Why Automated GRC Systems Miss the Risks That Matter Most
Color-coded dashboards flatten nuance, and some critical exposures—insider behavior, vendor concentration, executive overrides—resist telemetry entirely.

The dashboard illusion
Automated governance, risk, and compliance platforms promise clarity: green means safe, red means trouble. But that simplicity can mislead executives when the underlying reality is far more complex.
Nichole Windholz, CISO at Onspring, warns that color-coded dashboards often flatten important distinctions. A red indicator might signal a missing control—or it could mean evidence is stale, an owner missed an attestation, or a low-impact asset crossed a threshold. Those scenarios demand different responses, yet they look identical on a heat map.
The result is a defensive posture in the boardroom. Instead of discussing what changed and what decisions leadership needs to make, CISOs spend time explaining why something is red or defending the dashboard itself. Windholz argues boards need context, trend lines, ownership, and a clear view of which risks are accepted, which are being addressed, and which are worsening—not just a mosaic of status colors.
When bad data looks authoritative
Automation moves fast, and polished outputs can mask serious problems. If a source system feeding a GRC platform is misconfigured or mapped incorrectly, the resulting reports look credible but are wrong.
Windholz says auditing the auditor starts with data lineage. Security leaders must know where data originates, who owns the source, how often it refreshes, which field mappings are used, and what has changed since the last review. Without that chain of custody, organizations shouldn't treat the output as authoritative.
Periodic validation is essential: spot checks of evidence, reconciliation between systems of record, and alerts when integrations fail or data stops refreshing. When a dashboard shows unexpected improvement, leaders should be just as curious as when it shows decline. Did the control improve, or did the data feed change?
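As an added example that is not part of the article and not Onspring's or any vendor's code, the script below turns the two points above into runnable checks: it attaches a reason to every red indicator (missing control, stale evidence, missed attestation, low-impact threshold) instead of a bare colour, runs lineage checks on each source feed (failed run, stalled refresh, field mapping changed since the last review), and flags controls whose score improved without new evidence or while their feed was broken. All records, field names (`Feed`, `Control`, `evidence_at`, `mapping_version`) and thresholds are constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All records below are constructed sample data; the field names are assumptions
# made for this example, not any GRC vendor's schema.


@dataclass
class Feed:
    name: str                    # source system feeding the GRC platform
    owner: str                   # who owns the source (part of the lineage record)
    last_refresh: datetime       # when the integration last pulled data
    refresh_interval: timedelta  # how often it is supposed to refresh
    mapping_version: str         # field-mapping revision currently in use
    reviewed_mapping: str        # mapping revision approved at the last review
    last_run_ok: bool            # did the last integration run succeed


@dataclass
class Control:
    control_id: str
    implemented: bool            # is the control actually in place
    evidence_at: datetime        # timestamp of the most recent evidence
    attestation_due: datetime
    attested: bool
    impact: str                  # "low" | "medium" | "high"
    score: float                 # 0..1 as rendered on the dashboard
    feed: str                    # name of the Feed that supplies this record


def classify_control(c, now, max_evidence_age=timedelta(days=90)):
    """Dashboard colour plus the reason behind it, so red is never just red."""
    if not c.implemented:
        reason = "missing_control"
    elif now - c.evidence_at > max_evidence_age:
        reason = "stale_evidence"
    elif now > c.attestation_due and not c.attested:
        reason = "missed_attestation"
    elif c.score < 0.5:
        reason = "low_impact_threshold" if c.impact == "low" else "threshold_breached"
    else:
        reason = "ok"
    colour = "green" if reason == "ok" else "red"
    return {"id": c.control_id, "colour": colour, "reason": reason}


def check_feed(f, now):
    """Lineage checks: failed runs, stalled refresh, mapping drift since review."""
    alerts = []
    if not f.last_run_ok:
        alerts.append("integration_failed")
    if now - f.last_refresh > 2 * f.refresh_interval:
        alerts.append("data_not_refreshing")
    if f.mapping_version != f.reviewed_mapping:
        alerts.append("mapping_changed_since_review")
    return alerts


def unexpected_improvements(controls, previous, feeds, now, min_delta=0.2):
    """Scores that rose by min_delta or more with no new evidence or a broken feed."""
    flagged = []
    for c in controls:
        if c.control_id not in previous:
            continue
        old_score, old_evidence = previous[c.control_id]
        if c.score - old_score < min_delta:
            continue
        reasons = ["no_new_evidence"] if c.evidence_at == old_evidence else []
        reasons += check_feed(feeds[c.feed], now)
        if reasons:
            flagged.append({"id": c.control_id, "reasons": reasons})
    return flagged


def review(controls, feeds, previous, now):
    """One report: classified controls, feed health, and suspicious improvements."""
    return {
        "controls": [classify_control(c, now) for c in controls],
        "feeds": {name: check_feed(f, now) for name, f in feeds.items()},
        "suspicious": unexpected_improvements(controls, previous, feeds, now),
    }


def build_sample():
    """Constructed sample data: two feeds, five controls, one earlier snapshot."""
    now = datetime(2025, 1, 15)

    def d(n):  # n days before now (negative n = in the future)
        return now - timedelta(days=n)

    feeds = {
        "iam": Feed("iam", "identity-team", d(1), timedelta(days=1), "v3", "v2", True),
        "cmdb": Feed("cmdb", "infra-team", d(10), timedelta(days=1), "v1", "v1", False),
    }
    controls = [
        Control("C1", False, d(1), d(-10), False, "high", 0.0, "iam"),
        Control("C2", True, d(120), d(-10), True, "high", 0.9, "cmdb"),
        Control("C3", True, d(5), d(3), False, "medium", 0.8, "iam"),
        Control("C4", True, d(2), d(-30), True, "low", 0.3, "cmdb"),
        Control("C5", True, d(2), d(-30), True, "high", 0.95, "iam"),
    ]
    # previous snapshot: control_id -> (score, evidence timestamp at that time)
    previous = {"C2": (0.5, d(120)), "C3": (0.8, d(5)), "C5": (0.6, d(2))}
    return controls, feeds, previous, now


if __name__ == "__main__":
    import json
    print(json.dumps(review(*build_sample()), indent=2))
```

In the sample, C2 and C5 both look like improvements on a colour-only dashboard; the report shows C2's score rose while its feed stopped refreshing and its last run failed, and C5's rose without new evidence after a field-mapping change nobody reviewed. Those are exactly the cases where the question is "did the control improve, or did the data feed change?"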
The risks automation cannot see
Some exposures resist telemetry entirely. Insider behavior, vendor concentration, geopolitical shifts, and executive decisions to skip control reviews don't generate clean data streams. Automated GRC systems can document assumptions, flag concentration risk, and track whether reviews happened on time—but they cannot eliminate the blind spot.
Windholz says mature CISOs should be transparent about these limits. Boards need to understand which risks can be monitored continuously, which require human judgment, and which rest on assumptions that must be tested over time. Security risk is business risk, and pretending every exposure has a sensor attached creates false confidence.
What automation would—and wouldn't—have changed
Windholz points to the 2024 Change Healthcare ransomware attack as an instructive case. A top-tier GRC platform could have exposed gaps like missing multifactor authentication on critical access points and connected those gaps to business impact by showing which processes and downstream partners depended on affected systems.
It also would have improved the record for each control, requiring current evidence rather than stale attestations and showing who approved exceptions and when they expired.
But automation would not have stopped the ransomware itself. It would not have replaced identity security, segmentation, endpoint protection, or incident response execution. Its value is more modest: helping organizations identify weak signals earlier and establish accountability before an incident becomes a broader disruption.
Why it matters
As organizations invest heavily in automated GRC platforms, the gap between polished dashboards and operational reality is widening. Boards are being asked to make risk decisions based on incomplete signals, and CISOs are shouldering the burden of translating scattered data into business context—often alone. Understanding the limits of automation, and building systems that preserve the story behind a risk signal, is essential to making those decisions with confidence.
Looking ahead
Windholz believes the category is overinvested in presentation and underinvested in trust. Too many companies are building better dashboards without fixing the operating model behind them. The strongest organizations will know which workflows deserve automation, which decisions require experienced risk owners, and which signals matter most.
These insights were shared in an interview with Help Net Security, which first reported the details.
This is an original analysis by the Omega editorial team. Source reporting: Automation Watch.
