AI is driving down the cost of policies, control mappings, and document reviews. But it cannot replace risk owners or defensible decisions. In the InfoSec/GRC market, value is therefore shifting from document production to security that can actually be governed and managed.
Executive Summary
- Generative AI is accelerating a substantial share of traditional knowledge work. A field study involving 758 BCG consultants measured more than 25 percent higher speed and more than 40 percent better human-rated outcomes for tasks within the tested performance boundary. For one task outside that boundary, however, AI users were 19 percentage points more likely to land on a wrong answer.[1]
- This uneven performance frontier is precisely what hits the InfoSec/GRC market: text production, extraction, and first-pass mappings become cheaper. Context definition, scoping, risk assessment, accountability assignment, and defensible approvals remain demanding work.
- Regulation and recognized security frameworks do not require the largest possible document package. They require proportionate measures, clear executive engagement, auditable results, and continual improvement.[2][3][4]
- Buyers should therefore stop evaluating consulting engagements by slide count, firm logo, or billed person-days. What matters is whether risks, measures, evidence, and decisions can actually be governed after the project ends.
A Video on the Decline of Big Consulting Models Hits a Nervous Spot
The video The (Overdue) Collapse of Bullsh*t Companies describes a well-known business model of large audit and consulting houses: a powerful brand builds trust and access. Many junior staff produce analyses, documents, and presentations. A small number of experienced partners serve as the public face of the engagement. The client pays not only for the work delivered, but also for reputation, global structure, and high overhead.[5]
The video's framing is deliberately provocative, but its market thesis deserves serious attention. AI reduces the effort required for data extraction, document comparison, research preparation, and text drafts. That strips some of the former advantage of sheer team size. In-house teams, specialized boutiques, and individual senior consultants can now take on work that previously required a pyramid of partners, managers, and juniors.
This is not proof that large consultancies will disappear. They remain strong where global presence, very large teams, formal audit mandates, or broad liability and delivery structures are required. What comes under pressure is a narrower model: expensive standard output whose perceived value derives primarily from the provider's brand name.
GRC Output Gets Cheap First
Many typical GRC artifacts can now be prepared faster:
- Draft policies and control descriptions
- Initial framework and requirement mappings
- Summaries of standards, laws, and audit findings
- Questionnaire drafts and evidence lists
- Structuring of risk and action registers
- Management presentations from existing data
This is useful. But it is only the production side of the work.
A polished document does not answer whether the scope is right. A mapping proves no equivalence. An existing piece of evidence tells you nothing about whether a control is properly designed, fully implemented, and operating effectively over the relevant period. A risk register is worthless if nobody is authorized to treat, accept, or escalate it.
Eurostat reports that in 2024, 92.76 percent of EU companies surveyed used at least one of the requested ICT security measures. At the same time, 21.54 percent reported consequences from ICT-related security incidents in 2023.[6] The reference populations and years are not identical, so no direct effectiveness rate can be calculated from this. The numbers do highlight an important boundary, however: the mere presence of individual measures does not eliminate security incidents and does not prove a functioning management system on its own.
GRC Is Not Made Valuable by Text Production
The defensible part of the work begins at the transitions:
- Which legal, contractual, or normative requirements apply to which entity, which service, and which location?
- Which business scenarios and dependencies create the relevant risk?
- Who is authorized to decide on treatment, exception, or acceptance?
- Which control addresses which objective, in what scope, with what expected evidence?
- Has a document merely been created, or do design, implementation, and operation actually work together?
- What decision must the executive body make, and how much residual uncertainty remains?
NIS2 makes the governance dimension explicitly visible. Article 20 requires, at the level of the EU directive, that the management bodies of essential and important entities approve cybersecurity risk-management measures and oversee their implementation. Article 21 requires appropriate and proportionate technical, operational, and organizational measures.[2] The concrete applicability depends on the relevant national implementation law and the facts of each organization.
NIST CSF 2.0 also treats GOVERN as a standalone function and describes cybersecurity in terms of outcomes, not as a procurement or document checklist.[3] ISO/IEC 27001 describes a management system that must be established, implemented, maintained, and continually improved.[4] The BSI Standard 200-1 explicitly details which tasks fall to the executive level in information security management.[7] ENISA's Technical Implementation Guidance supplements the NIS2 framework for specific digital sectors with practical advice, evidence examples, and mappings; it is an orientation aid, not a legally binding extension of the regulatory framework.[10]
These sources use different legal and operational forms. What they share: a folder full of artifacts is no substitute for a functioning governance system.
AI Amplifies Good and Bad Consulting Alike
The Harvard/BCG study is interesting precisely because it does not show a blanket productivity win. Within the tested performance frontier, GPT-4 helped considerably. For the tested task outside that frontier, the probability of a correct solution dropped.[1]
For GRC work, this does not lead to an AI ban. It leads to due diligence in the professional sense:
- Sources and currency must be verified.
- Legal obligation, supervisory guidance, contractual requirement, and voluntary standard must not be conflated.
- Mappings need justification, scope definition, and uncertainty marking.
- Claimed evidence must be checked for period, origin, responsible party, and what it actually demonstrates.
- Approvals and risk decisions remain with the people authorized to make them.
How expensive unchecked AI output can become was demonstrated by an Australian government contract. The Department of Employment and Workplace Relations confirmed in an independent review conducted by Deloitte that erroneous footnotes and references were present; a corrected version was subsequently published. The revised version disclosed the use of Azure OpenAI, and the Australian government announced a partial refund. The original contract was valued at AUD 440,000 — approximately USD 290,000 at the time.[8][9]
The problem was not that AI was used. The problem was that an expensive professional process let through errors that competent source and quality control should have caught.
What Buyers Should Purchase Going Forward
A good selection conversation should spend less time on logos and methodology names. These questions are more revealing:
- Who is actually working on the engagement, and how much direct access does the buyer have to the responsible senior person?
- Which decision or operational capability should be improved at the end?
- How are sources, mappings, statements, and evidence verified?
- Does the provider distinguish between document existence, control design, implementation, and effectiveness?
- Are open assumptions and boundaries made visible, or hidden behind a maturity rating?
- Do registers, justifications, and decision records remain understandable and maintainable by the internal team after the project?
- Are there conflicts of interest between consulting, implementation, and independent assurance?
- When is another specialist, a certification body, a legal advisor, or a formal auditor required?
The last point matters. Professional consulting should not only show what it can do, but also where its mandate ends.
When A-R-C May Be a Better Fit
This section describes the positioning of A-R-C. It is not a neutral market comparison. A-R-C is not automatically the right fit for every undertaking. If a corporation needs to mobilize hundreds of people across 30 countries simultaneously or obtain a legally reserved audit opinion, it requires a different structure.
A-R-C may be a better fit when the bottleneck lies in senior governance, expert contextualization, and defensible implementation:
Direct Senior Work Instead of Partner Facade
The contact person from the initial conversation remains present in the actual work. This reduces translation losses and prevents a situation where an experienced profile is sold but the delivery falls predominantly to rotating junior teams.
Governance Capability Instead of Document Delivery
The goal is not the largest possible paper collection. Risks, measures, exceptions, evidence, and responsibilities should be structured so that management, IT, business units, and audit bodies can actually work with them.
Regulation Translated into Decisions
ISO 27001, BSI IT-Grundschutz, NIS2/KRITIS, TISAX, and audit requirements are not treated as interchangeable checklists. What matters is applicability, scope, business context, evidence, and the decision a responsible role must actually make.
AI as a Tool Under Expert Accountability
AI can accelerate research, structuring, and draft work. The result remains subject to expert review and accountability. Plausible formulations are never confused with verified findings.
Less Overhead, More Usable Senior Capacity
A lean, remotely deliverable model reduces the organizational overhead of a large house. This does not automatically mean the lowest price. It can increase the share of the budget available for hands-on senior-level work.
The difference can be stated simply: anyone who merely needs another policy document can choose from many providers and tools today. Anyone who must clarify which risks apply, who is authorized to decide, which measures take priority, and how effectiveness is demonstrated needs experience and judgment.
Closing
AI will not eliminate the InfoSec/GRC market. It will devalue standard output and make weak consulting models visible faster.
For buyers, this is good news. They can automate more document production and target external support more precisely where accountability, contextualization, independence, and implementation experience count.
A-R-C positions itself exactly at this intersection: making information security governable, auditable, and management-ready. Not through more paper, but through clear risks, defensible evidence, and traceable decisions.
How A-R-C Can Help
If your ISMS has many documents but too little governance capability, a focused Governance and Audit Readiness Review can make the bottleneck visible. A-R-C examines scope, roles, risks, measures, evidence, and management decisions, then produces a prioritized implementation plan from those findings.
Sources
- Dell'Acqua et al., Navigating the Jagged Technological Frontier: Field Experimental Evidence of the Effects of AI on Knowledge Worker Productivity and Quality, Harvard Business School, study with 758 BCG consultants. HBS summary and working paper: https://aiinstitute.hbs.edu/navigating-the-jagged-technological-frontier/ and https://www.hbs.edu/faculty/Pages/item.aspx?num=64700
- Directive (EU) 2022/2555 (NIS2), particularly Art. 20 and 21, EUR-Lex: https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
- NIST, Cybersecurity Framework (CSF) 2.0, particularly the GOVERN function: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
- ISO, ISO/IEC 27001:2022 – Information security management systems, official overview: https://www.iso.org/standard/27001
- The Invisible Game, The (Overdue) Collapse of Bullsh*t Companies, YouTube, published July 17, 2026: https://www.youtube.com/watch?v=ohCAPyqlJpo
- Eurostat, ICT security in enterprises, data as of December 2024: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=ICT_security_in_enterprises
- BSI, BSI-Standard 200-1: Managementsysteme für Informationssicherheit (ISMS): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_1.html
- Australian Department of Employment and Workplace Relations, Statement from the Secretary on progress under the Targeted Compliance Framework Integrity Assurance Program: https://www.dewr.gov.au/assuring-integrity-targeted-compliance-framework/announcements/statement-secretary-progress-under-targeted-compliance-framework-integrity-assurance-program
- Associated Press, Deloitte Australia to partially refund $290,000 report filled with apparent AI-generated errors, October 7, 2025: https://apnews.com/article/australia-ai-errors-deloitte-ab54858680ffc4ae6555b31c8fb987f3
- ENISA, NIS2 Technical Implementation Guidance, June 26, 2025. The guidance contains practical advice, evidence examples, and mappings; it is not a legally binding extension of the NIS2 regulatory framework: https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
Sources verified as of July 18, 2026. This article addresses information security, governance, and implementation topics. It does not replace legal advice, certification, or independent assurance for individual cases.