Publications
Papers, writeups, and longer-form work.
Things I've published or contributed to in venues outside this site. Where I can host the artifact directly I do; otherwise the link points to the publisher.
- Governance, Risk, and Compliance (GRC) Engineering Approaches for IT and Cybersecurity Control Assurance: A Critical Review
William Asare Yirenkyi · Sarcouncil · May 10, 2026
In the United States (U.S.), where escalating cyber threats such as ransomware and supply chain attacks increasingly imperil national security and economic stability, Governance, Risk, and Compliance (GRC) engineering has emerged as a critical mechanism for Information Technology (IT) and cybersecurity control assurance. This critical literature review examines peer-reviewed academic studies, standards-informed research, and authoritative professional literature from 2020 to 2025, confined to U.S. regulatory contexts. Employing a critical review methodology, it inductively surfaces themes from recurring patterns, contrasts, and tensions across sources, viewed through the lenses of functional integration, risk alignment, control effectiveness, auditability, and scalability in regulated environments. This involves thematic coding to derive patterns, evaluative comparison to assess strengths and weaknesses, and contradiction mapping to identify inconsistencies and gaps. The analysis reveals a dominant emphasis on hybridizing frameworks such as the National Institute of Standards and Technology (NIST) and Control Objectives for Information and Related Technology (COBIT) to unify governance and risk functions, alongside risk-based control design and automation for monitoring and predictive analytics. While these approaches demonstrably bolster enterprise risk management and sectoral resilience, particularly in finance and healthcare, they simultaneously expose persistent weaknesses: limited adaptability, insufficient cultural integration, scalability constraints for smaller entities, and unresolved contradictions in AI adoption amid fragmented regulations such as SOX, HIPAA, and CCPA. Empirical validation remains thin, and behavioral dimensions are largely overlooked. These findings carry significant implications for assurance quality, regulatory accountability, and institutional resilience. The review illuminates how current GRC engineering supports risk-based auditing yet falls short in addressing the full complexity of U.S. regulated environments, thereby clarifying both its contributions and its enduring limitations.