For decades, enterprise companies turned their heads while risk steadily accumulated in global systems. Just-in-time manufacturing, extended networks through low-cost geographies and reliance on narrow shipping corridors all seemed reasonable when trade was stable and borrowing costs were low.
But we know now that those conditions were the exception, not the rule, and that risk was ticking upward all the while.
Over time, that’s made governance, risk and compliance (GRC) technology, which helps companies identify and manage risk, one of the most consequential and compelling categories in enterprise software. When compliance failure means fines, sanctions, cargo seizure or seven-figure losses, GRC software moves from nice-to-have to mission-critical.
FTV Capital’s Jerome Hershey has spent the better part of a decade investing in GRC software, backing companies like Windward in maritime, Highway in transportation and Lean Solutions Group, which provides strategic support services for the transportation, logistics, insurance and finance industries. FTV itself has over two decades of experience in the GRC space, investing in more than a dozen companies including Actimize, FundApps, ID.me and ReliaQuest.
We talked with Jerome about why he believes industry depth is a compelling differentiator in GRC, the qualities FTV looks for in successful companies and where generic AI tools fall short.
You have a highly focused approach to investing in GRC companies, choosing to go deep in certain verticals. What’s your rationale for this strategy?
Many defensible GRC businesses are built on industry-specific depth. Every industry has its own regulatory makeup – agencies, enforcement methods and risk vocabulary. When a bank treasurer screens a vessel for sanctions exposure, or a freight broker verifies a carrier’s insurance coverage, few horizontal platforms can serve those workflows with a level of domain expertise customers trust.
FTV companies such as Windward and Highway illustrate this well. Windward’s platform pulls from more than 20 data sources, including satellite imagery, radio frequency emissions, vessel ownership records and cargo manifests. This feeds a proprietary maritime intelligence engine refined over 15 years. Highway processes millions of data points daily, from motor vehicle logging signals to federal database pings, to maintain an identity graph for every network carrier. That proprietary data infrastructure is the moat, and it compounds with every additional customer and transaction.
That’s not to say horizontal approaches aren’t successful too. In fact, FTV has backed several successful horizontal GRC businesses, such as A-LIGN, a company we’ve invested in three times. A-LIGN wins precisely because cybersecurity compliance frameworks like SOC 2 and ISO 27001 are consistent across industries.
What are the macro forces affecting GRC right now? Why is this moment different?
Three forces are converging to create a massive tailwind for GRC businesses.
The first is a sanctions surge: the U.S. and Europe have sanctioned thousands of new entities, creating a compliance burden that requires sophisticated software to manage at scale.
The second is geopolitical conflict actively rewiring supply chains. Think of the disruptions caused by the Iran conflict alone. Companies that once asked, “Is this supplier cost-effective?” now ask, “Is this supplier compliant?” That diligence layer didn’t exist a decade ago.
Finally, supply chain due diligence laws now require companies to understand goods flow in ways they never have. What makes this moment different is that AI plays both sides. AI can help GRC vendors enable automation at scale; AI also expands the threat landscape. Deepfakes, AI-driven voice manipulation and synthetic identity fraud create new vectors that compliance frameworks weren’t designed to catch. Difficult times for the world tend to drive strong demand for GRC solutions.
FTV has a long history of investing in GRC companies, backing businesses with strong fundamentals like high margins and recurring revenue. What other qualities do you look for?
Over more than 20 years, FTV has found GRC leaders share four qualities beyond the usual SaaS metrics.
First, they have proprietary data, or at least a platform that pulls together messy third-party data in a way that’s truly hard to replicate. Software is an interaction layer, but the real moat is the data infrastructure underneath.
Second, they benefit from regulations becoming more complex. When regulators keep raising the bar, it’s a reliable form of demand generation for GRC companies.
Third, they benefit from network effects. Highway’s Trusted Freight Exchange creates a two-sided dynamic, with more verified carriers making the platform more valuable to brokers, which in turn attracts more carriers. FundApps has a similar flywheel: its clients contribute to a shared intelligence layer around regulatory changes that no firm could build alone. Those feedback loops make our companies difficult to displace.
Then, we look for a shift from system of record to active workflow engine. The most exciting GRC companies are moving from storing compliance data to automating compliance decisions. Windward’s MAI Expert is an early example: an agentic AI automates risk screening within a customer’s own workflow. That shift creates dramatically more value per customer and makes switching even harder.
Can you talk more about where AI genuinely transforms GRC workflows – and where it doesn’t apply?
To understand where AI is headed, it helps to look at GRC industry history. Early information services firms relied on analyst teams in lower-cost geographies to manually build risk profiles. A compliance officer then cross-referenced profiles against customer records by hand. It was slow, expensive and error-prone, but has become more automated over time. Agentic AI will turbocharge the trend. Human-intensive processes will persist, but only where they’re deeply woven into the broader data platform and value proposition.
Think about sanctions screening across thousands of vessels. This is a routine, high-volume, pattern-driven task that AI excels at. Compliance teams will become smaller and more productive but won’t go away. When regulators want to know why a flagged transaction was approved, “the model said so” is not an acceptable answer.
AI meaningfully raises the floor, but the ceiling remains with humans. Successful GRC companies will use AI to expand capacity and improve judgment without pretending that automation removes risk.
Transportation and logistics stocks have been rattled by AI disruption narratives recently. Are they structurally more exposed to disruption, or is the market overreacting?
AI is a disruption risk for operational logistics software but a tailwind for compliance-focused logistics software. The market is right to ask the question. It’s just applying the same conclusion to businesses with very different underlying moats and conflating two different parts of the logistics stack.
Operational logistics, things like routing optimization, load matching and capacity forecasting, are genuinely exposed to AI disruption. Again, those are pattern-recognition problems, and investors should ask tough questions about defensibility there.
But the compliance layer of logistics is something else. Highway’s value is not about routing intelligence; it’s about carrier identity, fraud prevention and building trusted infrastructure. This is not a pattern-recognition problem. The more freight moving through Highway’s verified network, the more valuable the network becomes. When AI-fueled identity theft increases fraud, the need for strong identity infrastructure only becomes greater.
Is it a serious threat when an AI-native horizontal GRC platform claims it can learn any industry’s regulatory environment and knock out vertical software?
We think seriously about this topic, but it doesn’t change our thesis.
The core challenge for any horizontal, AI-native challenger is data. You can fine-tune a large language model on publicly available maritime regulations. But Windward’s advantage isn’t in publicly available information; it’s in 15 years of proprietary vessel behavior data refined by human review, and sanctions pattern recognition informed by real enforcement outcomes.
A scenario that would get our attention: an AI-native platform finds a way to access proprietary vertical data through another channel, becoming the default data infrastructure for a major industry player or competing at a price point so much lower that customers would accept more limited coverage. We watch for both possibilities.
Still, businesses most exposed to this disruption are legacy horizontal GRC vendors with broad but shallow offerings. The specialists we back are differentiated by their depth.
Looking five years out, will vertical GRC consolidate into a few dominant platforms, or will specialists remain the most defensible?
Both outcomes are likely in different parts of the market. In the broader ecosystem, we expect consolidation as a few platforms build strong positions in their verticals, then expand to become the operating system for that whole supply chain segment.
At the same time, deep vertical specialists will remain highly defensible, protected by industry-specific data, embedded workflows and tightening regulation.
The likely winners by 2030 will be those that dominate one vertical, build a proprietary data advantage and then expand into adjacent use cases without losing the depth that made them valuable in the first place.