Steve Schlarman, Senior Director of Product Management at Archer, shares how the new Archer Evolv platform is transforming compliance and risk management from a manual, reactive burden into a streamlined, AI-enhanced business enabler. Discover how quantifying risk and automating regulatory processes empowers teams to make smarter decisions and drive real business impact.
In this RSAC 2025 episode, Sean Martin sits down with Steve Schlarman, Senior Director of Product Management at Archer, to explore how organizations are rethinking compliance and risk—not just as a box to check, but as a business enabler.
At the center of the conversation is Archer Evolv, a new platform intentionally designed to move beyond legacy GRC workflows. Built on years of insight from customers and aligned with the company’s post-RSA independence, Evolv aims to modernize how compliance and risk teams operate. That includes automating burdensome regulatory processes, surfacing business-relevant risk insights, and supporting more strategic decision-making.
Leveraging technology developed by Compliance.ai, acquired by Archer last year, Archer applies AI tuned specifically for the language of compliance, helping customers reduce review time per regulatory obligation from 100 hours to just a few. That’s more than a productivity gain—it’s a structural shift in how companies adapt to nonstop regulatory change.
Another critical area is quantifying risk. Rather than relying on subjective heat maps, Archer enables organizations to calculate loss exposure in real terms. This creates a foundation for executive conversations rooted in financial and operational impact, not just abstract threat levels. That same quantitative view can be applied to understanding the cost of controls—ensuring that investments align with real business risk, rather than piling on complexity for the sake of coverage.
The conversation closes on a powerful shift: risk and compliance teams freeing up time and brainpower to collaborate directly with the business. With the manual grunt work automated and controls mapped more intelligently, these teams can help shape new services and strategic initiatives—safely and confidently.
This episode isn’t just about software or frameworks. It’s about what happens when governance becomes a driver of value, not just a reaction to fear.
Listen in to hear how Archer is helping turn risk and compliance from operational drag into business advantage.
Learn more about Archer: https://itspm.ag/rsaarchweb
Note: This story contains promotional content.
Guest:
Steve Schlarman, Senior Director, Product Management, Archer | https://www.linkedin.com/in/steveschlarman/
Resources
Learn more and catch more stories from Archer Integrated Risk Management: https://www.itspmagazine.com/directory/archer
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
From Overhead to Advantage: Turning Compliance into a Strategic Asset | A Brand Story with Steve Schlarman from Archer | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Welcome everybody. We are at RSAC conference 2025. I have the distinct pleasure of, uh, sitting here with Steve Schlarman from Archer Integrated Risk Management. Yep. Archer, I like the car Archer. Right, right. But, but you've been, uh, you've been in this space a long time. Long time. Archer's been in this space a long time.
We're not gonna waste time on. Saying who you are, maybe your role quickly for me. Yeah. I'm, I'm,
Steve Schlarman: uh, senior director of product management. I'm focused really on our risk management portfolio of products. Right. And there are other portfolios and there's our
Sean Martin: compliance as well. Exactly. So we'll kind of touch on all of that.
Yep. But, um, I'm, I'm thrilled to, uh, thrilled to have you here. I'm sure many people know of Archer. Its past with RSA Security, deep, deep roots in GRC, no question about that. Um. You haven't been, uh, you haven't been settled in, you've, you've been busy the last few months.
Steve Schlarman: Yeah. We've, we've been, uh, really focused on, uh, launching our new platform, Archer Evolve, and we've [00:01:00] made the decision to really differentiate it from our previous versions because of some of the things that have happened, uh, with Archer as a company from, uh, the time we've spun out from RSA to, uh, the technology that we're really innovating on.
And we really wanted to emphasize. The fact is, as you pointed out, we haven't rested on our laurels. Yeah. We're really pushing the envelope and, and one of the benefits of being in the space for so long is we have great relationships with our clients. So we get lots of great ideas from them direction, what the challenges that they are facing, and then we can turn around and look at, well, what are the solutions that we can put in place to help them?
And so Archer Evolve really represents that, that. Turning of the corner, we, we knew that there was a significant technology innovation coming with ai. And so that drove a lot of our strategies around some of the stuff that we've launched last year, in the beginning of this year, that really are targeting some of the, [00:02:00] the highest impact areas for GRC teams.
Sean Martin: Right. So let, let's talk about, um, some of those challenges. I mean, he had a chance to sit down with some of the customers at during summit. And that relationship is, is definitely strong. So you got a lot of feedback in terms of what challenges are. Um, maybe can you highlight some of those? Sure, sure. That evolve is really tackling
Steve Schlarman: something that, that, that compliance teams have struggled with for many, many years is the, the velocity and the, the different, the, the nature of changes in the regulatory landscape.
And many organizations, they, they attack it by. Having people, reading the laws, looking at the regulations, looking at the frameworks, writing controls manually, trying to map all that stuff together. And frankly, when I started with Archer, that was one of my roles is, and it's uh, it's time consuming. It's somewhat subjective.
Um, it is very manual and or the human [00:03:00] error. Uh, yes. Yes. And, and the fact that the, the velocity of the changes are that. That just, uh, continue to pile up. Yeah, so that's one of the main, um, challenges we went after. And so we acquired a company called Compliance AI last year. That's right. Who had been a regulatory tech leader.
They've been in, um, in, uh, that space for about seven years. They had built an entire methodology and the technology to use AI to, uh, monitor regulatory sources. Um, automate that whole process of where the change is coming from, extracting obligations. So they tuned all of their language models towards the, the language, the vernacular of compliance, so extracting those obligations and then mapping controls.
And what they brought to us is, uh, uh, an accelerated way to meet that challenge of regulatory change. What we've been able to do over the last 12 months is then integrate that into the traditional [00:04:00] GRC processes around compliance management. So policy management, policy change management, um, control attestations, all of the process that come after that change from a regulatory
Sean Martin: perspective.
And speak to me about the change management, because I think you kind of alluded to it, right? If you do something once you're not done, there's always a constant change. Yes. So. It's really about managing change management.
Steve Schlarman: It, it, it is. And, and it's the, um, it's the fact that regardless of what industry you're in, there's at least some laws, regulations you're gonna have to, um, abide by.
Regardless of what administration is in public office, whether it's regulated or deregulated, there always fuels change. And so from a pure law, regulatory compliance perspective, there's an ongoing. Sequence of changes. There's always, um, you know, uh, things that are going out for comment, uh, speeches that indicate [00:05:00] potential changes mm-hmm.
Or memorandums being published by, um, uh, regulatory bodies that, that indicate maybe where the direction is. So there's always this kind of, uh, process. Secondly, internally, your controls. Many times are evolving as well as new technologies come out, as new business processes come online and so forth. So you have both sides of the equation shifting over time.
Yep. So
Sean Martin: the, the, you've alluded to it, but the, the way you actually mentioned AI as well, but the, the role of AI here, especially with the acquisition of the, of, uh, the company. How, how does that really help? Your clients and especially global mm-hmm. Companies that have stuff on different countries and Right.
And then of course in the US we even have state level, state level stuff to deal with. How does AI help with that flow of keeping on top of stuff? Yeah.
Steve Schlarman: Yeah. So whenever there's a change, you know, typically without the, the, uh, the benefit of, of technology, you have [00:06:00] somebody reading. Through proposed changes, reading through your controls, library reading and reading and reading.
And these are not, you know, uh, pageturners and they're, they're not short documents. And so one, you're using a highly skilled resource to do a lot of, I don't wanna say grunt work because it's, it's very important to the company, but repetitive type of, of, you know, reading a lot of documents. So
Sean Martin: what can you gimme an example, maybe a customer that's done.
Had to do it manually. What that Oh, yeah. That look like, and what they can do now. So
Steve Schlarman: we, we just worked with a client who estimated that for every obligation, so you can think of a law has multiple obligations, right? For every obligation it takes about a hundred hours. Wow. To read it, understand it, it, you know, interpret it, uh, look at the control environment, look at the business, to then make a decision of what we're gonna do about that one obligation.
And that was their number. They estimated that and, and, uh, [00:07:00] that's a significant number. They also estimated that their regulatory landscape had about 40 to 50,000 obligations. Wow. When they look at it from that perspective. So once we, once we implemented and, and we looked at that time, it dropped down to literally a few hours per obligation.
One or two hours, because the system was going through all of the proposed changes. Pulling out the language that says You should do this, you must do this, or, uh, uh, you know, uh, you must appoint a chief privacy officer. Those kind of, you know, just very straightforward obligations. And, um, and then presenting that these are the obligations, these are your controls, right?
Do you have a control that maps to that? If so, um, and does
Sean Martin: AI help with that as well? And AI helps with that as well. Analyzes
Steve Schlarman: both that. The other interesting thing that, that we've built is the idea of gaps and conflicts. So you could, uh, for [00:08:00] example, the, the con age of consent to opt into a marketing program, maybe different across different states, right?
So you can imagine which one do you apply, which one do you apply? So we can use AI to say in, in this state, it's 18 years old. In this state, it's 16 years old. And then your policy says. 17. Okay. So you have a gap, you have a conflict. Which one are you wanting to implement? Do you want to take the most stringent, do you want to take the route of, um, segmenting by, by geography?
So it, it basically, um, speeds up that entire process.
Sean Martin: One of, I have two, a lot of questions. We'll see how we get, get going here. The, the first one I want to maybe look at is kind of the ROI. Of controls, which might lead me to the next one, depending on where we go here, it's easy. I mean, we're, we're sold controls all the time, right?
Mm-hmm. Ways to mitigate risk, ways to mitigate attack, ways to respond [00:09:00] to, uh, compromise when it happens. Lots of implementation of controls, which adds complexity to the, to the, the governance piece, right? And demonstrating compliance. But we might overdo it. In some cases. So how do, how do organizations use what you provide to maybe tune and, and kind of ra rein in some of the right expenses and the team effort?
Exactly. That, that goes into actually managing all that stuff.
Steve Schlarman: So the, uh, there's a, there's different types of controls. You have the controls that you must do. So on the compliance side, if the law says you have to do something, then that's a, that's a pretty cut and dried situation. The, the, the. Place where you can adjust is really how much risk do you want to, uh, accept or expose yourself to.
Now, in the traditional approach to risk management, many companies come up with five by five heat maps. You know, they, they rank a very [00:10:00] qualitative or subjective measurement of likelihood and impact. We've taken the tack that that really the next evolution of risk assessment is to do it in a quantitative manner.
So we've built a very accessible, uh, enterprise approach to, to quantifying loss exposure. Okay. And so it replaces the reds, yellows, greens, that kind of subjective, uh, measurement of risk with much more tangible measurements. And it's really more a faithful representation of the risk. So when you quantify what the, the loss exposure could be, you now have a sense of how much, uh, I could be impacted by specific risk events.
Does this help with executive level communications? Ab Absolutely. Because you know, a, you have five reds, which ones should we invest in? Right? It's very difficult to have that conversation, right. But when you stack rank them by loss, exposure, and [00:11:00] importance to the business. That helps that, that first initial conversation.
The other thing that we're, we're really expanding is the idea of of, of cost of controls, right? So now when you actually go through the effort, which it is an effort, but the, the benefits, uh, are, are amazing when you actually estimate the cost of what these controls, um, uh, you know, what you have to pay for them, whether it's, uh, implementation of a system or it's time and resources.
You can now then make the decision, this is how much we're spending on controls, right? This is what the exposure is related to those controls. Are we making a good investment decision? Right? And, and then you're having a, a very straightforward business conversation of this is what you could be exposed to.
This is much how much you're investing. Maybe we need to, uh. Invest more because we wanna bring that exposure down, right? Maybe the business feels like could, we could take on a little more exposure and we're gonna move some investment, uh, and [00:12:00] resources over towards, uh, going after business opportunities.
And ultimately, that's really what a GRC platform should bring you. Is is that kind of business conversation. It's not check the box. Yes, we did this. It is something that really helps the business make a better decision. Yep. I love it
Sean Martin: and I, I have a dream, and I'm glad you kind of led me to this. I have a dream that security and, and risk teams have so much information and knowledge about the business that they can, they can really have an impact on how the business functions.
So you just gave the, if we're doing less in, in managing risk and, and managing controls, we can do, do things more strategically in terms of business. Capabilities, new services and things like that. Have you seen also a shift, and this is my dream, the shift to say, here's how we achieve more business, but here's how we do it in a way that we're not as exposed, that [00:13:00] we're not required to have as many controls, that we're not required to, to sit in front of a SOC all day long because we're not putting so much at risk.
Steve Schlarman: Yeah. Uh, we just had a client meeting yesterday where that's the state that they've gotten to. Okay. And, and they've done it through diligence and discipline and, and really taking the tact that they, they've costed out their controls. They've implemented, uh, quantification, uh, uh, with us to help identify that loss exposure.
And, and now it, it's, it's very similar in the security world. We look for ways to automate. The, you know, uh, closing down ports and, you know, doing all of that operational stuff, which is, frees up the security operations, uh, resources to then focus on, okay, maybe emerging threats, maybe some, uh, partnering with the business, helping them go after new opportunities, those kind of things that you really want them to do rather than stare at a screen.
Yeah. All day. [00:14:00] We're seeing that now on the risk in the compliance side. Cool. We're having those much more meaningful conversations and instead of the compliance team reading a thousand pages of, of, you know, upcoming changes and trying to interpret them, now they're sitting down with the business saying, here's what the obligations are.
Right? Here's what we have in place. Um, what are we gonna do to, to, to facilitate change? Yes. To meet these new obligations. Same thing on the risk team. It's here's the exposure, here's what we spend to protect that. You against that exposure where, where makes the most sense for us to focus. Yep. And that's really what we want to be able to do is automate those things that we can automate and take off that, uh, you know, free up those resources to have those conversations.
Perfect.
Sean Martin: Well, as you know, I'm, I'm a nerd for risk, maybe not so much compliance, but is Paul connected? Yeah. Yep, it is. But I love having these conversations. Yeah. And, uh, you're always a treat too. To chat with Steve. Well, I'm I, thanks for the invitation and, uh, hopefully everybody enjoyed this [00:15:00] conversation.
Uh, please do connect with Steve, connect with the Archer team. Look for Archer Evolve. That's E-V-L-O-L-V without the on the end of course, we'll include links to all that stuff for everybody. Yep. Um, final words, Steve?
Steve Schlarman: No, I just, uh, appreciate you having, and, and it's nice to be back at RSA conference. It's been a few years since I, I've been here, but been here many times.
So it's great to see new fr uh, old friends and make some new friends Exactly.
Sean Martin: Very good. Thanks everybody. Stay tuned. itspmagazine.com/rsac25 for all of our coverage. Catch you on the next one.