Grant Thornton releases part three of its Digital Transformation survey

October 08, 2025 at 10:36 AM EDT

The third installment shares respondents’ approach to technology and the role it plays with compliance and resilience

— 57% of executives chose cybersecurity and risk management as a top technology objective

— 60% noted GRC (governance, risk and compliance) tools and processes as a top tactic for mitigating risks

— 68% named cybersecurity as a top-five technology investment

— 53% rank data privacy compliance as a top cybersecurity concern

The final of three reports from Grant Thornton’s Digital Transformation survey — which gathered insights from more than 550 cross-functional senior executives across industries — revealed that embedding cybersecurity, resilience and real-time compliance into technology strategies can help organizations stay agile and innovate.

According to the data from the final installment of the survey, the positive impact of compliance and resilience isn’t lost on business leaders. When respondents were asked to rank the top priorities for their organizations’ technology enhancements, 57% chose cybersecurity and risk management as one of their top three technology objectives.

“Compliance and resilience don’t reduce agility,” said Ethan Rojhani, a partner in the Risk Advisory practice for Grant Thornton Advisors LLC. “They increase agility because they enable people to understand their bounds and parameters, so they make the most effective use of their time and resources.”

Striking the right balance between governance and innovation

The survey also found that 60% of executives identified governance, risk and compliance (GRC) tools and processes as a top three tactic for mitigating technology risks.

Controls that are redundant or too strict can stifle creativity and productivity. At the same time, experimentation without proper restraint can unleash risks that can put an organization in jeopardy. With each technology implementation, it’s important to strike the right balance between governance and innovation.

According to Johnny Lee, a partner in the Risk Advisory practice for Grant Thornton Advisors LLC, the proper balance lies in developing guardrails for technology transformations, which protect the organization from intellectual property infringement claims, preserve confidential data and ensure the quality of products and services — as well as the customer experience.

“That’s what unfolds for every technology transformation,” said Lee. “Don’t ruin the business model. Don’t send confidential information where it shouldn’t go. And once you’ve built the walled garden and the sandbox is safe, foster and encourage experimentation to challenge the status quo. Later, we can have a conversation about ROI, once we know what is reasonable and meaningful to measure.”

Compliance gets an AI makeover

Additional findings revealed 49% of executives ranked regular risk assessments as another top three approach for mitigating technology risks.

Derek Han, the Cybersecurity and Privacy leader for Grant Thornton Advisors LLC’s Risk Advisory practice, explained risk assessments are the roots of strong resilience and compliance — and large organizations might have several of these processes in place to effectively manage their risks. Where these processes were once performed manually with the help of workflow tools, companies now are implementing artificial intelligence (AI) to assist with these objectives.

“The AI models need to be trained with defined relevant risk data and response rates, but companies are finding that the tools ultimately improve speed and accuracy at a modest cost,” said Han. “Additional AI tools for resilience and compliance include third-party risk management applications and regulatory horizon scanning apps that alert management to changes in rules or laws that need to be addressed through compliance activities.”

Han added that organizations are especially focused now on improving their data to enable successful AI use.

“Data has been the core challenge — but also the opportunity — for many organizations in their AI adoption. For some, it’s going to be a real journey to make sure their data is high in quality and widely usable for training large language models within organizational boundaries.”

Incident response emerges as a cyber priority

The survey also found that executives are prioritizing cybersecurity tools: 68% of respondents named cybersecurity as one of the top five technologies they’re investing in this year. AI applications for cybersecurity can probe for vulnerabilities in defenses, review audit logs for potential breaches and instantly remediate risk issues or vulnerabilities.

According to Han, companies that use these tools need to evaluate their comfort level with augmenting human capabilities for such a vital activity — and evaluate the impact on their workforce.

“The risks of overreliance on AI in cybersecurity have to be considered,” Han said. “If we start using AI to simply replace humans to monitor, respond to, and mitigate security risks, the human foundation for cybersecurity could be diminished. It’s important to strike a balance between the use of AI tools and continuing developing the expertise and critical thinking of the human security team.”

For employees throughout the organization, AI tools should not diminish the importance of regular training and embedding strong cybersecurity awareness practices throughout your workforce. Meanwhile, the need for thorough, cross-functional incident response playbooks and resilience drills is still growing.

“Where the real resilience starts to show up is in comprehension,” Lee said. “You can’t have comprehension without clarity. You can’t have clarity without people knowing what their role is when the ‘bad day’ happens, and you genuinely can’t know that without practice.”

Han added that even in resilience drills, AI tools can play multiple roles: “AI can create simulation scenarios to test incident response capabilities. In addition, where written response playbooks can be lengthy and complicated to execute, the people on the response team can use AI to more quickly discern their responsibilities and take decisive action.”

Moving toward real-time monitoring and a culture of compliance

As laws evolve and risks emerge, continuous monitoring is becoming essential. In fact, 53% of executives now rank data privacy compliance among their top three cybersecurity concerns. The next frontier in compliance and resilience is real-time monitoring — driven by advancements in robotic process automation and AI, which can quickly detect anomalies or red flags.

According to Rojhani, companies are increasingly investing in tools that allow management to identify and correct financial reporting and IT issues long before third-party audits.

“Management is doing it upfront to make sure everything is clean,” said Rojhani. “Over time, we’ll see fewer material misstatements in financial audits and fewer IT violations from a SOC perspective. Real-time monitoring is the future.”

But technology alone isn’t enough. Compliance must be embedded in the organization’s culture and supported by leadership. According to the data, just over one in four executives cited compliance lapses or security issues as a top reason past technology initiatives failed.

“Strong compliance and resilience are built when companies appoint risk champions across business units and promote cross-functional knowledge sharing,” added Rojhani. “It’s not just tone at the top; it’s about providing the resources to embed that mindset into the organization.”

To see additional findings from Grant Thornton’s Digital Transformation survey, visit: https://www.grantthornton.com/insights/survey-reports/advisory/2025/tech-resilience.

About Grant Thornton

Grant Thornton delivers professional services in the U.S. through two specialized entities: Grant Thornton LLP, a licensed, certified public accounting (CPA) firm that provides audit and assurance services ― and Grant Thornton Advisors LLC (not a licensed CPA firm), which exclusively provides non-attest offerings, including tax and advisory services.

In January 2025, Grant Thornton Advisors LLC formed a multinational, multidisciplinary platform. The platform offers a premier advisory and tax practice, as well as independent audit practices. With almost 60 offices, the platform delivers a singular client experience that includes enhanced solutions and capabilities, backed by powerful technologies and a roster of almost 13,500 quality-driven professionals enjoying exceptional career-growth opportunities and a distinctive cross-border culture.

Grant Thornton is part of the Grant Thornton International Limited network, which provides access to its member firms in more than 150 global markets.

Grant Thornton LLP, Grant Thornton Advisors LLC and their respective subsidiaries operate as an alternative practice structure (APS). The APS conforms with applicable laws, regulations and professional standards, including those from the American Institute of Certified Public Accountants.

“Grant Thornton” refers to the brand under which the member firms in the Grant Thornton International Ltd (GTIL) network provide services to their clients and/or refers to one or more member firms. Grant Thornton LLP and Grant Thornton Advisors LLC serve as the U.S. member firms of the GTIL network. GTIL and its member firms are not a worldwide partnership and all member firms are separate legal entities. Member firms deliver all services; GTIL does not provide services to clients.