⚙️ Automating Quarterly Access Reviews: GRC Engineering in practice

The step-by-step GRC engineering guide to leveraging existing IAM infrastructure to automate quarterly access reviews and get better visibility


What’s going on? 🔊

Lots of fun stuff in the books this week: we're building on last week with a step-by-step example of how to automate Quarterly Access Reviews (the right way), doing some analysis of a recent acquisition in the GRC space, and giving a shoutout to a great blog post from a grc.engineering manifesto co-author (and amazing all-around professional!).


Walking through automating Quarterly Access Review using GRC Engineering 🔍

Why successful automation requires systems thinking, stakeholder alignment, and boring solutions

Your IAM team has already solved the hard problems you're trying to recreate.

They understand user lifecycle management, handle privilege escalation patterns, manage access review workflows, and maintain identity provider integrations across your entire environment. They've figured out the authentication challenges, data quality issues, and production constraints you don't want to own.

When the GRC team builds its own direct integrations to identity systems, it duplicates that work whilst missing the operational context the security team already has.

What most teams build:

  • Custom scripts pulling from Active Directory APIs

  • Spreadsheet-based review workflows

  • Manual evidence collection processes

  • Separate compliance databases

  • Isolated reporting systems

What already exists in your organisation:

  • Identity governance platforms with automated workflows

  • Real-time access analytics and anomaly detection

  • Integrated ITSM ticketing for access remediation

  • Executive dashboards showing access patterns

  • Automated user lifecycle management

As we explored in why GRC engineering isn't parallel to security, building redundant infrastructure wastes resources and fragments authority. The solution is working through existing security systems, not around them.

Your blueprint for Quarterly Access Reviews

The methodology below transforms quarterly access reviews from manual spreadsheet exercises into automated workflows that leverage your existing IAM infrastructure. Rather than building new systems, you'll enhance the operational processes your security teams already maintain in production.

This five-step approach prevents the coordination nightmares that kill enterprise initiatives by working through established security relationships rather than creating parallel compliance infrastructure. Each step builds on the previous one, culminating in audit-ready automation that generates compliance evidence as a byproduct of operational security workflows.

Step 1: Map Your IAM Team's Current Capabilities

Output: Clear inventory of existing access management infrastructure

Interview your IAM team to understand what they already maintain:

Assessment Area              | Key Questions                                   | What You're Looking For
-----------------------------|-------------------------------------------------|------------------------------------------------
Identity Governance Platform | What tool manages access workflows?             | SailPoint, Saviynt, Okta Identity Governance or similar (CyberArk is PAM: it covers privileged accounts, not the general review workflow)
User Lifecycle               | How are accounts provisioned/deprovisioned?     | Automated workflows, approval processes
Access Analytics             | What reporting exists on user permissions?      | Dashboards, anomaly detection, access patterns
Review Processes             | How do they currently handle access validation? | Periodic reviews, manager workflows
Remediation Workflows        | How are access changes implemented?             | Ticketing systems, approval chains
Manager Integration          | How do they communicate with business owners?   | Self-service portals, notification systems
Audit Capabilities           | What evidence do they already collect?          | Audit logs, compliance reports

Real Example Discovery:

  • Platform: SailPoint IdentityIQ with automated workflows

  • Analytics: Real-time dashboards showing access patterns and anomalies

  • Integration: ServiceNow ticketing for access requests and remediation

  • Evidence: Automated audit trails for all access decisions

  • Manager Interface: Self-service portal for access reviews

Step 2: Identify Integration Opportunities

Output: Specific touchpoints where compliance needs align with operational workflows

Map your compliance requirements to existing IAM capabilities:

Compliance Need         | Existing IAM Capability             | Integration Opportunity
------------------------|-------------------------------------|---------------------------------------------------------
Quarterly Certification | Periodic access review workflows    | Enhance existing review cycles with compliance metadata
Manager Approval        | Business owner validation processes | Add compliance context to existing approval workflows
Remediation Tracking    | Operational access change tickets   | Feed compliance reporting from operational ticketing
Audit Evidence          | Identity governance audit logs      | Aggregate operational logs for compliance documentation
Executive Reporting     | Access analytics dashboards         | Extend existing dashboards with compliance views
Exception Handling      | Established escalation procedures   | Use operational escalation paths for compliance issues

Critical Questions:

  • What access review workflows already exist?

  • How do managers currently validate team access?

  • Where is remediation already tracked?

  • What audit evidence is automatically generated?

Step 3: Design Your Compliance Data Pipeline

Output: Technical architecture that feeds compliance from operational systems

Instead of building parallel infrastructure, design data flows from existing systems:

Access Review Data Architecture:

Component         | Traditional Approach       | Infrastructure-Leveraged Approach
------------------|----------------------------|-----------------------------------------------------------
Data Source       | Manual AD/LDAP queries     | IAM platform's review API (authenticated, reliable)
Review Scheduling | Manual calendar reminders  | Existing periodic review engine with compliance timing
Manager Interface | Email spreadsheets         | Current self-service portal with compliance context
Business Logic    | Custom risk calculations   | Operational access risk scoring for compliance
Remediation       | Separate tracking system   | Established ServiceNow workflows with compliance metadata
Audit Evidence    | Manual documentation       | Identity governance logs with automated report generation
Reporting         | Static compliance reports  | Extended operational dashboards for compliance views

Example Technical Specification:

  • Data Source: SailPoint's access review API (already authenticated and reliable)

  • Compliance Layer: Quarterly scheduling and compliance metadata overlay

  • Manager Interface: Existing self-service portal with additional compliance context

  • Remediation: ServiceNow integration for access changes (already established)

  • Audit Trail: Identity governance logs with compliance report generation

  • Dashboard: PowerBI integration extending existing access analytics

Leveraging “Vibe Coding” where it works best

When you understand the existing infrastructure, your vibe coding for GRC engineering becomes systematic rather than generic. The key is being explicit about context and desired outcomes: follow prompting best practices and give the model everything it needs to know about your environment.

Instead of vague prompting: "Build an access review dashboard for compliance"

You can be specific:

"Build a comprehensive quarterly access review dashboard for SOC 2 compliance that integrates seamlessly with our existing infrastructure. Include as many relevant features and interactions as possible to create a fully-featured implementation.

Context: This will be used by GRC analysts for quarterly compliance reporting and by executives for risk oversight, so prioritise clarity and actionable insights.

Technical requirements:

  • Pull real-time data from our SailPoint IdentityIQ access review API using existing authentication

  • Calculate compliance risk scores using our established methodology (criticality × exposure × review status)

  • Send automated manager notifications through our current self-service portal with compliance context

  • Track all remediation activities via ServiceNow integration using existing ticket workflows

  • Generate SOC 2 Type II audit evidence automatically from identity governance logs

  • Create executive summary reports compatible with our PowerBI environment

  • Include hover states, drill-down capabilities, and export functions for audit preparation

Go beyond basic functionality to demonstrate the full potential of infrastructure-leveraged automation."

This level of precision is only possible once you've mapped the existing infrastructure; the process work is what gives the AI the context that makes automation actually work in your environment. Two practical caveats: keep credentials and real identity data out of the prompt (describe the interface, not the secrets), and treat generated code that touches production IAM or ticketing as untrusted until the IAM team has reviewed it, because it will run with whatever permissions the existing service account already holds.

Step 4: Build Compliance Workflows on IAM Foundations

Output: Automated quarterly access review process leveraging security infrastructure

Rather than replacing operational workflows, enhance them for compliance:

Enhanced Access Review Process:
├── Trigger: Quarterly schedule using IAM platform's review engine
├── Scope: Business-driven access groupings from identity governance
├── Notification: Existing manager communication channels + compliance context  
├── Review Interface: Current self-service portal with compliance questions
├── Remediation: Operational access change workflows (no new process)
├── Evidence: Automated compliance reporting from operational audit logs
└── Metrics: SRE-inspired measurement through existing analytics

Process Enhancement Example:

  • Existing Workflow: Monthly access reviews for high-privilege accounts

  • Compliance Enhancement: Quarterly comprehensive review with audit documentation

  • Manager Experience: Same portal, additional compliance questions

  • Remediation Path: Same ServiceNow ticketing, enhanced tracking

  • Evidence Collection: Automated compliance reports from existing audit logs

Step 5: Implement Compliance Reporting Integration

Output: Audit-ready documentation generated from operational systems

Transform operational data into compliance evidence:

Compliance Reporting Pipeline:
├── Operational Data: Real-time access decisions and changes
├── Compliance Context: Quarterly review cycles and business justifications
├── Evidence Aggregation: Automated collection from identity governance logs
├── Executive Summary: Access risk analytics for board reporting
├── Audit Package: Comprehensive documentation from operational workflows
└── Continuous Monitoring: SRE-inspired metrics on access review effectiveness

SRE-Inspired Access Review Metrics:

  • Before: "100% of access reviews completed this quarter"

  • After: "Mean time to detect access anomalies: 12 hours, 0.1% false positive rate in manager certifications"

  • Impact: "95% of inappropriate access removed within 48 hours of detection"
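The pipeline described in Steps 3 to 5, as an added example that is not code from this newsletter, from SailPoint, from ServiceNow or from any vendor SDK. It assumes the IAM platform's certification API has already been called and its items joined with ticket closures into the ReviewItem shape below (the field names, the 1-3 scales and the review-status weights are assumptions, not any product's schema); the sample campaign is constructed. What it shows beyond the prose: the criticality × exposure × review status formula has to treat a revocation whose ticket is still open as live access, and the metrics come out as outcomes (response rate, remediation within SLA, overdue tickets) rather than "reviews completed".

```python
"""Added example (not newsletter code or any vendor SDK): the compliance overlay
of Steps 3-5. It consumes certification items the IGA platform's review API
already produces, scores them with the page's criticality x exposure x review
status formula, measures remediation as outcomes, and emits hashed evidence.
Field names, scales and weights are assumptions; the sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import json


@dataclass
class ReviewItem:
    identity: str
    entitlement: str
    criticality: int                   # 1-3 from the IAM team's operational scoring (assumed scale)
    exposure: int                      # 1-3, e.g. reach of the entitlement (assumed scale)
    decision: Optional[str]            # "approved", "revoked", or None while the manager has not responded
    decided_at: Optional[datetime]
    remediated_at: Optional[datetime]  # when the operational change ticket closed
    ticket: Optional[str]              # ITSM ticket id for the revocation, if one was raised


# Assumed weights: an unreviewed item or a revocation whose ticket is still open
# is still live access, so it must not score as zero just because a decision exists.
STATUS_WEIGHT = {"pending": 3, "revoked_open": 2, "approved": 1, "remediated": 0}


def review_status(item: ReviewItem) -> str:
    if item.decision is None:
        return "pending"
    if item.decision == "approved":
        return "approved"
    return "remediated" if item.remediated_at else "revoked_open"


def risk_score(item: ReviewItem) -> int:
    """The page's criticality x exposure x review-status formula."""
    return item.criticality * item.exposure * STATUS_WEIGHT[review_status(item)]


def review_metrics(items, as_of: datetime, sla: timedelta = timedelta(hours=48)) -> dict:
    """Outcome metrics instead of 'reviews completed': response rate, how fast
    revocations actually landed, and which revocations are open past the SLA."""
    responded = [i for i in items if i.decision is not None]
    revoked = [i for i in items if i.decision == "revoked"]
    closed = [i for i in revoked if i.remediated_at is not None]
    within_sla = [i for i in closed if i.remediated_at - i.decided_at <= sla]
    overdue_open = [i for i in revoked if i.remediated_at is None and as_of - i.decided_at > sla]
    hours = [(i.remediated_at - i.decided_at).total_seconds() / 3600 for i in closed]
    return {
        "items": len(items),
        "manager_response_rate": round(len(responded) / len(items), 3),
        "revocations": len(revoked),
        "revoked_within_sla_rate": round(len(within_sla) / len(revoked), 3) if revoked else None,
        "mean_hours_to_remediate": round(sum(hours) / len(hours), 1) if hours else None,
        "overdue_open_revocations": [i.ticket for i in overdue_open],
    }


def evidence_package(items, campaign_id: str, as_of: datetime) -> dict:
    """Audit evidence as a by-product: one record per certification item plus a
    SHA-256 over the canonical JSON so an auditor can check it was not edited later."""
    records = [
        {
            "identity": i.identity,
            "entitlement": i.entitlement,
            "status": review_status(i),
            "risk_score": risk_score(i),
            "decided_at": i.decided_at.isoformat() if i.decided_at else None,
            "remediated_at": i.remediated_at.isoformat() if i.remediated_at else None,
            "ticket": i.ticket,
        }
        for i in sorted(items, key=lambda x: (x.identity, x.entitlement))
    ]
    body = json.dumps({"campaign": campaign_id, "as_of": as_of.isoformat(), "records": records},
                      sort_keys=True, separators=(",", ":"))
    return {"campaign": campaign_id, "records": records,
            "sha256": hashlib.sha256(body.encode()).hexdigest()}


# Constructed sample: a quarterly certification after the managers' portal
# decisions and the ticket closures have been joined together.
T0 = datetime(2024, 7, 1)
AS_OF = T0 + timedelta(days=10)
SAMPLE_ITEMS = [
    ReviewItem("alice", "prod-db-admin", 3, 3, "approved", T0 + timedelta(days=2), None, None),
    ReviewItem("bob", "prod-db-admin", 3, 3, "revoked", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=20), "CHG0001"),
    ReviewItem("carol", "finance-reports", 2, 2, "revoked", T0 + timedelta(days=3), T0 + timedelta(days=6), "CHG0002"),
    ReviewItem("dave", "vpn-users", 1, 2, None, None, None, None),
    ReviewItem("erin", "aws-break-glass", 3, 1, "revoked", T0 + timedelta(days=2), None, "CHG0003"),
    ReviewItem("frank", "wiki-editor", 1, 1, "approved", T0 + timedelta(days=5), None, None),
]

if __name__ == "__main__":
    print(json.dumps(review_metrics(SAMPLE_ITEMS, AS_OF), indent=2))
    print(evidence_package(SAMPLE_ITEMS, "2024-Q3", AS_OF)["sha256"])
```

Run as a script it prints the metrics and the package hash. In a real deployment the records come from the IGA platform's review export, and the hash (or the whole package) is written somewhere append-only, so the evidence cannot be quietly regenerated after the auditor has seen it.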

Real-world results: from 40 hours to 6 hours per quarter

The Challenge: 2,000+ employees, quarterly SOC 2/ISO 27001 certification, 40-hour manual process with 60% manager response rates.

The Discovery: IAM team already maintained SailPoint with monthly high-risk reviews, self-service manager portal, ServiceNow integration, and comprehensive audit logs.

The Solution: Enhanced existing quarterly reviews with compliance metadata, added compliance questions to the current portal, leveraged operational risk scoring, and automated evidence generation from existing audit logs.

The Results: 85% time reduction (40 to 6 hours), 95% manager response rate, real-time data accuracy, and comprehensive audit evidence generated automatically.

Key Success Factors: Working through existing IAM expertise, using production-grade identity governance systems, maintaining operational workflows as the single source of truth, and enabling SRE-inspired metrics that measure impact rather than activity.

Pretty cool right?

Your Next Steps

This methodology embodies the principles of the 5-step implementation framework we recently discussed, whilst avoiding fragmented authority across competing systems.

Implementation Timeline:

  • Week 1: Interview your IAM team about current capabilities and workflows

  • Week 2: Map compliance requirements to existing identity governance features

  • Week 3: Design integration architecture leveraging operational infrastructure

  • Week 4: Implement compliance enhancements to existing workflows

Critical Success Factor: Resist building new systems until you understand what security teams already maintain. The infrastructure you need probably already exists.

Which existing security system will you leverage first for compliance automation?


Market corner💰

What’s going on in the GRC market with my analysis on it

SecurityScorecard Acquires HyperComply

Background

Have you ever heard me speak about TPRM? Once or twice right?

I’ve even done a roundtable with some amazing experts on it. I believe it’s the driver behind Compliance, Customer Trust and most of the security investments.

We care about ISO, SOC 2 (check the section below for more info on that), questionnaires, assurance and all of this because… we are selling to other companies who need to find a reliable way to review our security posture.

If you hadn't noticed, TPRM is where all the GRC vendors are investing heavily; in just the last few months:

All of this to say that everyone is catching up with the pain of assessing vendors and understands that the current players are mostly checking the box but aren't solving the underlying inefficiencies.

The acquisition of HyperComply by SecurityScorecard is to be thought about through those lenses.

SecurityScorecard's USP is continuously scanning your third parties and producing continuous visibility from that analysis.

HyperComply (contrary to what the name suggests) is focused on questionnaire automation and trust centres, a typical security sales-enablement portfolio.

Analysis

In my opinion, this acquisition maps to what all the other questionnaire automation vendors have done by trying to move towards TPRM because they already answer millions of questions for their customers.

If they can make questionnaire completion faster, they could also leverage that huge data set to get good at assessing vendors themselves (sprinkling some agents, some AI and some autonomous agentic AI in there).

What SecurityScorecard has is a leader position in the security scoring part which is already a more “dynamic” and “real-time” way of assessing your vendors. What they needed was the other arm which is questionnaire/trust center.

This way they keep their differentiator which most TPRM platforms don’t currently have and enhance it with questionnaire/trust centre capabilities.

As SecurityScorecard has strong market penetration in enterprises, they can potentially undercut Vanta, Drata and other GRC automation platforms that are trying to break into enterprises through questionnaire automation and TPRM (as they can’t displace legacy GRC tools there). They are starting with existing customers, not cold leads who need a lot of nurturing.

Key Takeaway

The SecurityScorecard-HyperComply acquisition reflects a broader market shift where TPRM efficiency drives GRC platform evolution, signalling that standalone questionnaire automation or security scoring tools are becoming obsolete in favour of integrated solutions.

For practitioners, this consolidation means you’ll get continuous TPRM from every vendor, be it GRC Automation vendors, traditional TPRM or Questionnaire Automation vendors. Sounds like an overall win for the industry in my book 🙂 

For vendors, fun times ahead and I’ll be in the front row seat to see it unfold!

PS: If you want to read more on the GRC Market I’ve written this piece for the amazing Venture in Security newsletter, it’s a great primer on the topic and was acclaimed by all GRC vendor executives and numerous VCs.

What I’ve been reading 📚

Resources I’ve been consuming which are relevant to GRC Engineering!

Justin Pagano’s blog post on SOC 2 and ALCOVE

High-level summary of his piece

This week, Justin Pagano (co-author of the GRC Engineering Manifesto) published a compelling analysis arguing that SOC 2's fundamental design flaws make it inherently gameable, and proposing a new approach! (It's also the first entry on blog.grc.engineering, very exciting!)

His central thesis: SOC 2's gameability isn't a bug that emerged from cheap auditing, it's a feature built into the framework's architectural DNA through vague control requirements, point-in-time assessment methodologies, and static reporting artifacts.

Justin proposes ALCOVE (Assurance Levels for Control Operating Viability & Effectiveness), a tiered framework inspired by SLSA that would extend SOC 2 from Type I/II to Type III/IV reports. The vision includes threat-informed control requirements, comprehensive historical auditing methodologies, and dynamic reporting artifacts that reflect real-time control effectiveness. He suggests integrating cyber insurance as an economic catalyst to align stakeholder incentives toward rigorous continuous monitoring.

My Take: Working at the Right Layer

Justin identifies the structural design problem correctly - SOC 2's gameability is embedded in its architectural DNA, not a recent development from commoditisation. However, the solution isn't more prescriptive controls, which creates the "GRC-in-a-box" problem where companies spin up custom environments purely for compliance, divorced from actual security operations.

I'm actually pretty bullish on FedRAMP 20x's KSI (Key Security Indicators) approach, which demonstrates a more practical path: flexible control descriptions with rigorous outcome measurement. The debate over "vague vs specific control language" operates at the wrong layer; the future belongs to frameworks focused on security outcomes, with AI or middleware layers processing evidence into measurable results. This connects directly to our infrastructure-leveraged approach: when you can demonstrate continuous security improvement through operational data, the control descriptions become less important than proving effectiveness through real-time evidence.

Read the full analysis: SOC 2 is dead, long live SOC 2! - this is exactly the kind of forward-thinking analysis our industry needs, even if the implementation pathway requires more development. Justin is always a person you should learn from.

Also check out my interview of Justin on the GRC Engineer podcast ⬇️


That’s all for this week’s issue, folks!


See you next week!
