VantaCon UK 2026: Privacy joins the platform, the Agent gets smarter, and trust becomes a growth strategy

"AI is rewriting trust." That was Christina Cacioppo's opening line at VantaCon UK 2026, and the thesis the day kept returning to. The bar for proving security has been reset. Customers, auditors, and boards expect real-time, continuous proof now, not a screenshot from last quarter.

‍

Across a day of product announcements, customer stories, and conversations with security leaders from Nando's, Synthesia, Dashlane, and Intercom, here's what mattered most.

‍

The bar for trust has been reset

77% of leaders say their stakeholders now demand verified proof of compliance, up 12% year over year. The average company spends 12 working weeks a year on compliance work. And almost two-thirds of leaders say they spend more time proving security than improving it.

‍

The era of point-in-time checks and static PDFs is over. Consider GitHub: When the team launched Copilot, it was hit with an overnight wave of security questionnaires from enterprise buyers asking what the new product did, what data it touched, and where the risk lived. With Vanta, GitHub handled 93% of those questionnaires within six months, six months ahead of plan. The questions arrive faster now, from more people, and the answers have to be live.

‍

What Vanta announced: the Agentic Trust Platform in action

Jeremy Epling, our Chief Product Officer, walked the room through the four product moves he flagged as most important for the modern security leader in today's AI era. Each one builds toward the same goal: making trust continuous, connected, and provable in real time.

‍

Stop running privacy in a silo, with Vanta Privacy

Privacy has been treated for years as a separate problem: a separate team, a separate tool, disconnected from your compliance programme and risk register. We're fixing that. ROPA and DPIA management, plus agentic workflows for GDPR, are live in Vanta today, and we're building toward what Jeremy Epling called "the privacy operating system for the AI era." Demo'd on stage: the Agent drafting a DPIA in minutes from your existing policy context and processing details. Work that used to take a day.

‍

Risk management, end-to-end

Multiple risk registers, custom fields per team, and scenario-based scoring roll up into a single board-ready enterprise view, with the Agent auto-drafting controls so risk doesn't live in a sprawl of disconnected spreadsheets. The same engine extends to your third parties, Shadow AI included. The Agent auto-enriches vendor intake, categorises inherent risk, pulls evidence from Trust Centers, and flags gaps before your team has asked the first question.

‍

Keep all your promises, with Customer Commitments

Every promise made post-contract (breach notification windows, sub-processor change obligations, SLAs) now lives in one place with Customer Commitments. Contracts sync from Ironclad today, with DocuSign and Google Drive coming in Q2. The Agent extracts the obligations and tells you when action is needed.

‍

Craig Schwartz, General Counsel and Head of InfoSec at Nominal, put it this way: "Customer Commitments is exactly what teams need to manage obligations with confidence."

‍

Get answers you can act on, with the Vanta Trust Graph and Agent.

Everything Jeremy announced sits on the Vanta Trust Graph, the industry's first connected data and intelligence layer purpose-built for trust and security programs. With [400] integrations across your cloud infrastructure, security tooling, HR, and identity providers, and [1,400+] tests an hour, the Trust Graph doesn't just store your data: it structures and connects it to reflect how your program actually works. 

‍

"Most tools dump everything into one system and hope an AI can make sense of it,” said Jeremy. “Vanta's Agent works from a clean, structured foundation (the Trust Graph), which is why it gives you answers you can actually act on."

‍

That foundation powers the new Vanta Agent experience: A 24/7 GRC engineer that knows your frameworks, controls, and systems, with memory built in so its guidance gets smarter over time. The Agent runs in Vanta and in tools like Claude and Cursor through our MCP server and REST APIs.

‍

As Elizabeth Walker, Security Compliance Manager at Samsara, whose team manages 820 controls across 10 frameworks, notes: "It is truly like having a 24/7 GRC engineer right on our team."

‍

How Nando's is scaling security in the AI era

The day's marquee customer moment was Christina's fireside chat with Jason Kirk, CISO at Nando's Group. Nando's runs roughly 1,200 casual-dining restaurants worldwide, best known for its peri-peri chicken.

‍

But behind the storefronts, it's more of a digital business than people realise: 14 million active customers, four million UK transactions a month, and between £500 and £600 million flowing through its apps annually in the UK alone. However, more than half of website traffic is from bad actors. Jason puts that down to Nando's being a well-loved teen brand that attracts curious hackers.

‍

Jason runs security across the UK, South Africa, North America, and Australia and New Zealand, with zero direct reports. His operating frame borrows from product: "What does minimum viable governance look like?" 

‍

When Nando's shareholders mandated NIST adoption, he saw no way to hit it without hiring 17 extra people, until automation. After evaluating four tools, his read was clear: "When we'd stacked up our requirements, we could see that Vanta was the only tool we could sensibly use." His next focus is unstructured data, where he's leaning on Vanta's privacy capabilities.

‍

"The less pain that I can inflict on my business, the better."

— Jason Kirk, CISO, Nando's Group

‍

In the AI era, scale doesn't come from hiring 17 more people. It comes from giving the team you have a structured foundation and an agent that does the rest. As Christina put it on stage: "Trust isn't a compliance exercise. It's a growth strategy."

‍

Want to see it for yourself? Watch the full keynote on demand.

‍

Where trust goes from here

VantaCon UK is one stop on our wider Trust Tour, and wherever you are in your trust program, the playbook from London holds: privacy alongside compliance, risk in one view across your enterprise and your vendors, and the Agent working for you in whatever tools you're already in. When you're ready to see the Agentic Trust Platform in your own environment, book a demo.