AI governance and compliance advisory firms TrustEvals and Accorian have jointly released a new Governance, Risk, and Compliance (GRC) framework aimed at addressing what they describe as a fundamental flaw in how enterprises manage AI systems. The framework argues that traditional compliance models are no longer sufficient for modern AI deployments, particularly in regulated industries such as financial services.
At the center of the report is the concept of “control drift,” which highlights how AI systems can change behavior over time without explicit code modifications, creating hidden compliance and security risks.
TrustEvals and Accorian release new AI-focused GRC framework.
Introduces concept of “control drift” in AI systems.
Warns traditional compliance models are outdated for AI environments.
Highlights risks from shadow AI and EU AI Act non-compliance.
Proposes continuous, runtime-based governance models.
Accorian’s GORICO platform supports continuous AI compliance monitoring.
The framework argues that traditional Governance, Risk, and Compliance (GRC) approaches assume static system behavior, where security controls remain stable once implemented. However, AI systems behave differently due to continuous updates, evolving data inputs, and autonomous decision-making patterns.
According to the report, these factors make AI systems inherently non-deterministic, meaning their outputs and behaviors can shift over time even without direct intervention from internal engineering teams. This introduces a governance challenge that cannot be addressed through periodic audits alone.
The core idea introduced in the framework is “control drift,” which describes the gradual and often invisible degradation or alteration of security and compliance controls in AI systems.
“Classical GRC assumes the control holds, but AI GRC has to assume the control drifts,” the authors state in the framework.
This shift in assumption requires organizations to move away from point-in-time validation models and adopt continuous monitoring systems capable of detecting behavioral changes in real time.
The report identifies several critical risks that enterprises face as AI adoption accelerates:
Shadow AI Usage
A significant portion of enterprise AI activity occurs outside sanctioned systems, with employees using personal or free-tier AI tools for business tasks. This creates blind spots in governance and compliance monitoring.
EU AI Act Compliance Exposure
The framework warns that many organizations incorrectly treat AI compliance as a one-time classification exercise. Instead, regulatory obligations under frameworks such as the EU AI Act require ongoing lifecycle monitoring, with penalties for non-compliance reaching up to 15 million Euros or 3 percent of global turnover.
Safety Overfitting in AI Systems
The report also highlights a lesser-known risk where overly aggressive safety tuning can cause AI systems to generalize restrictions too broadly, limiting their ability to perform intended functions effectively.
To address these risks, TrustEvals and Accorian propose a fundamental restructuring of enterprise GRC systems. The framework emphasizes real-time, continuous monitoring over traditional audit cycles.
Key recommendations include:
Autonomy-Based Risk Controls
AI systems should be governed based on their potential “blast radius,” ensuring that high-impact actions require explicit human approval.
Runtime Detection Models
Instead of relying on preventive controls alone, organizations should implement runtime detection systems to continuously evaluate AI behavior as it operates.
Unified Governance Layers
The framework recommends consolidating operational, compliance, and audit functions into a single continuous telemetry-based system rather than maintaining separate periodic review processes.
Accorian’s AI-enabled GRC platform, GORICO, is positioned as a practical implementation layer for the framework. The platform enables organizations to move beyond static compliance checks by providing continuous visibility into risks, controls, and audit readiness.
GORICO integrates AI-assisted workflows for risk assessments, policy management, evidence tracking, and compliance operations, allowing enterprises to monitor evolving AI environments in real time.
The framework underscores a growing gap between rapid AI deployment and outdated compliance models. As enterprises increasingly rely on autonomous and semi-autonomous AI systems, governance structures must evolve to match the dynamic nature of these technologies.
TrustEvals and Accorian argue that without continuous governance mechanisms, organizations risk both regulatory penalties and operational instability as AI systems evolve unpredictably.
TrustEvals helps financial services firms turn AI into measurable top-line value while ensuring trust and reliability. Their work spans strategy, transformation, production evaluations, governance frameworks, and audit readiness for clients including banks, hedge funds, wealth managers, manufacturing firms, startups, real estate and private equity firms.
Accorian is a global cybersecurity and compliance advisory firm offering services including vCISO advisory, compliance readiness, penetration testing, cyber risk management, and security strategy. The company supports organizations across frameworks such as SOC 2, ISO certifications, NIST CSF, PCI DSS, HIPAA, CMMC, GDPR, and others.