Why NotebookLM Feels Right for GRC Research but Falls Apart at Deliverable Time

GRC consultants increasingly use NotebookLM for compliance work. Here's where it helps, where it breaks down, and what changes when the tool enforces the framework instead of the consultant.

Author: Ricardo Cabral · Founder

Many GRC consultants are already using NotebookLM in their workflow. Upload your standards, your client’s policies, your engagement notes — and suddenly you have a conversational interface that can answer questions grounded in those sources. It’s free, it’s fast, and it feels like having a junior analyst on demand.

The problems start when you try to use it to produce the actual deliverables.


Why consultants reach for NotebookLM

The appeal is real. In conversations with GRC practitioners, the same reasons come up:

  • Research and familiarization. Upload ISO 27001:2022, a client’s existing policy set, and an engagement scope document. Ask “which Annex A controls are relevant to their cloud infrastructure?” and get a grounded answer in seconds.
  • Interview preparation. Before a scoping workshop, upload the client’s org chart and IT architecture diagram. Ask about reporting lines, technology dependencies, and regulatory exposure. It surfaces connections faster than reading through 40 pages.
  • Synthesizing multiple sources. Drop in three versions of a risk register and ask what changed between them. NotebookLM is good at comparing documents you’ve already uploaded.

For these tasks — reading comprehension, synthesis, quick lookups — NotebookLM is genuinely useful. The problem is that these are research tasks, not production tasks. Consultants get paid for deliverables, and deliverables are where the workflow breaks.


Five pain points when NotebookLM meets real GRC engagements

1. No workflow — every session starts from zero

A typical ISO 27001 engagement follows a sequence: organization profile, ISMS scope, gap assessment, risk assessment, Statement of Applicability, policy generation, internal audit, management review. Each step depends on the last.

NotebookLM has no concept of this sequence. There are no stages, no mandatory outputs, no dependency tracking. Every conversation is a blank page. You, the consultant, carry the engagement methodology in your head and enforce it manually. If a junior on your team picks up the project, they need to know the right order, the right questions, and the right outputs — or they’ll skip steps and produce incomplete work.

This is the difference between a research tool and a delivery platform. Research tools answer questions. Delivery platforms encode the process.

2. No validation — the output looks plausible but nobody checked

NotebookLM will produce a risk register if you ask for one. It will look professional. But nobody verified that:

  • Residual risk scores are lower than inherent scores (a logical requirement that LLMs routinely violate)
  • Every “Confidential” asset in the inventory has a corresponding risk entry
  • Every “Treat” decision maps to at least one Annex A control
  • The SoA doesn’t exclude controls that contradict the company’s scope (excluding secure development controls when the company has a 35-person engineering team)
  • Policy role titles are consistent across documents (“CISO” in one, “Security Manager” in another)
  • GDPR breach notification timelines match the actual regulation (72 hours, not the 24 hours LLMs sometimes hallucinate)

The consultant catches these problems — or doesn’t. Either way, the review burden is entirely on you, and it grows linearly with the size of the document set. On a 22-policy engagement, that means reading every document against every other document for cross-reference integrity.

Rakenne’s ISO 27001 skills run 5-7 validation tools per deliverable. The residual_risk_validator catches impossible risk scores. The mandatory_topic_checker verifies that each policy covers every required section. The soa_consistency_checker flags controls excluded despite contradicting evidence in the risk register. These aren’t suggestions — they’re deterministic checks that block the output until the issue is resolved.

3. No cross-document consistency — the integration burden is on you

An ISMS is not a collection of documents. It’s a system where documents reference each other:

  • The risk register references assets from the asset inventory
  • The SoA maps controls to risks and links each to an evidence file
  • Policies cross-reference each other by document ID
  • The management review consumes inputs from monitoring, audit, and risk
  • The internal audit verifies the entire chain

When you draft these documents in NotebookLM — even with all sources uploaded — there’s no mechanism to ensure they stay consistent. Change a risk ID in the register, and the SoA still references the old one. Add a new asset, and the risk register doesn’t know about it. Rename a role title in one policy, and the other eleven still use the old name.

This is the problem that consumes consultant hours: not the drafting, but the reconciliation. You become the integration layer, manually tracing threads across documents and hoping you don’t miss one.

In Rakenne, skills share a workspace. The organization profile feeds every downstream skill. The risk assessment’s output is automatically available to the SoA skill, which runs suggest_soa_inclusions to bootstrap control selection from the risk themes it found. The terminology_consistency_checker enforces consistent role titles, organization names, and normative language (“shall” vs. “should”) across the entire policy set. The treatment_to_policy_validator checks that every risk treatment decision has a corresponding policy file — and tells you which ones are missing.
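The checks listed in the two sections above (residual never above inherent, every Confidential asset covered, every Treat decision backed by an applicable control, SoA links pointing at live risk IDs, consistent role titles, a correct GDPR deadline) are deterministic, which is what makes them automatable. The block below is an added illustration written for this article, not Rakenne's or NotebookLM's code: a small validator over a constructed asset inventory, risk register, SoA and policy set. The record shapes, the role-alias map and the "within N hours" regex are assumptions made for the example; the Annex A control ids are real ISO 27001:2022 identifiers.

```python
# Added illustration for this article: deterministic cross-document checks over a
# small ISMS document set. The record shapes, the role-alias map and the deadline
# regex are assumptions made here, not Rakenne's validators.
import re
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str
    name: str
    classification: str             # "Confidential", "Internal" or "Public"


@dataclass
class Risk:
    risk_id: str
    asset_id: str                   # must exist in the asset inventory
    inherent: int                   # constructed 1-25 likelihood x impact score
    residual: int                   # score after treatment; never above inherent
    treatment: str                  # "Treat", "Accept", "Avoid" or "Transfer"
    controls: list = field(default_factory=list)    # Annex A control ids


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool                # False means the control is excluded
    risk_ids: list = field(default_factory=list)    # risks the control addresses


ROLE_ALIASES = {"security manager": "ciso"}   # assumed alias map for role titles
GDPR_NOTIFICATION_HOURS = 72                  # GDPR Art. 33 deadline
HOURS_RE = re.compile(r"within\s+(\d+)\s+hours", re.IGNORECASE)


def validate_isms(assets, risks, soa, policies):
    """Return (check, detail) findings; an empty list means every check passed.
    policies maps a policy id to {"roles": set of titles, "text": policy body}."""
    findings = []
    asset_ids = {a.asset_id for a in assets}
    risk_ids = {r.risk_id for r in risks}
    applicable = {e.control_id for e in soa if e.applicable}

    for r in risks:
        if r.residual > r.inherent:             # residual risk can never exceed inherent
            findings.append(("residual_risk", f"{r.risk_id}: residual {r.residual} > inherent {r.inherent}"))
        if r.asset_id not in asset_ids:         # asset renamed or removed after the risk was written
            findings.append(("asset_link", f"{r.risk_id}: unknown asset {r.asset_id}"))
        if r.treatment == "Treat":
            if not r.controls:                  # a Treat decision needs at least one control
                findings.append(("treatment_control", f"{r.risk_id}: Treat with no Annex A control"))
            for c in r.controls:                # ...and that control must not be excluded in the SoA
                if c not in applicable:
                    findings.append(("soa_consistency", f"{r.risk_id}: control {c} is excluded in the SoA"))

    covered = {r.asset_id for r in risks}       # every Confidential asset needs a risk entry
    for a in assets:
        if a.classification == "Confidential" and a.asset_id not in covered:
            findings.append(("asset_coverage", f"{a.asset_id} ({a.name}): no risk entry"))

    for e in soa:                               # SoA links must point at risks that still exist
        for rid in e.risk_ids:
            if rid not in risk_ids:
                findings.append(("soa_link", f"{e.control_id}: references missing risk {rid}"))

    spellings = {}                              # same role, several titles across policies?
    for p in policies.values():
        for role in p["roles"]:
            spellings.setdefault(ROLE_ALIASES.get(role.lower(), role.lower()), set()).add(role)
    for key, variants in spellings.items():
        if len(variants) > 1:
            findings.append(("terminology", f"role '{key}' written as {sorted(variants)}"))

    for pid, p in policies.items():             # quoted breach deadlines must match the regulation
        for hours in HOURS_RE.findall(p["text"]):
            if int(hours) != GDPR_NOTIFICATION_HOURS:
                findings.append(("gdpr_timeline", f"{pid}: says {hours} hours, GDPR says 72"))
    return findings


# Constructed sample document set; each check trips exactly once.
SAMPLE_ASSETS = [Asset("A-01", "Customer database", "Confidential"),
                 Asset("A-02", "HR records", "Confidential"),
                 Asset("A-03", "Marketing site", "Public")]
SAMPLE_RISKS = [Risk("R-01", "A-01", 20, 8, "Treat", ["A.8.24"]),
                Risk("R-02", "A-09", 12, 15, "Treat")]
SAMPLE_SOA = [SoaEntry("A.8.24", False, ["R-01"]), SoaEntry("A.5.1", True, ["R-07"])]
SAMPLE_POLICIES = {
    "POL-01": {"roles": {"CISO"}, "text": "The CISO owns this policy."},
    "POL-09": {"roles": {"Security Manager"},
               "text": "Breaches are reported to the supervisory authority within 24 hours."},
}


def sample_findings():
    return validate_isms(SAMPLE_ASSETS, SAMPLE_RISKS, SAMPLE_SOA, SAMPLE_POLICIES)
```

Running `sample_findings()` on the constructed set returns eight findings, one per check. The point of the design is that every finding names the document and the identifier that broke the link, so a reviewer fixes the source record rather than re-reading the whole policy set; a real validator would load the same records from the workspace files instead of literals.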

4. No progress tracking — where are we in the engagement?

On a multi-month ISO 27001 implementation, consultants need to answer a simple question: what’s done, what’s in progress, and what’s missing?

NotebookLM can’t answer this. It doesn’t know what deliverables exist, which ones have been validated, or which skills haven’t been started yet. You track progress in a spreadsheet, a project management tool, or your head.

Rakenne’s dashboard tracks completion across the full skill set: which skills have produced output, how many of the 93 Annex A controls have evidence, what percentage of mandatory policies exist, and where documents are stale (last modified over 6 months ago). The isms_traceability_dashboard shows 11 cross-document link checks — scope to risk, risk to SoA, SoA to policies, policies to procedures, and so on — with green/amber/red status for each.

When a client asks “how far along are we?”, you show them the dashboard instead of assembling a status update from memory.

5. No repeatability — your methodology lives in your prompts

A consultant’s value compounds with repeatability. The second ISO 27001 engagement should be faster than the first because you’ve refined your approach.

With NotebookLM, your methodology lives in the prompts you type. Maybe you’ve saved them in a document somewhere. But there’s no enforcement — nothing stops you from skipping a step, forgetting a validation, or producing outputs in the wrong order. Every engagement is as fragile as your discipline on that particular day.

Rakenne skills are versioned workflow definitions. The same skill runbook applies to every client engagement: same stages, same validation steps, same deliverable expectations. When you improve a workflow — adding a new validation check, refining a stage’s instructions — every future engagement benefits. Juniors follow the same process as seniors. The methodology is in the tool, not in the consultant’s head.


Where NotebookLM still wins

Honesty matters. NotebookLM has genuine advantages for certain tasks:

| Task | NotebookLM | Rakenne |
|---|---|---|
| Quick research against uploaded standards | Excellent — fast, grounded, conversational | Possible — you can upload reference documents and ask freeform questions in the workspace chat |
| Comparing documents you already have | Strong — upload multiple versions and ask about differences | Possible — upload documents and ask the agent to compare them; works well but requires a project |
| Interview prep and source synthesis | Very good — surfaces connections across uploaded materials | Possible — upload engagement materials and ask the agent to synthesize; same underlying model quality |
| Audio summaries of uploaded content | Unique feature (podcast-style overviews) | Not available |
| Cost | Free | Paid subscription |
| Setup time | Zero — upload and go | Requires creating a project and selecting skills |

Worth noting: Rakenne uses the same class of frontier LLMs that power NotebookLM (Google Gemini). The difference isn’t model quality — it’s what the platform does around the model. For ad-hoc research, both tools give you access to the same underlying intelligence. NotebookLM’s advantage is zero-friction setup for those tasks: no project, no skill selection, just upload and ask. For anything beyond research — structured deliverables, validation, cross-document consistency — the model alone isn’t enough, and that’s where the platform layer matters.


A side-by-side on a real deliverable

Take the most common GRC deliverable: a gap assessment against ISO 27001:2022.

In NotebookLM: Upload the standard, upload the client’s existing policies, and ask “perform a gap assessment.” You’ll get a narrative that identifies some gaps. But:

  • It won’t systematically check all 93 Annex A controls — it will cover whatever it thinks is relevant
  • It won’t score maturity on a consistent 0-5 scale with defined criteria per level
  • It won’t check whether the client’s existing artifacts cover mandatory documented information per clause
  • It won’t produce a remediation roadmap ordered by clause dependency and audit risk
  • It won’t generate a machine-readable findings register you can import downstream
  • It can’t render a dashboard showing PDCA progress, document freshness, and traceability health

You’ll get prose. The prose might be useful. But it’s not a deliverable you can hand to an auditor.

In Rakenne: The gap assessment skill runs seven sequential tools:

  1. mandatory_artifact_detector — scans for 13+ required ISMS documents, reports FOUND/STALE/MISSING per clause
  2. clause_requirements_engine — validates content coverage against ISO 27001:2022 clauses 4-10 using keyword analysis
  3. maturity_rating_tool — scores 0-5 per clause area with defined criteria and negative-indicator capping
  4. remediation_prioritizer — orders fixes by clause dependency, audit risk severity, effort, and current maturity
  5. isms_traceability_dashboard — maps 11 cross-document links with health status
  6. render_document_health — produces a document freshness dashboard
  7. build_gap_dashboard_data — generates an interactive findings dashboard

The output is a structured Gap-Assessment-Report.md with clause-by-clause findings, a gap_assessment_findings.json for downstream consumption, and dashboard widgets. Every finding traces to a specific clause. Every remediation action is prioritized within the PDCA framework. The consultant reviews, adjusts, and signs off — but the structural completeness is guaranteed by the tools, not by the consultant’s memory.
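Two of the tools listed above, the mandatory artifact scan (FOUND/STALE/MISSING per clause) and the document freshness dashboard (stale meaning last modified over 6 months ago, as the progress-tracking section puts it), rest on the same simple classification. The block below is an added illustration written for this article, not Rakenne's mandatory_artifact_detector or render_document_health: it classifies a constructed inventory of document names and last-modified dates against a subset of the ISO 27001:2022 mandatory documented information. The file names are constructed, and the 183-day threshold is an assumed approximation of "over 6 months".

```python
# Added illustration for this article, not Rakenne's tooling: classify required ISMS
# documents as FOUND, STALE or MISSING from an inventory of last-modified dates.
# The clause list is a subset of ISO 27001:2022 mandatory documented information; the
# 183-day staleness threshold is an assumed approximation of "over 6 months".
from datetime import date, timedelta

STALE_AFTER = timedelta(days=183)

REQUIRED_DOCUMENTS = {            # clause -> constructed document name expected in the workspace
    "4.3": "ISMS-Scope.md",
    "5.2": "Information-Security-Policy.md",
    "6.1.2": "Risk-Assessment-Methodology.md",
    "6.1.3": "Statement-of-Applicability.md",
    "9.2": "Internal-Audit-Programme.md",
    "9.3": "Management-Review-Minutes.md",
}


def classify_documents(inventory, as_of, required=REQUIRED_DOCUMENTS):
    """Map each clause to (document, status); inventory maps document name -> last-modified date."""
    report = {}
    for clause, doc in required.items():
        modified = inventory.get(doc)
        if modified is None:
            status = "MISSING"        # the artifact does not exist at all
        elif as_of - modified > STALE_AFTER:
            status = "STALE"          # present, but not touched within the review window
        else:
            status = "FOUND"
        report[clause] = (doc, status)
    return report


def health_summary(report):
    """Count documents per status so a dashboard can show coverage at a glance."""
    counts = {"FOUND": 0, "STALE": 0, "MISSING": 0}
    for _, status in report.values():
        counts[status] += 1
    return counts


# Constructed workspace inventory, evaluated as of the article's date (March 2026).
SAMPLE_INVENTORY = {
    "ISMS-Scope.md": date(2025, 11, 4),
    "Information-Security-Policy.md": date(2025, 2, 10),
    "Risk-Assessment-Methodology.md": date(2026, 1, 15),
    "Internal-Audit-Programme.md": date(2025, 8, 1),
}
AS_OF = date(2026, 3, 1)
```

On the constructed inventory, `classify_documents(SAMPLE_INVENTORY, AS_OF)` reports the scope and methodology as FOUND, the policy and audit programme as STALE, and the SoA and management review minutes as MISSING. Keying the report by clause rather than by file name is what lets a finding trace back to the requirement an auditor will ask about.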


What this means for your practice

The shift isn’t from “doing the work” to “not doing the work.” It’s from “carrying the framework in your head” to “having the framework enforced by the tool.”

With NotebookLM, you are the methodology, the validator, the cross-reference checker, and the progress tracker. The tool helps you research and draft. Everything else is on you.

With Rakenne, the methodology is encoded in skills. Validation is automated. Cross-document consistency is enforced. Progress is tracked. You spend your time on the parts that actually require expertise: scoping judgment, stakeholder alignment, control design decisions, remediation strategy, and client communication.

For a solo consultant or small firm, that’s the difference between handling three concurrent ISO 27001 engagements and handling five — without hiring.


Try the workflow yourself

Rakenne’s ISO 27001 skill suite is available with no signup required. Start with the Organization Profile and Gap Assessment to see how validation tools and cross-document consistency work on a real framework.

Try the ISO 27001 skills

For a deeper look at how the full ISMS workspace template chains skills together, see the ISO 27001 ISMS workspace guide.


This article compares workflows as of March 2026. NotebookLM is a Google product that evolves frequently. The comparison reflects GRC document production workflows — not general-purpose research, where NotebookLM is genuinely strong.
