"Anytime someone says something is dead, that's exactly what I have to go learn." - Ethan Troy
Kenny and Isaac sit down with Ethan Troy, Senior GRC Engineer at TRM Labs, Head of AI Research at GRC Engineering Club, and Hacker at hackIDLE. One of the GOATs of GRC engineering. He's been shipping GRC tools, automations, and agents nonstop.
He's assessed FedRAMP packages from the 3PAO side at Coalfire and A-LIGN. He's pentested for the Department of the Treasury. He built a FedRAMP 20x assessment app before most people knew what 20x was.
His job interview at TRM Labs? They made him build an AI agent.
And yes, this is the first Paramify Podcast Isaac is on.
We got into:
→ Why now is the best time to learn something new
→ Why 85% of a good GRC agent is deterministic code, not AI
→ How to actually build agents (dog food your own stuff, stop one-shotting)
→ Why the SSP is becoming the SSDR (System Security Decision Record) and what that means for FedRAMP® 20x
→ Why domain expertise is what separates good AI output from great AI output
FedRAMP is changing rapidly. Want to learn more about these changes check out this webinar here: https://lnkd.in/ge9wQ2Zf
Learn more about Ethan Troy:
https://www.linkedin.com/in/ethantroy/?skipRedirect=true
Learn more about TRM Labs:
https://www.trmlabs.com/
Learn more about Kenny Scott:
https://www.linkedin.com/in/kenny-g-scott/
Learn more about Isaac Teuscher:
https://www.linkedin.com/in/isaacteuscher/
Learn more about Paramify:
https://www.paramify.com/
Chapters:
00:58 - Introductions & GRC Engineering
02:12 - From Nursing to Cybersecurity
05:18 - The Problem with Legacy GRC Tools
12:13 - FedRAMP 2.0: The End of SSPs?
16:48 - The FedRAMP Marketplace Metaphor
24:38 - Outcome-Based vs. Hourly Consulting
31:51 - Automating Evidence Collection
37:16 - AI & Real-Time Incident Response
45:10 - Secure Configuration Guides
52:43 - Building an AI-First Culture
58:51 - Principles for AI Agents in GRC
01:05:03 - The 85/15 Rule for AI Logic
