Hello, GRC engineering

Why I'm starting this blog, what it will cover, and the kind of compliance work I think more teams should be doing.

This is the first post on what I hope becomes a proper technical blog about GRC engineering — the practice of treating governance, risk, and compliance as a software problem rather than a paperwork problem.

Why a blog

Compliance work has a writing problem. Most of what's published is either vendor marketing or 101-level explainers. Very little of it explains the engineering — how to actually build the systems that make continuous compliance real.

I want this blog to sit in that gap. Posts will be short, practical, and code-heavy when the subject calls for it.

What you can expect

Rough areas I plan to cover:

• OSCAL in practice — parsing, generating, and validating OSCAL documents with real tooling, not PowerPoints.
• Policy-as-code — Open Policy Agent, Rego, and how to trace every rule back to a control catalog.
• AI-assisted remediation — where LLMs genuinely help with compliance, and where they don't.
• Continuous controls monitoring — building systems that evaluate controls hourly instead of annually.
• Career notes — occasionally, how to actually break into this side of the industry.

The standing invite

If you're building in this space, I'd love to hear what you're working on. Email is on the contact page. More soon.