Expert-in-the-loop: why agentic GRC needs a certified human signer
Regulators and auditors require attributable authorship. An AI-drafted document with no human signer does not stand up to review. The expert-in-the-loop pattern is what separates agentic GRC from unsupervised AI output: the agent drafts, the certified specialist reviews and signs.
The regulatory requirement: attributable authorship
Regulators and auditors are not interested in whether a document was produced by a human or an agent. They are interested in who is accountable for the content. The signature on a policy, an assessment, or a risk register is a representation: a named, qualified individual stands behind the work and can be held to it.
An unsigned AI output is not a regulatory artefact. It is a draft. A draft is useful internally but is not enough to stand up at audit, in a regulator’s file, or as evidence in a customer’s diligence pack.
What experts catch that agents miss
Three categories of judgement consistently sit with the human reviewer rather than the agent:
- Edge cases in regulatory interpretation. Two regulators may have issued slightly different guidance, a national transposition may diverge from the directive, or a recent court decision may have shifted the accepted reading. Agents pull from training data and from retrieved documents; experts integrate the latest professional consensus, which often postdates both.
- Context the agent cannot see. Internal decisions taken in conversation, half-finished migrations, exceptions agreed at executive level. The agent reads what is written down. The expert knows what the engineering team is actually doing.
- Materiality judgements. Whether a risk is acceptable, whether an exception is reasonable, whether a control description maps adequately to actual practice. These are professional judgements with professional liability attached. They sit with the named human.
Bundled-expert vs partner-network billing
There are two commercial models for the expert layer in agentic GRC. The first is a partner network: the platform refers you to a consultancy for the review work, and you contract with them separately. The platform charges a software fee; the consultancy charges hourly. The total cost is the sum.
The second is bundled: the certified specialist is part of the platform team, and their time is part of the subscription. Review is not optional and does not produce a separate invoice. The total cost is the subscription.
The bundled model has two structural advantages. The expert has full context of the platform-generated drafts, because they sit inside the same workflow. And the customer cannot accidentally ship an unreviewed output, because the path through the platform requires review.
The partner-network model has the advantage of letting the customer choose its consultancy. For organisations with an existing trusted consultancy relationship, that matters. For organisations without one, it is one more thing to procure.
What "certified" actually means
A certified compliance specialist is a named professional with credentials relevant to the work. Common credentials in the EU compliance and assurance space include CIPP/E (Certified Information Privacy Professional/Europe) for GDPR work, CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional) for security and audit work, ISO 27001 Lead Auditor for ISMS audits, and chartered accountant qualifications (ACA, ACCA, etc.) for assurance reporting under the ISAE standards.
The relevant question for a customer is not whether the platform mentions "experts" or "specialists" in marketing copy, but who specifically reviews and signs the output, what credentials they hold, and whether their name appears on the artefact.