In this episode of When Trust Meets AI, Tolga Erbay, Head of GRC at Dropbox, confirms that it IS possible to build trust in the age of AI while optimizing productivity in the workplace. Tune in as host and CEO of Drata, Adam Markowitz, sits with Tolga for a deep dive into the real state of AI governance frameworks, why SOC 2 alone won't cut it anymore, and the concrete metrics (like trust-influenced ARR) that finally prove security and compliance drive revenue, not just cost.
If you're caught between moving fast and staying safe, this conversation gives you the tools to safeguard yourself from third-party AI risk.
What You’ll Learn:
- How to define trust operationally and use a practical framework to assess security risks
- Why shadow AI is the new shadow IT challenge and how to strike the balance between managing AI risk and enabling productivity
- The real timeline for AI governance maturity and why expecting mature AI risk frameworks within months (not years) is unrealistic
- How to build a trust dashboard that speaks to executives using FAIR methodology
- Which skill sets your GRC team actually needs in 20265
- How AI is already freeing up your team for strategy and where the next productivity breakthrough lies
Highlights:
00:00 Intro: Welcome to Trust Meets AI with Tolga Erbay, Head of GRC at Dropbox
02:38 Define Trust Operationally: Safe Places for Vulnerable Data
04:59 Shadow AI is the New Shadow IT: Balancing Risk and Productivity
08:15 AI Governance Maturity Takes Years, Not Months
11:30 The Security Landscape is Figuring Out the Gold Standard
12:55 Tolga’s Retrospective: The Evolution of AI, Trust & Governance
15:51 How Dropbox Does Trust: Scorecards & Dashboards
16:48 Measure Trust as Revenue: Connect Assurance to Business Growth
18:12 Upskill Your GRC Team in AI Fundamentals, Then Hire Deeper Expertise
19:50 Reject the SOC 2 Quick-Fix Myth: Raise the Bar on Compliance Quality
21:41 Questions Every CEO Should Ask Their GRC Leader
23:06 Influential Lessons from 20 Years in Security and GRC
25:52 AI in Personal Life: From Travel Planning to Family Adventures
26:55 Key Takeaways: Trust, AI Governance, and the Future of GRC
Quotes:
- "You can't build anything without trust. I think quite simply, it means you've assessed the other party to be a safe place where you can open up or be vulnerable, with the things that you value, whether that's possessions or thoughts or even feelings."
- "The skill set is certainly changing. We have worked with our team to make sure that everybody is taking baseline AI training to understand how models work, how LLMs work, how the engagement context engines work. We've been hiring people with backgrounds in ML and people that understand this at one layer deeper than a GRC team has ever had to engage before."
- "Everything feels huge when you're younger - everything feels like a big mistake or a big compliance deficiency. How you manage the relationships with people throughout the way is far more impactful than fixing every individual problem."
- "It is a myth that you can get a SOC 2 in twenty days for five thousand dollars. You can spend twenty days and $5,000 and get a SOC 2, but it is impossible to do that well - to do a quality job and get anything done in terms of security or actual risk management. It's not gonna happen in twenty days."