⚙️ GRC Teams Are Getting More Capable Than Ever But The Shape Looks Different.

Why the future GRC team looks more like a basketball team than a football team, what that means for ICs and managers, and how to position yourself for either path.

GRC hiring isn't slowing down. Companies are adding GRC headcount, expanding programs, and investing in compliance infrastructure.

But the shape of those teams is changing.

For the last decade, most GRC teams were built like American football rosters. Large, specialised, rigid. The compliance analyst did compliance. The risk manager did risk. The tool admin configured the platform. The manager assigned tasks and reviewed outputs. Everyone had a lane. Nobody crossed it.

I covered this rigidity in GRC Team Topologies, where the question was always about centralising vs distributing. But the real shift isn't structural. It's about what each person on the team is expected to do.

That model worked when GRC was a documentation exercise. When the work was manual, you needed bodies. More controls in scope meant more people to check them.

That's not where we're headed.

The Basketball Model

The GRC team of the near future looks more like a basketball team.

Five players. Everyone can dribble, pass, and shoot. But each has a specialty: one is strongest on defence (risk architecture), one is the best shooter (compliance delivery), one runs the plays (program design), one rebounds (data and evidence infrastructure), one facilitates (stakeholder orchestration).

The key difference: everyone plays every position when needed. The risk specialist can pull evidence. The compliance lead understands the data model. The person who talks to the board also understands the API integration. Fluid, versatile, complementary.

This isn't a downgrade. A basketball team isn't worse than a football team for having fewer players. It's faster. Every player matters more. Every player covers more ground. The game rewards versatility and IQ over raw headcount.

| | Football model (old) | Basketball model (new) |
|---|---|---|
| Team size | 8-12 specialists | 4-7 versatile professionals |
| Role boundaries | Rigid, single-lane | Fluid, everyone covers ground |
| AI's role | Doesn't exist yet | Handles the repetitive: evidence pulls, questionnaire responses, first-pass mapping |
| What humans do | Manual execution of defined tasks | Judgment, context, stakeholder dynamics, program design |
| How you win | More headcount, more coverage | Better players, better plays, more IQ |
| Career progression | Analyst → Manager → Director (one ladder) | IC depth OR orchestration leadership (two paths) |

AI handles what the practice squad used to do. The humans on the court handle the decisions that require actually understanding the company.

What Every Player Needs Now

In the football model, you could be a pure specialist. A compliance analyst who only knew SOC 2 could have a full career.

In the basketball model, you need a baseline across the full court:

| Baseline skill | Why it matters | Where to start |
|---|---|---|
| Data literacy | Every GRC workflow is a data pipeline. You need to understand how data moves, transforms, and gets consumed. | Build vs. Buy: the ERD exercise is foundational |
| Program architecture | Not just your lane. How do governance, risk, and compliance connect in your specific company? | From Silos to Systems covers the architectural thinking |
| Stakeholder communication | You'll talk to engineering, legal, finance, and the board. Often in the same week. | From Obstacles to Allies on winning over stakeholders |
| Technical fluency | Not "learn to code." Understanding how systems work, how APIs connect, how your data model relates to your tools. | Technical Foundations for the baseline |
| Navigating context | Understanding the stakeholder landscape, reading political dynamics, building relationships that make projects happen. | Signal vs. Noise on what actually matters |

That last one deserves a closer look. Raw company context (documents, org charts, system configs) will eventually be available to AI agents. That part gets commoditized. What doesn't get commoditized is what you do with that context: understanding the stakeholder landscape, reading the political dynamics, knowing whose approval actually matters versus whose is ceremonial, and building the relationships that make projects go from "proposed" to "implemented."

An AI agent can read every Slack message in your company. It still can't get the VP of Engineering to prioritise your control implementation.

The IC Path Just Got More Interesting

For years, the default GRC career ladder was: analyst → senior analyst → manager → director → VP. The only way "up" was to manage people.

In the basketball model, the senior IC becomes one of the most valuable players on the court.

The deep IC understands the program's data model, the regulatory landscape specific to the company, the control architecture, and the political dynamics that determine whether any of it gets implemented. That's broader than just technical depth. It's the intersection of expertise and action that makes someone irreplaceable. I explored the skill stack this requires in What GRC Engineering Is and What It Isn't.

The IC moat isn't "I know things the AI doesn't." It's "I can make things happen that the AI can't."

The best ICs I've seen at enterprise scale:

→ Understand the stakeholder landscape deeply enough to know who to involve and when
→ Are the person the CISO actually listens to because they focus on outcomes that matter to the business, not just compliance status
→ Build bridges with engineering, legal, and product that turn proposed controls into implemented ones
→ Understand the real risk posture: not the dashboard version, but what the company is actually exposed to and why

That combination is the difference between a GRC professional who reports status and one who drives outcomes. The IC path is no longer the consolation prize for people who didn't want to manage. It's a genuine career trajectory where the ability to make things happen compounds over time.

As an IC, you can focus on the key outcomes for the business and be genuinely useful to the CISO instead of going through the motions without strong impact. That's worth more than a management title. And it's worth more in the AI era, not less.

"The best product thinkers are able to get to novel insights through user empathy and deep understanding of business dynamics, and bringing those together to prioritise ideas that actually really matter."

This quote is from a recent conversation on Lenny’s podcast about the art of influence in product leadership. Replace "product" with "GRC" and it describes exactly what the best ICs do.

For Existing Managers and Directors

If you're reading this as a GRC manager or director, this is not a "your job is at risk" piece. It's an opportunity piece.

Your role is evolving from managing a team of task-doers to orchestrating a team of versatile professionals + AI capabilities. That's a more senior role, not a less senior one. If you've read Becoming a GRC Product Manager, this is the natural next step.

Here's what changes:

You're the point guard, not the head coach. In basketball, the point guard is on the court, running plays and scoring. The future GRC leader isn't reviewing dashboards from a distance. They're in the work, shaping the program alongside their team.

Your value shifts to orchestration and alignment. Coordinating 5 versatile humans + AI agents across governance, risk, and compliance. Making sure the right person covers the right situation. Aligning the program's priorities with the business. Selling GRC Engineering covered the executive alignment piece.

You build a team of A-players. Instead of managing a pyramid of junior analysts doing manual work, you're curating a small team where every person brings real depth. Hiring gets harder but the team gets dramatically more effective.

Your stakeholder skills become your superpower. The influence, executive translation, and cross-functional alignment skills you've built? Those are the hardest skills for AI to replicate. In the basketball model, the person who keeps the team aligned with the business is the most important player.

The managers who struggle are the ones whose identity is tied to the size of their team. Headcount ≠ impact. The ones who thrive redefine their role around the quality of the program, not the size of the org chart.

Navigating Your Company Is Home Court Advantage

In basketball, home court advantage is real. The team that knows their court, their crowd, their rhythm beats the team with better individual stats.

In GRC, the ability to navigate your company's landscape is your home court advantage.

Every company has political dynamics, stakeholder relationships, and risk priorities that determine whether anything actually gets done. The CISO who cares about third-party risk but doesn't care about your framework mapping. The engineering VP who will only engage if you speak their language. The board member whose questions reveal what leadership actually worries about.

AI will eventually know your company's documents, configs, and org chart better than you do. That part of context gets commoditized. What stays human is the judgment, the relationships, and the ability to connect GRC work to what the business actually cares about.

When AI handles the routine, the people who can make things happen become the most valuable players on the team. Not because they know the most, but because they move the program forward.

What To Do This Week

If you're an IC:
→ Map the relationships that make your projects succeed or stall. That's your career moat, not your technical skills.
→ Start building baseline skills outside your lane. If you only know compliance, learn how the risk function works. If you're technical, practice stakeholder communication. The GRC Engineering Maturity Model can help you assess where to invest.

If you're a manager:
→ Identify where AI could handle the repetitive work your team does today. That's not a threat to your team. It's headroom for them to do higher-value work. The 3 Types of Automation framework helps you decide what fits.
→ Think about what your team looks like as a basketball team. Who are your five starters? What position does each play?

If you're early in your career:
→ Don't optimise for one narrow specialty. Build breadth across GRC and depth in one area. Versatility is the new entry requirement.
→ The ability to navigate stakeholders starts accumulating on day one. Pay attention to why things work the way they do, not just what they are.

The game is changing. But there are more seats on the court than people think. And every player matters more than ever.

That’s all for this week’s issue, folks!

See you next week!
