
The Great GRC Convergence Crisis: When Compliance Becomes the Enemy of Security

Matt Santill, CISSP, vCISO, Cyber Security Services

Why 44% of Financial Institutions Now List Compliance as Their Top Cybersecurity Challenge

Twenty-five years ago, I never thought I’d find myself writing an article suggesting that compliance frameworks—once the foundation of every security program—might actually be undermining our progress. But here I am, in October 2025, during National Cybersecurity Awareness Month, facing a hard truth: 44% of financial services institutions now say compliance is their top cybersecurity challenge (Bridewell, 2025). Just as troubling, it’s not only a financial sector problem; it’s shaping the CISO conversation everywhere.

As one of the original contributors to the NIST Cybersecurity Framework, and now as a virtual CISO advising everyone from Fortune 500s to public sector agencies, I’ve watched firsthand as that initial promise of streamlined GRC has spiraled into what I now call the Great GRC Convergence Crisis. We’re drowning in overlapping frameworks, and ironically, it’s making us less secure.

When Good Intentions Create Bad Outcomes

Let’s look at the evidence. According to Compliance Week’s 2025 survey, 32% of organizations cite regulatory change as their biggest GRC headache—and IBM’s latest research confirms 63% of breached organizations had either no AI governance policy or an incomplete one when their incidents occurred. We’ve handed our teams a mountain of frameworks and are now astonished that they spend more time chasing compliance than managing the risks themselves.

Just last month, I was engaged for a risk assessment at a regional financial institution. What did I find? Seventeen separate compliance monitoring systems cobbled together to answer to GDPR, CCPA, DORA, NIS-2, CMMC 2.0, and a raft of state privacy rules. The result? The security operations center spent 65% of its time on compliance reports, not monitoring threats. When I asked the CISO about conducting their last tabletop exercise, the answer was all too familiar: “We’ve been too busy preparing for audits.”

It’s not unusual—nearly every client I see is running in circles, chasing compliance but becoming less secure. Compliance management is cannibalizing the resources we desperately need for detection, response, and, frankly, innovation.

The Framework Multiplication Problem

We’re not just overwhelmed—we’re jumping through contradictory hoops. Here’s a taste, from the world of access management:

  • ISO 27001: Go for role-based access control but figure out your own details.
  • NIST CSF: Enforce least privilege, with policy-driven access.
  • CMMC 2.0: Get explicit with multi-factor authentication.
  • DORA (since January 17, 2025): Prove you can withstand operational incidents and report failures to authorities.
  • NIS-2: Log and report authentication mishaps on tight deadlines.

The result? Five different access control tools for five different auditors. Security effectiveness suffers as processes tangle, alert fatigue sets in, and teams lose sight of what really matters: are we actually reducing risk?

The Hidden Cost of Compliance Theater

Let’s call it what it is: compliance theater. Some organizations are spending millions annually chasing after checkboxes on compliance platforms, leaving precious little for real security investment.

Take a recent board engagement: I mapped one healthcare client’s all-in GRC burden at about $3.2 million a year (staff, tech, consultants, audits) with no significant drop in breach likelihood or impact. Was the compliance ROI anywhere to be found? Not really. We were spending more on proof than on progress.

The macro numbers are telling, too. IBM’s 2025 report shows average global breach costs have dipped slightly to $4.44 million (down from $4.88 million)—but in the U.S., incidents are up to $10.22 million. Clearly, money spent on fragmented compliance isn’t moving the needle where it matters.

Compliance fatigue isn’t just a phrase; it’s quantifiable and real (see ISACA’s 2025 findings). As paperwork piles up, I see three recurring consequences:

  1. Patching and vulnerability management get delayed—audit checklists always take the front seat.
  2. Incident response readiness weakens—SOC teams are pressed into compliance paperwork.
  3. Security innovation withers—everyone’s too busy ticking boxes to tackle tomorrow’s risks.

The Convergence Solution: Unified Risk Management

Being part of the team that created the original NIST CSF, I know frameworks only work when you integrate, not multiply. My best clients don’t chase every new acronym. They unify risk management, mapping strong, risk-reducing controls to requirements across frameworks.

That’s the pivot: moving from “How do I satisfy Framework X?” to “How do I build and prove real security that multiple auditors will accept?”

Here’s my personal formula—the GRC Consolidation Strategy:

Unified Control Architecture

  • Design one set of controls to satisfy multiple compliance regimes.
  • Map each measure across frameworks; ruthlessly eliminate redundancies.
  • Ditch siloed reporting in favor of a consolidated monitoring pipeline.
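As an added illustration of the mapping step above (example code written for this article, not the author’s or any vendor’s tooling), the script below takes a control inventory tagged with the framework requirements each control satisfies, keeps the smallest set that covers them, flags the rest as redundant, and reports requirements nothing covers. The requirement labels and control names are constructed from the access-management list earlier in the article, not official clause numbers.

```python
# Added example (not from the article): consolidate overlapping controls across
# frameworks, surfacing both redundant tooling and uncovered requirements.
from typing import Dict, List, Set, Tuple

# Requirements paraphrased from the article's access-management list.
# The short IDs are constructed labels, not official clause numbers.
REQUIREMENTS: Dict[str, str] = {
    "ISO27001:rbac": "role-based access control",
    "NISTCSF:least-privilege": "least privilege, policy-driven access",
    "CMMC2:mfa": "explicit multi-factor authentication",
    "DORA:resilience": "withstand operational incidents",
    "DORA:incident-reporting": "report failures to authorities",
    "NIS2:auth-failure-logging": "log and report auth failures on deadline",
}

# Constructed control inventory: each control lists the requirements it satisfies.
CONTROLS: Dict[str, Set[str]] = {
    "central-iam-rbac": {"ISO27001:rbac", "NISTCSF:least-privilege"},
    "legacy-rbac-tool": {"ISO27001:rbac"},
    "sso-mfa": {"CMMC2:mfa"},
    "siem-auth-alerting": {"NIS2:auth-failure-logging", "DORA:incident-reporting"},
    "manual-auth-log-review": {"NIS2:auth-failure-logging"},
}

def consolidate(controls: Dict[str, Set[str]],
                requirements: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Greedy set cover: returns (kept, redundant, gaps). Kept controls cover the
    most requirements; redundant ones add nothing the kept set lacks; gaps are
    requirements no control satisfies. Ties break alphabetically (deterministic)."""
    uncovered = set(requirements)
    remaining = dict(controls)
    kept: List[str] = []
    while uncovered and remaining:
        name, reqs = min(remaining.items(),
                         key=lambda kv: (-len(kv[1] & uncovered), kv[0]))
        gain = reqs & uncovered
        if not gain:  # nothing left adds coverage; the rest are redundant
            break
        kept.append(name)
        uncovered -= gain
        del remaining[name]
    return kept, sorted(remaining), sorted(uncovered)

def evidence_map(kept: List[str], controls: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per framework (the ID prefix), which kept controls serve as audit evidence."""
    out: Dict[str, Set[str]] = {}
    for name in kept:
        for req in controls[name]:
            out.setdefault(req.split(":")[0], set()).add(name)
    return {fw: sorted(names) for fw, names in sorted(out.items())}
```

On the constructed inventory this keeps three controls, retires two single-purpose tools, and reports that nothing yet evidences the DORA resilience requirement, which is the gap an auditor would find first.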

Risk-Driven Compliance

  • Focus FTE effort where it lowers risk, not just where it impresses auditors.
  • Move from point-in-time assessments to always-on, continuous insight.
  • Report on metrics that matter—does it actually protect you, or just document you?

Automated Evidence Collection

  • Leverage AI compliance platforms to auto-generate reporting artifacts.
  • Build dashboards that keep auditors (and boards) off your back with a click.
  • Free your best people from paperwork so they can respond, design, and lead.

The October 2025 Reality Check

October is a good time for a gut check. Regulation won’t be less complex next year—AI and new privacy mandates ensure it’ll get worse before it gets easier. But organizations ready to treat GRC as a unified, strategic risk program are seeing two critical upsides: their costs start to align with value, and—this is crucial—they’re actually getting more secure.

Here’s what I’m advising CISOs and boards right now:

Immediate (30 Days):

  • Inventory all your GRC tooling. Identify and start streamlining anything redundant.
  • Map existing strong controls to all frameworks—look for consolidation.
  • Calculate your total real cost of compliance, factoring in people, technology, and outside vendors.

Next 90 Days:

  • Deploy a unified risk platform to cover multiple frameworks.
  • Retrain compliance officers to think risk-first, not documentation-first.
  • Shift toward real-time, continuous controls and monitoring, replacing periodic checklists.

Long Term (2026+):

  • Advocate for harmonization, working actively with industry bodies to drive framework convergence.
  • Anticipate new regs where you can, so you’re ready before the wave hits.
  • Transform GRC from a compliance expense to a source of true risk intelligence.

The Path Forward: Security-First Compliance

This Great GRC Convergence Crisis isn’t just another bump in the road; it’s a fork. You can keep climbing the mountain of frameworks, or you can re-engineer your approach for integration, visibility, and results.

The organizations that get this right will finally see a real return on GRC investment and, more importantly, measurably better security. As someone who helped draft frameworks, I know the intent was always risk reduction, never burden for its own sake.

If your GRC processes aren’t tangibly making you safer, fix that first. Otherwise, all you’ve built is compliance theater, and the curtain’s coming down.

Let’s move past incremental improvements. The modern threat landscape demands a security-first, unified GRC strategy. The time is now.
