Compliance bloat starts as a software problem long before it becomes a crisis.
Marc Levine, CEO of MetricStream and former head of Structured Finance at Moody’s Analytics, has spent his career inside high-stakes risk systems. That perspective shapes how he sees GRC: less about policies and checklists, more about workflows, data models, and accountability structures that either scale or snap under pressure.
MetricStream sits in the middle of that tension. The company was early to GRC and now runs a single configurable platform that connects enterprise risk, cyber, third-party risk, audit, and compliance across banks, energy companies, pharma, and software vendors. Levine is steering the company into a new growth phase—modernizing a long-standing product, rebuilding reporting, and integrating agentic AI so evidence collection, assessments, and testing shift from manual drudgery to a connected operating layer for risk.
In this episode, he unpacks what GRC looks like from the inside—and what it takes to rebuild a legacy platform for the AI era.