by Mustafa Neemuchwala, Hilarie Koplow-McAdams and Ayush Goradia, Sep 30, 2025
Organizations worldwide are facing increasingly stringent regulatory requirements alongside complex cybersecurity threats, resulting in comprehensive compliance processes that are both essential and resource-intensive. More than half of security teams spend five or more hours each week on manual compliance tasks, and Thomson Reuters Regulatory Intelligence reported over 230 regulatory alerts a day in 2023.[1,2] The sheer scale of threats teams have to assess in this changing landscape has left them in a reactive position.
Traditionally, governance, risk management, and compliance (GRC) tasks involve extensive manual effort by dedicated compliance analysts, who must ensure meticulous adherence to diverse regulatory frameworks. The processes are repetitive and error-prone, involving extensive documentation, frequent internal audits, and interactions across multiple teams including IT, legal, human resources, and senior management. Compliance analysts manually map controls to regulatory requirements, continually update and verify documentation, and perform laborious gap analyses to identify areas needing remediation. Furthermore, vendor assessments, required for third-party risk management, involve repetitive, manual questionnaires and frequent follow-up, creating more complexity and resource demands.
Lastly, compliance standards evolve over time and are updated every few years. For example, NIST CSF 2.0 was released in February 2024, while NIST CSF 1.1 was released in April 2018.[3] Recertifying all existing projects that were previously assessed against version 1.1 is a near-impossible task for teams to manage.
The downsides of poor controls are vast. In September 2025, a cyberattack on Collins Aerospace’s software took down check-in, boarding, and baggage systems across major European airports, forcing airlines back to pen and paper and grinding operations to a halt, affecting 1.3 million passengers, and creating a $500M revenue loss for Delta Airlines alone.[4] And it’s not a one-off. Jaguar Land Rover has been unable to produce cars since the end of August after it was forced to shut down its entire IT network.[5] The Snowflake breach hit 160+ companies.[6] Change Healthcare’s ransomware attack froze millions of patient claims.[7]
In summary, these assessments are widespread, complex, and take a ton of time to complete, yet are mission critical and key revenue enablers for enterprises. We know that LLMs excel at tasks such as understanding documents and mapping requirements across different standards, so why not rethink the status quo of security compliance workflows?
Zania automates your GRC program with a fleet of intelligent AI agents. This autonomous platform handles everything end-to-end: evidence collection, continuous monitoring, internal and third-party risk assessments, and compliance evaluations. It coordinates with stakeholders to drive remediation, all under the strategic oversight of your team. It’s time to move beyond traditional GRC tools that just track workflows. Zania is the platform that executes GRC work.
Zania is already working with some of the largest customers in the space, including KPMG, Plaid, Grant Thornton, Armanino, Stanford University, and more to deliver security compliance in minutes, not months.
Zania’s team is well known to us at NEA: we were first introduced to Shruti Gupta, Founder & CEO, through our investment in SafeBase (acquired by Drata), who was an early design partner, and immediately believed she was a perfect fit to tackle the challenges associated with GRC. Shruti built and led security teams at Airbnb, Instacart, Brex, and Microsoft Identity—living the GRC grind firsthand. Aidan Collins (CRO) led Risk Advisory at Bain & Company, Deloitte and PwC.
Inevitable category shift: Agentic workflows are transforming text‑heavy, rules‑driven processes; GRC is one of the highest‑impact domains.
Pain with budget: Compliance is a revenue enabler and board‑level priority; cycle‑time and coverage improvements pay for themselves.
Team built for trust: Security DNA + hypergrowth background + early enterprise traction.
From helping build internet‑scale infrastructure to backing AI‑native software, NEA partners with mission‑driven founders building enduring companies. We’re proud to support Shruti and the Zania team as they define the GRC platform for the AI era.
Sources
https://www.metricstream.com/blog/grc-risk-regulations-focus-areas-2024.html
https://www.insideprivacy.com/cybersecurity-2/nist-publishes-the-cybersecurity-framework-2-0/, https://help.vanta.com/en/articles/11345799-understanding-the-differences-between-nist-csf-1-1-and-2-0
https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack