⚙️ GRC plays PvE when everyone else in Security plays PvP

GRC has the budget, the executive access, and the cross-functional visibility. It uses all of it to farm faster instead of leading the team to victory.

GRC plays PvE when everyone else plays PvP.

If you've ever played an online game, you know the difference.

PvE is Player vs Environment.

You fight predictable enemies. The system rewards you for grinding. You can't really lose.

PvP is Player vs Player.

Unpredictable. Adversarial. You either adapt or you get eliminated.

Now look at your security organisation.

AppSec fights real attackers exploiting real vulnerabilities. PvP. 

SecOps responds to incidents at 3am against actual threat actors. PvP. 

ProdSec embeds in engineering to stop exploits before they ship. PvP.

GRC fills out documentation. Collects evidence for auditors. Maintains risk registers that nobody reads.

That's PvE. The "enemies" are audit findings and policy gaps: predictable, structured, beatable by following a checklist.

There's no opponent. You can't lose. And that's the problem.

The Jungler Paradox

In League of Legends, the jungler is the most important role on the team. They don't lane against an opponent. They roam the map. They enable every lane. They control objectives. They tip teamfights.

A great jungler makes the entire team better without anyone noticing.

GRC engineering was supposed to be that role.

Risk quantification that drives budget allocation. Control design informed by real threat intelligence. Cross-functional enablement that makes AppSec, SecOps, and ProdSec more effective.

That's the jungler, amplifying the whole team's impact without needing to carry fights alone.

That's what GRC was supposed to be. Here's what its scoreboard usually looks like instead:

0 kills, 0 assists, 0 deaths.

Highest gold on the team. Zero impact on the actual match.

The scoreboard looks productive. The outcome says otherwise.

And here's what makes the jungler paradox so painful — GRC has the resources. The budget. The executive access. The cross-functional visibility. Everything a jungler needs to dominate the map. But instead of using that position to enable the team, GRC uses it to farm faster.

POV: your team won but you have no idea how, because you were too busy farming.

Why GRC Chose PvE

GRC didn't end up in PvE by accident. It optimised for it, deliberately, over years, reinforced by every audit cycle and vendor demo.

Three forces pushed GRC into the PvE game mode:

1. The incentive structure rewards grinding.

GRC success is measured by audits passed, certifications maintained, controls documented. These are PvE metrics: they measure grinding output, not adversarial impact.

Nobody asks: "Did your risk quantification change how we allocated security budget?" 

When your KPIs are PvE, you play PvE.

2. PvE has clearer boundaries.

Audit requirements are scoped. Frameworks are defined. Timelines are predictable. You know what "done" looks like because someone wrote it down in a standard.

PvP is messy. Threat actors don't follow your compliance calendar. Risk quantification requires judgment, not checklists. Cross-functional enablement means having uncomfortable conversations with teams that don't report to you.

PvE is safer. PvP requires you to be wrong sometimes, and in a profession built on control and certainty, being wrong feels like failing.

So GRC stays in the jungle, farming camps, avoiding the fights where the outcome isn't guaranteed.

3. The tooling is built for PvE.

GRC platforms are designed around evidence collection, control mapping, and audit workflows. The entire technology stack assumes the game is PvE.

Try using your GRC tool to answer: "What is our actual risk exposure to supply chain attacks, and how should we reallocate budget?"

It can't. It was built to answer: "Do we have evidence for control CC-7.2?"

The tools don't just reflect PvE thinking: they reinforce it. Every dashboard, every workflow, every integration assumes the game has no opponent.

The Metrics Trap

Here's the deeper problem: PvE metrics can't measure PvP impact.

In gaming, PvE players optimise for clear speed — how fast they can farm content.

PvP players optimise for kill participation — how much they contribute to the team winning fights.

GRC optimises for clear speed. How fast can we close audit findings? How quickly can we collect evidence? How many controls can we document per quarter?

These metrics reward speed, not impact.

You can have perfect PvE metrics and still lose the match because you never showed up to a teamfight.

The metric GRC should track: kill participation.

How often does GRC contribute to a real security outcome?

Did your risk assessment change a design decision? Did your control recommendation prevent an incident? Did your threat analysis shift budget to the right programme?

If the answer is zero, you have a 0/0/0 KDA with full build.

The scoreboard says you're farmed. The outcome says you're irrelevant.

And the worst part — nobody on the team will tell you. Because in PvE, the feedback loop is broken. The auditor says "pass." The board says "good." The team says nothing because they stopped expecting GRC to show up to fights a long time ago.

What PvP GRC Looks Like

Switching from PvE to PvP doesn't mean abandoning compliance. It means treating it as a byproduct, not the objective.

PvE GRC asks: "What evidence do we need for the audit?"

PvP GRC asks: "What controls actually reduce our risk, and how do we prove it?"

PvE GRC measures: Controls documented, findings closed, certifications earned.

PvP GRC measures: Risk reduction achieved, budget decisions influenced, incidents prevented.

PvE GRC operates on the audit calendar: quarterly reviews, annual assessments, certification cycles.

PvP GRC operates on the threat calendar: when adversaries move, GRC responds.

PvE GRC reports to: the audit committee and the sales org.

PvP GRC reports to: the security team, the engineering team, the executive team, anyone who needs risk intelligence to make better decisions.

The shift isn't about doing different work. It's about doing the work for different reasons, and measuring success by outcomes instead of outputs.

Your GRC Kill Participation Metric

Here's how to measure whether your GRC programme plays PvP:

Count the number of times, in the past quarter, that GRC output directly influenced a security decision.

Not an audit finding. Not a documentation update. A real decision.

  • A risk quantification that changed budget allocation.

  • A control gap analysis that shifted engineering priorities.

  • A threat-informed recommendation that altered a product design.

  • A cross-functional enablement effort that made another team more effective.

If that number is zero, you're playing PvE. You're AFK-farming compliance. And no matter how full your build is, you're not contributing to winning the match.

If that number is three or more, you're the jungler your team needs. You're showing up to teamfights. You're tipping the outcome.

The number doesn't need to be high. A jungler doesn't need 20 kills; they need 3 well-timed ganks that change the course of the game. One risk assessment that moves budget from checkbox compliance to real threat mitigation is worth more than 200 closed audit findings.

GRC engineering's real role isn't to grind compliance. It's to be the most impactful player on the security team, the jungler who makes everyone else better.

The game is PvP. The adversaries are real. Your team needs you in the fight.

Stop farming. Start fighting.

That’s all for this week’s issue, folks!

See you next week!
