Standards Sprawl Platformization And Mapping Workload
Sources: 1 • Confidence: Medium • Updated: 2026-04-01 03:40
Key takeaways
- According to Christina Cacioppo, a major portion of compliance work is keeping overlapping control text in sync and mapping new regimes to existing controls to identify duplicates.
- According to Christina Cacioppo, GitHub answers 92% of the security questionnaires it receives through Vanta.
- According to Christina Cacioppo, Vanta’s pre-AI operating model aimed to delay when a company needs a dedicated security/compliance hire by enabling an engineering leader to manage more of the program.
- According to Christina Cacioppo, outbound phone calls are currently working better than email for outbound selling due to AI-generated email spam, but this advantage may be temporary.
- According to Christina Cacioppo, security trust centers primarily function as ticket deflection for GRC teams by pre-packaging evidence and answers for prospects before they ask questions.
Sections
Standards Sprawl Platformization And Mapping Workload
- According to Christina Cacioppo, a major portion of compliance work is keeping overlapping control text in sync and mapping new regimes to existing controls to identify duplicates.
- According to Christina Cacioppo, Vanta’s approach is to support many compliance standards by building a system where adding a new standard is easy, rather than heavily debating which standards to prioritize.
- According to Christina Cacioppo, SOC 2 is typically the first framework customers come to Vanta for, with ISO 27001 commonly second (especially for European enterprise sales).
- According to Christina Cacioppo, current AI-related compliance standards are generally optional (opt-in) rather than regulatory, and none has clear breakout product-market fit yet.
- According to Christina Cacioppo, Vanta’s internal mapping suggests SOC 2 and ISO 27001 overlap by roughly 60–65%, with much of the incremental ISO work being documentation.
- According to Christina Cacioppo, SOC 2-related work is a plurality of Vanta’s usage but not a majority because customers also pursue many other standards, including emerging AI-related standards and industry-specific requirements.
AI Shifts Value From Document Generation To Monitoring And HITL Triage
- According to Christina Cacioppo, GitHub answers 92% of the security questionnaires it receives through Vanta.
- According to Christina Cacioppo, LLMs can reduce initial audit preparation by turning unstructured evidence into a structured compliance program, but continuous control monitoring remains the durable advantage of a dedicated platform.
- According to Christina Cacioppo, Vanta’s questionnaire automation is positioned as review-and-approve with confidence scoring to focus human attention on uncertain sections.
- According to Christina Cacioppo, Vanta expects to increase its number of agentic LM workflows from a couple dozen to hundreds by the end of the year.
- According to Christina Cacioppo, AI agents are expected to take over repetitive GRC work and shift humans toward oversight and risk-portfolio strategy.
- According to Christina Cacioppo, Vanta plans to ship agent-generated UI that renders task-specific interfaces for users, with an expected timeline of this summer.
Buyer Persona And Org Evolution For Security GRC
- According to Christina Cacioppo, Vanta’s pre-AI operating model aimed to delay when a company needs a dedicated security/compliance hire by enabling an engineering leader to manage more of the program.
- According to Christina Cacioppo, Vanta primarily targets workflows within the CISO organization today but is evaluating adjacency into enterprise risk and internal audit, with financial audit also viewed as adjacent and interesting.
- According to Christina Cacioppo, in many organizations, governance, risk, and compliance functions are centralized under the CISO organization, making CISOs a primary buyer for compliance tooling.
- According to Christina Cacioppo, compliance roles will persist but become more skilled over time.
- According to Christina Cacioppo, security, compliance, and IT responsibilities are expected to remain unified longer in smaller teams, with a later split into specialized functions.
- According to Christina Cacioppo, AI agents are expected to take over repetitive GRC work and shift humans toward oversight and risk-portfolio strategy.
Go To Market Channel And Positioning Deltas
- According to Christina Cacioppo, outbound phone calls are currently working better than email for outbound selling due to AI-generated email spam, but this advantage may be temporary.
- According to Christina Cacioppo, trying to tightly associate the category term 'SOC 2' with the brand 'Vanta' worked early but became strategically harmful once competitors entered and also pointed prospects at SOC 2.
- According to Christina Cacioppo, podcast advertising was highly effective for Vanta, including an early campaign where a $60,000 podcast ad buy led one salesperson to sell about 34 additional deals.
- According to Christina Cacioppo, Vanta measures billboard effectiveness using geo comparisons and tracking prospects mentioning the word 'billboard' on recorded sales calls.
- According to Christina Cacioppo, Vanta primarily sells via a sales-led motion and serves customers ranging from very early-stage founders to at least one member of the Fortune 50.
Compliance As Revenue Unlock And Distribution Gate
- According to Christina Cacioppo, security trust centers primarily function as ticket deflection for GRC teams by pre-packaging evidence and answers for prospects before they ask questions.
- According to Christina Cacioppo, for startups, compliance outcomes (e.g., SOC 2) are often the buying trigger for security work because customers ask for compliance rather than security.
- According to Christina Cacioppo, enterprise security questionnaires and audit requirements can create a moment where doing compliance unlocks significant enterprise revenue upside for startups.
- According to Christina Cacioppo, at Dropbox, launching Dropbox Paper to enterprise customers was slowed because the product lacked security and compliance commitments embedded in Dropbox contracts, leading to about 1.5 years of work with no feature building.
Watchlist
- According to Christina Cacioppo, a team at GSA is attempting to modernize FedRAMP, but it is unclear whether it will succeed and standards may continue to diverge rather than converge.
- According to Christina Cacioppo, outbound phone calls are currently working better than email for outbound selling due to AI-generated email spam, but this advantage may be temporary.
Unknowns
- What are Vanta’s net retention, gross retention, and expansion dynamics by segment (early-stage vs enterprise) corresponding to the described segmentation?
- How much time/cost reduction does the controls-as-tests approach deliver versus manual compliance processes, and how does it affect audit outcomes (exceptions, time-to-audit)?
- How accurate and generalizable are control recommendations derived from the completed-audits dataset, and do they reduce audit rework or exceptions?
- For questionnaire automation, what is the override rate, error rate, and average reviewer time saved at different confidence thresholds?
- Do trust centers measurably shorten sales cycles or reduce inbound security tickets, and under what conditions (segment, buyer type, deal size)?