Announcing The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q2 2026
We are happy to announce that The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q2 2026, is now live. We evaluated 12 vendors in this iteration and are grateful to all of them for their participation in the process. Today’s GRC platforms market faces many headwinds. Many GRC platforms still require too much manual data entry, offer only basic workflow automation, and are too complex, unwieldy, and expensive for the function they perform today. And intelligent integration of AI into the platform is not coming to the rescue soon, as the tepid feedback from customers on their AI adoption plans reflects.
Yet the GRC platforms market is going to fundamentally reform its purpose over the next 18–24 months to focus on becoming an orchestrator of outcomes and action for risk professionals. Here are some significant market developments we encountered during the evaluation:
- Automation will transform GRC platforms from a system of record to a system of action. GRC platforms have long been a system of record, capturing the outputs of risk management, compliance, and internal audit workflows. GRC vendors are now seeking to partner with specialist risk data providers, regulatory content providers, and risk domain specialists rather than build these capabilities themselves. The platform remains the data repository of record but uses orchestration and automation across a broader ecosystem of risk technologies to deliver outcomes and action, not just static data.
- AI is providing minimal value for customers today but must change quickly. GRC vendors have leaned in aggressively to the agentic AI future, and if they are to be believed, it is already here. Our Wave assessment found that this is not yet the case: much of the current AI functionality augments existing capabilities rather than delivering the promised transformational change. Customers agree, citing functional limitations and high financial cost as barriers to adoption. GRC providers must turn the AI marketing hype into value by supporting the most in-demand outcomes, such as significantly accelerating processing times for risk assessments and compliance reviews.
- For now, continuous controls monitoring is embryonic and too audit-focused. Continuous controls monitoring (CCM) was the single weakest current-offering criterion in the Wave evaluation. Many GRC platforms implement CCM purely as a mechanism for gathering audit evidence for internal auditors. While that is a current pain point, it is not the most important use case. CCM done right enables continuous monitoring of control effectiveness and policy enforcement and, in some cases, acts as a trigger point for control remediation. To unlock this use case, GRC platform vendors need to build not only technical integrations to enterprise systems of record such as ERP systems but also rich libraries of control performance monitoring use cases and commonly used effectiveness thresholds.
- GRC platforms will gather too much data unless they hone in on specific use cases. The security analytics market initially focused on collecting as much data as possible, which generated unnecessary storage costs with limited security value. Security analytics tools later delivered better value by leveraging the MITRE ATT&CK framework to develop a tighter set of monitoring and threat use cases that narrowed the data needed. Likewise, CCM will sharply increase the volume of data collected. As GRC engineering capabilities become more widespread, customers and vendors need to work together to build libraries of control performance monitoring use cases so that only the required data is gathered.
- Limited consensus exists about how to price AI, making comparison hard. There is widespread variability in pricing AI within GRC platforms, and this extends to pricing for the AI governance capability within them. AI for GRC is focused on delivering AI capability across an entire GRC platform, whereas AI governance is focused on helping risk teams manage their AI governance programs and use cases. Depending on the vendor, customers often end up needing to pay for both. We saw everything from no additional charge to fixed-price package additions to consumption-based pricing keyed to the number of AI use cases governed. Reference customers were also confused by the pricing approaches, frequently citing a lack of clarity over the value for money from their investment in AI capabilities.
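The difference between CCM as audit-evidence collection and CCM as continuous effectiveness monitoring, and the point about gathering only the data a use case needs (the third and fourth items above), is easier to see in code. The following is an added illustration written for this post, not code from the Wave report or from any evaluated vendor: each control use case declares the fields it needs from the system of record, the population it applies to, a pass test, and an effectiveness threshold; a run that falls below threshold yields a remediation trigger rather than just a stored result. The control identifiers, thresholds, and the account and vulnerability-finding records are constructed assumptions.

```python
"""Illustrative continuous controls monitoring (CCM) run.

Added example, not from the Wave report or a vendor product. Control IDs,
thresholds and all records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable

# Fixed evaluation date so the example runs offline and deterministically (constructed).
AS_OF = date(2026, 5, 1)


@dataclass
class ControlCheck:
    control_id: str
    description: str
    required_fields: tuple              # the only attributes pulled from the system of record
    in_scope: Callable[[dict], bool]    # selects the population the control applies to
    passes: Callable[[dict, date], bool]
    threshold: float                    # minimum pass rate for the control to count as effective


@dataclass
class ControlResult:
    control_id: str
    population: int
    passing: int
    threshold: float
    failures: list = field(default_factory=list)

    @property
    def pass_rate(self) -> float:
        return self.passing / self.population if self.population else 1.0

    @property
    def effective(self) -> bool:
        return self.pass_rate >= self.threshold


def project(records, fields):
    """Keep only the fields the use case needs; everything else stays in the source system."""
    return [{k: r[k] for k in fields} for r in records]


def evaluate(check: ControlCheck, records, as_of: date) -> ControlResult:
    """Evaluate one control against its scoped population and threshold."""
    rows = [r for r in project(records, check.required_fields) if check.in_scope(r)]
    failures = [r for r in rows if not check.passes(r, as_of)]
    return ControlResult(check.control_id, len(rows), len(rows) - len(failures),
                         check.threshold, failures)


def remediation_ticket(result: ControlResult):
    """Trigger point: a ticket payload when the control is below threshold, else None."""
    if result.effective:
        return None
    return {"control": result.control_id, "pass_rate": round(result.pass_rate, 3),
            "items": [f["id"] for f in result.failures]}


def days_to_close(r, as_of):
    """Age of a finding: closed date if closed, otherwise still open as of the run date."""
    return ((r["closed"] or as_of) - r["opened"]).days


CHECKS = [
    ControlCheck("IAM-02", "MFA enforced on every privileged account",
                 ("id", "privileged", "mfa_enforced"),
                 in_scope=lambda r: r["privileged"],
                 passes=lambda r, _: r["mfa_enforced"],
                 threshold=0.98),
    ControlCheck("VULN-05", "Critical findings closed within 14 days",
                 ("id", "severity", "opened", "closed"),
                 in_scope=lambda r: r["severity"] == "critical",
                 passes=lambda r, as_of: days_to_close(r, as_of) <= 14,
                 threshold=0.95),
]

# Constructed sample records; "department" is deliberately present to show it is never collected.
ACCOUNTS = [
    {"id": "admin-1", "privileged": True, "mfa_enforced": True, "department": "IT"},
    {"id": "admin-2", "privileged": True, "mfa_enforced": True, "department": "IT"},
    {"id": "dba-1", "privileged": True, "mfa_enforced": True, "department": "Data"},
    {"id": "svc-backup", "privileged": True, "mfa_enforced": False, "department": "IT"},
    {"id": "analyst-7", "privileged": False, "mfa_enforced": False, "department": "Finance"},
    {"id": "secops-3", "privileged": True, "mfa_enforced": True, "department": "Security"},
]
FINDINGS = [
    {"id": "F-101", "severity": "critical", "opened": date(2026, 4, 1), "closed": date(2026, 4, 10)},
    {"id": "F-102", "severity": "critical", "opened": date(2026, 4, 20), "closed": None},
    {"id": "F-103", "severity": "high", "opened": date(2026, 3, 1), "closed": None},
    {"id": "F-104", "severity": "critical", "opened": date(2026, 4, 25), "closed": date(2026, 4, 30)},
]
SOURCES = {"IAM-02": ACCOUNTS, "VULN-05": FINDINGS}


def run_all(as_of: date = AS_OF) -> dict:
    """Run every registered control once and return results keyed by control ID."""
    return {c.control_id: evaluate(c, SOURCES[c.control_id], as_of) for c in CHECKS}


if __name__ == "__main__":
    for cid, res in run_all().items():
        status = "EFFECTIVE" if res.effective else "DEGRADED"
        print(cid, f"{res.passing}/{res.population}", status, remediation_ticket(res))
```

Run on its own, the script reports IAM-02 as degraded (one of five privileged accounts lacks MFA, below the 98% threshold) with a ticket naming the offending account, and VULN-05 as effective with no ticket. The `required_fields` tuple is the data-minimization point: the department attribute exists in the source but is never pulled into the platform, because no registered use case needs it.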
GRC platforms are a core enabler of all aspects of the Forrester Continuous Risk Management Model. These platforms only become more important as the monitoring of risk decisions, controls effectiveness, and risk posture transitions from point-in-time assessments to continuous assurance. Read the latest Wave results and request a guidance session or inquiry from us to discuss our findings about the market in more detail.