Listen and watch now on YouTube, Spotify and Apple. The episode transcript is available at the top of the page and timestamps for the episode are at the bottom.
This episode was particularly exciting for me because Ibrahim brings a completely different perspective to GRC engineering than what we usually hear about. Whilst most discussions focus on B2B SaaS companies and cloud-native environments, Ibrahim has spent years implementing GRC engineering principles in one of the most complex and regulated environments imaginable: the US federal government and national security sector.
Ibrahim's journey from delivering ATOs for defence and intelligence agencies to now leading global insider risk at Google gives us a unique lens into how GRC engineering principles apply across vastly different contexts. His experience with OSCAL, controls as code, and automating compliance in air-gapped environments offers lessons that extend well beyond the public sector.
Have a great listen and let Ibrahim and myself know what you thought of it.
Feel free to share it if you enjoyed it 😀

🎙️ In This Episode
How do you apply GRC engineering principles when "lift and shift to the cloud" isn't an option and your environment is deliberately air-gapped for national security reasons?
In this episode, I'm joined by Dr. Ibrahim Waziri Jr., Global Insider Risk Lead at Google Cloud and former Microsoft Federal GRC Engineering leader, who's spent years proving that automation and engineering principles can transform even the most regulated, complex environments. Ibrahim shares insights from delivering ATOs across the US defence and intelligence sectors, building OSCAL implementations, and bridging the gap between mission-critical compliance and modern engineering practices.
We discuss:
The evolution from static RMF documentation to dynamic, automated compliance
Why prescriptive frameworks like NIST actually accelerate automation (contrary to popular belief)
How OSCAL is transforming the relationship between compliance teams and engineers
The unique challenges of implementing GRC engineering in air-gapped environments
Why mission-driven value metrics differ fundamentally from commercial ROI calculations
How to balance speed with security in environments where mistakes can cost lives
The global harmonisation challenge facing multinational organisations
Why some of the most innovative GRC engineering is happening in the public sector
Ibrahim's perspective on the regulatory acceleration we're seeing worldwide
And much more!

💡3 Insightful Ideas
GRC engineering is about moving from static to dynamic
"GRC engineering is to me, it's about moving from being static, manual document heavy to kind of being dynamic automated, you know, embedding GRC into the sector of lifecycle. Building the automation, the machine readable approach to it. Traditionally compliance has been a process that happens some sort of like after the fact. Auditor comes in, the team scrambles to produce documentation."
Prescriptive frameworks actually accelerate automation
"The prescriptive nature of US federal kind of frameworks really does make automation easier. When you kind of have this very clear definition of what needs to be documented, what evidence is required and how compliance is usually measured, you will be able to kind of, it makes it easier to codify these into kind of tooling."
Value looks different in mission-driven environments
"In the commercial world values usually measured in money, time to value, speed, market share, competitive differentiation. In mission-driven environments, you tend to find value from trust, resilience, mission assurance. Speed is highly valuable, but not at the expense of security, especially within the national security sector."

📌 Timestamps
(00:00) Intro
(02:39) Ibrahim's journey from PhD research to federal GRC implementation
(07:50) Transition from traditional compliance to GRC engineering at Microsoft
(11:08) How to define GRC engineering in highly regulated environments
(16:07) Why prescriptive frameworks are actually GRC engineering enablers
(23:21) The challenge of multi-framework compliance in global environments
(28:20) How OSCAL is bridging the gap between compliance and engineering teams
(35:07) Balancing prescriptive guidance with organisational flexibility
(43:47) Measuring value when profit isn't the primary metric
(52:49) The bureaucracy vs. necessary rigour distinction in public sector
(59:49) Where GRC engineering is heading in federal and global contexts

⚙️ GRC Engineering Connection
Ibrahim's insights reveal how GRC engineering principles scale to the most complex regulatory environments, offering lessons for any organisation dealing with multiple frameworks or legacy infrastructure:
Prescriptive as Enabler: Contrary to common belief, highly detailed frameworks like NIST 800-53 and FedRAMP actually accelerate automation by providing clear, consistent requirements that can be easily codified. This principle applies to any organisation looking to automate compliance across multiple standards.
Authorization Boundaries Define Engineering Boundaries: Ibrahim's insight about air-gapped environments applies broadly to any constrained infrastructure. Your GRC engineering approach must align with your technical boundaries, whether that's regulatory isolation, legacy system constraints, or multi-cloud complexity.
Mission-First Metrics: The shift from commercial ROI to mission assurance metrics provides a framework for any organisation where compliance serves broader objectives than profit maximisation. This includes financial services, healthcare, and critical infrastructure sectors.
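To make the "prescriptive as enabler" point concrete, here is a small controls-as-code sketch added for this write-up (it is not code from the episode, from NIST, or from the OSCAL project). It loads a constructed, simplified catalog that mirrors the shape of an OSCAL catalog (groups containing controls with an id, title and parts), walks every control, runs an automated check for each one against a constructed system snapshot, and emits one finding per control in the style of OSCAL assessment results. The control ids follow NIST SP 800-53 naming, but the requirement text is paraphrased and the organisation-defined parameter values (30 days, 365 days) are assumptions for the example.

```python
"""Controls-as-code sketch: evaluate a machine-readable control catalog
against a system's configuration and emit per-control findings.

The catalog and the system snapshot below are constructed for this
example. The catalog mirrors the layout of an OSCAL catalog
(groups -> controls -> parts) but is not a validated OSCAL document.
"""
import json
from typing import Callable

# Constructed, simplified catalog fragment modelled on the OSCAL catalog
# layout. Control ids follow NIST SP 800-53 naming; the prose is
# paraphrased, not the official control statement.
CATALOG_JSON = """
{
  "catalog": {
    "groups": [
      {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-2", "title": "Account Management",
         "parts": [{"name": "statement",
                    "prose": "Disable inactive accounts after a defined period."}]}
      ]},
      {"id": "au", "title": "Audit and Accountability", "controls": [
        {"id": "au-2", "title": "Event Logging",
         "parts": [{"name": "statement",
                    "prose": "Log authentication events."}]},
        {"id": "au-11", "title": "Audit Record Retention",
         "parts": [{"name": "statement",
                    "prose": "Retain audit records for a defined period."}]}
      ]}
    ]
  }
}
"""

# Constructed system snapshot, standing in for evidence a collector would
# pull from the environment (IAM settings, logging config, retention policy).
SYSTEM = {
    "inactive_account_disable_days": 35,
    "auth_logging_enabled": True,
    "audit_retention_days": 90,
}

# Organisation-defined parameters: the prescriptive values the frameworks
# make explicit. These numbers are assumed for the example.
PARAMS = {"max_inactive_days": 30, "min_retention_days": 365}


def flatten_controls(catalog: dict) -> list[dict]:
    """Return every control in the catalog, walking nested groups and
    nested controls (OSCAL allows control enhancements under a control)."""
    found: list[dict] = []

    def walk(node: dict) -> None:
        for ctl in node.get("controls", []):
            found.append(ctl)
            walk(ctl)
        for grp in node.get("groups", []):
            walk(grp)

    walk(catalog["catalog"])
    return found


# One automated check per control id. Each returns (satisfied, evidence).
CHECKS: dict[str, Callable[[dict], tuple[bool, str]]] = {
    "ac-2": lambda s: (
        s["inactive_account_disable_days"] <= PARAMS["max_inactive_days"],
        f"inactive accounts disabled after {s['inactive_account_disable_days']} days",
    ),
    "au-2": lambda s: (
        s["auth_logging_enabled"],
        f"auth_logging_enabled={s['auth_logging_enabled']}",
    ),
    "au-11": lambda s: (
        s["audit_retention_days"] >= PARAMS["min_retention_days"],
        f"audit records retained for {s['audit_retention_days']} days",
    ),
}


def assess(catalog_json: str, system: dict) -> list[dict]:
    """Produce one finding per catalog control. States loosely follow the
    satisfied / not-satisfied vocabulary of OSCAL assessment results; a
    control with no automated check is reported rather than silently skipped."""
    findings = []
    for ctl in flatten_controls(json.loads(catalog_json)):
        check = CHECKS.get(ctl["id"])
        if check is None:
            findings.append({"control": ctl["id"], "state": "not-assessed",
                             "evidence": "no automated check defined"})
            continue
        ok, evidence = check(system)
        findings.append({"control": ctl["id"],
                         "state": "satisfied" if ok else "not-satisfied",
                         "evidence": evidence})
    return findings


def summary(findings: list[dict]) -> dict:
    """Count findings by state so a dashboard or CI gate can act on them."""
    counts = {"satisfied": 0, "not-satisfied": 0, "not-assessed": 0}
    for f in findings:
        counts[f["state"]] += 1
    return counts


if __name__ == "__main__":
    results = assess(CATALOG_JSON, SYSTEM)
    print(json.dumps(results, indent=2))
    print(summary(results))
```

Because the catalog is machine-readable and the parameters are explicit, the same loop works unchanged whether the catalog has three controls or several hundred; the only per-control work is writing the check, which is exactly the codification step the episode describes. Running it on the constructed snapshot reports ac-2 and au-11 as not satisfied and au-2 as satisfied.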

🌶️ Hot Take
The public sector isn't slow at innovation; it's optimising for different constraints. When you're protecting national security or critical infrastructure, the cost of failure isn't measured in customer churn or revenue loss; it's measured in human lives and national security impact.
As Ibrahim notes: "It might not move as fast because most times, this is a risk based organization, risk based environments, where the cost of a mistake in some of these highly regulated environments, it's directly correlated with human lives."

📚 References
To learn more about Ibrahim
LinkedIn: https://www.linkedin.com/in/iwazirijr/
Abstract from an RSA Conference presentation: https://www.rsaconference.com/Library/presentation/USA/2025/Bridging%20Cybersecurity%20Governance%20and%20Engineering%20Implementing%20Security%20and%20AI%20Policies
Ibrahim's YouTube channel with the cybersecurity courses he taught: https://www.youtube.com/@iwazirijr/videos
Resources mentioned
OSCAL (Open Security Controls Assessment Language): https://pages.nist.gov/OSCAL/
NIST 800-53 Security Controls: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
FedRAMP: https://www.fedramp.gov/
DoD Risk Management Framework: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf
CSA Cloud Controls Matrix (CCM): https://cloudsecurityalliance.org/research/cloud-controls-matrix/

That’s all for this podcast’s issue, folks!
If you enjoyed it, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Read the GRC Engineer deep-dives relevant to this episode:
See you this Thursday!
Start learning AI in 2025
Keeping up with AI is hard – we get it!
That’s why over 1M professionals read Superhuman AI to stay ahead.
Get daily AI news, tools, and tutorials
Learn new AI skills you can use at work in 3 mins a day
Become 10X more productive