Why general-purpose AI feels useful in GRC
AI changed how teams approach governance, risk, and compliance. Questions that once took days now get answered in seconds. Drafts appear instantly. Summaries sound confident.
At the surface level, a general-purpose assistant genuinely helps. It can:
- Summarize policies and regulations
- Explain concepts in plain language
- Brainstorm controls and approaches
- Draft responses that sound reasonable
For early exploration or learning, that is valuable. It reduces friction and speeds up understanding. The problem starts when teams treat these drafts as finished work.
What GRC actually requires
Real GRC work has non-negotiable requirements:
- Full coverage of applicable obligations
- Clear mapping between requirements and evidence
- Accurate applicability decisions
- Traceability to primary sources
- Outputs that stand up to audits, regulators, and customers
Confidence without coverage is not progress. It is a risk. A summary that reads well but silently drops half the obligations does not save you time. It hides the work you still owe.
What the benchmark measured
To understand the real difference, we ran an internal benchmark of Sorena AI against a leading general-purpose AI across 43 independent, real-world GRC tasks, each reviewed by auditors who are domain experts. These were not toy examples. They included:
- GDPR, CCPA, and CPRA privacy audits
- EU AI Act, Data Act, and sustainability readiness
- Regulatory timelines and applicability analysis
- Framework crosswalks across ISO, NIST, PCI, ETSI, and IEC
- Clause-by-clause delta analyses
- Audit-ready compliance plans
Each task was scored against auditor-defined requirements in two independent passes, with coverage, accuracy, and factual errors tracked explicitly. The results describe that benchmark set and scoring rubric; teams should still validate performance on their own documents and workflows.
A benchmark needs a method, not just a winner
A credible GRC benchmark starts before anyone asks the model a question. Define the task set, the expected source universe, the scoring rubric, the denominator for coverage, the baseline model and date, and who reviews the answer. Then publish the misses, not just the wins.
That matters because fluency hides failure. A general-purpose answer can sound plausible while skipping the obligation, failing to cite the source, or refusing to admit that coverage is partial. The useful benchmark question is not “which model sounds better?” It is “which system found the required obligations, cited them, and produced an answer an auditor can verify?”
The results: answers versus execution
The pattern was consistent across the benchmark set.
Sorena AI
- Reached full coverage against the auditor checklists used in the evaluation
- Grounded answers in primary sources
- Flagged gaps instead of guessing
- Produced reviewable, source-linked outputs
The general-purpose baseline
- Typically covered a fraction of the required obligations
- Missed large portions of the auditor checklists
- Introduced factual errors and unverifiable claims
- Could not prove completeness or coverage
The gap was not marginal in this evaluation. The baseline often produced answers that sounded right on the surface but quietly missed critical obligations, timelines, or controls that auditors expect to see. In GRC, slow work can be fixed. Wrong work looks fast until it collapses, breaks trust, and sends teams backward into rework.
The detailed benchmark data
Below is the full breakdown: coverage by category, and every one of the 43 sessions scored by two independent auditors. Sorena coverage is the copilot column; the baseline column is the average of both scoring passes.
Read the table as an audit-readiness check, not a beauty contest. The useful signal is whether the answer found the required obligations, cited the source, avoided factual errors, and left a reviewer enough evidence to verify the result.
Coverage by category
| Category | Tasks | Sorena AI | Baseline (avg) | Baseline errors |
|---|---|---|---|---|
| Privacy Audit | 12 | 100% | 30% | 43 |
| AI Act Compliance | 6 | 100% | 28% | 20 |
| Regulatory Timeline | 3 | 100% | 18% | 17 |
| Sustainability Compliance | 9 | 100% | 21% | 53 |
| Employment Law | 2 | 100% | 18% | 3 |
| Technical Review | 11 | 100% | 28% | 47 |
| Session | Category | Scenario | Sorena Score | ChatGPT Score | Factual errors | Notes |
|---|---|---|---|---|---|---|
#012026-01-06 | Privacy Audit | Privacy Notice Audit - Global e-commerce retailer Audit of a global e-commerce privacy notice against GDPR and CPRA/CCPA, focusing on transparency, retention, cross-border transfers, and user rights. | 100% | 38% | 5 | |
#022026-01-06 | AI Act Compliance | AI Terms & Privacy Audit - AI lab Audit of an AI lab’s consumer terms and privacy policy for EU AI Act and GDPR, focusing on provider duties, transparency, and operational compliance. | 100% | 19% | 3 | |
#032026-01-06 | Privacy Audit | Privacy Policy Audit - Consumer device manufacturer Privacy policy audit for a consumer device ecosystem, assessing GDPR/CPRA disclosures, retention clarity, transfers, and rights transparency. | 100% | 21% | 5 | |
#042026-01-06 | AI Act Compliance | Cloud Service Terms Audit - Major cloud provider Contract-focused audit of cloud service terms and privacy notices for EU AI Act and GDPR coverage, including transfers, processor terms, and AI restrictions. | 100% | 19% | 4 | |
#052026-01-06 | Regulatory Timeline | EUDR Timeline - Office equipment manufacturer EU Deforestation Regulation (EUDR) workback plan for a paper supply chain, with due diligence milestones, evidence expectations, and reporting deadlines. | 100% | 19% | 9 | |
#062026-01-06 | Regulatory Timeline | EUDR Timeline - Beverage multinational EUDR compliance timeline for a global beverage supply chain, mapping commodity sourcing to scope, due diligence steps, and declaration deadlines. | 100% | 13% | 7 | |
#072026-01-06 | Regulatory Timeline | EU Data Act Timeline - Connected appliance manufacturer EU Data Act compliance timeline for a connected-appliance manufacturer, covering data access, sharing, trade secrets, and cloud switching requirements. | 100% | 26% | 1 | |
#082026-01-06 | Privacy Audit | Privacy Policy Audit - Gaming platform Privacy policy audit for a gaming platform, focusing on GDPR transparency and CPRA/CCPA disclosures for California residents. | 100% | 43% | 3 | |
#092026-01-06 | AI Act Compliance | AI Terms & Privacy Audit - AI platform Audit of an AI platform’s terms and privacy policy for EU AI Act and GDPR readiness, emphasizing transparency, training boundaries, and provider vs deployer responsibilities. | 100% | 48% | 6 | |
#102026-01-06 | AI Act Compliance | Cloud Terms + DPA Audit - Cloud provider Audit of cloud service terms and a data processing addendum for GDPR Article 28 and EU AI Act readiness, including key contractual caveats and deployer obligations (e.g., FRIA). | 100% | 33% | 5 | |
#112026-01-06 | AI Act Compliance | AI API Terms + Privacy Audit - Model API provider Audit of an AI model API’s terms and privacy policy for GDPR and EU AI Act requirements, focusing on data-use boundaries, retention, and developer obligations. | 100% | 28% | 1 | |
#122026-01-06 | Privacy Audit | Privacy Policy Audit - Global search platform Privacy policy audit for a global search platform, assessing data categories, purposes, rights, transfers, retention, and opt-out tooling under GDPR and CPRA. | 100% | 25% | 4 | |
#132026-01-06 | Privacy Audit | Privacy Policy Audit - Social platform Privacy policy audit for a social platform, focusing on disclosure completeness, legal bases, retention clarity, and rights mechanisms under GDPR and CPRA. | 100% | 22% | 5 | |
#142026-01-06 | Privacy Audit | Privacy Statement Audit - Enterprise software vendor Enterprise privacy statement audit for GDPR and CPRA, focusing on transparency obligations, retention, DSAR mechanics, and user rights coverage. | 100% | 47% | 2 | |
#152026-01-06 | AI Act Compliance | Product Terms + Privacy Audit - Enterprise cloud/vendor Audit of enterprise product terms and privacy statements for EU AI Act and GDPR, focused on contractual commitments and shared responsibilities across the AI value chain. | 100% | 31% | 1 | |
#162026-01-06 | Privacy Audit | Privacy Statement Audit - Streaming service Privacy statement audit for a streaming service, evaluating GDPR transparency and CPRA disclosures such as sharing, preference signals, and required policy structure. | 100% | 33% | 5 | |
#172026-01-06 | Privacy Audit | Terms + Privacy Audit - Secure messaging app Audit of a secure messaging app’s terms and privacy disclosures for GDPR and CPRA, focusing on lawful bases, retention, rights, and audit-ready gaps. | 100% | 32% | 1 | |
#182026-01-06 | Privacy Audit | Privacy Policy Audit - Music streaming service Privacy policy audit for a music streaming service, reviewing GDPR/CPRA disclosures around data categories, sharing, international transfers, and rights. | 100% | 36% | 1 | |
#192026-01-06 | Privacy Audit | Privacy Policy Audit - Messaging platform Privacy policy audit for a messaging platform under GDPR and CPRA, including transfers, retention, rights workflows, and required disclosures. | 100% | 56% | 1 | |
#202026-01-06 | Privacy Audit | Privacy Policy Audit - Short-form video platform Privacy policy audit for a short-form video platform under GDPR and CPRA, focusing on disclosures, rights, ad legal bases, and cross-border processing. | 100% | 24% | 6 | |
#212026-01-06 | Privacy Audit | Privacy Policy Audit - Social network Privacy policy audit for a social network, evaluating GDPR and CPRA transparency items, user rights coverage, and retention disclosures. | 100% | 30% | 5 | |
#222026-01-07 | Employment Law | Union Comparison - Swedish software developer Comparison of Swedish unions and collective agreements for a full-time software developer, covering benefits, tradeoffs, and agreement coverage. | 100% | 20% | 1 | |
#232026-01-07 | Employment Law | Employment Contract Review - Sweden Employment contract compliance review under Swedish law, identifying risk areas, missing mandatory elements, and practical remediation guidance. | 100% | 17% | 2 | |
#242026-01-07 | Technical Review | Security Guidelines Review - Connected products Technical review of connected product security guidelines, identifying inconsistencies and aligning requirements to real regulatory regimes and standards. | 100% | 25% | 12 | |
#252026-01-10 | Technical Review | Cybersecurity Conformity Planning - CE/CRA readiness Cybersecurity conformity assessment planning for CE/RED readiness, including evidence artifacts, assessment steps, test strategy, and documentation expectations. | 100% | 37% | 5 | |
#262026-01-10 | Technical Review | IoT Security Crosswalk + Test Plan - Consumer IoT Consumer IoT security crosswalk and test plan, mapping ETSI and NIST requirements into testable procedures and evidence lists. | 100% | 30% | 4 | |
#272026-01-10 | Technical Review | FIPS 140 Delta Analysis - Cryptographic modules Delta analysis of FIPS 140-1 vs FIPS 140-2 for cryptographic modules, highlighting changed requirements and assessment implications. | 100% | 41% | 1 | |
#282026-01-10 | Technical Review | FIPS ↔ ISO Crypto Module Mapping Crosswalk between FIPS and ISO/IEC cryptographic module requirements, mapping controls and clarifying evidence expectations for audits. | 100% | 34% | 1 | |
#292026-01-10 | Technical Review | ISO 27001/27002 Migration Package - ISMS update ISO 27001/27002 migration package from 2013 to 2022, covering control changes, reorganization themes, and statement of applicability updates. | 100% | 34% | 4 | |
#302026-01-10 | Technical Review | NIST 800-53 ↔ ISO 27001/27002 Mapping Control mapping between NIST SP 800-53 Rev. 5 and ISO/IEC 27001:2022 Annex A to support alignment, crosswalks, and audit preparation. | 100% | 12% | 5 | |
#312026-01-10 | Technical Review | NIST CSF 1.1 to 2.0 Crosswalk Crosswalk from NIST Cybersecurity Framework 1.1 to 2.0, highlighting changes and mapping structure to support transition planning. | 100% | 29% | 5 | |
#322026-01-10 | Technical Review | NIST 800-171 Rev. 3 Delta + CMMC Mapping Clause-level delta analysis of NIST SP 800-171 Rev. 2 vs Rev. 3 with CMMC 2.0 mapping, identifying added objectives and assessment impact. | 100% | 18% | 4 | |
#332026-01-10 | Technical Review | OT Security Framework Crosswalk + Gaps (IEC 62443/NIST) OT security framework crosswalk between IEC 62443 requirements and NIST SP 800-82 guidance, identifying gaps plus example tests and evidence. | 100% | 20% | 3 | |
#342026-01-10 | Technical Review | PCI DSS v3.2.1 to v4.0 Delta + Crosswalk PCI DSS v3.2.1 to v4.0 delta analysis with crosswalks to NIST SP 800-53 Rev. 5 and ISO/IEC 27001:2022, including key changes and timelines. | 100% | 32% | 3 | |
#352026-01-14 | Sustainability Compliance | EU Energy Efficiency Directive Readiness - IoT appliances Readiness assessment for an EU IoT home-appliance manufacturer under the EU Energy Efficiency Directive, including obligations, exemptions, and a practical implementation plan. | 100% | 26% | 8 | |
#362026-01-14 | Sustainability Compliance | ESPR + Digital Product Passport Readiness - Appliances Readiness assessment for ESPR and Digital Product Passport obligations for an EU smart-appliance manufacturer, covering applicability, data requirements, and execution plan. | 100% | 22% | 2 | |
#372026-01-14 | Sustainability Compliance | EU Batteries Regulation Readiness - Embedded batteries Readiness plan for EU Batteries Regulation obligations relevant to consumer appliances with embedded or supplied batteries, including labeling, due diligence, and reporting. | 100% | 27% | 6 | |
#382026-01-14 | Sustainability Compliance | EU CSDDD Readiness - Supply chain due diligence Readiness assessment for EU corporate sustainability due diligence obligations for an EU-listed appliance manufacturer, including governance, risk mapping, and remediation. | 100% | 34% | 4 | |
#392026-01-14 | Sustainability Compliance | EU CSRD/ESRS Compliance Plan - Listed appliance manufacturer CSRD/ESRS compliance applicability and readiness plan for an EU-listed smart-appliance manufacturer, including reporting scope, materiality, assurance, and data controls. | 100% | 20% | 11 | |
#402026-01-14 | Sustainability Compliance | EU CSRD/ESRS Compliance Plan - Listed automotive manufacturer CSRD/ESRS applicability and compliance plan for an EU-listed automotive manufacturer, including ESRS scope, phased timelines, and operational reporting readiness. | 100% | 25% | 5 | |
#412026-01-14 | Sustainability Compliance | EU Green Claims Readiness - IoT appliances Readiness assessment for EU green-claims compliance in marketing and product communications for an EU IoT appliance manufacturer. | 100% | 12% | 6 | |
#422026-01-14 | Sustainability Compliance | EU Packaging Waste EPR Readiness - Appliances Packaging waste and EPR compliance readiness plan for an EU home-appliance manufacturer, covering registration, reporting, labeling, and operational controls. | 100% | 14% | 6 | |
#432026-01-14 | Sustainability Compliance | EU Water Sustainability Readiness - IoT appliances EU water-sustainability and water-efficiency compliance readiness plan for IoT appliances, including product efficiency, disclosures, and governance. | 100% | 14% | 5 |
Privacy Notice Audit - Global e-commerce retailer
Privacy AuditAI Terms & Privacy Audit - AI lab
AI Act CompliancePrivacy Policy Audit - Consumer device manufacturer
Privacy AuditCloud Service Terms Audit - Major cloud provider
AI Act ComplianceEUDR Timeline - Office equipment manufacturer
Regulatory TimelineEUDR Timeline - Beverage multinational
Regulatory TimelineEU Data Act Timeline - Connected appliance manufacturer
Regulatory TimelinePrivacy Policy Audit - Gaming platform
Privacy AuditAI Terms & Privacy Audit - AI platform
AI Act ComplianceCloud Terms + DPA Audit - Cloud provider
AI Act ComplianceAI API Terms + Privacy Audit - Model API provider
AI Act CompliancePrivacy Policy Audit - Global search platform
Privacy AuditPrivacy Policy Audit - Social platform
Privacy AuditPrivacy Statement Audit - Enterprise software vendor
Privacy AuditProduct Terms + Privacy Audit - Enterprise cloud/vendor
AI Act CompliancePrivacy Statement Audit - Streaming service
Privacy AuditTerms + Privacy Audit - Secure messaging app
Privacy AuditPrivacy Policy Audit - Music streaming service
Privacy AuditPrivacy Policy Audit - Messaging platform
Privacy AuditPrivacy Policy Audit - Short-form video platform
Privacy AuditPrivacy Policy Audit - Social network
Privacy AuditUnion Comparison - Swedish software developer
Employment LawEmployment Contract Review - Sweden
Employment LawSecurity Guidelines Review - Connected products
Technical ReviewCybersecurity Conformity Planning - CE/CRA readiness
Technical ReviewIoT Security Crosswalk + Test Plan - Consumer IoT
Technical ReviewFIPS 140 Delta Analysis - Cryptographic modules
Technical ReviewFIPS ↔ ISO Crypto Module Mapping
Technical ReviewISO 27001/27002 Migration Package - ISMS update
Technical ReviewNIST 800-53 ↔ ISO 27001/27002 Mapping
Technical ReviewNIST CSF 1.1 to 2.0 Crosswalk
Technical ReviewNIST 800-171 Rev. 3 Delta + CMMC Mapping
Technical ReviewOT Security Framework Crosswalk + Gaps (IEC 62443/NIST)
Technical ReviewPCI DSS v3.2.1 to v4.0 Delta + Crosswalk
Technical ReviewEU Energy Efficiency Directive Readiness - IoT appliances
Sustainability ComplianceESPR + Digital Product Passport Readiness - Appliances
Sustainability ComplianceEU Batteries Regulation Readiness - Embedded batteries
Sustainability ComplianceEU CSDDD Readiness - Supply chain due diligence
Sustainability ComplianceEU CSRD/ESRS Compliance Plan - Listed appliance manufacturer
Sustainability ComplianceEU CSRD/ESRS Compliance Plan - Listed automotive manufacturer
Sustainability ComplianceEU Green Claims Readiness - IoT appliances
Sustainability ComplianceEU Packaging Waste EPR Readiness - Appliances
Sustainability ComplianceEU Water Sustainability Readiness - IoT appliances
Sustainability Compliance- - Results based on internal evaluation conducted January 2026.
- - ChatGPT (baseline) is OpenAI ChatGPT, used as a general-purpose AI comparison.
- - All factual errors counted are from ChatGPT responses only.
- - This evaluation focused on regulatory and compliance research tasks.
- - Results may vary depending on specific use case and document types.
- - Not a substitute for legal counsel or professional advice.
Why this gap exists
This is not a failure of intelligence. It is a mismatch of purpose.
A general-purpose assistant is designed to generate helpful, conversational answers, optimize for fluency, and respond quickly with plausible output.
Sorena AI is designed to execute compliance work: track obligations explicitly, enforce coverage and completeness, ground every statement in a source, and produce outputs auditors can verify.
General-purpose AI can answer questions fluently. Sorena is built to execute GRC work with coverage, citations, and reviewable evidence. These are different jobs.
The risk of false confidence
The most dangerous failure mode in GRC is not being wrong loudly. It is being wrong quietly. When teams lean on a general-purpose assistant for audit-critical work:
- Missing obligations are not obvious
- Partial answers look complete
- Errors are hard to detect
- Coverage cannot be proven
That creates false confidence. Teams believe the work is done until an audit, regulator, or customer proves otherwise. Visibility without execution is not progress. It is exposure.
Where general-purpose AI still has a place
None of this means a general-purpose assistant has no role in GRC. It is useful for learning and education, early exploration, drafting ideas that will be validated later, and general assistance outside audit-critical workflows.
But when compliance must be complete, grounded, and defensible, execution matters more than answers. That is where Sorena AI is the system of record and the execution layer GRC requires.
What actually works at scale
The benchmark points to a simple conclusion. GRC scales when:
- Humans make judgments and decisions
- Systems handle coverage, mapping, tracking, and evidence
- Execution is continuous, not episodic
- Outputs are verifiable by design
Do not take our word for it. Benchmark it yourself against your own tasks and see the difference in real GRC work.
Frequently asked questions
How was the benchmark scored?+
Each of the 43 tasks was scored against auditor-defined requirements in two independent passes by domain-expert auditors. Coverage is the share of required obligations explicitly and correctly addressed. Factual errors were tracked separately and counted only against the general-purpose baseline responses.
What is the general-purpose baseline?+
The baseline is OpenAI ChatGPT, treated here as a leading general-purpose AI assistant used as a comparison point. All factual errors reported are from the baseline responses only. Results reflect an internal evaluation conducted in January 2026 and may vary by use case and document type.
Does 100% coverage mean Sorena replaces auditors or legal counsel?+
No. Sorena handles coverage, mapping, tracking, and evidence so people can focus on judgment and risk decisions. The output is audit-ready and source-linked, but it is not a substitute for legal counsel or professional advice.


