• GRC Engineer
  • Posts
  • ⚙️ Control Orchestration: The Missing Link in Enterprise Compliance Programs

⚙️ Control Orchestration: The Missing Link in Enterprise Compliance Programs

Driving Consistent Security Control Execution in Complex, Mixed-Technology GRC Environments

Author

Ayoub Fandi
April 10, 2025

How many of your "implemented" controls would survive these three questions?

  1. When was the last time this control was actually executed? (Test of Design doesn’t count)

  2. Who specifically performed it, and could they demonstrate the process right now?

  3. What direct evidence exists proving it was effective, not just completed?

For most organisations, these simple questions reveal one thing: we've built GRC programs that excel at documenting controls but fail at ensuring they're executed.

Your risk register doesn't capture your biggest risk: the growing gap between security documentation and security execution.

Control orchestration bridges this gap by transforming GRC from a documentation exercise into an operational reality.

Let’s dig into it!

IN PARTNERSHIP WITH (MAYBE YOU?)

Interested in partnering with the GRC Engineer?

This slot is full for the upcoming months!

If you are still interested to partner with the GRC Engineer check out the slot down the middle ⬇️

Why It Matters 🔍

The why: the core problem this solves and why you should care

The dirty secret of a lot of enterprise GRC programs: Many controls exist primarily as documentation rather than operational security measures.

GRC programs collect evidence of control existence rather than driving control execution. But attackers don't target your documentation - they target weaknesses in your actual security.

This creates a dangerous security theatre where compliance metrics look impressive while actual protection remains inconsistent.

Compliance frameworks aren't failing us - our execution of those controls is.

The most sophisticated GRC program can't protect your organisation if controls aren't consistently executed, validated, and improved. Documentation without execution doesn't just waste resources - it creates a false sense of security.

When implemented effectively, control orchestration delivers tangible business benefits:

  • Lower audit toil - Less remediation work and fewer findings mean shorter, smoother audits (most of the time)

  • Less context-switching for control owners - Automated workflows reduce the manual burden on technical teams (they can be your friends then)

  • More accurate risk visibility - Security decisions at the leadership level are based on actual posture, not theoretical controls

Control orchestration changes this dynamic completely by creating mechanisms that don't just document - they drive action.

# Traditional GRC: All talk, no action
control:
  name: "Access Review"
  documentation: "/policies/nice-but-useless-pdf-no-one-reads.pdf"
  status: "Implemented"  # Translation: We have a document
  last_verified: "¯\_(ツ)_/¯"
  
# GRC Orchestration: Controls that actually happen
apiVersion: security/v1
kind: ControlRunner
metadata:
  name: access-review-q1
spec:
  trigger: "0 0 1 */3 *"  # Cron: Automation > Hope
  owners: ["[email protected]"]
  steps:
    - run: "generate-reports"
    - run: "notify-reviewers"
      deadline: "5d"
      escalate-after: "3d"
    - run: "enforce-completion"
      min-threshold: "98%"
  evidence:
    store: "s3://evidence/access-reviews/"
    notify: ["[email protected]", "[email protected]"]
    retention: "1y"

Strategic Framework 🧩

The what: The conceptual approach broken down into 3 main principles

Just as Kubernetes revolutionised container management by shifting from imperative commands to declarative desired states, control orchestration transforms GRC by focusing on outcomes rather than documentation.

The principles below draw directly from Kubernetes' success in managing complex, distributed systems at scale - applying those same proven patterns to security control execution.

Source: ByteByteGo

Focus on Workflows, Not Just Controls

Traditional GRC focuses on defining and documenting controls. Orchestration focuses on the workflows that execute those controls.

This shift in perspective has some hidden benefits. Instead of asking "Do we have an access review control?" you start asking "What's the workflow that ensures access reviews actually happen when they should?"

By designing and implementing workflows, you ensure controls aren’t just static requirements. Instead they are embedded as operational processes. This bridges the gap between policy writing and policy adherence.

Embrace Mixed-Technology Execution

Not every system has robust APIs you can just call whenever. Not every process can be fully automated either, especially for organisational controls. Control orchestration embraces this reality rather than fighting against it.

Kubernetes faced similar challenges in its evolution. Early Kubernetes deployments struggled with stateful applications, storage management, and integration with legacy systems. The solution wasn't to force everything into containers, but to develop operators, controllers, and integration patterns that could accommodate diverse workloads.

Similarly, effective GRC orchestration combines:

  • Automated execution where systems support it natively

  • Semi-automated workflows for human-in-the-loop controls/limited integrations

  • Manual execution with automated validation where full automation isn't possible

Just as Kubernetes uses a declarative model to define desired state while accommodating different implementation methods, your control orchestration should define expected outcomes while allowing for different execution mechanisms based on your technology landscape.

This flexibility is critical when building what we previously called a Central Data Layer - a unified foundation that connects your disparate GRC systems and activities.

Build Feedback Loops Between Operations and Governance

Control orchestration creates bi-directional data flows that traditional GRC approaches often miss.

Kubernetes uses its control plane architecture to deliver that. When a pod fails, the control plane takes action to restore the state instead of just documenting a failure. When resource constraints emerge, the system scales out or in depending on the need. This continuous feedback loop is what makes Kubernetes resilient and self-healing.

GRC needs the same principle applied to security controls.

When a control fails in operation, that data should immediately flow back to the controls owners to trigger re-evaluation or improvement. Likewise, when the compliance team identifies a new requirement, it should inform the operational workflows in place.

These feedback loops ensure your control environment evolves based on actual operational data rather than theoretical assessments. The result is a continuously improving security posture driven by real-world experience—exactly what makes Kubernetes clusters resilient at scale.

IN PARTNERSHIP WITH (MAYBE YOU?)

Interested in partnering with the GRC Engineer?

There’s still some inventory for the middle slot, reach out if you want to be a part of the GRC Engineer journey!

Want to work together, this is where it happens ⬇️

Execution Blueprint 🛠️

The how: 3 practical steps to put this strategy into action at your organisation

Map Your Control Reality, Not Just Your Control Documentation

Start by conducting a control execution assessment - not just reviewing documentation, but examining how controls actually operate in your environment.

For each key control:

  • Identify how it’s executed (systems, teams, or individuals)

  • Document how often it is (not just desired frequency)

  • Determine validation methods (How do you know when it's performed?)

  • How you collect evidence of the process (Is it generated as a byproduct or separate process?)

This assessment often reveals large gaps between what you think happens and what actually happens. Document these honestly even though it might be embarrassing in the short term - they are the greatest opportunities for improvement.

Focus first on high-risk controls where failure would have the greatest impact. Perfect orchestration of all controls isn't realistic, especially at first, so prioritisation is essential as we often point out!

Build Orchestration Mechanisms for Your Technology Reality

Don't think you need to speak boto3 fluently to orchestrate controls. Use what you have to drive meaningful improvements right now!

For environments with limited API capabilities:

  • Use low-code tools like Zapier, Tines, Airtable or Power Automate to create control workflows

  • Implement simple reminder systems with escalations that trigger when deadlines approach

  • Create standardised evidence repositories with automated validation checks

For more advanced environments:

  • Leverage CI/CD pipelines to enforce preventive controls in code and infrastructure

  • Implement event-driven architectures that trigger controls based on system changes

The right approach depends on your technical reality, not an idealised environment. An effective Google Apps Script workflow that drives consistent execution is infinitely more valuable than a sophisticated API integration that never gets implemented.

Here's a simple orchestration framework you can adapt to your environment, let’s call it TEVEE:

  1. Trigger - What starts the control execution process? (time-based, event-based, or manual)

  2. Execution - Who/what performs the actual control activity?

  3. Validation - How do you verify the control was executed correctly?

  4. Evidence - What proves the control was executed and effective?

  5. Escalation - What happens if the control fails or isn't executed?

Examples?

  • Git + Markdown + CI/CD pipeline: Policies stored in version-controlled markdown files with automated publishing to internal wiki after approval, cutting policy update time from weeks to hours.

  • Jira + Slack webhook + Form: When change request tickets are created, security team automatically receives notification with pre-populated risk assessment form, improving assessment completion rate.

  • Power Automate + MS Forms + SharePoint: Quarterly access reviews delivered via personalized forms with automated escalations, increasing adherence rate and saving manual work.

Integrate Human Elements into Your Orchestration

Even with robust automation, most enterprise control environments include significant human components. Effective orchestration must account for these.

Implement processes that:

  • Define ownership for each control execution step

  • Create accountability mechanisms with escalation paths for missed executions

  • Send notifications that enable immediate response

  • Generate metrics to track human reliability

For controls with manual components, focus on making the human steps as simple and frictionless as possible. Complex processes with high friction inevitably lead to low adherence and inconsistent data.

An often-overlooked approach is creating "human APIs" as I often talk about - standardised interfaces where teams interact with consistent inputs, outputs, and expectations. These can be as simple as structured email templates or as sophisticated as dedicated workflow portals.

Remember: The most elegant orchestration solution is worthless if it doesn't match your operational reality. Start where you are, not where you wish you were.

Did you enjoy this week's entry?

Login or Subscribe to participate in polls.

Reading Queue 📖

The learn: This week's resource to dive deeper on the topic

I’ve just published a 3500+ word deep-dive on the GRC automation market for the Venture in Security of the great Ross Haleliuk.

It included my very own imperfect and probably pretty wrong GRC Magic Quadrant! Gartner reached out after this to say they like it. Don’t know what to make of that to be fair.

Make sure you are subscribed to Ross’ newsletter, his content is top notch!

That’s all for this week’s issue, folks!

If you enjoyed it, you might also enjoy:

See you next week!

Reply

or to participate.