the investment thesis

Watch the other hand.

The industry is watching the spectacular hand: AI finding vulnerabilities at scale, the headline breach. The cost lives in the other hand: the human administrative work every vulnerability creates downstream. Enterprises do not buy prevention. They buy defensibility, and defensibility is an admin factory.

watch the other hand

AI broke discovery. The validation bottleneck is human, and it did not scale.

Every vulnerability AI surfaces creates a fan-out of human administrative work: validate it, map it to suppliers, answer the customer questionnaire, update the register, document the fix, produce proof for auditors, insurers, regulators, and the board. In a single model generation, Firefox vulnerability discovery went from 22 found in two weeks to a contribution to 271 in one release [1], and exploit chains now cost roughly $2,000 each to build [2]. Discovery scaled. The people doing the paperwork did not.

the pool everyone is pricing wrong

Competitors size against GRC software. The prize is the labor pool.

The real prize is the security services and labor pool, about $92.8 billion inside a $240 billion market in 2026 [3], and it is barely touched. Outcome pricing reaches the budget that per-seat software cannot. The reframe, from software to labor, is the investment argument.

GRC software: ~$15B
Fortune 500 admin tax: ~$15B
Security services pool: ~$92.8B
Total infosec spend: ~$240B

The Fortune 500's hidden admin tax alone equals the entire GRC software market, and all of it is labor, not software.

Admin-tax bar illustrative, market bars sourced.

why now

Two curves bent and landed on the same place.

AI made finding vulnerabilities nearly free, and CVE submissions are up 263% since 2020 [4], so the cost moved downstream to the human work of proving control. Carriers stopped accepting attestations and started demanding continuous, verified evidence. The regulatory curve landed with them: DORA live, the EU Cyber Resilience Act reporting from September 2026, the SEC four-day rule in force. The administrative layer is the one part of the market that is under-counted, under-automated, and growing faster than headcount can.

distribution is the moat

And it is already built.

The category cannot be won with per-seat SaaS. The work is cross-functional, compliance-heavy, and liability-laden, so enterprises buy it as an outcome, from a name they trust, with someone accountable when the regulator calls. That is a consultancy sale. Evident deploys through Beyond Work, which already distributes AI automation through the major consultancies, with Accenture live and PwC following. The consultancies are also the first customer, because they run the third-party-risk factories today, and Evident lets them sell continuous assurance as a managed outcome at a structurally better margin.

the wedge is procurement

By design.

Selling a security capability to the CISO means fighting procurement, the gatekeeper on every vendor. Selling it to procurement removes the fight, because procurement spends its own budget on its own outcome, inside the workflow it already owns. The first workblock, the procurement security gate, clears low-risk suppliers in minutes instead of the 31 to 90 days a control assessment runs today [5]. The data position that first sale builds makes every follow-on cheaper, up the ladder into insurance, compliance, and cost of capital.

the honest state

Stated plainly, because the voice requires it.

There is no live customer traction yet; the fifty percent target is validated workflow by workflow in pilot, not across a customer base. The average-Fortune-500 cost stack and the per-company saving are a model, not a delivered result. Baseline instrumentation ships in the first wave, the three-year term begins only after a 90-day production trial, and savings realization is reconciled per workflow and visible to both client and Accenture.

the ask

Round size, instrument, and use of proceeds, on request.

Sources

  1. Mozilla, 2026; Anthropic, Project Glasswing, May 2026. Firefox discovery: 22 in two weeks, a contribution to 271 in Firefox 150. A bug-submission contribution count, not shipped CVEs.
  2. Anthropic, Project Glasswing update, May 2026. Exploit chains ~$2,000 each.
  3. Gartner, July 2025. Security services $92.8B; total infosec ~$240B in 2026. GRC software ~$15B (IDC).
  4. NIST, 2026. NVD operations update: CVE submissions up 263% since 2020.
  5. EY, 2025. Global TPRM Survey: control assessments run 31 to 90 days.