Welcome back to Zero Signal! In this episode, Conor Sherman and Stuart Mitchell sit down with Ayoub Fandi, the creator of the GRC Engineering Movement and author of the GRC Engineering Newsletter, read by thousands of security and compliance practitioners.
Ayoub drops a truth bomb on the industry, exposing how typical SOC 2 audits rely on antiquated methodologies that sample a measly 25 pull requests out of thousands, slapping a 100% coverage certification on what amounts to 0.07% of actual infrastructure. He breaks down how this "abuse of trust signals" leaves organizations blind to systemic risk at a time when automated threat actors are moving faster than ever.
The conversation dives deep into why 86% of GRC teams are still stuck relying on spreadsheets, how to weaponize compliance rules to win security infrastructure battles against development teams, and why the next generation of GRC platforms won't be SaaS tools but foundational AI models with real-time data wrappers. Finally, Ayoub outlines the future of Third-Party Risk Management (TPRM) through his open-source project, Corsair, moving the industry away from static PDFs and toward cryptographic, automated continuous assurance.
Continued Reading & Resources:
The GRC Engineering Newsletter: https://grcengineering.com/newsletter
Corsair Open-Source Trust Infrastructure: https://github.com/grcengineering/corsair
Ayoub's State of the GRC 2026 Report: https://grcengineering.com/state-of-grc-2026/
Death By Claude Tracker: https://deathbyclaude.com/
About the Guest:
Ayoub Fandi is the founder and principal pioneer of the GRC Engineering Movement. A former leading GRC engineer at GitLab, where he built custom cloud compliance infrastructure from scratch, Ayoub specializes in treating compliance and risk modeling as data engineering problems. He is an international speaker who recently presented his findings at RSA Conference 2026.
Key Topics:
01:08 Transforming GRC from an Audit Prep Machine into an Engineering Program
01:54 The 25 PR Fallacy: Why Your SOC 2 Audit is Lying to You
02:23 Financial Auditing Legacies: Copy-Pasting Methods from the Enron Era
04:14 The Abuse of Trust Signals in Third-Party Risk Management
06:33 CISOs as Cynics: GRC Relegated to a Sales Enablement Tool
08:32 Compliance is Latin for Cash: Procurement vs. Real Security
09:16 CYA Mode: Why Standard Questionnaires Provide Zero Vendor Assurance
11:00 Building Corsair: Leveraging Open Protocols for Continuous Assurance Data
13:40 The Critical Sweet Spot: Auditing High-Risk, Low-Headcount AI Vendors
16:13 Replacing the GRC Acronym with a Trust and Assurance Framework
20:05 Deterministic Checkboxes vs. Probabilistic Risk Postures
21:08 Turning Compliance into Real-Time Observability Engine Metrics
22:56 The 2026 Survey: Why 86% of Security Programs Are Trapped in Excel
24:32 Relational Spreadsheets vs. Unified Graph Data Models
27:51 Excel Pivot Tables vs. Modern Prompt Engineering Roles
31:00 Node Hallucinations: What Happens When AI Drafts and Reviews Audit PDFs
35:28 The Notion and Cloudcore Shift: The Next GRC Platform is a Foundation Model
37:10 Leveraging Model Context Protocol (MCP) to Connect Direct Sources of Truth
41:42 The Lagging Indicator: Why Fortune 500s are Hiring Technical GRC Engineers
45:44 Parkinson’s Law: How Audit Calendars Expand to Destroy Security Innovation
47:34 Weaponizing Standards: Using Compliance to Win Hardening Battles with Devs
49:15 Control Planes and Telemetry: Who Will Own Future Assurance Programs?
Meet our Sponsors:
Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North: https://hamptonnorth.com/?utm_source=website&utm_medium=podcast&utm_campaign=aware_global_swsd_all&utm_content=zero-signal
Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending: https://www.sysdig.com/?utm_source=website&utm_medium=podcast&utm_campaign=aware_global_swsd_all&utm_content=zero-signal
By Conor Sherman