Multi-framework compliance is getting harder — and the assumption that combining SOC 2, ISO, FedRAMP, HITRUST, and CMMC will automatically create efficiency gains doesn't always hold up in practice. In our latest Partner POV, Jared James, Principal at Baker Tilly US, shares what he's seeing as organizations face more frameworks, higher expectations, and less room for inefficiency. He breaks down: 🧨 Why AI risk extends well beyond privacy — and what organizations are underestimating right now. 🧨 How compliance programs get overbuilt (and underbuilt) — and how to calibrate. 🧨 How Baker Tilly + Drata are helping teams shift from reactive audit prep to proactive compliance management. Plus: how one client cut their SOC audit timeline from five to six months down to two. 💥 Dive in here: https://okt.to/q4zgn7
Drata
Software Development
San Francisco, California 96,559 followers
Drata is the Agentic Trust Management Platform for enterprise security leaders.
About us
Drata provides the trust network that enables businesses to operate, scale, and partner with confidence. Powered by AI and designed to operationalize trust, the Drata Agentic Trust Management Platform continuously interprets controls, risk, and assurance signals—reducing repetitive manual work while improving visibility into internal and third-party risk, enabling always-on audit readiness across compliance frameworks, and accelerating security reviews. Purpose-built for enterprise complexity, Drata unifies governance, risk, compliance, and assurance to deliver faster time-to-value, reduce operational overhead, and enable continuous trust for 8,000+ organizations worldwide.
- Website: https://drata.com
- Industry: Software Development
- Company size: 501-1,000 employees
- Headquarters: San Francisco, California
- Type: Privately Held
- Specialties: compliance, cybersecurity, automation, SOC 2, ISO 27001, HIPAA, and PCI DSS
Locations
- Primary: 634 2nd St, San Francisco, California 94107, US
Updates
-
Drata reposted this
Our products track over a million vendor security questionnaire answers annually through Drata's Trust Graph. Six months ago, our team flagged something: a new question category was climbing fast. Security and procurement teams had started asking about AI agents: what's running, who owns them, how they're governed. When the pattern stabilized, I spent time with CISOs across healthcare, financial services, public software companies, and a frontier AI lab. Different industries. Same five questions every time: → What AI agents are running here? → Do they have the right permissions and scope? → What identity do they run under? → Are they behaving as expected? → Can you show evidence of all of it? These five questions add up to something structural: a fourth dimension of trust. Certifications. Questionnaires. Third Party Risk Assessments. And now — AI Agent Governance Posture. The trust transaction between enterprise companies has permanently changed. The data caught it forming. The CISOs confirmed it. The EU AI Act (and others) codifies it. I wrote about this in detail, and looking forward to hearing from more experiencing this firsthand: https://lnkd.in/ec_VriWP
-
Building a compliance-first culture isn't about shortcuts. It's about trust. Next Thursday, May 28, our own Kayla Anderson-Thaler is joining Exceptional Capital for a candid Q&A — Compliance Without the Chaos — designed for founders and builders who want to get it right from day one. They'll cover: 🔒 What SOC 2 actually is (hint: it's not a certification). 📈 How security maturity impacts fundraising and growth. ⚠️ The "fastest path to compliance" shortcuts that can hurt you later. Open invite to founders, builders, and anyone mapping out their next idea. Register to save your spot 👉 https://okt.to/B6uwI2
-
Thrilled to share that Saepio Information Security named Drata its New Partner of the Year — and our own Jack Halstead was recognized as Sales Account Manager of the Year. 🏆 We’re incredibly proud of this partnership and grateful to the Saepio team for the recognition. Huge congratulations to Jack for this well-earned honor and for the impact he continues to make for our customers and partners. Here’s to even more ahead together. 🚀
-
If CMMC is on your radar, you know the gap between "understanding the framework" and "audit-ready" is real. On May 28, we are hosting a live Ask an Auditor session with A-LIGN, where you can get your CMMC questions answered directly by someone who runs real-world assessments for a living. No theory. No marketing speak. Just practical guidance on readiness, evidence collection, and what actually moves the needle. Submit your questions at registration and get clear answers during the live Q&A. 🗓 May 28 | 12 PM ET 👉 Register here: https://okt.to/k0MLQU
-
The EU AI Act regulates AI based on risk, and not all AI systems face the same requirements. There are four categories: 👀 Minimal risk ✋ Limited risk ⚠️ High risk ⛔ Prohibited The problem for today’s GRC leaders? Most companies don’t yet know how their AI systems should be classified. And this classification determines whether organizations must implement risk management frameworks, technical documentation, human oversight, and/or continuous monitoring. Understanding this model is the first step toward compliance. We break it down in our latest EU AI Act resource: https://okt.to/Q4AOba
-
Trust isn’t just business anymore. It’s personal. And that changes everything for GRC teams around the world. Tune into the latest episode of When Trust Meets AI as host Adam Markowitz and Olivia Rose of Rose CISO Group unpack the playbook for security leaders who want to lead their teams into the future: 👉 Why your tech debt determines your AI success more than your AI strategy 👉 The unexpected truth: GRC is becoming a revenue-protecting function 👉 A simple yet powerful mindset shift for leaders (hint: stop self-sabotaging) Full episode here: https://okt.to/iyLgXr
-
Trust is built on transparency. That’s why we’re excited to see A-LIGN’s Trust Center now live — giving customers a secure, streamlined way to access the information they need about A-LIGN’s security program, all in one place. From audit management to evidence collection, A-LIGN continues to help organizations navigate cybersecurity compliance with confidence. 💪 Check out their new Trust Center: https://okt.to/JLlWxP