My favorite aspect of my role at Drata has to be getting to spend time with people who genuinely care about moving this industry forward. People who are willing to challenge how things have always been done, laugh about the pain we’ve all lived through, and still get excited about what’s next.
That’s exactly what my conversation with Ayoub Fandi was at Drataverse London 2025. Ayoub is a GRC engineering leader at GitLab, founder of GRC Engineer, and one of the most influential voices shaping how the industry thinks about modern GRC.
I started off by saying, “One of the things I love most about this role is being able to spend time with you, to laugh together, to share stories, to commiserate, to celebrate together.” And that sentiment carried through the entire conversation. What followed wasn’t just chatting about our favorite tools, biggest wins, or recent challenges; we talked about how GRC is changing, whether we like it or not.
GRC Engineering: From Checklists to Problem Solving
When I think about where GRC is headed, I can’t help but come back to why Drata exists in the first place. Five years ago, it took someone who had personally felt the pain of audits to say, “There has to be a better way than pulling screenshots and evidence over and over again.” That’s where Drata was born, and to me, that’s the essence of GRC engineering.
Ayoub put it perfectly when he said GRC has been “underserved in terms of tooling and capabilities,” and for a long time was seen as “the most boring part of security.” The reality is that GRC teams sit on an incredible amount of context and depth. As he said, outside of the CISO, GRC often has “the biggest amount of depth across every single control” and works with HR, legal, and engineering all at once.
Ayoub described it as “bringing an engineering mindset to GRC problems”. Instead of relying on manual evidence collection and point-in-time exercises, modern teams are designing repeatable workflows, leaning into automation, and closing gaps with tailored solutions when out-of-the-box tooling falls short.
Historically, that breadth didn’t translate into influence because the work stayed trapped in static artifacts. GRC engineering changes that by making control monitoring more continuous, data-driven, and actionable for the rest of the business.
Compliance and Security Aren’t Opposites
I get asked all the time whether security equals compliance, or compliance equals security. My answer has always been the same: they’re complementary when they’re done well.
Ayoub echoed this thought, saying how “the more we move toward engineering and providing real insights back to engineering teams, this dichotomy won’t make sense anymore, because we’ll have literally the same objective.”
We talked about how powerful it is when GRC professionals can sit down with infrastructure teams and say, “You’re already doing infrastructure as code. You already scan it for security. Now you can also apply a compliance lens before anything is deployed.” That shift-left approach means you build it once, correctly, instead of fixing it after the fact.
Watching compliance shift left alongside security is one of the most exciting changes I’ve seen in this space.
AI in GRC: Powerful, But Only With A Strong Foundation
AI came up naturally in our discussion, because it’s everywhere right now. Ayoub shared how his team at GitLab is already using AI internally, especially in third-party risk management, to process massive documents like SOC 2 reports. He described using AI to handle the first pass, while still keeping the human in the loop to review the content and ensure consistency and assurance.
At the same time, he was clear about what worries him. “What’s scary for me is when AI is just summarizing anything,” he said. If teams rely on AI without having standardized workflows and clean data, they risk building false confidence. As Ayoub put it, “You don’t do the basic hygiene because you think AI’s going to do it for you.”
I’ve personally tested this by pitting generic large language models against Drata’s purpose-built workflows. I remember saying, “I know there are four exceptions in this SOC 2 report.” The generic model found three. When I ran it through Drata’s trained workflow, it found all four, with the correct management responses.
That’s the difference between AI as a novelty and AI as assurance.
Assurance: The Next Evolution of GRC
I’ve built and operated GRC programs for years, and I’ve seen the same pattern repeat itself. Teams grind all year, panic when auditors arrive, and then breathe a sigh of relief once the audit is over.
Ayoub challenged that model directly. He talked about how assurance forces us to ask, “who actually cares about this outcome at any point in time?” The answer to that question is customers, partners, and internal teams who rely on us every single day, not just once a year.
With continuous monitoring, GRC teams stop focusing on the people who show up once a quarter asking for evidence. Instead, they become partners who can say, “We’re watching this with you. We’ve got your back.” In fact, I’ve seen this firsthand at Drata. Control owners now trust the system because they know where they stand every day, not just at the end of the audit period.
That shift builds confidence amongst teams and customers alike, and it completely changes how GRC is perceived at organizations.
Trust Centers, Vendor Risk, and What’s Next
Ayoub and I also talked a lot about trust at scale. Before trust centers existed, many of us had a simple “/security” page where we recorded what we were actually doing. That alone was a powerful exercise—but now, trust centers have raised the bar.
Ayoub pointed out that certifications still matter, but they’re no longer enough. With AI-driven threats moving faster than ever, customers want ongoing assurance signals, not annual snapshots. He envisions a time where third-party risk management and trust centers are tightly integrated, allowing organizations to continuously assess vendors and continuously demonstrate their own posture.
As he said, “Every single vendor you already have is becoming an AI vendor.” That reality means more assessments, more complexity, and a greater need for automation that doesn’t sacrifice rigor.
Where to Invest First: A Pragmatic Roadmap
I asked Ayoub a very practical question: “if you only have so much time and budget, where do you place your bets?”
His answer was refreshingly honest. Early on, he said, you almost have to “over-index in compliance” because it unlocks revenue and establishes a baseline. But as organizations mature, compliance becomes table stakes. That’s when GRC teams can become truly strategic.
When GRC stops being a cost center and starts acting as a decision engine, it becomes the place where priorities are set and tradeoffs get made: which investments to make, how to support the CISO with defensible data, and how to tie security decisions directly to business outcomes.
The Future: GRC as the Brain of the CISO
Toward the end of our conversation, we looked ahead a few years. When I talk to CISOs and boards today, I know they don’t want lists of vulnerabilities. They want to know the top risks, who owns them, how they’re trending, and what investments are being made to reduce them.
Ayoub summed it up in a way that still sticks with me. Soon, when a CISO wants to know something, “it’ll have to go through GRC, because they have all the reporting, all the dashboards, and the data is fresh.”
That’s the ultimate vision: GRC as the trusted source of truth for security posture, risk, and assurance across the organization.
Leading with Empathy and Collaboration
We closed on a human note, and I’m glad we did. Ayoub reminded everyone in the room that GRC still works with people. He talked about moving away from transactional stakeholder management and toward collaboration. About grabbing coffee with engineers. About understanding the pain it takes for someone to pull the exact information you’re asking for. About recognizing how product teams prioritize work.
That empathy, he said, is what allows GRC to shift from being reactive to an embedded partnership role.
For me, that’s the real takeaway from Drataverse 2025. The next era of GRC isn’t just about better tooling or smarter AI. It’s about building trust, internally and externally, through engineering, assurance, and genuine collaboration.
Ready to step into that future at your organization? Start with a demo personalized for your organization’s needs.
About Ayoub Fandi
Ayoub Fandi is the Security Automation Assurance Team Lead and staff engineer at GitLab and the founder of GRC Engineer, a community and platform dedicated to modernizing how governance, risk, and compliance is practiced.
With a background that spans a variety of security, engineering, and compliance disciplines, Ayoub is known for pushing GRC beyond checklists and audits into continuous monitoring, automation, and risk-driven decision making. Through his writing, speaking, and hands-on leadership, he has become one of the faces of modern trust.