TrustEvals and Accorian roll out real-time AI governance framework
TrustEvals and Accorian on June 30 unveiled a new governance, risk and compliance framework aimed at enterprise AI systems that can change after deployment. The firms say traditional one-time audits miss “control drift,” leaving companies exposed to regulatory penalties, security gaps and autonomous behavior that can shift without code changes.
Why it matters:
- Enterprise AI systems can change behavior after deployment, even when internal teams do not change the code.
- The firms say that makes classic, periodic compliance checks too slow for AI risk.
- The framework is aimed at financial institutions and other enterprises that face regulatory exposure and operational risk from AI.
What happened:
- TrustEvals and Accorian released a new Governance, Risk and Compliance framework for enterprise AI on June 30.
- The firms said the framework is designed to address “control drift,” which they describe as a core vulnerability in AI deployments.
- The release argues that traditional compliance models break down when applied to modern AI systems.
The details:
- In traditional software, a security control stays steady once installed.
- In AI systems, controls can drift because of silent vendor updates, changing data inputs and evolving autonomous agent behavior.
- A system that passes a security audit today can fail tomorrow without any internal code change.
- The framework says classical GRC assumes controls hold, while AI GRC must assume controls drift.
- The authors say that requires continuous, real-time measurement instead of annual audits.
- The framework highlights “shadow AI” as a major issue.
- Telemetry studies cited in the release show 64.5% of activity on personal and free-tier AI accounts is uninstrumented business use.
- The release says 75% of knowledge workers already use AI at work, often outside official IT procurement channels.
- The framework warns that many companies treat AI risk classification as a one-time launch label.
- It says the EU AI Act requires continuous lifecycle monitoring for high-risk systems.
- The release says failing those obligations can trigger penalties of up to 15 million euros or 3% of global turnover.
- The report also warns about “safety overfitting,” where aggressive testing can make an AI agent refuse core tasks too broadly.
- The framework calls for autonomy budgets that match an AI agent’s “blast radius” rather than its technical capability.
- High-impact actions such as moving funds should require explicit human approval.
- The firms say runtime detection should become the primary security control because preventive controls in non-deterministic AI are only probabilistic.
- The framework says internal operational, compliance and audit teams should all read from one continuous production trace layer.
Between the lines:
- The release frames AI governance as a shift from static assurance to continuous monitoring.
- That approach would raise the bar for compliance teams, security teams and auditors that still rely on scheduled reviews and sample-based testing.
- The emphasis on runtime controls suggests vendors and enterprises may need to redesign how they collect evidence, assess risk and approve AI actions.
What's next:
- Accorian says its AI-enabled GRC platform, GORICO, will help organizations move beyond point-in-time compliance.
- GORICO provides continuous visibility into controls, risks, evidence and audit readiness.
- The platform includes AI-assisted workflows for risk assessments, policy management, evidence mapping and compliance operations.
- TrustEvals says its work spans strategy, transformation, production evaluations, governance frameworks and audit readiness for clients in financial services and other sectors.
- Accorian says its services include vCISO advisory, compliance readiness, penetration testing, cyber risk management and security strategy.
The bottom line:
- The message is clear: if AI keeps changing after deployment, governance has to keep up in real time.
Disclaimer: This article was produced by AGP Wire with the assistance of artificial intelligence based on original source content and has been refined to improve clarity, structure, and readability. This content is provided on an “as is” basis. While care has been taken in its preparation, it may contain inaccuracies or omissions, and readers should consult the original source and independently verify key information where appropriate. This content is for informational purposes only and does not constitute legal, financial, investment, or other professional advice.