build compliance systems that don’t just pass audits—they improve how teams work.
Every organization already runs on a system—some are designed, most are inherited. Over time, those systems drift, calcify, or quietly lose meaning. I help teams surface what no longer fits and redesign what’s been outgrown—so trust becomes the outcome of how your system actually behaves.
Before we talk solutions, we talk reality.
And most of the time, that starts with friction no one’s had time to name—until now.
Systems drift. Teams compensate. Policies collect dust. Trust erodes slowly, then all at once.
This next section outlines some of the patterns I see most often—the ones that show up before anyone says “we need help.”
Governance fails quietly when no one owns the system. These scenarios point to fractured accountability, unclear handoffs, and cross-functional friction that derails otherwise good intentions.
01
The GRC Program Exists—But No One Can Say What It DoesThere’s a charter. There’s a roadmap. There’s a Slack channel. But when you ask different stakeholders what the GRC program does, you’ll get vague generalities—“audit stuff,” “security maybe,” “keeping us out of trouble.” This is a program built from activity, not purpose. GRC Economics realigns the function to strategic outcomes: what risks are being reduced, what decisions are being supported, what behavior is being shaped. Embedded GRC ensures the system is not just operational, but explainable. Policies are rewritten. Processes are clarified. Ownership is made explicit. The program stops being invisible. It starts being coherent. Because if no one can say what it does, it’s not working.
02
Governance Is Top-Heavy and Team-LightDecisions about governance happen at the top—but execution fails at the edge. Policies are written in isolation. Controls are assigned without input. Teams implement without understanding, comply without commitment, and eventually disengage. This is governance imposed, not integrated. GRC Economics reestablishes the system’s logic—ensuring controls, policies, and priorities align with how decisions are made across layers, not just reported up. Embedded GRC makes governance usable at the ground level—designing rituals, documentation, and escalation paths that teams can navigate without translation. Together, they flatten the structure just enough to make it responsive. Governance isn’t just about authority—it’s about coherence. And coherence doesn’t scale without listening.
03
Everyone’s Doing Their Job—But No One Owns the SystemSecurity owns the controls. Legal owns the policy. Delivery owns the tooling. But when something goes wrong—when the evidence isn’t there, or the control drifts, or the policy gets bypassed—everyone looks sideways. This is the hallmark of fragmented governance. GRC Economics reintroduces structure: clear objectives, mapped accountability, aligned incentives. Embedded GRC operationalizes that structure—connecting artifacts and touchpoints so ownership is visible, not implied. SAFe GRC sustains it through cadence—so validation isn’t a special event, but a regular habit. Governance doesn’t work if it only exists in silos. These approaches turn it back into a system—one with clear owners, clear flow, and shared responsibility.
04
No One Knows Where Governance LivesThe policy is in Confluence. The audit tracker lives in Excel. Evidence is scattered across SharePoint, Slack threads, and someone’s inbox. Everyone owns a piece of the puzzle—but no one sees the whole. This is fragmented governance. Embedded GRC reclaims clarity—building source-of-truth documents, simplifying ownership, and reducing the cognitive load of just finding the right file. SAFe GRC reinforces that clarity in flow, embedding governance checkpoints directly into Agile ceremonies and tooling. Together, they don’t just centralize the data—they make it visible where it matters. If governance is hard to find, it won’t be used. And if it’s not used, it’s not protecting anything.
When compliance lags behind delivery, trust suffers and teams scramble. These problems emerge when audits are theatrical, evidence is delayed, and governance doesn’t match the rhythm of actual execution.
01
Delivery Moves Fast—But Compliance Lags BehindSprints close. Features ship. Releases move quickly. But compliance is still playing catch-up—scrambling for evidence, logging controls after the fact, and struggling to keep pace with delivery. This is what happens when governance isn’t designed to move with the work. SAFe GRC fixes this by embedding compliance signals directly into Agile cadence: sprint demos, standups, retros, backlog grooming. It doesn’t slow down the train—it rides with it. Evidence is captured incrementally, not chased in a panic. Controls are tested in flow, not manually after deadlines. And governance becomes something your teams expect—not something they sidestep. The speed of delivery doesn’t need to come at the cost of trust. With the right design, they reinforce each other.
02
Compliance Work Is Always Last-MinuteThe quarter ends. The audit looms. Suddenly, every control needs a screenshot, and everyone is digging through chat logs for “evidence.” It’s not that no one cares—it’s that the system was never designed to capture anything until it’s too late. SAFe GRC fixes this at the root: aligning control signals, reviews, and evidence capture with the team’s sprint cadence. You’re not gathering evidence after delivery—you’re producing it as delivery. Controls are validated inside backlog grooming. Risk discussions happen in PI planning. Assurance becomes incremental, not theatrical. Last-minute panic isn’t a capacity problem. It’s a cadence problem. And this approach gives you one that works.
03
Engineers Feel Like They’re Being Punished by PolicyEvery ticket feels like friction. Every policy drop adds another step. Engineers start seeing GRC as something to work around—not work with. That’s not resistance—it’s a signal. Embedded GRC listens to it: mapping controls to workflows, simplifying language, and eliminating rituals that interrupt more than they protect. SAFe GRC goes further—embedding compliance into Agile ceremonies so governance rides in the same lane as delivery, not across it. These approaches don’t water down requirements—they align them. When engineers feel respected, they stop resisting. When policies feel useful, they stop being ignored. The system holds—not through force, but fit.
04
GRC and Security Teams Don’t Speak the Same LanguageSecurity speaks in vulnerabilities. GRC speaks in frameworks. Delivery speaks in velocity. And no one feels fully understood. Misalignment turns into missed context, duplicated effort, and quiet resentment. Embedded GRC closes the gap—translating controls into shared language, making risk real across disciplines, and clarifying how governance supports—not slows—technical teams. SAFe GRC reinforces that bridge in real-time: syncing policy checkpoints with sprints, turning controls into story points, and embedding validation into delivery rhythms. These approaches don’t force fluency. They build it. Because if you want a unified system, everyone needs to be in the same conversation.
The policy exists—but no one reads it. Documentation that’s too abstract, complex, or misaligned becomes background noise. These issues highlight where clarity breaks down and context is lost.
01
Policy Is Technically Accurate—But No One Uses ItThe policy is correct. It meets framework requirements. It references all the right standards. And yet—no one reads it, follows it, or refers to it when decisions are made. That’s not a people problem. That’s a design problem. This is what happens when governance is written for regulators, not humans. Embedded GRC rebuilds policy as a functional asset: readable in context, referenceable in a moment, and structured around clarity, not jargon. If someone can’t use the policy under pressure, it’s not doing its job. The goal isn’t perfection—it’s trust and usability. Good policy doesn’t just survive an audit. It survives Tuesday.
02
Frameworks Are Implemented—But Everything Feels Duct-TapedThe policies exist. The control matrix is complete. The auditor gave a green light. But the program feels stitched together—layered across years of findings, leadership changes, and half-adopted standards. No one knows what to remove. Everything feels fragile. GRC Economics helps unearth the strategic misalignments beneath the surface—surfacing duplicated intent, overfit controls, and frameworks that conflict with delivery logic. Embedded GRC rebuilds what remains—clarifying structure, streamlining documentation, and making the system coherent again. This isn’t about gutting everything. It’s about reconnecting what matters and letting go of what doesn’t. Compliance shouldn’t feel like a patchwork. It should feel like a system.
03
There’s a Backlog of Policy Work—But No One Has the TimeEveryone agrees the policy needs rewriting. The standard is outdated. The approval chain is unclear. But policy work keeps getting bumped—for launches, incidents, or just daily reality. It’s always important, never urgent. Embedded GRC helps reduce the weight—rewriting content for clarity, streamlining formats, and aligning language to what people already understand. Fractional GRC Leadership closes the execution gap—bringing senior-level strategy and structure without needing full-time bandwidth. Together, these approaches move policy from the backlog to the business. Governance doesn’t need more pages. It needs time, ownership, and clarity. This gives you all three.
04
Documentation Is Everywhere—But Meaning Is MissingYour team has documentation. Lots of it. A policy for every standard. A control for every requirement. A spreadsheet to track exceptions. But ask someone what it all means, and the answer is… silence. This is documentation drift: governance artifacts created for coverage, not clarity. Embedded GRC restores meaning by stripping jargon, rewriting with purpose, and aligning each document to a real use case. If something exists, it should have a job. If no one knows what it’s for, we archive or rework it. Governance doesn’t improve through volume. It improves through focus. And that’s what this approach delivers.
Even well-built systems erode when no one’s looking. Controls misalign, risk models go stale, and governance stops reflecting how work actually happens. This category surfaces the slow decay that eventually shows up as real failure.
01
Controls Exist—But No One Can Explain WhyThe control is in place. It’s documented, audited, and maybe even automated. But ask three people what it’s for, and you’ll get three guesses—or blank stares. This is a system built for audit, not alignment. Controls that once made sense were patched over, inherited, or duplicated without clear ownership or connection to strategy. Over time, the signal fades and only the structure remains. GRC Economics addresses this by mapping every control to a strategic or risk-reducing outcome—nothing extra, nothing assumed. Embedded GRC takes it further: making the control usable, visible, and reinforced in daily context. Together, these approaches eliminate dead weight and restore intent. A control that no one can explain is a control that no longer belongs.
02
Risk Registers Are Full—But No One ActsThe risk register is thorough. You’ve ranked impact, calculated likelihood, added mitigation steps. But nothing’s moving. No decisions, no escalations—just stale entries on a heat map. This is the illusion of governance: documentation without behavior. GRC Economics reframes risk registers as decision tools—not repositories. It aligns risk ownership with actual tradeoffs and escalation paths that trigger movement. SAFe GRC brings risk into delivery, aligning it with sprint planning, capacity discussions, and PI cadence—so it’s not tracked separately, but managed continuously. A risk that doesn’t move is either misunderstood or unowned. These approaches make sure it’s neither. Risk management doesn’t start with documentation. It starts with accountability.
03
Audits Are Passed—But Findings Keep RepeatingYou pass the audit every quarter. And every quarter, the same findings return—reshaped, renamed, but never resolved. The evidence gets submitted, but nothing actually changes. This is audit as performance, not audit as improvement. GRC Economics traces the repetition back to its source: a failure in incentives, ownership, or decision architecture. It doesn’t just ask “Did we respond?”—it asks “Did we change the system that caused it?” SAFe GRC closes the loop by embedding validation and feedback into sprint cycles, ensuring that fixes are operationalized—not just logged. An audit is a snapshot. But a system should move. These approaches make sure it does.
04
Controls Are “Live”—But No One’s Monitoring DriftThe control was implemented six months ago. The team changed last quarter. The process shifted last week. And no one noticed that the control no longer applies. This is system drift. GRC Economics addresses the root—misaligned incentives, unclear ownership, and a lack of real-time accountability. SAFe GRC embeds control validation into delivery cadence—so drift is surfaced in sprint demos, retros, and backlog review. A control isn’t “live” because it passed once. It’s live if it still makes sense now. These approaches treat drift as a condition to manage, not a failure to blame. Because what matters isn’t what was installed—it’s what still holds.
05
You’ve Outgrown the System—But No One’s Stopped to Redesign ItThe company doubled in size. New markets, new risks, new dependencies. But the governance system still runs like it did three years ago—frozen in early-stage assumptions, legacy approvals, and outdated cadences. GRC Economics evaluates the system at scale: what it was built for, where it’s failing now, and what must be re-anchored for longevity. Embedded GRC does the groundwork—rewriting artifacts, shifting rituals, and reassigning ownership so the system grows with the business, not around it. Scaling isn’t just about more controls. It’s about more precision. If you’ve outgrown the structure, it’s time to rebuild—not patch. These approaches give you the blueprint and the tools.
People may comply, but they don’t trust the system. This theme explores the gap between enforcement and belief—when governance feels performative, disconnected, or quietly demoralizing.
01
Teams Comply—But Still Don’t Trust the SystemThe boxes are checked. The evidence is submitted. The auditors are satisfied. But ask the teams what they think of compliance, and you’ll hear frustration, eye-rolls, or total disengagement. This is governance that enforces behavior but fails to earn belief. Embedded GRC addresses the human layer—rewriting documentation, clarifying purpose, and embedding signals that reinforce trust, not surveillance. SAFe GRC meets teams in their flow—making compliance something they do naturally, not under duress. When compliance feels imposed, people will meet the minimum. When it feels aligned, they adopt it fully. These approaches shift governance from a source of tension to a source of stability. Trust can’t be mandated. It has to be designed for.
02
Controls Are Enforced—But Behavior Doesn’t ChangeThe control is mandatory. The training is complete. The reminders are automated. But people still work around it—or worse, game it. This is what happens when controls are technically enforced but behaviorally misaligned. GRC Economics helps model the incentives beneath the behavior—why the workaround exists, what it avoids, and what it accidentally rewards. Embedded GRC addresses the usability layer: is the control visible? Understandable? Sustainable under pressure? Enforcement isn’t enough if the system doesn’t make sense. These approaches rewire governance around how people actually work, not how someone assumed they would. Compliance that changes behavior is earned—not forced.
03
Trust Is a Talking Point—But Not a Design PrincipleYou say you’re building trust. It’s in your mission, your audits, your leadership slides. But inside the system, trust isn’t designed for—it’s assumed. Controls are reactive. Policies are abstract. The teams do what’s required but don’t believe it serves them. GRC Economics reframes trust as a structural output, not a communication strategy. It ties governance directly to incentives, behaviors, and strategic clarity. Embedded GRC supports that with usability—turning documentation into something people can read, use, and sustain. Together, they build systems that don’t just claim trust. They demonstrate it. Not through messaging. Through behavior. Trust isn’t earned by saying the word. It’s earned by how the system behaves when no one’s watching.
Each approach is shaped by lived patterns—designed to meet the pressure points you’ve just seen.
Heavy on systems thinking and strategic alignment. Prioritizes long-term adaptability and incentive clarity. Less focus on day-to-day usability or Agile rituals.
Most GRC programs don’t fail because of one big event. They fail in small, consistent ways—when controls stop making sense, when policies no longer reflect reality, when trust begins to erode quietly across teams. These patterns show up differently depending on the organization, but the underlying issues repeat: misalignment, fatigue, reactive governance, and compliance that can’t keep up with change.
The approaches I use weren’t pulled from a whiteboard or built around frameworks alone. They were shaped over time, in the field—through audits that turned messy, delivery teams that lost confidence, and risk registers that said the right things but failed to drive the right behavior. Each model is built to address a specific kind of drift: economic, operational, or cultural.
Some teams need to rethink their governance strategy at the system level—realigning incentives, structures, and decision logic. Others are dealing with fatigue: documentation no one uses, security controls no one understands, policies that no longer help people do their jobs. And for many, the core issue is delivery—compliance that arrives too late, adds too much friction, or exists entirely outside the team’s flow of work.
There’s no universal fix. But there are tested ways to rebuild trust from the inside out—without slowing the business down. These three approaches offer different entry points, depending on your environment, your pressure points, and your goals. Each one is designed to hold up under real conditions—not just on paper.
Excels in clarity, cross-functional fluency, and sustainable rhythms. Strong under pressure, especially where governance needs to feel natural across silos.
Leans into cadence, flow, and Agile-native delivery environments. Extremely strong in execution sustainability and pressure response. Moderate in strategic or cross-functional reach.
Start with what’s real, not what’s required.
Before we reference any frameworks, we start with your system as it exists: how decisions are made, how risk moves, where accountability lives—and where it doesn't. Compliance frameworks are useful, but only once they’re mapped to real behaviors and real gaps. We’ll ask what’s working before we fix what’s broken.
You can expect:
• A system-level review before any checklist
• Patterns surfaced, not symptoms masked
• Controls rooted in how your team actually moves
If it only looks good on paper, it doesn’t count.
Performing compliance isn’t the same as earning trust. I don’t do box-checking exercises, decorative audits, or screenshot archaeology. Every control we implement should hold up under scrutiny—by auditors, yes, but more importantly, by your own teams. If the system needs to bend to look right, it's not designed right.
You’ll never get:
• Fake assurance
• Compliance for show
• A framework forced into place
Everything connects—so we design like it does.
Controls don’t live in isolation. They live inside networks of tooling, behavior, delivery, and drift. I take a systems approach to design—modeling escalation paths, control interactions, and the invisible incentives that shape real decisions. Governance isn't a static artifact; it's an active environment.
What this means:
• Escalation paths that work
• Incentives aligned with behavior
• Control portfolios, not just isolated fixes
Readable, referenceable, and real.
Most policies fail not because they’re wrong—but because they’re unreadable, forgotten, or disconnected from daily work. I rewrite documentation so it serves a purpose: to anchor decisions, explain context, and reduce ambiguity when things get hard. A good policy isn’t longer—it’s clearer.
You can expect:
• Tiered frameworks (not flat PDFs)
• Human-readable language
• Controls written for how your teams actually operate
Governance doesn’t have to feel like friction.
If governance lives outside the delivery rhythm, it will always be bypassed. I embed compliance into Agile cadences, sprint reviews, planning rituals, and service delivery timelines—so trust becomes a byproduct of how your teams already move. When the system flows, the evidence does too.
Built-in, not bolted on:
• Controls surfaced during standups, not quarterly check-ins
• Evidence collected during delivery, not after
• Governance rituals that sync with your real cadence
Time, trust, and attention are limited.
I design for reality—not fantasy GRC budgets or perfect audit timelines. Every solution respects your team’s capacity, context, and working bandwidth. No multi-year blueprints. No over-scoped policy refreshes that collapse under weight. Just clear, right-sized systems your team can actually maintain.
I take into account:
• What your team is already doing
• What tooling you have today
• What can be realistically sustained without me
Not declared. Demonstrated.
Trust isn’t a goal—it’s an outcome. It shows up when systems behave the way people expect them to: clearly, repeatedly, and without drama. I build governance models that create predictability—through transparency, shared ownership, and small wins that compound. Trust isn't something you launch; it's something you prove, over time.
This looks like:
• Cross-functional ownership
• Fewer escalations, more clarity
• Systems people believe in because they’ve seen them work
Explore services built for real teams, real pressure, and real accountability
Strategic design of governance systems that scale with clarity, auditability, and organizational trust.
Dynamic risk registers, escalation paths, and decision tools rooted in behavior, incentive, and design.
Advisory and part-time GRC leadership to bridge frameworks, teams, delivery, and strategic execution.
Embedded controls, audit signals, and rituals aligned with Agile cadences, sprints, and PI planning.
Guidance rooted in game theory, behavioral modeling, and strategic tradeoffs—helping you design governance systems that make sense economically, not just regulatorily.
Align sprint rituals with real compliance checkpoints—so evidence is captured continuously, not chased at quarter’s end.
Translates technical controls into policy language, mapped evidence, and accountable workflows—so your systems hold up under scrutiny, not just design.
Reveal where your current controls unintentionally reward risk or disengagement—and redesign governance around actual human behavior.
Integrate GRC priorities, capacity planning, and risk work into Agile PI cycles—so compliance is delivered alongside features, not after.
What I Bring to the Table
I approach GRC like an engineer with a behavioral lens. Every control, policy, and process exists inside a system—and systems drift when they’re not designed with care.
I don’t create noise or build for appearances. The work I do is often invisible until it matters—then it holds up under pressure.
Everything maps to something that matters: a control objective, a delivery milestone, or a trust outcome. Nothing is random. Nothing is extra.
I speak policy, security, product, and delivery—without dumbing it down or overcomplicating. That translation layer reduces friction where most teams stall.
Documentation, metrics, and guidance should be readable, referenceable, and real. I don’t ship things that require a decoder ring.
I build governance that can run without me. Recurring cadences, embedded rituals, and clear accountability keep the system alive and resilient.
53+
Custom GRC programs, policy architectures, and governance frameworks built across industries and maturity levels.3x
Increase in meaningful, documented control coverage across teams and tools—without adding friction.35+
Mapped, aligned, or implemented across global and industry-specific frameworks—from ISO and SOC 2 to emerging AI and ESG standards.27+
From first-line startup launches to full-scale rebuilds for mature orgs—always fit-for-purpose, never overbuilt.Each metric reflects how well governance holds up under pressure, change, and real-world delivery.
❯❯❯❯
Control Adoption Across TeamsControls aren’t just implemented—they’re understood, trusted, and actually used.
This score reflects how well controls are embedded into everyday workflows across engineering, product, and security teams. Instead of compliance being “someone else’s job,” adoption shows shared ownership across roles. High adoption rates reduce bypassing, shadow systems, and audit risk.
❯❯❯❯
Evidence Collection EfficiencyEvidence is captured continuously—not chased after deadlines.
This metric captures how well audit and assurance signals are built into delivery rhythms. It means fewer screenshots, less panic, and better data trails. Teams don’t stop the work to prove it happened—proof is part of the system.
❯❯❯❯
Framework-to-Flow AlignmentGovernance isn’t bolted on—it moves in sync with delivery.
This measures how well your frameworks (SOC 2, ISO 27001, HIPAA, etc.) are reflected in real team practices—backlogs, sprints, reviews, and rituals. The closer the alignment, the less friction between “what’s required” and “how we work.” Good alignment removes resistance.
❯❯❯❯
Sustainability of ExecutionThe system works—without needing heroes to hold it together.
This measures how long governance structures remain effective without manual patchwork or burnout. High sustainability means recurring rituals, embedded ownership, and clear accountability. It’s not just designed—it’s maintained.
Let’s Build the System You Actually Need
From strategic design to operational flow, I help organizations turn compliance into something real, usable, and worth trusting.