How do you build trust in a business environment where security reviews, compliance demands, and vendor risk checks can slow everything down just when companies are trying to move faster?
In this episode, I sit down with Adam Markowitz, CEO and co-founder of Drata, to talk about why trust has become one of the most important business conversations in tech. Adam brings a fascinating perspective to the table. Before building Drata, he worked on NASA's space shuttle program, and today he leads a company that has grown rapidly by helping organizations rethink compliance, governance, risk, and assurance through automation and AI. What stood out to me in this conversation was how clearly he framed the real issue.
Compliance may have been where many companies started, but trust is the bigger story. In a world shaped by cloud services, third party vendors, and constant security scrutiny, old point in time audits and reactive processes are starting to look painfully outdated.
We also talked about Drata's acquisition of SafeBase and what that says about the direction of the market. Adam explained how security and GRC teams have too often been treated as back office functions, expected to stay quiet and keep the company out of trouble. But he sees things very differently. He argues that these teams can actively help close deals, accelerate revenue, and remove friction from the buying process. That shift matters because trust now plays a direct role in business growth. If customers can quickly get answers to security questions and understand how a company manages risk, sales cycles move faster and security teams stop being bottlenecks at the final stage of a deal.
Another part of the conversation that really stayed with me was Adam's view on AI. He sees it as both a tailwind and a test. AI is helping automate highly manual GRC workflows, improve continuous compliance monitoring, and support newer frameworks tied to AI risk itself. At the same time, he is realistic about the pressure this puts on businesses. AI may introduce fresh concerns, but it also shines a harsher light on issues that have been around for years, things like access creep, weak controls, and data integrity problems. That honesty gave this discussion a lot of weight because it moved beyond hype and focused on what companies actually need to do.
We also touched on Drata's momentum as a business, from opening a new San Francisco headquarters to expanding globally and moving further into the enterprise market. But even there, Adam kept coming back to culture, discipline, and a deep understanding of the customer problem. For me, that was the thread running through the whole episode. Trust is not a side issue. It is part of how modern companies grow, compete, and prove they can be relied on.
If your business still sees compliance as a checkbox exercise or a cost center, this conversation will give you plenty to think about. Where do you see the relationship between trust, security, and growth heading next, and what did this episode make you question about the way your own organization handles compliance? Share your thoughts with me.
Useful Links
[00:00:04] Welcome back to another episode of Tech Talks Daily. I've got a great one for you today. I'm going to be joined by the CEO and co-founder of Drata. Together we're going to talk about Governance, Risk and Compliance, or GRC. The world of big tech does love an acronym after all. But GRC is finally getting the rethink it has needed for years.
[00:00:28] And I want to talk today about why the rise of AI is accelerating that shift. And my guest story today is a great one too. He's gone from working at NASA's Space Shuttle program to building a company that now supports more than 8,500 customers and is scaling incredibly fast.
[00:00:48] So today we will get into what pushed Adam and his co-founders to challenge those point in time audits and manual questionnaires, and why continuous control monitoring is becoming the foundation for how Drata approaches compliance and assurance.
[00:01:05] And yet we'll also talk about their recent acquisition of SafeBase, the role that trust centers play in changing security from a reactive cost center and turning it into a proactive business enabler. And in doing so, shortening sales cycles and reducing the constant fire drills around security questionnaires. Man, I used to hate those back in the day of my former life.
[00:01:31] But the good news is with new AI risk frameworks emerging alongside the broader AI boom, I'm going to discuss the irony and the opportunity of using AI to help organizations manage AI related trust, compliance and third party risk without turning everything into a black box. Lots to talk about today. So enough from me. Let me introduce you to my guest right now.
[00:01:57] So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? Sure. Well, thank you again, Neil, for having me. It's great to be chatting. My name is Adam Markowitz, co-founder and CEO at Drata. Drata is an agentic trust management platform. I'm a two-time founder CEO now, but an engineer by training prior to that and actually not software engineering, but aerospace and astronomical engineering.
[00:02:25] I spent time working on NASA's space shuttle program until NASA retired the fleet in 2011. I'm a father of two kiddos, but I think Drata is kind of my third child. Drata is my five-year-old, but that's a five-year-old that's growing incredibly fast. We're serving over 8,500 customers now worldwide from small startups to Fortune 100 and over a third of the cloud 100.
[00:02:46] Our customers use Drata to automate compliance with security and privacy frameworks and streamline their GRC programs, accelerate security assurance and monitor risk across their third-party vendors. I love that. And not only that, I would say you're incredibly humble because not only are you the co-founder and CEO, you've also taken Drata to 100 million in ARR in just three and a half years, which is a phenomenal achievement.
[00:03:12] But if you look back at that journey, what decisions do you think mattered most in sustaining growth at such a pace? I feel there's got to be a story there too, right? A lot of stories. Yes. We went from, yeah, one to a hundred million in three and a half years. And then after that, this last year actually grew 60% on top of that and 190% in our enterprise segment this past 12 months. So just super rapid growth from the beginning and throughout.
[00:03:39] I do not take credit for this growth myself or any single decision that I made by myself at all. That's not how this has worked. The growth and the success, it's really a result of just a lot of incredible people with a relentless work ethic and just a DNA. If my co-founders and I did anything right, I think we definitely seeded that DNA into the culture. But the folks we've surrounded ourselves with, they've taken those values and they, of course, embody them and their behavior.
[00:04:08] And that's what culture really is. And since the beginning, I think that in itself might be one of the strongest decisions that's mattered most in just sustaining our growth. Just being really deliberate with those values and why they were necessary for Drata specifically. And it's kind of an overarching driver, in my opinion, with the success. And it always will be. Growth is, I always say this, growth is change and change is uncomfortable. So rapid hyper growth is just a constant state of not being comfortable.
[00:04:35] And humans, I think, by nature would just seek comfort. And so to sustain growth means we just, we had to have a culture that was intentionally uncomfortable and actually celebrate that. Beyond culture, though, I do tend to look at it as like a three-legged stool in some sense of strategy, execution and timing in all three matter. Because it's like a stool. You don't have one of those three. It's not going to work. So there's been a lot of decisions and a lot of stories around just strategy, execution and timing of it all.
[00:05:02] And timing is one of those things where, yes, there's intuition and kind of knowing where the puck is going. But you also got to get a little lucky and be at the right time to be doing what you're doing and solving the problems you're solving. And it's such a great story. And what I love about it in particular is you've experienced super quick growth. But on the flip side of that, compliance has traditionally been slow, manual and very reactive.
[00:05:27] So what was it that convinced you that GRC was ready for a fundamental rethink through AI and automation, especially when it's an industry that's often accused of being slow to adapt and change? Yeah, I mean, it definitely started with compliance. But trust was really at the core of what convinced us the space was ready for disruption. Compliance was just one of the many ways we were earning and maintaining trust. But it was. It was very slow, manual and reactive.
[00:05:57] And point in time assessments, audits, questionnaires, those were how we were earning trust. And they felt archaic and really inefficient and even dangerous when you kind of look to where, again, the pump was going. Just the proliferation of cloud vendors, our reliance on third-party vendors, and then the surprising cost and frequency of breaches across those vendors. The eventual AI boom was just like a tailwinds on tailwinds in that regard.
[00:06:23] But we lived firsthand in our prior lives selling software in a completely different space, education, technology, so selling into colleges and universities across the globe. We felt that problem. We solved it for ourselves in a way that was automated and continuous and provable. And that's when we were convinced this was possible. You know, a 10x better solution than the status quo for something as important, as fundamental as trust. I mean, in our view, trust is never not going to be important.
[00:06:53] It only becomes more important with every new kind of technological wave that we see. And so all those things combined, especially, again, just living the problem, it really was the light bulb moments that led us to start Andrada. You mentioned trust there. Andrada's acquisition of SafeBase, I think that marked a major step forward in that strategy, too.
[00:07:17] So how does bringing trust and compliance closer to the customer change the way that companies think about risk and transparency? Yeah, I mean, for a long time, I talk to CISOs all the time, obviously. And so many of them would tell me, Adam, for the longest part of my career, security and GRC, we were kind of relegated to the back office. We were told to keep the company secure, get the audits done, and kind of keep your mouth shut. And that's pretty brutal.
[00:07:46] And just it was viewed as a cost center. And we obviously have a very different philosophy here that the security and GRC teams are actually profit centers. They accelerate revenue, and they enable the business to grow. And anyone that's worked in software knows go-to-market teams pull in the security folks when they're trying to close new business. And that prospect needs to get answers to security questions, sometimes hundreds of questions in a questionnaire. And this bottlenecks. It bottlenecks at the end of the quarter, of course, where we would see security teams just
[00:08:15] scrambling, working overtime to provide that support. And they get a quick high five, and then it's back to their day jobs. So SafeBase, as a company, they had a brilliant strategy, and they created something called trust centers for their customers. In fact, they created the entire trust center category that now exists. And these trust centers allowed security teams to basically proactively share and disseminate the information about their security programs so that buyers can self-serve those answers that they needed.
[00:08:43] And for anything additional, use AI to answer those questions. And so this in itself obviously accelerates security reviews and accelerates sales cycles, which accelerates growth. And it proves what we always said. Great security and great security teams are business enablers. Trust is the ultimate business enabler growth accelerator. And the icing on the cake is we could basically help security teams help CISOs now prove it, right? Because the trust centers are connected to the sales CRM.
[00:09:11] So they could literally show in a nice visual format just how much revenue they're accelerating and influencing every quarter. CISOs can show with one click literally how much faster sales cycles are for opportunities that go through their trust center versus those that don't. To date, over $20 billion in security influence revenue has been transacted through Draught and SafeBase Trust Center. So it's just, it's such a nice completion of the narrative of our sort of our belief that
[00:09:37] trust really is what's enabling businesses to grow and it allows us to prove it. And also, I think the pace of technological change can feel incredibly overwhelming for many business leaders listening, especially when you have cyber, regulatory and reputational risks all rising at the exact same time. So how are you seeing AI changing the way organizations can better stay compliant without
[00:10:02] grinding the business to a hole and getting caught in all that red tape that just seems to slow things down sometimes in an organization? What are you seeing here? How's AI helping? Yeah, it's amazing. Earlier I was saying how timing is one of those things where you can't always nail it, but when it lines up, it definitely helps. And the AI boom is providing tailwinds across every use case that Drata serve those customers
[00:10:29] with today, including obviously just the compliance, staying compliant. AI is being used to automate and even further than we were prior, these compliance workflows and activities because GRC itself for the longest time has been a very manual, very workflow driven process, which is just low hanging fruit, right? Perfectly ripe for AI agents to perform a lot of these tasks and workflows. And it's being used also to help just further expand the coverage of our 10X differentiator,
[00:10:59] which is our automated continuous control monitoring and testing. So we help our customers stay compliant every day of the year, not just on audit days. That was really at the heart of what we brought to market five years ago when we first launched was this idea of when we say automated compliance, we mean the continuous monitoring and evidence collection of security controls. So we could help our customers not just prove they're doing the things they say they're doing, but do that on a continuous basis, not these point in time, as I mentioned, broken processes
[00:11:29] of questionnaires, point in time assessments, point in time audits. It's about staying compliant. And then of course, AI at the end of the day is bringing new compliance frameworks to bear. Like I supported 2001 NIST's AI risk management framework. So it's not lost on us the irony where we're using AI to help customers comply with more AI frameworks. I love that. And there will be people listening that still see compliance as more of a cost center, even though it is crucial.
[00:11:57] So from your experience, how could that modern GRC become maybe more of a growth enabler instead and move away from that cost center mindset? Is this something you get asked a lot? Yeah, it's unfortunate. That's an unfortunate, I think, just misnomer because, you know, I could oversimplify it and just kind of say, we're complying with these frameworks so that we can sell to new customers
[00:12:23] in new regions or just existing customers in existing regions because the bar for assurance has been raised. Yeah, that's the kind of the very go-to-market focused view of it, which is how it plays out in a lot of situations with our customers. We like to think idealistically that, you know, we start with risk, we work our way backwards, we design controls that then mitigate that risk. And by nature of doing all of the right security practices, we will ultimately be compliance.
[00:12:52] But in reality, it's, you know, we're trying to now go sell in this region of the world and there are specific compliance frameworks that we have to comply with. GRC team, tell us how much time and how much we're going to have to invest to make this happen. That's how it kind of plays out. And so I think, you know, we need to meet our customers where they are. It's a spectrum. I mean, I just gave two kind of opposite ends of the spectrum examples there. It's a spectrum and companies are somewhere in the middle there. And the beauty is we can meet them where they are.
[00:13:21] And by delivering more than just a compliance use case in a trust management platform like Drata, we're able to offer the security assurance use case. And we put them side by side, especially in a platform approach. It brings those teams together. It brings those use cases together and it really helps connect. The effort, all the work that these GRC teams are doing from designing controls, implementing policies, monitoring, completing audits, and then the actual assurance activities that's
[00:13:49] helping unlock the value of that. And as I mentioned, allowing a CISO to walk into a board meeting and point to the amount of security influenced revenue because of the effort of that team. There's just no, there's nothing better than actually being able to connect those two pieces of the puzzle. Something we've got to mention as well. It really seems to be paying off for you guys. Because before you joined me on the podcast today, I was reading that you hit the ground running here in 2026.
[00:14:14] And just a few weeks ago, I think you moved HQ to San Francisco, which is notoriously expensive place to have any kind of real estate. So tell me more about that growth and what you're seeing at the moment and any other big stats that you're seeing coming out. Yeah, yeah, we did. We announced the opening of our new San Francisco headquarters. You know, Drada's just turned five years old. And so we started right smack in the middle of the COVID pandemic and actually incorporated
[00:14:41] during lockdowns when we weren't even allowed to get together. So the company originally started fully remote, remote first out of necessity. And now we've since moved into more of a hybrid approach. We have offices in San Diego, obviously the new headquarters we just announced in San Francisco. We have offices in New York, Sydney, and London. And so it's, it's been a global hybrid now approach. And yeah, we're also coming off of a year.
[00:15:07] I mentioned of 60% year over year growth at scale, which is just incredible testament to the team's execution across the board and 190% growth in our enterprise segment. Five years ago when Drada launched, we served primarily the SMB segment of the market. And we still do today, you know, bringing on hundreds of new SMB customers every single month. But like I said, in the last 12 months, really pulled up market serving Fortune 100 customers
[00:15:34] now across the globe, across these use cases from compliance, assurance, third-party risk, and so on. And that's grown 190% year over year. So yeah, we're just really excited to be where we are, the time that we're in, and where it's never been more important to be able to earn and maintain trust. So here in 2026, you're enjoying phenomenal success. It comes such a long way since those lockdown days, what, six years ago now.
[00:16:01] But if we go back even further, you mentioned in your intro that your career started at NASA and then moved from building and selling portfolios. I've got to ask, what lessons from those earlier chapters, was anything there that shaped how you approach building Drotter with the same co-founders? Any moments of serendipity? Any big stories? Because I feel there's got to be something there as well that has helped you now, as well as being in the right place at the right time. But there's usually a lot of things happen. Yeah.
[00:16:31] I mean, I'll say you never stop learning. No stage of Drotter or the prior business portfolio was ever easy. It's not meant to be, and that's a good thing. But some of the lessons that have stayed with me and the other co-founders from our prior lives, one I already kind of touched on a little bit, and I was just being very deliberate with culture. Yeah. You know, culture is something that gets talked about a lot. I talked to other CEOs about it. I've never heard any two CEOs define it the same. And that's okay. It's a good thing, I think.
[00:17:01] As long as there is a definition and the company is deliberate about it, I think that's what matters most. And the culture definitely needs to serve the purpose, the mission of the company versus just being something that is kind of feels good and virtuous. I mean, that's, it should be that, but it should also be very specific to the company. That's why one company should have a different culture than the next and both should be successful. So that, that's something again, that we did pretty much a day zero here.
[00:17:29] And I mentioned it earlier, just infusing that DNA and that culture early. And then obviously needing to maintain it as we've grown, it's been pretty key. You know, some of those values that came specifically for, for draw, as well, you're being, you know, customer obsessed, but competitor aware. And if you're solving a big problem, a meaningful problem, you're not going to be alone. There's going to be a lot of companies that are trying to solve that same problem. And that's a good thing. If you just follow what competitors are doing, that's, that's, that's never good.
[00:17:56] And so, you know, prior lives, we obsessed over the customer, their, their pains, their experience and using our products and it served us well. And so it kind of became the only way I knew how to do it, but it turned out to be a good thing when it comes to leadership at the company. You know, it's, it's kind of an overused cliche at this point, but smart, hungry, humble is kind of the, the three-legged stool, I guess, of that, of that piece where you need all three.
[00:18:25] I've definitely made mistakes in the prior life of, you know, finding great folks that have two of the three and just trying to convince myself that it might work. It just never does. And then I think one thing I, if I just kind of try to tie a bow on it coming off of seven, eight years, building the education technology company portfolio, you mentioned in living the problem that we're now solving with Drada, there's just a, there has been a perspective and appreciation for the problem
[00:18:54] and the opportunity to solve it here at Drada. And both, both of those things matter because from the very beginning and, you know, lightning in a bottle product market fit was fantastic and it just kind of further fed the appreciation for the opportunity to solve this. And then when the execution followed, it just became this virtuous cycle of a healthy perspective, appreciation to go solve, and then the execution that followed, and then the results that fed the appreciation
[00:19:24] and perspective. And so, you know, that I'm sure that that, that would have been there to some degree if we hadn't come off of the prior company or prior life, but maybe not to the same degree. And I think that that definitely mattered when I look back. Incredibly cool, the journey that you've been on there. And as we head to the future, I mean, as AI inevitably looks destined to become even more embedded into
[00:19:48] compliance workflows, what do you think leaders misunderstand most about the future of trust, risk, and accountability? You must get to speak with so many different leaders around the world and hear so many different stories, but what is the thing that they misunderstand most about this? Yeah, I mean, I think there's some, some universal truths. Like I mentioned earlier, like trust will never not be important. Yeah. With every new technological leap, like just whether it was cloud, obviously now AI,
[00:20:17] whatever comes next, trust will always be this just fundamental prerequisite for success. And I think it just gets proved further with every shift. Misunderstandings. I think it's not so much misunderstandings of just where I see like the focus with AI. I see obviously a lot of security teams focusing on just the new risks that AI is exposing.
[00:20:40] But in a lot of the situations, all the conversations I'm having, it's, it's also just magnifying risks that have always been there, like within our companies, right? And so maybe you could get away with not maniacally focusing on them or designing the right controls to help mitigate. But now, as soon as you bring in X tool, X technology using AI, it just immediately brings that risk to life, whether it's, you know, data integrity or, you know, access creep and drift, like least privilege.
[00:21:10] I mean, these are things that we've been talking about for years, decades and design controls and having control frameworks around. And if those controls aren't operating effectively, which is really what compliance is all about, ensuring that these controls are operating effectively, then as you introduce this new tooling or new technology, it's just going to immediately expose those cracks that were always there. I think that's, I don't know, maybe not getting talked about enough. I don't know if it's so much as a misunderstanding or misnomer, but it's definitely interesting.
[00:21:41] And when looking at AI, there's a lot of hype that surrounds it. Also, I suspect when you're scrolling down your LinkedIn newsfeed or wherever you hang out, there'll be a few misconceptions, myths, maybe even untruths. Are there any of those that we can maybe lay to rest today so we can stop seeing these in our timelines? I mean, if people would stop calling SOC 2 a certification, that would be nice. I could beat that drum and stand on the pedestal to scream in that, but it's fine.
[00:22:10] I don't think it's ever going to stop. I've almost given up and just kind of nodded my head. It's fine. As long as people are talking about it, it's good. That's one. I also think compliance itself can kind of get a bad rap. In some cases, for a good reason. I mean, there's definitely bad apples and just bad practices out there. But when I hear compliance being completed with security or people trying to make a point that compliance isn't security, of course, that's a true statement.
[00:22:38] At the same time, no amount of security is going to make a company impenetrable. Compliance should be the result of good security. But compliance and trust doesn't mean that you're impenetrable, right? It means that you're trusted to do the things you said you were doing and that you should be doing. And that includes even responding to when there is an incident. And so, you know, no one likes ambulance chasing. No one likes finger pointing. And after an incident or after a brief saying, well, look, they had a clean SOC 2.
[00:23:06] So clearly that proves my point that compliance isn't security. That doesn't help anybody. And it defeats the purpose, right? Again, whether it's SOC 2 or any compliance framework, it isn't saying that they are secure. It's saying they're going to do the things they say they're doing. And I guess that's the first point that SOC 2 is not a certification. I think that matters, right? The report, it's an attestation. It's attesting to the fact that these controls are in place. They're operating effectively based on how we design them.
[00:23:35] And you can see them for yourself. That's why those two things actually are connected. It's true compliance is not security. It wasn't meant to be. I think that's a powerful moment to end on. So many big takeaways from our conversation today. And anybody that wants to continue the conversation or just find out more information about Drata or keep up to speed with some of the big announcements that you've probably got coming up as well. Where should everybody go? Well, I think probably for the live feed of announcements and activity,
[00:24:04] LinkedIn is definitely the place. Drata's company page on LinkedIn or, of course, Drata's website, droughton.com. Perfect. I'll add links to absolutely everything there. And I would encourage people to join this conversation. Let me know your thoughts. Come over to techtalksnetwork.com. Send me an audio or a DM message. I'd love to hear from you. And also I'll include a link to your LinkedIn, Adam, as well. See if we can get anybody to ask you any questions. But more than anything, just thank you for starting this conversation today.
[00:24:33] Oh, no, I appreciate it. Thank you, Neil. I think one of the things I appreciated most about this conversation with Adam today is just how directly it connects trust to business momentum without pretending that that work is going to be easy or comfortable. And talking about this real shift that's happening in security and GRC, away from being pushed into the background and toward becoming a more visible part of how modern companies win deals,
[00:25:00] expand into new regions, and build credibility with customers. It's something that I didn't see coming, if I'm honest. And the SafeBase Trust Centre store is also another good example of the change that we're talking about here. It is about meeting buyers where they are, reducing friction, all while still keeping accountability and transparency intact. And I think Adam also made a cracking point there about compliance.
[00:25:26] It's not a guarantee of being breach-proof, and it's never meant to be either. But when it's done well, it becomes evidence that a company is doing what it says it does, consistently. And that matters even more as AI will inevitably increase the speed of scale and risk, etc. As AI inevitably increases the speed and scale of risk.
[00:25:50] Ask, after listening today, do you see trust, compliance and assurance as a cost you tolerate or as a capability that you can build into a real advantage? Let me know as always, techtalksnetwork.com. Everything you need will be over there. Other than that, I'll be back again tomorrow with another guest. Speak to you all then. Bye for now. Bye for now. Bye for now. Bye for now.