Governance, Risk, and Compliance: What Has Changed According to Cyber Security Expert Sahil Dhir

Press Release | Governance, Risk, and Compliance (GRC) has been the backbone of every innovation in today's digital transformation. As organizations across the globe accelerate their adoption of new technologies, maintaining security and regulatory compliance has become more challenging and more essential than ever.

It’s no longer enough to innovate rapidly; leaders in the tech space are now measured on how seamlessly they integrate robust GRC frameworks into the foundation of their digital advancements.

Few professionals embody this critical fusion of innovation and oversight at the scale Sahil Dhir has achieved. With over fourteen years of experience in cybersecurity and risk management, Dhir has not only helped Fortune 100 companies handle complex regulations but has also delivered successes in the public sector. 

His role in scaling Illinois’ Digital Transformation Act program, growing it from just four agencies to over seventy-three statewide, highlights GRC’s power to drive transformation even in the most intricate government environments. 

Sahil Dhir’s work proves that, with the proper governance and compliance structures, organizations can foster innovation at scale without sacrificing risk management, a lesson that becomes more vital with every technological leap.

In an interview with India Today, Sahil Dhir shares his journey into GRC frameworks and how these have changed over the years, drawing on his experience from his various roles and responsibilities. 

Sahil, can you please give us a short overview of your background?

Answer: With over 14 years of experience in cybersecurity and Governance, Risk, and Compliance (GRC), I have led enterprise-wide initiatives that enhance risk visibility, ensure regulatory alignment, and drive security transformation across Fortune 100 companies, Big Four consulting firms, and public sector organizations. 

My work has included implementing global GRC platforms, developing governance frameworks for emerging technologies such as generative AI, and aligning complex security programs with evolving regulatory landscapes. I currently work as a Senior Risk and Security Manager at Amazon. I shape security strategy at scale, influence organizational risk decisions, and mentor the next generation of cybersecurity professionals.

Could you tell us more specifically about your work at Amazon and how it ties into your broader experience?

Answer: As a Senior Risk and Security Manager at Amazon, I lead global security and GRC initiatives that support the company’s compliance obligations across highly regulated business lines. One of my key contributions has been developing and implementing an enterprise-wide GRC platform, significantly enhancing Amazon’s ability to monitor risk, automate controls, and maintain compliance with international regulations such as SOX, GDPR, and industry-specific mandates.

I have also developed a generative AI risk governance framework, a strategic effort to ensure secure and compliant use of emerging AI technologies across the enterprise. These efforts have materially improved the organization’s risk posture and continue to inform policy and governance practices at scale.

My ability to deliver such large-scale, high-impact programs at Amazon is grounded in the depth and breadth of my prior experience, particularly during my tenure at Deloitte. There, I served as a key security and GRC architect for the State of Illinois’ cybersecurity modernization program. I led the implementation of a statewide security and GRC solution that unified governance and compliance functions across more than 60 state agencies. The program was one of the first in the public sector and laid a strong foundation for consistent, transparent, and sustainable risk management practices.

What was the state of the governance, risk, and compliance sector before?

Answer: Historically, GRC was heavily manual, siloed, and reactive, focusing on compliance checklists and basic risk assessments. Organizations relied on disparate tools and processes, often addressing risks after incidents. Regulatory frameworks were less complex, with limited global interoperability, and cybersecurity was a nascent concern. GRC was primarily driven by audit requirements rather than strategic integration with business objectives. Data management was rudimentary, with minimal automation, and emerging technologies like AI were not yet significant factors in shaping GRC practices.

With over 14 years in information security and GRC, how has the sector fundamentally changed since you began your career? What do you think contributed to these changes?

Answer: The GRC sector has evolved from a compliance-centric function to a strategic, technology-driven discipline. Key changes include the integration of advanced analytics, automation, and real-time risk monitoring, enabling proactive risk management. Global regulations like GDPR and CCPA have increased complexity, demanding robust frameworks. 

The rise of cyber threats, cloud computing, and generative AI has expanded the risk landscape, requiring dynamic GRC strategies. Contributors to these shifts include rapid digital transformation, heightened regulatory scrutiny, and technological advancements like AI and big data, which have reshaped how organizations align governance with innovation.

Can you describe how emerging technologies, such as AI and automation, influence modern GRC practices?

Answer: Emerging technologies like AI and automation have revolutionized GRC by enabling predictive risk assessments and streamlined compliance processes. AI-powered tools analyze vast datasets to identify patterns, detect anomalies, and predict potential risks, enhancing decision-making. 

Automation reduces manual efforts in compliance monitoring, policy enforcement, and reporting, improving efficiency and accuracy. For instance, AI-driven analytics can flag regulatory non-compliance in real-time, while robotic process automation (RPA) simplifies audit trails. These technologies empower GRC professionals to focus on strategic oversight, ensuring agility in dynamic regulatory environments.

The rise of generative AI has introduced new complexities to GRC. What prompted your focus on developing the GenAI risk framework, and how has it changed your approach to risk assessment?

Answer: The rapid adoption of generative AI introduced unique risks, such as data privacy breaches, ethical concerns, and regulatory ambiguities, which traditional GRC frameworks were ill-equipped to handle. 

My focus on developing a GenAI risk framework stemmed from the need to address these novel challenges proactively. The framework integrates AI-specific risk identification, ethical guidelines, and compliance with emerging regulations. It has shifted my approach to risk assessment by emphasizing scenario-based modeling and real-time monitoring, enabling organizations to mitigate AI-related risks while leveraging its benefits for innovation.

You've implemented comprehensive risk mitigation strategies across multiple organizations. What are the most critical risks that didn't exist five years ago that companies must now address? 

Answer: Five years ago, risks like generative AI misuse, deepfake-driven fraud, and supply chain cyberattacks were minimal. Today, these are critical concerns. Generative AI poses risks of data leakage and biased outputs, requiring new ethical and compliance controls. Deepfakes threaten reputational and financial integrity, demanding advanced detection mechanisms. Supply chain attacks, amplified by interconnected digital ecosystems, expose vulnerabilities in third-party integrations. 

Additionally, evolving privacy laws and ESG (Environmental, Social, Governance) compliance have introduced regulatory risks that require proactive, cross-functional mitigation strategies.

Can you share an example of how you implemented an enterprise-wide governance, risk, and compliance tool? What has been its outcome or impact?

Answer: At Amazon, I led the implementation of an enterprise-wide GRC tool to streamline compliance and risk management across global operations. The tool integrated regulatory tracking, risk assessments, and automated reporting, aligning with frameworks like GDPR and SOC. We ensured seamless adoption by collaborating with leadership, audit, and legal teams. The outcome was a 30% reduction in compliance reporting time, enhanced risk visibility, and improved audit efficiency. This enabled proactive risk mitigation, reduced non-compliance incidents, and supported scalable business growth.

Given that the Illinois Digital Transformation Act program was one of the first comprehensive state-level GRC modernizations, what were your biggest adoption and rollout challenges, especially scaling from 4 to 60+ agencies? How did you overcome these challenges and resistance from agencies?

Answer: Scaling GRC modernization from 4 to 60+ agencies involved overcoming challenges such as disparate legacy systems, varying cybersecurity maturity, and initial resistance to change. To address these, I led a phased rollout starting with pilot agencies to build trust and demonstrate value. We engaged stakeholders early through customized modernization roadmaps and collaborative governance models, provided role-based training to close skill gaps, and implemented a statewide data governance framework to ensure privacy and compliance. This strategic, inclusive approach transformed resistance into support, enabling a unified, transparent risk management ecosystem across Illinois agencies.

What are the common pitfalls organizations encounter when integrating GRC into their digital transformation journey and adapting to complex global regulations?

Answer: Common pitfalls include siloed GRC functions, inadequate technology integration, and underestimating regulatory complexity. Many organizations fail to align GRC with digital transformation goals, leading to fragmented processes. Legacy systems often hinder automation, causing inefficiencies. 

Additionally, navigating diverse global regulations like GDPR, CCPA, and emerging AI laws requires specialized expertise, which some lack. Poor cross-functional collaboration and insufficient training further exacerbate compliance gaps. To succeed, organizations must adopt integrated GRC platforms, foster collaboration, and prioritize continuous regulatory monitoring.

You've emphasized the importance of cross-functional collaboration with leadership, audit, and legal teams. How has this collaborative approach to GRC evolved? How do you balance the need for agility and innovation with the rigorous compliance demands in highly regulated industries?

Answer: Cross-functional collaboration in GRC has evolved from ad-hoc interactions to structured, strategic partnerships. Early GRC efforts were audit-driven, with limited leadership involvement. Now, collaboration integrates real-time data sharing and joint decision-making, leveraging tools like GRC platforms for transparency. Balancing agility and compliance requires embedding GRC into innovation cycles. For example, I implement agile risk assessments during product development to ensure compliance without stifling innovation. This approach, supported by automated tools and clear communication, aligns regulatory rigor with business speed in industries like finance and healthcare.

How do you see the role of GRC professionals like you evolving? What new skills and competencies will be essential for success?

Answer: The role of GRC professionals is shifting from compliance enforcers to strategic advisors driving business resilience. Future GRC experts will need AI, data analytics, and cybersecurity expertise to address emerging risks. Skills in regulatory foresight, such as anticipating AI and ESG regulations, will be critical. 

Proficiency in GRC platforms, stakeholder management, and cross-functional collaboration will also be essential. Adaptability, strategic thinking, and the ability to translate technical risks into business impacts will define success, enabling GRC professionals to guide organizations through complex, technology-driven landscapes.

What trends do you believe will most influence the future of governance, risk, and compliance, and how should organizations prepare?

Answer: Key trends shaping GRC include AI-driven risk management, stricter ESG compliance, and evolving cyber threats. AI will enhance predictive analytics but introduce ethical and regulatory challenges. ESG regulations will demand integrated sustainability frameworks. 

Cyber threats, like ransomware and supply chain attacks, will require robust defenses. Organizations should prepare by investing in AI-powered GRC tools, fostering cross-functional collaboration, and building agile compliance frameworks. Continuous training, regulatory monitoring, and scenario planning will ensure resilience against future risks, positioning GRC as a strategic enabler of growth.

Keeping In Step with Change

As the world of Governance, Risk, and Compliance continues to transform alongside the rapid pace of innovation, one truth remains clear: the evolution of GRC is both constant and necessary. Once considered rigid, frameworks are now adaptive, collaborative, and increasingly woven into the fabric of digital transformation across all sectors. 

While the journey presents new challenges with every advance, the steady guidance of experts like Sahil Dhir ensures that these shifts propel organizations toward greater resilience, integrity, and progress. Through a blend of vision and expertise, leaders like Sahil are not only leading the change; they are shaping it for the betterment of industries and society at large.


Disclaimer: The material, content, and/or information contained within this Impact Feature are published strictly for advertorial purposes. T.V. Today Network Limited hereby disclaims any and all responsibility, representation, or endorsement with respect to the accuracy, reliability, or quality of the products and/or services featured or promoted herein. Viewers or consumers are strongly advised to conduct their own due diligence and make independent enquiries before relying on or making any decisions based on the information or claims presented in the impact feature. Any reliance placed on such content is strictly at the individual’s own discretion and risk.
 

Edited By: Atiqul Habib
Published On: Aug 19, 2025