AI And Agents Shift Value Toward Workflow Automation And Monitoring
Sources: 1 • Confidence: Medium • Updated: 2026-04-11 19:41
Key takeaways
- A major portion of compliance work is keeping overlapping control text in sync and mapping new regimes to existing controls to identify duplicates.
- Christina Cacioppo expects standards to continue diverging rather than converging, including in the context of FedRAMP and related state/local variants.
- Expanding Vanta into financial audit would require building a different integration set, including ERP and payments integrations, and timing those integrations is a key gating consideration.
- Christina Cacioppo characterizes Vanta as a controls platform whose core loop is deciding which controls should exist and validating they are being followed, with evidence packaging as the key artifact.
- Security trust centers primarily function as ticket deflection for GRC teams by pre-packaging evidence and answers for prospects before they ask questions.
Sections
AI And Agents Shift Value Toward Workflow Automation And Monitoring
- A major portion of compliance work is keeping overlapping control text in sync and mapping new regimes to existing controls to identify duplicates.
- GitHub answers 92% of the security questionnaires it receives through Vanta.
- LLMs can reduce initial audit preparation by turning unstructured evidence into a structured compliance program, but continuous control monitoring remains a durable advantage of a dedicated platform.
- Vanta provides reasonable-default security questionnaires to shift buyer questions toward security outcomes (e.g., 'do you do X') rather than policy-existence questions.
- Vanta positions questionnaire automation as a 'review and approve' workflow with confidence scoring to focus human attention on uncertain sections.
- Vanta expects to increase its number of agentic LM workflows from a couple dozen to hundreds by the end of the year.
Standards Proliferation And Cross Framework Leverage
- Christina Cacioppo expects standards to continue diverging rather than converging, including in the context of FedRAMP and related state/local variants.
- Vanta’s strategy is to support many compliance standards by building a system where adding a new standard is easy.
- SOC 2 is typically the first framework customers come to Vanta for, and ISO 27001 is commonly second, especially for European enterprise sales.
- Current AI-related compliance standards are generally optional (opt-in) and not regulatory, and none has clear breakout product-market fit yet.
- Vanta’s internal mapping suggests SOC 2 and ISO 27001 overlap by roughly 60–65%, with much of the incremental ISO work being documentation.
- SOC 2-related work is a plurality of Vanta usage but not a majority because customers also pursue many other standards, including emerging AI-related standards and industry-specific requirements.
Adjacent Expansion And Bottlenecks In Integrations And Buyer Personas
- Expanding Vanta into financial audit would require building a different integration set, including ERP and payments integrations, and timing those integrations is a key gating consideration.
- Vanta’s pre-AI operating model aimed to delay when a company needs a dedicated security/compliance hire by enabling an engineering leader to manage more of the program.
- Vanta is considering expanding by adding additional pillars or verticals, including deeper coverage within security for small and mid-market businesses.
- Vanta primarily targets workflows within the CISO organization today and is evaluating adjacency into enterprise risk and internal audit, with financial audit also viewed as adjacent.
- Vanta sells primarily via a sales-led motion and serves customers from very early-stage founders to at least one member of the Fortune 50.
- In many organizations, governance, risk, and compliance functions are centralized under the CISO organization, making CISOs a primary buyer for compliance tooling.
Controls Platform And Continuous Compliance Via Automated Tests
- Christina Cacioppo characterizes Vanta as a controls platform whose core loop is deciding which controls should exist and validating they are being followed, with evidence packaging as the key artifact.
- Unlike PCI DSS, SOC 2 does not prescribe an exact control list; it requires companies to define for themselves which events are 'useful' to log and then log them, which can be confusing for startups.
- Vanta helps companies build security programs and prove that work via audits, security questionnaires, and trust centers.
- Vanta’s product experience is segmented: early-stage customers want a guided, TurboTax-like workflow, while larger customers want Datadog-like real-time dashboards, deviations, and auto-remediation for controls.
- Vanta models each compliance control as an automated test that pulls data from systems such as GitHub/GitLab and evaluates required properties (e.g., PR review separation: a pull request is approved by someone other than its author before merge).
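The "control as an automated test" model in the last bullet, as an added illustration written for this page (it is not Vanta's code): one control, "merged pull requests carry an independent approval", evaluated over pull-request records and emitting the evidence a GRC reviewer would want (which PRs failed and why). The record shape assumes the fields of GitHub's pulls and reviews REST endpoints (`number`, `user.login`, `merged_at`, review `state`), with each PR's review list assumed to have been fetched and attached beforehand; the PR numbers, logins and timestamps in the sample are constructed.

```python
"""Compliance control expressed as an automated test (illustrative, not Vanta's code).

Control: every merged pull request has at least one APPROVED review from a
reviewer who is not the PR author. Input records mirror GitHub's pulls and
reviews API field names (assumed shape); sample data below is constructed.
"""
from dataclasses import dataclass, field

APPROVED = "APPROVED"


@dataclass
class Finding:
    pr_number: int
    author: str
    reason: str


@dataclass
class ControlResult:
    control_id: str
    passed: bool
    checked: int                      # merged PRs in scope
    findings: list = field(default_factory=list)


def _effective_reviews(reviews):
    """Collapse a reviewer's review history to their latest decisive state.

    GitHub returns reviews in submission order. COMMENTED reviews carry no
    decision, and an APPROVED review followed by CHANGES_REQUESTED from the
    same reviewer no longer counts as an approval.
    """
    latest = {}
    for review in reviews:
        if review["state"] == "COMMENTED":
            continue
        latest[review["user"]["login"]] = review["state"]
    return latest


def evaluate_pr_review_separation(pull_requests):
    """Run the control over a set of PR records; unmerged PRs are out of scope."""
    findings = []
    checked = 0
    for pr in pull_requests:
        if pr.get("merged_at") is None:
            continue
        checked += 1
        author = pr["user"]["login"]
        latest = _effective_reviews(pr.get("reviews", []))
        independent = {u for u, s in latest.items() if s == APPROVED and u != author}
        if independent:
            continue
        if not latest:
            reason = "merged with no reviews"
        elif latest.get(author) == APPROVED and len(latest) == 1:
            reason = "only approval is the author's own"
        else:
            states = ", ".join(f"{u}={s}" for u, s in sorted(latest.items()))
            reason = f"no independent approval; latest states: {states}"
        findings.append(Finding(pr["number"], author, reason))
    return ControlResult("pr-review-separation", not findings, checked, findings)


# Constructed sample: four merged PRs (one compliant, three not) and one open PR.
SAMPLE_PRS = [
    {"number": 101, "user": {"login": "alice"}, "merged_at": "2026-03-01T10:00:00Z",
     "reviews": [{"user": {"login": "bob"}, "state": "APPROVED"}]},
    {"number": 102, "user": {"login": "bob"}, "merged_at": "2026-03-02T10:00:00Z",
     "reviews": [{"user": {"login": "bob"}, "state": "APPROVED"}]},          # self-approval
    {"number": 103, "user": {"login": "carol"}, "merged_at": "2026-03-03T10:00:00Z",
     "reviews": []},                                                          # no review at all
    {"number": 104, "user": {"login": "dave"}, "merged_at": "2026-03-04T10:00:00Z",
     "reviews": [{"user": {"login": "erin"}, "state": "APPROVED"},
                 {"user": {"login": "erin"}, "state": "CHANGES_REQUESTED"}]},  # approval withdrawn
    {"number": 105, "user": {"login": "alice"}, "merged_at": None,
     "reviews": []},                                                          # open, out of scope
]

if __name__ == "__main__":
    result = evaluate_pr_review_separation(SAMPLE_PRS)
    print(result.control_id, "PASS" if result.passed else "FAIL", f"({result.checked} PRs checked)")
    for finding in result.findings:
        print(f"  PR #{finding.pr_number} by {finding.author}: {finding.reason}")
```

The result object, rather than a bare pass/fail, is the point: the list of failing PRs with a reason is the evidence an auditor asks for, and re-running the test on a schedule is what turns a point-in-time audit check into continuous monitoring.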
Compliance As Revenue Unlock And Distribution Gate
- Security trust centers primarily function as ticket deflection for GRC teams by pre-packaging evidence and answers for prospects before they ask questions.
- For startups, customer requests for compliance (e.g., SOC 2) are a primary trigger for doing security work.
- Enterprise security questionnaires and audit requirements can make compliance work a revenue unlock for startups by enabling access to significant enterprise revenue.
- At Dropbox, launching Dropbox Paper to enterprise customers was slowed because the product lacked security and compliance commitments embedded in Dropbox contracts, leading to about 1.5 years of work without feature building.
Watchlist
- A team at GSA led by Pete Waterman is attempting to modernize FedRAMP, and it is unclear whether it will succeed.
- Christina Cacioppo expects standards to continue diverging rather than converging, including in the context of FedRAMP and related state/local variants.
- Outbound phone calls are described as currently working better than email for outbound selling due to AI-generated email spam, and this advantage may be temporary.
Unknowns
- What are Vanta’s pricing structure, average contract value, and primary packaging metrics (e.g., per framework, per control, per questionnaire volume, per seat)?
- What are Vanta’s retention and expansion dynamics (gross retention, net retention, churn by segment, expansion by additional standards/modules)?
- How accurate are AI-assisted questionnaire answers and other agentic outputs (error rates, human override rates, incident/root-cause patterns)?
- How does Vanta’s claimed audit dataset (roughly 30,000 audits) map to model performance improvements (time-to-audit reduction, fewer exceptions, faster sales cycles)?
- What is the competitive landscape and differentiation in continuous control monitoring and standards support (feature parity, switching costs, integration depth)?