“There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.”
Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer.
This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance.
Key Takeaways:
* Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting.
* The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol).
* FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation.
* The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant.
Learn more about Ayoub:
GitLab: https://about.gitlab.com/
GRC Engineer: https://grcengineer.com/
GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cA
Ayoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/
Learn more about Paramify:
Website: https://www.paramify.com/
Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/
Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/
Chapters
00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S.
02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming)
09:00 Struggling to commit to GRC — until Adobe's program changed everything
13:00 What GRC Engineering actually means
15:00 Why evidence collection is plumbing, not strategy
20:00 Why AI won’t kill GRC — it’ll force it to grow up
25:00 Architecting assurance: the new role of GRC
30:00 Why APIs are losing ground to agentic protocols like MCP
35:00 Landlines vs. Cell Phones: How automation skipped a generation
38:00 Platformization, assurance, and the SaaS vendor dilemma
43:00 Can platforms fix SOC 2 quality?
48:00 Sticker fatigue and the case for continuous assurance
52:00 Why threat-driven compliance is the only way forward
56:00 Advice for early-career GRC professionals in an AI-native world