
Vanta was named a Leader in the Forrester GRC Wave. This is what we're building next.
For two decades, GRC has been a point-in-time assessment for audits. We collected evidence, ran a periodic assessment, and handed it to an auditor. Risk was managed in snapshots. Compliance happened in cycles.
That model has broken. AI usage is scaling, regulations are multiplying, threat surfaces are expanding, and boards want continuous assurance, not quarterly reports.
Trust is the defining problem of the AI era, and we need a different solution: a system that orchestrates trust with deep intelligence, agents, and automation, one that monitors your control environment and surfaces risk continuously, and that runs on agents while pulling in GRC experts for critical decisions.
Today, Forrester published The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q2 2026. Vanta is named a Leader on our first-ever inclusion in the evaluation.
We believe being named a Leader in a first inclusion is rare. We did it on the first try, alongside vendors with deep heritage in GRC, audit, and risk, in a Wave Forrester framed as “Automation Revitalizes GRC’s Role as Outcome Orchestrator.”
That framing matters as much as the placement. The defining criteria in this Wave—continuous controls monitoring, embedded AI, integrated platform breadth—describe where modern GRC is going.
What Forrester said about Vanta
Two things from our vendor profile stood out to us.
First: Forrester called Vanta's innovation approach “unparalleled,” citing that we show “some of the most compelling and disruptive product launches, R&D investment, and internal development efforts in the market.”
Second: The Forrester report stated that “Vanta leads in continuous controls monitoring, offering the strongest functionality, easiest implementation, broad integrations, and a focus on control performance and audit evidence.” Forrester also called out our embedded AI as a strength, noting that our agents perform “high-impact tasks beyond basic summarization or content generation.”
That second one matters to me most. We've long believed the operational work of GRC—evidence collection, control testing, vendor reviews—should be automated away while maintaining human supervision. Receiving the highest possible scores in the Continuous Controls Monitoring, Platform Use of AI and AI Agents, and Integration Quality criteria tells us the bet is paying off.
It also matters in context. Forrester's broader market analysis is explicit that “AI is the loudest message in GRC, but today, it's delivering minimal value.” Against that backdrop, Forrester named our embedded AI a strength. It’s a recognition we don't take lightly.
Where we have work to do
Every Forrester Wave evaluation flags areas where vendors are still developing. Ours is worth engaging honestly, because the feedback is real and we take it seriously. Here’s what Forrester said, and how we’re thinking about it.
On enterprise risk depth
Forrester noted our enterprise risk management functionality is still developing in the ability to connect multiple risk types to top-down strategic objectives. They're right. Our heritage is security and compliance, and we've built risk capabilities on top of that foundation rather than as a separate enterprise risk management module.
Our view on where this goes: In a continuous, AI-native world, enterprise risk management doesn't live in a separate quarterly risk register. It lives in the same data fabric, with cross-domain aggregation happening continuously through the connected data and intelligence of Vanta’s Trust Graph (more on this later).
On risk quantification and scenario modeling
Forrester noted these aren't yet natively supported. Agreed. Our platform today delivers AI-driven residual risk scoring and automated risk recommendations. Deeper quantification is on the roadmap for later in 2026.
We believe that quantification is grounded in the live state of your controls, assets, and vendors, not simulations driven by static questionnaires. Quantification has to reflect reality, not model it abstractly.
On compliance- versus risk-centric
Forrester characterized our vision as more compliance-oriented than risk-oriented. We hear this. Vanta's heritage is compliance automation, and that's how most customers first encounter us. But the shift from compliance to risk to resilience isn't a positioning reframe, it's our product roadmap.
Forrester’s cautions are honest snapshots of where we are today. The Wave's broader signal (a Leader in our first inclusion, an “unparalleled” approach to innovation, the top score in the Continuous Controls Monitoring criterion, and the highest possible score in the Platform Use of AI and AI Agents and Integration Quality criteria) is about where we're going. Both are true.
The bigger shift in GRC
The best GRC leaders I talk to don't want to be evidence collectors. They want to be architects of resilience, setting risk strategy, connecting GRC to business decisions, and advising the board on what the threat environment actually means.
Forrester's market analysis points to a future they call “GRC engineering: codify requirements, monitor production, and enforce policy before failures occur.” That's the architecture we've been building toward for years.
We've been calling it something similar internally: the GRC engineer. This is someone who designs and maintains the automated systems that run the GRC program, rather than doing that work by hand. It's striking and, in our opinion, validating to see Forrester independently arrive at the same idea.
Three things have to work together to make the GRC engineer real: a continuous signal from your environment, agentic execution against that signal, and a connected model of how every control, asset, vendor, and risk relates to each other.
These are already in production at Vanta, and we’re expanding them. We shipped 20 agentic workflows last year that automate high-impact GRC work across compliance, vendor risk, and customer trust. We're targeting more than 90 by the end of 2026.
The Trust Graph is our live, connected model of your program paired with Vanta’s intelligence. The Trust Graph lets agents reason about risk relationships, not just individual data points. It's the architectural layer that makes everything else scale.
What we’re building toward
The arc is this: establish continuous compliance, build risk depth on top of it, and produce a GRC function that reduces risk and contributes to business resilience, not just one that passes audits.
The Forrester recognition as a Leader is meaningful to us. More importantly, Forrester's market analysis aligns with the architectural shift we've been building toward for years. That alignment matters more than the ranking.
The category is moving. The question for every GRC leader right now is whether their platform is built for the world that's coming or the one that's passing. We know which side we're building on.
Read the Forrester Wave™: GRC Platforms, Q2 2026 report.
Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester's objectivity here.
The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q2 2026, Forrester Research, Inc., May 2026.






