To a degree, they're both right. RSA Archer, for example, generally regarded as something of a hybrid leaning more to the IT side, has had some success in the eGRC market.
"They're not mutually exclusive, and that's why it gets fuzzy," said Paul Proctor, Gartner vice president of security and risk management. "Each says they do the other, and, to some degree, they are all correct. They are separated because some are clearly better at the eGRC top-down look at everything, and some that are clearly from an IT background and better at IT."