compliance monitoring is going to become the norm. As I said before, I think some of the roadblocks that are stopping continuous compliance monitoring have to do with integrations and legacy stacks and siloed systems, and I think that AI actually helps us leapfrog some of those issues, some of those challenges.
So I think that is a huge deal because continuous compliance monitoring will flag risks ahead of time. So risk visibility is about to increase significantly. With the increase in risk visibility, you'll basically actually see more of the problems, and that's a good thing because then you can actually address them before they're exploited.
But I do think that it's gonna create even more focus on GRC in the near to medium term. And again, that's a great thing. But I see that, um, I see that change happening. I see much more AI agents being put, um, into place. There's that quote from Jensen, uh, Huang, which I, I'll probably butcher right now, but it's something along the lines of, you know, you're not [00:35:00] gonna lose your job to AI.
You might lose your job to somebody who knows how to use AI. Um, and that's kind of the idea that I think is gonna happen. I think we're gonna see a lot more GRC engineering happening. I think we're gonna see a lot more, um, really AI-led GRC teams. And I think that means a rapid increase in the fluency of AI, uh, and agent for these GRC teams, which I'm excited about.
And I think, you know, we're in a good position to help lead the charge on.
Mehmet: Absolutely. And, uh, I, I share with you, you know, the same, um, thoughts about, you know, the future when it comes also to people who work in the domain. They should not be scared, probably. They need to learn new skills. Mm-hmm. Uh, and to be honest, like I'm happy because, you know, companies like is trying to also change something which been kind of static for a long time.
You know, it was just papers. With check marks done. And actually it wasn't like someone who keeps [00:36:00] monitoring because I always, you know, do like, I do this, uh, every time I ask people like. How do you make sure, like for example, if you, you, you are not in front of your house door, how do you make sure, like, how many people passed in front of the door?
Yes. And this is why you put a camera, how, how, this is why you put a camera actually. Right. So I tell them like, if, if you do the thing one time and you think you're done, this is not the right way to do it. And this is where technology, you know, like, let's say, hmm. How can this make, make this automatic when it comes to forms?
And maybe I should have asked you this, like, uh, you know, actually I asked you, but, you know, um, about the manual work. So I'm, I'm kind of still surprised that many companies still use paper. Paper. Just, they print papers to just do things and then they scan and then they do this. And I'm happy that AI now is disturbing this.
Right. So, so it's like we have this big change and I think every. Board member is [00:37:00] seeing this and they are going and questioning actually their teams, Hey, are we still doing this? So I'm very happy that these things are moving this way and, you know, like, uh, getting things do, done as it should be. Now, before we close and before we, we, we call it as end of the episode, this is something I ask, you know, all my guests, so Richa, is there anything you,
you thought that I should have asked you and I didn't, and of course where people can, you know, find out more and get in touch.
Richa: Thanks for asking, Mehmet. In terms of what else is to be asked, I mean, I, I think that. Uh, maybe one last thing. Sure. I think that from our perspective, AI agents are only as good as the software that they actually live in.
I do think that there is a moat. You know, the world is not agentic only. The future is agentic. But the world is not only gonna be agentic only, we still need systems of record. We still need actual [00:38:00] softwares. And I think the trick is going to be how well coordinated those agents and their softwares actually are.
And so as much as I love to talk about our AI agents, I will say that more than half of our engineering team focuses every single day on our core platform. And that's because I think long term, the platform is the moat, not the AI agents. I think everybody will have AI agents and we'll be able to build them ourselves, and it'll be a very, it would be a free, free for all on that front.
And what will be left, what will be left is the ability to actually put that data somewhere or do something with it. Not only just get the insights out of it, but then show them, make it easy for humans to understand them. That is, um, I think where we're headed. And so I just wanted to maybe close on that front and re-anchor ourselves on not only ai, but also platform.
Um, and of course, people can find us at complyance.com, uh, spelled with a y, so C-O-M-P-L-Y-A-N-C-E.com. Or you can literally write compliance with a y.com and that will also work. Um, so yeah, [00:39:00] that's us.
Mehmet: Um, Richa, I'm happy you brought, you know about the moat, uh, percent. I agree with you here because. I keep repeating this in every episode.
So LLMs kind of became commodity, right? Um, everything we do is commodity. The thing that will stay, and this is 'cause I'm happy you, you mentioned about the platform, so people were talking couple of months and weeks back about, you know, and we saw the stock market reacting, you know, like the, the, the software company's stocks like fell down and then people, hey.
Calm down. It's, it's not the way you think about it because Yeah. And building a platform, and this is why companies are gonna give examples not related to compliance of course. And, and, uh, GRC. So if you look at companies like Salesforce, if you look at companies like, uh, you know, ServiceNow or like. Many, many other companies who started it in one vertical, one niche, but with [00:40:00] time they build a platform, right?
Yes. And then you hook, you hook multiple things in that platform. You have the data as moat also as well, distribution becomes your moat. And then this is where you know it's gonna take long time to, someone can go and copy quote on code. Because people also, they are thinking, oh, we have these vibe coding tools.
And yeah, tomorrow I would just write a prompt and I will have a CRM. It's not as simple as you think because you have product management. You have like quality engineers, blah, blah, blah, blah, blah, all all the things. So I'm happy you brought this, Richa, here. And for the audience, the links that you mentioned, Richa, so they will be available in, in the show notes so you don't have to look, although like it's a very easy Complyance with Y or if the round runway way.com will work.
But I gotta put still the links in the show notes. So thank you very much. I know how busy it can be for founders. And I appreciate, you know, you shared this time with me today and with the audience. I really appreciate it, and this is how I end my episodes. This is for the [00:41:00] audience. Classical traditional thing.
Yeah. Thank you. Thank you, Richa. So, if you just guys found about the podcast, we're still in our growth phase, I would say. I hope you enjoyed it and uh, if you did, so please give me a favor, subscribe and share it with your friends and colleagues. And if you are one of the people who keep coming again and again, you know, I can't thank you enough.
I'm repeating this 2025 and beginning 2026. Uh, this cannot happen without. Someone comes and open their favorite podcasting app and listen to the podcast, or they open YouTube and they watch it. The podcast has been ranking in the Apple top 200 charts in multiple countries since last, but something special start to happen again, 2026, and I found out like we are now trending in multiple countries, in different continents at the same time.
Again, it's not something I push. This is because you come back and it looks like you're enjoying what I'm doing. So [00:42:00] I'm very grateful for you and as I say, always stay tuned for any episode very soon. Thank you. Bye-bye.