⚙️ Meet The GRC Companion: Your GRC Engineering AI Learning Buddy
A free, open, learning-only AI companion that teaches GRC engineering through your real work, inside Claude Code, Cursor, Claude Projects, or Codex.
The gap a GRC engineering AI buddy fills
GRC engineering does not survive a knowledge test. You cannot certify someone into engineering judgment. You build it through reps, real artefacts, and a teacher who sees what you are doing in the work itself.
The corpus that defines GRC engineering today sits scattered across newsletters, LinkedIn posts, podcasts, and conference talks. Reading order matters. Context matters. A learner trying to internalise it has no companion that sits next to their actual work.
That is the gap. Not "more content". Not "a course". A working AI buddy that carries the GRC engineering corpus and uses your real artefacts as the lesson material.
Enter the GRC Companion.

What The GRC Companion is
One sentence: The GRC Companion is a learning-only AI companion that teaches GRC engineering by using the real work you are already doing.
Three facts:
31 knowledge cards. Theses, concepts, metaphors, anti-patterns, and reading references. Each card cites its source, links to a brain primitive, and ends with a path back to grcengineer.com so you can read deeper.
14 learning skills. Concept tutor, lab builder, Socratic coach, recall quiz, Feynman explainer, task retrospective, cross-domain translator, learning-path designer, and more. The Companion routes to the right skill for what you brought.
Four installs. Claude Code, Cursor, Claude Projects, or Codex. Pick the one you already work inside. Every adapter is installable in under five minutes.
The learning-only boundary is the load-bearing constraint. The GRC Companion teaches you to think. It does not approve vendors, sign off on audits, write production policy, or score your programme for you. You stay in charge of the work. The Companion sharpens the thinking around it.

What a Human API definition could look like!

In practice
Friday afternoon. You just finished a vendor security questionnaire for a deal sales has been chasing for six weeks.
You open Claude Code and run /companion:retro with the questionnaire pasted in.
The Companion asks one question: "Which answers did you copy from last quarter, and which actually changed your view of this vendor?"
Then it names the pattern it sees in the corpus, citing the audit-driven-thinking card. Then it proposes a ten-minute reflection task that turns the questionnaire into a learning artefact you can revisit before the next one.
The vendor review was always going to happen. The judgment is new. That is what The GRC Companion is for.

How to install
If you live in a terminal, three lines for Claude Code:
git clone https://github.com/grcengineering/companion.git ~/Tools/companion
mkdir -p ~/.claude/plugins && ln -s ~/Tools/companion/dist/adapters/claude-code/companion ~/.claude/plugins/companion
# restart Claude Code, then run /companion:retro
If you do not live in a terminal, you can use Claude Projects in your browser. Step-by-step instructions for all four platforms are at grc.engineering/companion/install.html.
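An added example, not the Companion project's own installer: a re-runnable, fail-closed version of the three Claude Code lines above. It uses the repository URL and paths from the post; the COMPANION_DIR and CLAUDE_PLUGINS_DIR overrides and the file name install_companion.sh are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the Companion project's own installer: a re-runnable,
# fail-closed version of the three-line Claude Code install.
set -eu

REPO_URL="https://github.com/grcengineering/companion.git"
CLONE_DIR="${COMPANION_DIR:-$HOME/Tools/companion}"      # override is an assumption
ADAPTER_REL="dist/adapters/claude-code/companion"
PLUGIN_LINK="${CLAUDE_PLUGINS_DIR:-$HOME/.claude/plugins}/companion"

# Clone on first run, fast-forward only on later runs, so a rewritten
# upstream history is noticed instead of silently adopted.
fetch_companion() {
  if [ -d "$CLONE_DIR/.git" ]; then
    git -C "$CLONE_DIR" pull --ff-only
  else
    git clone "$REPO_URL" "$CLONE_DIR"
  fi
}

# Point the plugin symlink at the adapter directory. Succeeds if the link
# already points there; refuses to replace a real directory or a symlink
# aimed elsewhere, so an unrelated plugin is never clobbered.
link_adapter() {
  src="$1"; dst="$2"
  [ -d "$src" ] || { echo "adapter dir missing: $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")"
  if [ -L "$dst" ]; then
    [ "$(readlink "$dst")" = "$src" ] && return 0
    echo "refusing to replace symlink $dst -> $(readlink "$dst")" >&2
    return 1
  elif [ -e "$dst" ]; then
    echo "refusing to replace non-symlink $dst" >&2
    return 1
  fi
  ln -s "$src" "$dst"
}

install_companion() {
  fetch_companion
  link_adapter "$CLONE_DIR/$ADAPTER_REL" "$PLUGIN_LINK"
  echo "installed; restart Claude Code, then run /companion:retro"
}

# Run only when executed under this (assumed) file name, not when sourced.
case "${0##*/}" in
  install_companion.sh) install_companion ;;
esac
```

Running it a second time is a no-op when the link is already correct, and it stops instead of overwriting a plugin directory you set up by hand.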

What The GRC Companion is not
Not a certificate.
Not a vendor evaluator.
Not an audit prep tool.
Not a black box.
Not something that decides for you.
Not “not free”.
The GRC Companion is what happens when you take the GRC engineering corpus and let it talk back to your real work. It teaches judgment. It does not sell credentials.

The 90-day ask
Install one path. Use the GRC Companion on one real piece of work. Tell me what taught you something and what fell flat.
The corpus grows from what teaches and what does not. Wave 2 will add more cards. A voice profile wizard will let you personalise what the Companion expects of you. The roadmap is public on GitHub.
For now, open grc.engineering/companion, browse the 31 cards, pick the install that fits your editor, and run the first prompt.
The GRC engineering AI buddy you have been missing is live.
Please give feedback. It has been fun reworking the lab_builder into something a lot closer to how people use AI today (me included).
If you build something with it, ship a card back. The Companion gets smarter every time a learner does.

Where It Does Not Apply
Naming what does not work earns trust on what does.
Git operations are not a substitute for risk acceptance with the CFO. Or executive alignment. Or regulator dialogue. Or vendor-CISO relationships. Or the cultural work of moving a programme from audit-driven to program-driven, which I covered in Your GRC Program Serves the Audit. The Best GRC Engineering Programs Don't.
The operating model is the artefact layer. The trust layer sits on top of it and is human work.
This is not a retreat. It is the boundary that keeps the framework honest.

That’s all for this week’s issue, folks!
If you enjoyed it, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Listening to the GRC Engineer Podcast
See you next week!