GRC Engineering

// for GRC engineers, by GRC engineers

Manage GRC  
Like Infrastructure

GRC engineers deserve an engineering tech stack.
All versioned, all reviewable, all deployable through your git repo and actions.

When was the last time you used your AWS console to create a resource?

hands on manual

see it in action

Full Lifecycle: Definition to Enforcement

// from terraform to infrastructure policies

1.

Define in Terraform

Framework, controls, and evidence mappings as code

frameworks.tf

controls.tf

requirements.tf

risks.tf

2.

GRC Operations

Custom rules detect gaps and warnings in evidence

gap detection

warnings

custom queries

AQL filters

3.

Asset-Level Enforcement

GRC Agent generates infrastructure enforcement TF

AWS SCPs

Azure Policy

GCP Org Policies

K8s Policies

Manage your GRC program through code

// infrastructure patterns for GRC programs

Anecdotes Terraform Provider

// your GRC program, defined in HCL

Define and declare your GRC program as Terraform configurations. Frameworks, controls, requirements, policies, risks. All versioned, all reviewable, all deployable through your git repo and actions.

framework_soc2_bu1.tf
resource "anecdotes_framework" "soc2_2024" {
  name        = "SOC 2 Type II - 2024"
  description = "Annual SOC 2 Type II audit"

  audit_start_date = "2024-01-01"
  audit_end_date   = "2024-12-31"

  settings {
    auto_control_status = true
    evidence_visibility = "audit_period"
  }

  tags = ["production", "customer-facing"]
}

resource "anecdotes_control" "access_mgmt" {
  framework_id = anecdotes_framework.soc2_2024.id
  category     = "Access Management"
  name         = "CC6.1 - Logical Access"
  owner_email  = "security-team@company.com"
}
requirements.tf
resource "anecdotes_requirement" "siem_monitoring" {
  name        = "SIEM Monitoring Active"
  description = "Maintain active SIEM monitoring with defined alert thresholds for security events"

  category = "Security Operations"
  owners   = ["soc-team@acme.com"]
}

Change Management Through CI/CD

// pull requests, not tickets

Treat compliance changes like infrastructure changes. Branch, commit, review, merge, deploy. Your existing CI/CD tooling (GitHub Actions, GitLab CI, Jenkins) becomes your GRC deployment engine.

feature/add-hipaa

Code Review

merge to main

terraform actions

Anecdotes

GRC Stakeholders

.github/workflows/anecdotes_grc.yml

name: grc program
on:
  pull_request:
    paths: ['main']
  push:
    branches: [main]
    paths: ['main']

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init && terraform plan -out=tfplan
        working-directory: grc/
        env:
          ANECDOTES_API_TOKEN: ${{{ secrets.ANECDOTES_API_TOKEN }}}
      - name: Comment Plan on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        # Posts terraform plan output to PR for review

  apply:
    needs: plan
    if: github.ref == 'refs/heads/main'
    environment: production
    steps:
      - run: terraform apply -auto-approve tfplan

Branch Protection

Require reviews before merge

Plan Output

See changes before applying

Audit Trail

Git history = change log

Rollback

git revert = compliance revert

Env Promotion

staging → production

Build and Operate on Anecdotes

// use data and ai

custom_evidence_pipeline.py

# Push evidence from internal applications to Anecdotes
import requests

API = "https://gateway.anecdotes.ai"
TOKEN = os.environ["ANECDOTES_API_TOKEN"]

# Create custom evidence collection (one-time)
requests.post(f"{API}/evidence/v1/evidence/create",
    headers={"Authorization": f"Bearer {TOKEN}"},
    data={
        "service_id": "internal-access-mgr",
        "evidence_name": "Privileged Access Report",
        "evidence_help": "Weekly privileged user export"
    })

# Push data on schedule (cron/Airflow/etc)
def sync_privileged_access():
    data = internal_api.get_privileged_users()
    requests.post(f"{API}/evidence/v1/evidence/{id}/upload",
        headers={"Authorization": f"Bearer {TOKEN}"},
        json={"data": data})

Explore Data Studio

Explore agent Studio

claude_desktop_config.json

# Custom role for framework-specific access
resource "anecdotes_custom_role" "soc2_contrib" {
  name = "SOC2 Contributor"

  pages_access {
    my_anecdotes = true
    risks        = "edit"
    policies     = true
  }

  frameworks_access {
    type          = "limited"
    framework_ids = [anecdotes_framework.soc2.id]
  }
}

# SCIM group mapping
resource "anecdotes_scim_mapping" "security" {
  idp_group      = "security-engineers"
  anecdotes_role = anecdotes_custom_role.soc2_contrib.key
}

new grc event:

plugin.connectivity_failed

webhook_payload.json

{
  "event": "evidence.gap_detected",
  "timestamp": "2024-11-25T14:32:00Z",
  "data": {
    "evidence_id": "okta_users_12345",
    "evidence_name": "Okta - List of Users",
    "gap_count": 3,
    "rule_name": "MFA Not Configured",
    "framework": "SOC 2 Type II - 2024",
    "control": "CC6.1 - Logical Access",
    "evidence_url": "https://app.anecdotes.ai/evidence/okta_users_12345"
  }
}

Start Engineering Your GRC

// Four steps to set up GRC-as-code

1.

Get API Access

# Admin → Access Manager → API Tokensexport
ANECDOTES_API_TOKEN="your-token"

2.

Initialize Terraform

terraform {
  required_providers {
    anecdotes = { source = "anecdotes-ai/anecdotes" }
  }
}
provider "anecdotes" { api_token = var.token }

3.

Configure Your First Resource

# Create your first framework or policy as code

4.

Set Up CI/CD

gh secret set ANECDOTES_API_TOKEN # Create
.github/workflows/compliance.yml

Engineer Your GRC Program

Get a Demo

The Case for Vertical AI in GRC: Beyond Generic Chatbots

// for GRC engineers, by GRC engineers

Manage GRC  
Like Infrastructure

When was the last time you used your AWS console to create a resource?

Full Lifecycle: Definition to Enforcement