[{"data":1,"prerenderedAt":465},["ShallowReactive",2],{"/en-us/the-source/authors/ayoub-fandi/":3,"footer-en-us":29,"the-source-banner-en-us":336,"the-source-navigation-en-us":348,"the-source-newsletter-en-us":376,"ayoub-fandi-articles-list-authors-en-us":387,"ayoub-fandi-articles-list-en-us":418,"ayoub-fandi-page-categories-en-us":464},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":12,"type":21,"slug":22,"_id":23,"_type":24,"title":11,"_source":25,"_file":26,"_stem":27,"_extension":28},"/en-us/the-source/authors/ayoub-fandi","authors",false,"",{"layout":9},"the-source",{"title":11},"Ayoub Fandi",[13,19],{"componentName":14,"type":14,"componentContent":15},"TheSourceAuthorHero",{"name":11,"headshot":16},{"altText":11,"config":17},{"src":18},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463329/wyp554loeyoibx3ozren.jpg",{"componentName":20,"type":20},"TheSourceArticlesList","author","ayoub-fandi","content:en-us:the-source:authors:ayoub-fandi.yml","yaml","content","en-us/the-source/authors/ayoub-fandi.yml","en-us/the-source/authors/ayoub-fandi","yml",{"_path":30,"_dir":31,"_draft":6,"_partial":6,"_locale":7,"data":32,"_id":332,"_type":24,"title":333,"_source":25,"_file":334,"_stem":335,"_extension":28},"/shared/en-us/main-footer","en-us",{"text":33,"source":34,"edit":40,"contribute":45,"config":50,"items":55,"minimal":324},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":35,"config":36},"View page source",{"href":37,"dataGaName":38,"dataGaLocation":39},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":41,"config":42},"Edit this page",{"href":43,"dataGaName":44,"dataGaLocation":39},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":46,"config":47},"Please 
contribute",{"href":48,"dataGaName":49,"dataGaLocation":39},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":51,"facebook":52,"youtube":53,"linkedin":54},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[56,83,155,223,285],{"title":57,"links":58,"subMenu":64},"Platform",[59],{"text":60,"config":61},"DevSecOps platform",{"href":62,"dataGaName":63,"dataGaLocation":39},"/platform/","devsecops platform",[65],{"title":66,"links":67},"Pricing",[68,73,78],{"text":69,"config":70},"View plans",{"href":71,"dataGaName":72,"dataGaLocation":39},"/pricing/","view plans",{"text":74,"config":75},"Why Premium?",{"href":76,"dataGaName":77,"dataGaLocation":39},"/pricing/premium/","why premium",{"text":79,"config":80},"Why Ultimate?",{"href":81,"dataGaName":82,"dataGaLocation":39},"/pricing/ultimate/","why ultimate",{"title":84,"links":85},"Solutions",[86,91,95,100,105,110,115,120,125,130,135,140,145,150],{"text":87,"config":88},"Digital transformation",{"href":89,"dataGaName":90,"dataGaLocation":39},"/topics/digital-transformation/","digital transformation",{"text":92,"config":93},"Application Security Testing",{"href":94,"dataGaName":92,"dataGaLocation":39},"/solutions/application-security-testing/",{"text":96,"config":97},"Automated software delivery",{"href":98,"dataGaName":99,"dataGaLocation":39},"/solutions/delivery-automation/","automated software delivery",{"text":101,"config":102},"Agile development",{"href":103,"dataGaName":104,"dataGaLocation":39},"/solutions/agile-delivery/","agile delivery",{"text":106,"config":107},"Cloud transformation",{"href":108,"dataGaName":109,"dataGaLocation":39},"/topics/cloud-native/","cloud transformation",{"text":111,"config":112},"SCM",{"href":113,"dataGaName":114,"dataGaLocation":39},"/solutions/source-code-management/","source code 
management",{"text":116,"config":117},"CI/CD",{"href":118,"dataGaName":119,"dataGaLocation":39},"/solutions/continuous-integration/","continuous integration & delivery",{"text":121,"config":122},"Value stream management",{"href":123,"dataGaName":124,"dataGaLocation":39},"/solutions/value-stream-management/","value stream management",{"text":126,"config":127},"GitOps",{"href":128,"dataGaName":129,"dataGaLocation":39},"/solutions/gitops/","gitops",{"text":131,"config":132},"Enterprise",{"href":133,"dataGaName":134,"dataGaLocation":39},"/enterprise/","enterprise",{"text":136,"config":137},"Small business",{"href":138,"dataGaName":139,"dataGaLocation":39},"/small-business/","small business",{"text":141,"config":142},"Public sector",{"href":143,"dataGaName":144,"dataGaLocation":39},"/solutions/public-sector/","public sector",{"text":146,"config":147},"Education",{"href":148,"dataGaName":149,"dataGaLocation":39},"/solutions/education/","education",{"text":151,"config":152},"Financial services",{"href":153,"dataGaName":154,"dataGaLocation":39},"/solutions/finance/","financial services",{"title":156,"links":157},"Resources",[158,163,168,173,178,183,188,193,198,203,208,213,218],{"text":159,"config":160},"Install",{"href":161,"dataGaName":162,"dataGaLocation":39},"/install/","install",{"text":164,"config":165},"Quick start guides",{"href":166,"dataGaName":167,"dataGaLocation":39},"/get-started/","quick setup checklists",{"text":169,"config":170},"Learn",{"href":171,"dataGaName":172,"dataGaLocation":39},"https://university.gitlab.com/","learn",{"text":174,"config":175},"Product documentation",{"href":176,"dataGaName":177,"dataGaLocation":39},"https://docs.gitlab.com/","docs",{"text":179,"config":180},"Blog",{"href":181,"dataGaName":182,"dataGaLocation":39},"/blog/","blog",{"text":184,"config":185},"Customer success stories",{"href":186,"dataGaName":187,"dataGaLocation":39},"/customers/","customer success 
stories",{"text":189,"config":190},"Remote",{"href":191,"dataGaName":192,"dataGaLocation":39},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":194,"config":195},"GitLab Services",{"href":196,"dataGaName":197,"dataGaLocation":39},"/services/","services",{"text":199,"config":200},"TeamOps",{"href":201,"dataGaName":202,"dataGaLocation":39},"/teamops/","teamops",{"text":204,"config":205},"Community",{"href":206,"dataGaName":207,"dataGaLocation":39},"/community/","community",{"text":209,"config":210},"Forum",{"href":211,"dataGaName":212,"dataGaLocation":39},"https://forum.gitlab.com/","forum",{"text":214,"config":215},"Events",{"href":216,"dataGaName":217,"dataGaLocation":39},"/events/","events",{"text":219,"config":220},"Partners",{"href":221,"dataGaName":222,"dataGaLocation":39},"/partners/","partners",{"title":224,"links":225},"Company",[226,231,236,241,246,251,256,260,265,270,275,280],{"text":227,"config":228},"About",{"href":229,"dataGaName":230,"dataGaLocation":39},"/company/","company",{"text":232,"config":233},"Jobs",{"href":234,"dataGaName":235,"dataGaLocation":39},"/jobs/","jobs",{"text":237,"config":238},"Leadership",{"href":239,"dataGaName":240,"dataGaLocation":39},"/company/team/e-group/","leadership",{"text":242,"config":243},"Team",{"href":244,"dataGaName":245,"dataGaLocation":39},"/company/team/","team",{"text":247,"config":248},"Handbook",{"href":249,"dataGaName":250,"dataGaLocation":39},"https://handbook.gitlab.com/","handbook",{"text":252,"config":253},"Investor relations",{"href":254,"dataGaName":255,"dataGaLocation":39},"https://ir.gitlab.com/","investor relations",{"text":257,"config":258},"Sustainability",{"href":259,"dataGaName":257,"dataGaLocation":39},"/sustainability/",{"text":261,"config":262},"Diversity, inclusion and belonging (DIB)",{"href":263,"dataGaName":264,"dataGaLocation":39},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":266,"config":267},"Trust 
Center",{"href":268,"dataGaName":269,"dataGaLocation":39},"/security/","trust center",{"text":271,"config":272},"Newsletter",{"href":273,"dataGaName":274,"dataGaLocation":39},"/company/contact/","newsletter",{"text":276,"config":277},"Press",{"href":278,"dataGaName":279,"dataGaLocation":39},"/press/","press",{"text":281,"config":282},"Modern Slavery Transparency Statement",{"href":283,"dataGaName":284,"dataGaLocation":39},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":286,"links":287},"Contact Us",[288,293,298,303,308,313,318],{"text":289,"config":290},"Contact an expert",{"href":291,"dataGaName":292,"dataGaLocation":39},"/sales/","sales",{"text":294,"config":295},"Get help",{"href":296,"dataGaName":297,"dataGaLocation":39},"/support/","get help",{"text":299,"config":300},"Customer portal",{"href":301,"dataGaName":302,"dataGaLocation":39},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":304,"config":305},"Status",{"href":306,"dataGaName":307,"dataGaLocation":39},"https://status.gitlab.com/","status",{"text":309,"config":310},"Terms of use",{"href":311,"dataGaName":312,"dataGaLocation":39},"/terms/","terms of use",{"text":314,"config":315},"Privacy statement",{"href":316,"dataGaName":317,"dataGaLocation":39},"/privacy/","privacy statement",{"text":319,"config":320},"Cookie preferences",{"dataGaName":321,"dataGaLocation":39,"id":322,"isOneTrustButton":323},"cookie preferences","ot-sdk-btn",true,{"items":325},[326,328,330],{"text":309,"config":327},{"href":311,"dataGaName":312,"dataGaLocation":39},{"text":314,"config":329},{"href":316,"dataGaName":317,"dataGaLocation":39},{"text":319,"config":331},{"dataGaName":321,"dataGaLocation":39,"id":322,"isOneTrustButton":323},"content:shared:en-us:main-footer.yml","Main 
Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":337,"_dir":338,"_draft":6,"_partial":6,"_locale":7,"visibility":323,"id":339,"title":340,"button":341,"_id":345,"_type":24,"_source":25,"_file":346,"_stem":347,"_extension":28},"/shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18","banner","The Economics of Software Innovation","The Economics of Software Innovation—AI’s $750 Billion Opportunity",{"config":342,"text":344},{"href":343},"https://about.gitlab.com/software-innovation-report/","Get the research report","content:shared:en-us:the-source:banner:the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18",{"_path":349,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":350,"subscribeLink":355,"navItems":359,"_id":372,"_type":24,"title":373,"_source":25,"_file":374,"_stem":375,"_extension":28},"/shared/en-us/the-source/navigation",{"altText":351,"config":352},"the source logo",{"src":353,"href":354},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":356,"config":357},"Subscribe",{"href":358},"#subscribe",[360,364,368],{"text":361,"config":362},"Artificial Intelligence",{"href":363},"/the-source/ai/",{"text":365,"config":366},"Security & Compliance",{"href":367},"/the-source/security/",{"text":369,"config":370},"Platform & Infrastructure",{"href":371},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":377,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":378,"description":379,"submitMessage":380,"formData":381,"_id":384,"_type":24,"_source":25,"_file":385,"_stem":386,"_extension":28},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with 
insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":382},{"formId":383,"formName":274,"hideRequiredLabel":323},1077,"content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"amanda-rueda":388,"andre-michael-braun":389,"andrew-haschka":390,"ayoub-fandi":11,"bob-stevens":391,"brian-wald":392,"bryan-ross":393,"chandler-gibbons":394,"dave-steer":395,"ddesanto":396,"derek-debellis":397,"emilio-salvador":398,"erika-feldman":399,"george-kichukov":400,"gitlab":401,"grant-hickman":402,"haim-snir":403,"iganbaruch":404,"jlongo":405,"joel-krooswyk":406,"josh-lemos":407,"julie-griffin":408,"kristina-weis":409,"lee-faus":410,"ncregan":411,"rschulman":412,"sabrina-farmer":413,"sandra-gittlen":414,"sharon-gaudin":415,"stephen-walters":416,"taylor-mccaslin":417},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor 
McCaslin",{"allArticles":419,"visibleArticles":463,"showAllBtn":323},[420],{"_path":421,"_dir":422,"_draft":6,"_partial":6,"_locale":7,"config":423,"seo":427,"content":431,"type":458,"slug":459,"category":422,"_id":460,"_type":24,"title":428,"_source":25,"_file":461,"_stem":462,"_extension":28,"date":432,"description":429,"timeToRead":433,"heroImage":430,"keyTakeaways":434,"articleBody":438,"faq":439},"/en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc","security",{"layout":9,"template":424,"articleType":425,"author":22,"featured":323,"gatedAsset":426,"isHighlighted":6,"authorName":11},"TheSourceArticle","Regular","source-lp-devsecops-the-key-to-modern-security-resilience",{"title":428,"description":429,"ogImage":430},"Compliance at the speed of AI: Reimagining GRC","Is your governance, risk, and compliance strategy keeping pace with AI-accelerated development? Learn how to prepare for secure software delivery at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463857/sb6to0pyohg2ubpxf3ex.png",{"title":428,"date":432,"description":429,"timeToRead":433,"heroImage":430,"keyTakeaways":434,"articleBody":438,"faq":439},"2025-05-14","6 min read",[435,436,437],"Traditional GRC approaches fail in modern development environments because they operate on quarterly/annual cycles while DevSecOps teams deploy code multiple times daily, creating a fundamental timing mismatch and compliance that exists only on paper.","Successful GRC modernization requires shifting from a project to a product mindset, building continuous compliance into development pipelines, and automating evidence collection as a byproduct of normal development activities.","Organizations must create unified information flows between security functions, replace manual processes with API-driven automation, and redefine metrics to focus on risk reduction rather than compliance artifacts.","The software release calendar has been replaced by a continuous flow of updates 
and innovations. Yet many organizations still approach compliance like it's 2010.\n\nThe adoption of DevOps practices fundamentally changed the game, compressing release cycles from months to days or even hours. Organizations that once celebrated quarterly releases now deploy to production dozens or hundreds of times daily. This acceleration has delivered enormous business value - faster time to market, quicker feedback loops, and increased competitive advantage.\n\nNow add AI-powered development tools to the mix. Large language models, AI coding assistants, and [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) have become sophisticated enough to generate substantial amounts of functional code with minimal human input.\n\nHowever, this creates a significant challenge for governance, risk, and compliance (GRC) teams, who are often still using approaches designed for a world where releases occur quarterly, rather than hourly. Traditional GRC approaches simply weren't designed for this velocity and scale - it’s like trying to monitor and track every car on every highway in the world with a pen and paper.\n\n## Why traditional GRC falls short\nThe fundamental mismatch between modern development and traditional GRC starts with timing. While DevSecOps teams operate continuously, traditional GRC functions typically operate on quarterly or annual cycles. Annual penetration tests, quarterly compliance control testing, and monthly risk assessments simply can't keep pace with environments that change hourly. By the time a traditional security assessment is complete, the system being evaluated may have undergone dozens of changes.\n\nThe gap between automated infrastructure and manual compliance processes compounds this timing mismatch. Cloud-native applications automatically scale resources up and down in response to demand. 
Infrastructure-as-code templates can spin up and tear down entire environments with a single command. Meanwhile, compliance verification still relies heavily on manual evidence collection and human review. GRC teams can spend days taking screenshots of configurations that were automatically changed minutes after they documented them.\n\nThe result is security compliance that exists largely on paper but bears little resemblance to operational reality. When your integrated DevSecOps platform supports hundreds of deployments daily, yet your GRC team still manually collects screenshots every quarter for audit purposes, you have a fundamental disconnect. Risk registers become outdated almost immediately. Compliance certifications verify controls that may no longer exist in the form originally documented. And security policies address threats to systems that have since been redesigned or replaced entirely.\n\n## Transforming GRC for modern DevSecOps\nI’ve seen this tension unfold in countless organizations. Here are a few steps you can take now to help GRC keep up:\n\n### Think about GRC as a product, not a project\nThe first step in transforming GRC for modern DevSecOps environments requires a fundamental shift in thinking. Traditional GRC operates as a project - a recurring set of activities with a defined beginning and end. Modern GRC needs to function as a product - a continuously evolving set of capabilities that deliver ongoing value.\n\nThis product mindset transforms how we approach compliance and security. Instead of preparing for an annual SOC 2 audit by scrambling to collect evidence in the weeks before the auditor arrives, think about building continuous compliance directly into your development pipeline. Instead of quarterly risk management assessments, aim for real-time visibility. 
And look for ways to embed governance in daily operations, with version-controlled policies managed like code using Markdown.\n\nWithin [a unified DevSecOps platform](https://about.gitlab.com/platform/), this product-based approach happens naturally. Security scans become part of the merge request process. Compliance requirements transform into pipeline rules that run with every commit. And audit evidence is automatically collected as a byproduct of normal development activities. The result? The focus shifts from \"passing the audit\" to \"[building securely by default](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/).\"\n\n### Create unified, automated information flows\nYou’ll also need to rethink both the architecture of your GRC program and the engineering approach behind it. Begin by establishing unified information flows among security, risk, and compliance functions. A vulnerability found in a security scan should automatically update your risk register and compliance status without manual intervention. This unified data model ensures everyone works from a single source of truth, breaking down silos between security and development teams.\n\nThe next step is to replace manual evidence collection with API-driven automation. Instead of taking screenshots of access control settings, implement API calls that query your identity provider and generate access reports automatically. Rather than manually reviewing infrastructure settings, pull configuration data directly from your cloud providers. Every security setting that requires verification should be accessible programmatically. Treat the collectors themselves as part of the control surface: give them read-only, least-privilege credentials, and record the provenance of each piece of evidence (source system, timestamp, pipeline or commit identifier) so auditors can rely on it.\n\nPerhaps most importantly, leverage the same pipeline-based approach for security that you use for code validation. 
[Integrated CI/CD pipelines](https://about.gitlab.com/blog/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) allow you to define security and compliance requirements as code, running automated validation with every change. This infrastructure-as-code approach ensures that security controls are implemented consistently and verified continuously, eliminating the gap between documented controls and operational reality.\n\n### Connect GRC to business value\nThe practical implementation of these changes doesn't happen overnight, but organizations can follow a clear path to transform their GRC approach.\n\nFirst, bridge the cultural and language gap between GRC and engineering teams. Security professionals need to understand how developers work, while engineers need to appreciate security requirements. This mutual understanding creates the foundation for effective collaboration. Create joint working sessions where compliance teams learn basic Git workflows while developers understand compliance requirements in concrete terms.\n\nNext, redefine success metrics to focus on risk reduction rather than compliance artifacts. Instead of tracking the number of policies documented or controls tested, measure actual security outcomes: vulnerability remediation times, security issues found in production versus development, and the number of compliance exceptions. These outcome-based metrics drive real improvements in security posture.\n\nThis transforms GRC from a necessary evil to a business enabler. When [security and compliance are built into development workflows](https://about.gitlab.com/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/), they stop being roadblocks and become competitive advantages. Organizations with integrated security can ship faster and with greater confidence than those with traditional bolted-on approaches.\n\nThis transformation becomes even more powerful within a unified platform. 
End-to-end visibility across the entire software development lifecycle creates unmatched transparency into security status. The same controls that verify code quality can enforce security requirements, creating a seamless experience for developers while maintaining strong governance for security teams.\n\n## Security as an enabler, not a bottleneck\nAs AI-accelerated development transforms software development, GRC must evolve from a checkpoint process to an integral part of the development workflow. Organizations can maintain strong governance without sacrificing speed by adopting a product mindset, reimagining GRC architecture, and implementing engineering solutions that match the pace of modern development. The future of GRC isn't about slowing down development - it's about building security and compliance into every step of the process, enabling teams to move faster with greater confidence.",[440,443,446,449,452,455],{"header":441,"content":442},"Why do traditional GRC models struggle in modern software environments?","Traditional GRC models operate on quarterly or annual cycles, but DevSecOps teams now deploy code multiple times a day. This timing mismatch means compliance efforts often lag behind actual development changes, making them ineffective in dynamic environments.",{"header":444,"content":445},"What does it mean to treat GRC as a product instead of a project?","Viewing GRC as a product means continuously evolving and embedding compliance into daily workflows, rather than treating it as a periodic event. It’s about creating always-on capabilities like automated evidence collection and policy enforcement through code.",{"header":447,"content":448},"How can automation improve governance and compliance?","Automation reduces the reliance on manual reviews and paperwork by using API calls and pipeline integrations to validate security settings and collect audit data. 
This makes compliance scalable, real-time, and aligned with the pace of software delivery.",{"header":450,"content":451},"What tools or strategies support continuous compliance?","Unified DevSecOps platforms with integrated CI/CD pipelines support continuous compliance. They allow you to define security policies as code, apply them automatically with every change, and log evidence of compliance as part of normal workflows.",{"header":453,"content":454},"How should success be measured in modern GRC programs?","Instead of counting controls or documented policies, success should be measured through real-world outcomes like faster vulnerability remediation, fewer security exceptions, and better security hygiene from development to production.",{"header":456,"content":457},"How can AI development practices coexist with compliance requirements?","By embedding guardrails and governance into the software pipeline, AI-powered development can align with compliance needs. Structured policies, automated validation, and continuous monitoring ensure security isn’t compromised while enabling fast iteration.","article","compliance-at-the-speed-of-ai-reimagining-grc","content:en-us:the-source:security:compliance-at-the-speed-of-ai-reimagining-grc:index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index",[420],{"ai":361,"platform":369,"security":365},1758292839290]