GRC Lasagna with Ayoub Fandi
Episode 51 of the The Paramify Podcast podcast, hosted by Paramify, titled "GRC Lasagna with Ayoub Fandi" was published on January 5, 2026 and runs 85 minutes.
January 5, 2026 ·85m · The Paramify Podcast
Summary
“There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.” Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer. This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance. Key Takeaways:* Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting.* The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol).* FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation.* The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant. Learn more about Ayoub:Gitlab: https://about.gitlab.com/ GRC Engineer: https://grcengineer.com/GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cAAyoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/ Learn more about Paramify:Website: https://www.paramify.com/Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/ Chapters 00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S.02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming)09:00 Struggling to commit to GRC — until Adobe's program changed everything13:00 What GRC Engineering actually means15:00 Why evidence collection is plumbing, not strategy20:00 Why AI won’t kill GRC — it’ll force it to grow up25:00 Architecting assurance: the new role of GRC30:00 Why APIs are losing ground to agentic protocols like MCP35:00 Landlines vs. Cell Phones: How automation skipped a generation38:00 Platformization, assurance, and the SaaS vendor dilemma43:00 Can platforms fix SOC 2 quality?48:00 Sticker fatigue and the case for continuous assurance52:00 Why threat-driven compliance is the only way forward56:00 Advice for early-career GRC professionals in an AI-native world
Episode Description
“There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.”
Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer.
This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance.
Key Takeaways: * Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting. * The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol). * FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation. * The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant.
Learn more about Ayoub: Gitlab: https://about.gitlab.com/ GRC Engineer: https://grcengineer.com/ GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cA Ayoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/
Learn more about Paramify: Website: https://www.paramify.com/ Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/ Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/
Chapters
00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S. 02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming) 09:00 Struggling to commit to GRC — until Adobe's program changed everything 13:00 What GRC Engineering actually means 15:00 Why evidence collection is plumbing, not strategy 20:00 Why AI won’t kill GRC — it’ll force it to grow up 25:00 Architecting assurance: the new role of GRC 30:00 Why APIs are losing ground to agentic protocols like MCP 35:00 Landlines vs. Cell Phones: How automation skipped a generation 38:00 Platformization, assurance, and the SaaS vendor dilemma 43:00 Can platforms fix SOC 2 quality? 48:00 Sticker fatigue and the case for continuous assurance 52:00 Why threat-driven compliance is the only way forward 56:00 Advice for early-career GRC professionals in an AI-native world
Similar Episodes
Apr 10, 2026 ·180m
Apr 10, 2026 ·34m
Apr 9, 2026 ·180m