 platform, you’re not just adding another piece of software. You’re centralizing the most sensitive parts of your business: security controls, vulnerabilities, audit evidence, risk registers, vendor data, and remediation plans. 

Think of it as handing over the keys to your kingdom — or the Rosetta Stone to your entire technology stack. If that platform is compromised, the fallout doesn’t just hit the platform provider. It hits every customer whose sensitive data was stored inside.

Attackers know that GRC platforms contain:

In other words, everything an attacker would need to exploit your environment at scale. A breach here isn’t just data leakage. It’s a blueprint for how to attack your systems.

Unfortunately, there have already been examples of platforms in the compliance and audit space experiencing major breaches and data co-mingling issues. Those incidents highlight the obvious question: why would you entrust that level of information to a platform that doesn’t meet the same standards you’re expected to meet.

FedRAMP authorization isn’t just a rubber stamp. It demonstrates that a platform has:

Independent validation of its security controls by a certified third-party assessment organization (3PAO).

 with ongoing vulnerability scans, incident reporting, and regular plan of action updates.

Structured change control to ensure updates don’t introduce new risk.

Incident response requirements aligned with federal standards.

For customers, that means the platform isn’t just claiming to be secure — it has to prove it, every month, through continuous monitoring and oversight by the FedRAMP Program Management Office and sponsoring agencies.

Imagine a contractor that uses a non-FedRAMP GRC platform. That platform suffers a breach, exposing customer data. The attacker now has:

A list of every open vulnerability the contractor hasn’t fixed

Configuration details for sensitive systems

Within days, the contractor’s own systems are compromised using the attacker’s new playbook. The breach isn’t limited to the platform provider — it cascades to every organization whose data was stored there.

That’s the nightmare scenario FedRAMP is designed to prevent.

Some companies assume FedRAMP only matters if you’re working directly with federal agencies. The reality is broader:

Commercial organizations also benefit when their GRC platforms are FedRAMP-authorized, because they inherit the assurance of continuous monitoring and independent validation.

Prime contractors increasingly prefer subcontractors to use FedRAMP-authorized systems, since it reduces supply chain risk.

State and local governments are adopting GovRAMP, which is modeled on FedRAMP, extending the same requirements to a wider audience.

In short: if a platform isn’t secure enough for the federal government, why would it be secure enough for your business.

The Diligent approach to FedRAMP security

At Diligent, we take this seriously because we know what’s at stake. Our platform is:

IL5 Authorized for Department of Defense workloads

That means customers can confidently entrust their most sensitive compliance data to the platform, knowing it’s protected by the same standards the government itself requires.

And because FedRAMP requires continuous monitoring, customers also benefit from the ongoing oversight, reporting, and transparency that comes with it. It’s not just a one-time certification. It’s a continuous commitment to security.

Ready to talk tech? Here's what to ask your vendor

If you’re evaluating GRC platforms, here are the questions to put on the table:

Do you have FedRAMP authorization? At what impact level?

Which federal agencies sponsor your authorization?

Are you currently pursuing higher authorizations (e.g., FedRAMP High, IL5)?

How do you handle continuous monitoring and incident reporting?

Can you provide evidence of independent assessments, not just internal claims?

If a vendor can’t answer those questions with clarity and proof, that’s a red flag.

When you put your compliance posture into a platform, you’re betting the business on that provider’s security. Without FedRAMP authorization, that bet comes with unnecessary risk.

In a market where breaches are inevitable and attackers are looking for the easiest way in, FedRAMP authorization isn’t just a badge. It’s a baseline.

For organizations evaluating their options, the question is simple: would you trust your business to anything less?

FedRAMP authorization is the standard for trustworthy GRC platforms

 to protect your organization's critical assets with continuous monitoring, independent validation, and government-grade security.

Why FedRAMP authorization matters for GRC platforms

As organizations increasingly adopt AI technologies, governance and legal teams face mounting pressure to harness these innovations while maintaining robust oversight and compliance. With 

Diligent's Modern Governance Virtual Summit

 quickly approaching, we had the opportunity to speak with Deisha Thomas, Legal Operations Consultant at Kailera, about the challenges and opportunities AI presents in the governance landscape.

Q. Hi Deisha! Can you tell us a bit about yourself and your background in legal operations?

A. Hi! My name is Deisha Ling Thomas, also known as Deisha Ling Vazquez. I have over 25 years of experience in the legal industry, and I currently support an in-house legal team at Kailera as Legal Operations Professional. Kailera is a clinical-stage biopharmaceutical company, where I provide strategic advice on initial contract process improvements, legal technology and vendor selection. I’m also standing up the company’s contracting function by creating standardized processes and automation. Additionally, I serve as Head of Community for Legal Operators, which has given me a broad perspective on how different organizations are approaching legal operations.

Q. What are the most significant challenges that legal and governance teams face when adopting AI, and how can they overcome these hurdles?

A. From my perspective, some of the biggest challenges when adopting AI are data privacy and security, navigating regulatory issues, especially in highly regulated industries like healthcare, biopharmaceuticals and financial services, and stakeholder buy-in. To overcome these challenges, it’s crucial to have proper training in place, establish clear AI policies and governance that outline risks, risk management processes, and define roles and responsibilities. Cross-collaboration between different departments is also vital. This includes working closely with compliance, data privacy and operational business functions to address potential risks and ensure a cohesive approach.

Q. How can growth-stage companies leverage AI-enabled reporting and workflows to enhance their governance and legal operations?

A. Leveraging data and analytics from AI-enabled reporting and workflows can significantly enhance governance and legal operations for growth-stage companies. A good starting point is contract automation, which can help reduce time spent on low-value tasks and costs while providing a single source of truth. Utilizing AI-enabled board governance automation dashboards and reporting can also streamline processes and improve decision-making.

Q. How can organizations ensure compliance and manage risk when adopting AI technologies in their legal and governance processes? What best practices can you recommend?

A. It's essential to create and implement a comprehensive AI code of conduct, AI governance framework and complete regular risk assessments. Organizations should establish clear policies around incident management, data privacy and security. Once these policies are in place, it's crucial to have clear auditing procedures and updates as AI continues to evolve rapidly.

I also recommend investing in extensive training and upskilling programs for teams. Bringing in AI experts for hands-on training can be particularly valuable as it allows teams to gain practical experience with AI tools and technologies, understand how to apply them effectively in their specific context and learn from experts who have real-world experience implementing AI solutions. Additionally, having clearly defined roles and responsibilities, along with an established committee comprising representatives from different departments, can help ensure proper checks and balances.

Q. For lean teams, what are the most effective ways to implement AI solutions without compromising on compliance and professional standards?

A. The key is focusing on human-AI collaboration, where AI is used to enhance the work of people, not replace them. It's about creating an environment that encourages exploration and testing within clear guidelines, policies, and governance. Providing basic training in a psychologically safe environment can help teams feel comfortable using AI tools. It's also important to have a strategic plan and governance framework in place. And remember, it's okay to start small and iterate over time.

Q. Looking ahead, how do you envision AI continuing to shape the future of governance and legal operations? What steps should organizations take now to prepare for these changes and stay ahead of the curve?

A. I think AI is going to continue to free up time for more strategic tasks and initiatives. As it evolves at a rapid pace, organizations need to foster a culture of continuous learning, training, and demoing products to stay ahead. Establishing a dedicated person, department, or committee for AI oversight will be crucial in navigating both the benefits and challenges that come with AI adoption.

Diligent Q&A - Navigating AI in Governance with Insights from Deisha Thomas 

This article originally appeared in our September 11, 2025 edition of the Diligent Minute Newsletter. For more insights like these, delivered straight to your inbox, subscribe

Governance leaders feel more confident about AI these days, if the findings from our latest 

We asked GCs their key areas of risk right now, and only 8% mentioned technological disruption. This calm was a little surprising to me, given the current frenzy to integrate AI and see results as soon as possible.

AI risk perceptions among governance leaders

recent episode of the Corporate Director Podcast

 particularly timely. We talked to Beena Ammanath, Global Head of the Deloitte AI Institute and a faculty member for Diligent’s AI Ethics and Board Oversight Program. Ammanath’s literally written the book — 

 — on navigating tech disruption, and I always find her take on things very thoughtful, nuanced and reassuring, as you’ll see in these expert tips for AI strategy and adoption. 

Sticking with our GC theme, the paralegals who support them have typically followed an established career path. Early on, they spend a lot of time looking up statutes and contracts and reviewing documents. The information they learn along the way equips them for more senior roles.

But now AI has automated the whole process, transforming the team’s workload and profession’s overall pipeline and career trajectory. It leaves paralegals understandably worried — especially when they hear promises that AI will take away the boring parts of their work and make their jobs easier.

“Leaders have a responsibility to go beyond the clichés,” Ammanath said. “What happens to the workday when organizations make the job easier? If AI is going to create new jobs, what are those roles?”

“I think leaders have a huge responsibility to proactively think about that,” Ammanath said, citing the need to create organizational structures for new career paths and provide both targeted upskilling and general AI training to build fluency across the workforce.

Then there’s the matter of the human/machine relationship. “How can leaders thrive and succeed in this era of AI where humans and machines are working so closely together?” Ammanath asked. “To work in the best possible way, where can we get the maximum benefit with the minimum side effects?”

We’ve all seen cautionary tales about students outsourcing the entirety of their coursework to ChatGPT. This should go without saying but: Don’t do that in your organization.

In the podcast, my cohost Meghan Day and I talked about studies of what people’s brain waves look like when they use AI at different levels. The heaviest AI use showed the lowest brain function — almost like people were asleep. More optimal EKG activity happened when AI users started a task with their brains and then added ChatGPT.

“Personally, I’ve been most successful embracing AI in my job in areas where I already know what good looks like,” Day said. “And AI is able to speed my work along.”

AI also promises big potential for board members. You can train different agents to have different personalities and perspectives so they can frame problems in new ways for you, for example. But you’ll still need to oversee them and evaluate their output with your own human expertise to ensure accuracy and nuance.

3. Make continuous education — and hands-on use — a cultural norm

Navigating AI’s risks and rewards requires knowledge of AI itself.

This doesn’t mean dropping everything to become an AI expert (although those nine-figure job offers make it tempting). It means having a basic understanding of core AI principles, like machine learning, deep learning and computer vision — and what these principles look like in action.

“As corporate directors, it's important to focus the time and energy to not only learn about AI, but start using AI tools in your job,” Ammanath said.

AI is changing the way we work and the way we lead. For practical strategies and insights from Beena Ammanath,

listen to the full conversation on the Corporate Director Podcast: AI leadership strategies for a changing world.

This article originally appeared in our August 28 edition of the Diligent Minute Newsletter. For more insights like these, delivered straight to your inbox, subscribe 

My colleague Josh Black, Vice President of Editorial at Diligent, doesn’t use words like “eventful” and “unconventional” lightly. So, when I saw them front and center in the editor’s forward of this year’s Proxy Season Review, which Diligent Market Intelligence prepares in association with Olshan Frome Wolosky and Campaign Management, I paid even more attention than usual.

“It is difficult to recall a more eventful or unconventional proxy season since the first year of the pandemic,” Black declared. 

Relentless market volatility is only part of it

. Activists have beena dopting new tactics and advancing stronger director candidates to achieve their desired objectives, especially in the U.S. “It feels very much like an inflection point,” Black added.

Proxy season 2025: Evolving shareholder engagement strategies

In this year’s review, his team examines this inflection point, connecting the dots between what we’ve seen in this year’s proxy season and what these trends mean for boards and advisors right now. Here are a few key takeaways, starting with shareholder engagement.

You’ve probably observed a noted decline in proactive communications by institutional investors lately. Regulatory developments, like revised guidance on Schedule 13D/G eligibility, are a big part of this.“ Norms have unmistakably evolved,” Campaign Management CEO and Founder Michael Fein pointed out in his analysis. “Institutional investors paused outreach, reassessed compliance exposure, and pulled back from dialogue just as several proxy campaigns were gathering momentum.”

Shareholders still care deeply about board structure, accountability, and transparency — critical contributors to strong corporate performance in uncertain times.

In the first half of the year, 33 governance-focused proposals passed with majority support. Board composition has been a common target, with director shuffles at Phillips 66 and Penn Entertainment far from isolated anomalies. We’ve also seen a significant increase in withhold campaigns for driving director changes and other demands.

2. Make real-time data and shareholder sentiment a board priority

Amid this perfect storm of new tactics, heightened scrutiny and radio silence from institutional investors, it’s harder than ever to anticipate vote dynamics and activist positioning.

Is a withhold campaign targeted pressure for governance enhancements, or a prelude to a full-blown proxy fight? Your company’s future depends on answering questions like these quickly and well. And this means moving beyond historical data, guesswork and ad hoc interpretation to real-time intelligence.

Now is the time to invest in systems and processes that deliver accurate, actionable data on investor sentiment, proxy trends, and governance benchmarks.

It’s time to look beyond business as usual for shareholder engagement as well. This means rethinking how your organization interacts with institutional investors. What new touchpoints can you leverage to fill in communication gaps? How can you proactively share your governance story — especially future-focused strategies and positive milestones — in a way that responds to current trends and sentiment?

Think about harnessing all of the data collected in the steps above, like 

 and proposal outcomes, to shape your narrative. “The 2025 proxy season made clear that activists will not sit on the sidelines waiting for more ideal economic conditions,” Andrew Freedman, Chair of Olshan Frome Wolosky’s Shareholder Activism Practice Group, warned in this year’s review. And here’s what he recommends: “Stay prepared to respond to well-crafted demands and sharp strategies, underscored by an unwavering focus on performance and accountability.”

Keep reading for more on the 2025 proxy season

Dive into our full analysis — AI, ESG, 2025’s wildest campaigns and much more — in the full report: The Proxy Season Review 2025.

Want regular access to original research in the field of GRC? Bookmark our 

 for the latest surveys, podcasts and reports.

Diligent

Blog

Why FedRAMP authorization matters for GRC platforms

Diligent Q&A - Navigating AI in Governance with Insights from Deisha Thomas

Your Data Matters