Discussions of how artificial intelligence (AI) is changing cybersecurity tend to focus on the technical skills that cybersecurity professionals have, or must acquire, to compete. In today’s job market, professionals with proven AI skills are increasingly sought after as enterprises look to make better use of these platforms.
As AI interest grows, however, there is also a significant need for cybersecurity professionals and others to help address knowledge gaps when it comes to a wide range of security-related issues beyond the technical aspects. These include governance, risk assessment, data protection, data privacy, government compliance and regulatory issues.
This is where the field of governance, risk and compliance – GRC for short – is having its moment. A term coined in 2002, this field encompasses traditional IT and cybersecurity teams as well as other parts of the organization, from legal to finance to HR to the executive boardroom.
One definition of GRC is an organization-wide strategy to “manage governance and risks while maintaining compliance with industry and government regulations,” according to IBM. By creating this type of framework – one that encompasses various parts of an enterprise – an organization is then able to establish policies and procedures that address risk.
One reason GRC is gaining more attention now is that the growing use of AI is creating fresh risk concerns for organizations, from how internal data is shared with generative AI chatbots and platforms to who is accountable for managing large language models. Addressing these challenges requires enterprise-wide rules and procedures, not just technical controls, to keep the organization secure.
“First, AI itself now requires governance. Organizations must develop policies around model risk, data handling, prompt injection, bias, explainability and regulatory compliance. AI introduces new oversight obligations at both the technical and board level,” said Shane Barney, CISO at Keeper Security.
“Second, regulatory expansion tied to AI is accelerating compliance requirements globally. Oversight bodies are scrutinizing automated decision systems, AI-enabled financial services and algorithmic risk models. Governance frameworks must evolve to address these technologies,” Barney told Dice. “Third, AI is automating portions of GRC workflows, including control testing, policy mapping, evidence collection and log analysis. However, AI doesn’t eliminate governance. It raises the stakes for oversight. AI increases speed and scale – on both sides of the equation. Governance becomes more complex, not less.”
While GRC job positions span multiple lines of business within an organization, cybersecurity professionals with the right skills and certifications can find new career paths as the AI field expands and more companies look for ways to deploy these technologies in a secure manner.
GRC Positions Are Growing and Paying
A 2025 report published by CyberSN, a security and IT workforce management platform provider, looked at 45 cybersecurity roles across the U.S. and found that many positions associated with GRC are seeing increasing interest as well as boosts in salary and compensation.
The CyberSN data found that the average salary for roles in the GRC category ranged from $118,000 for a privacy analyst position up to $180,000 for a data privacy officer. A cybersecurity or privacy attorney reported an average annual salary of $165,000.
With many enterprises and large organizations increasing their adoption of AI, cybersecurity experts are not surprised that GRC positions are commanding larger salaries and greater interest from recruiters and employers.
“We are living in a world of rapidly advancing technologies that will radically alter the fundamentals of how audits, risks and controls are managed. AI and other technologies introduce new layers of risk that organizations will have to adapt to. The challenge is that it’s happening so fast that many are struggling,” Chris Radkowski, a GRC expert at security firm Pathlock, told Dice. “That pace of change is exactly what makes governance, risk and compliance roles more attractive right now. The need for such jobs will only increase, driven by organizations that need professionals who can translate new technologies and risks into greater efficiency and the appropriate structured oversight required for the business.”
The growing need for cybersecurity professionals who have a technical background but can also assess business risk and related issues shows why having a broad skill set in an era of AI is critical, said Karin Olivo, assessments practice lead at Fenix24.
“When you have a broad skill set, you are not confined to one industry, which can provide greater career opportunities and mobility, should you need it,” Olivo told Dice. “Assessments, audits and program management are always in demand, and having the ability to know how security is implemented and why across many different facets of the business is an extremely marketable quality.”
What GRC-Related Certifications Can Help
Cybersecurity professionals who already have a certification can start thinking about applying for an open GRC position or begin shifting their career path. Experts note that many traditional security certifications can help in this field, and the most popular ones include:
- Certified Information Systems Security Professional (CISSP): This cert remains the gold standard generalist certification and is respected and widely recognized across industries.
- Certified Information Security Manager (CISM): This cert carries strong governance and management credibility and is often preferred for leadership tracks.
- Certified in Risk and Information Systems Control (CRISC): This cert is particularly aligned to modern, risk-centric GRC work, especially for professionals focused on enterprise risk alignment and quantification.
- Certified Information Systems Auditor (CISA): This certification remains valuable in audit-heavy environments.
- Certified Cloud Security Professional (CCSP) or Certificate of Cloud Security Knowledge (CCSK): These certs are increasingly relevant as governance expands into cloud environments.
- Certified Information Privacy Professional (CIPP): This cert is essential in privacy-heavy regulatory contexts.
Keeper Security’s Barney noted that certifications such as these can open the door, but that practical knowledge and experience are needed as professionals work up the GRC career ladder.
“Certifications matter, but primarily as signaling mechanisms. Early in your career or when transitioning roles, certifications can demonstrate commitment, discipline and baseline knowledge,” Barney added. “They help open doors. Over time, however, practical experience managing real-world incidents, audits and regulatory pressure carries more weight.”
Fenix24’s Olivo noted that, throughout her career, she has earned the CISA and CISM certifications, but, in her view, the cybersecurity certification that most closely aligns with GRC is the CISSP, which many organizations help cybersecurity professionals and others obtain.
“This certification is the most common and most respected, as it covers a broad expertise of security knowledge and is often a requirement for most defense contractor organizations,” Olivo said. “For me, this is the most valuable as it covers eight realms of the security industry and has pretty much become a standard. The other certs, manager, auditor, or compliance, can be achieved once you find your niche in the industry.”
Other certifications that are more focused on GRC issues include:
- GRC Professional (GRCP), offered by OCEG
- GRC Auditor (GRCA), also from OCEG
- Certified Compliance & Ethics Professional (CCEP), from the Society of Corporate Compliance and Ethics (SCCE)
- Certified in Governance, Risk and Compliance (CGRC), from ISC2 (formerly the Certified Authorization Professional, or CAP)
GRC: Looking Ahead
While the Trump administration has signaled a shift away from industry regulation, experts such as Barney note that enterprises still must comply with numerous regulations, particularly regarding the use of AI.
This includes the U.S. Securities and Exchange Commission’s cybersecurity disclosure rules, which require public companies to report material cybersecurity incidents and to describe their cyber risk management and governance. There are also the EU’s NIS2 Directive and Digital Operational Resilience Act (DORA), the PCI DSS v4.0 payment card standard, and an ever-expanding number of state-level laws and regulations. Most of these are not AI-specific, but they apply to AI-enabled systems all the same: an automated decision system that handles cardholder or personal data falls under the same obligations as any other system.
“GRC professionals are increasingly embedded in board-level conversations because they translate technical risk into business risk,” Barney added. “That visibility elevates the role. When liability, public disclosure and executive scrutiny intersect, professionals who can manage risk frameworks, governance processes and regulatory obligations become strategically indispensable.”