Anecdotes Recommends: 15 GRC Thought Leaders You Must Follow
The GRC space is loud right now. Everyone has a take on agentic AI, FedRAMP 20x, and what compliance looks like in 2026. Most of it is noise. So we put together a list of 15 GRC thought leaders whose work and voice are shaping the field.
These 15 experts are the practitioners, engineers, and strategists who are actually reshaping how GRC programs get built and run. They will provide you with practical, real-world insights to improve risk visibility and stay continuously compliant.
Ayoub Fandi
"The future of GRC for me will look like surfacing existing data from source systems and being that security orchestrator in an Agentic-first GRC world."
You can’t begin any list of GRC influencers without mentioning the GRC Engineer, Ayoub Fandi. Ayoub is the GRC Engineering Lead at GitLab. He also owns one of the most successful and insightful GRC newsletters in the industry, covering almost every possible topic you can think of in depth. A few essential reads include Compliance-as-Cope: How GRC Engineering Automated the Wrong Thing, Building the GRC Engineering Trust Infrastructure: Introducing Corsair, What Engineers Know That GRC Professionals Don't, and the State of GRC 2026 Report.
Michael Rasmussen
Michael Rasmussen is a pioneer in the GRC field. He coined the term “GRC” over 23 years ago while at Forrester Research and has played a key role in shaping how organizations approach governance, risk, and compliance across strategy, processes, and technology.
Michael is the founder of GRC Report, which provides expert analysis and coverage of industry trends. He also hosts several podcasts, including the Risk Is Our Business podcast and the Hitchhiker’s Guide to the GRC Technology Galaxy podcast. Bookmark his podcasts and subscribe to his newsletter to stay current on regulatory shifts.
Pierre-Paul Ferland
Pierre-Paul Ferland is the GRC Senior Manager at Coveo, where he leads compliance and privacy initiatives in cloud-native, DevOps, and AI environments. His LinkedIn page is a go-to source of practitioner knowledge, where he regularly shares practical perspectives through short video clips. And if you appreciate a touch of humor mixed with puns, we’re sure you’ll appreciate his Cybersecurity Jokes.
Follow Pierre-Paul on LinkedIn
AJ Yawn
AJ Yawn is the Executive Chairman and Founder of the GRC Engineering Club, which is a powerful community that equips GRC professionals with essential resources, from foundational training and salary insights to an academy offering multiple Certified GRC Engineer levels.
He is also the author of two books: GRC Engineering for AWS and The Omega Project. AJ currently serves as GRC Engineering Lead at NR Labs.
Maril Vernon
“The future of GRC is not better audits, it’s better truth. If you can’t trace where your control evidence comes from, you don’t have assurance, you have theater.”
Maril Vernon is a former red teamer and cloud/AI SME who now works at the intersection of security and GRC Engineering. She’s particularly strong at helping teams move from proving compliance to proving security operationally. Maril has been honored as Cybersecurity Woman of the Year and is both a CSO contributing author and a CIS Benchmark author.
Jake Bernardes
“The future of GRC comes down to two key things: AI and data. Tier-1 GRC tasks will be automated through agents, shifting practitioners toward orchestrating systems and managing complex risk. But this only works if the underlying data is accurate, complete, and traceable. Without trusted data, even the most advanced automation breaks down under ‘garbage in, garbage out’ limitations. Platforms powered by real data, with clear evidence of completeness, accuracy, and traceability, are the only ones that can earn auditor trust and enable meaningful transformation.”
Jake Bernardes isn’t afraid to share his perspective on any GRC topic. He is one of the most well-respected and outspoken voices in the industry. Jake serves as CISO at Anecdotes, where he leads the company’s GRC program and had an instrumental role in achieving FedRAMP 20x Low authorization, a significant milestone for the GRC community.
Jake has done so many podcasts and interviews that it's hard to list them all, but here are a select few: Agentic GRC, SOC 2, and Why Data Beats Compliance from The TPRM Podcast and The Softer (and Sometimes Spicier) Side of GRC from GRC Uncensored.
Troy Fine
Troy Fine is one of the most recognized voices in the GRC space. He is the Co-Founder of Fine Assurance and Co-Host of the GRC Uncensored podcast, where he shares candid perspectives on industry trends and challenges. A few episodes we highly recommend include Will FedRAMP 20x Repeat SOC 2’s Mistakes?, The Unfiltered Truth About CPAs and Audits, and Watching the Watchers: Oversight Over Auditors and Peer Reviews. Check out Troy's AMA about the current state of GRC here.
Adrienne Allen
Adrienne Allen is the Head of Security GRC at Anthropic. She shares her insights in the on-demand webinar Beyond the Compliance Checklist, where she joins a panel of GRC experts on how to set strategic goals and build a successful GRC program. Her session at FAIRCon25, “From Checkbox to Chess Move: Building a Risk-Driven GRC Program,” emphasized the shift from audit-driven approaches to threat-driven security models to improve controls and the importance of continuous monitoring.
Adrienne previously led the GRC program at Coinbase, where she oversaw a 40-person team across four continents.
Gerald Auger
Gerald Auger is one of the most active thought leaders in the GRC social media community. He is the Chief Content Creator of Simply Cyber, where he has grown a YouTube channel to over 270k subscribers. Gerald goes live on LinkedIn daily, where he talks about the latest breaches and trends buzzing in the news. He also teaches a GRC Analyst Masterclass and has authored the Cybersecurity Career Master Plan. If you're looking to sharpen or advance your GRC skills, Gerald has the right content to get you there.
Marius Poskus
Marius Poskus is the Global Vice President of Cybersecurity and CISO at Glow Financial Services. His LinkedIn is worth following for the content, but stay for the socks. Marius has made his colorful sock game a genuine LinkedIn tradition, and it works because the personality behind it is real. Practical insights, zero pretension, and always a good pair of socks.
Aron Lange
If you're looking to build a continuously compliant ISO 27001 program, Aron Lange can help simplify the process and accelerate your GRC career. Aron is the Founder of GRC Lab, where he provides courses and bootcamps to get you to "Be the GRC Practitioner AI Can't Replace." Check out his slideshows, including a 12-step framework on how to implement ISO/IEC 27001 and 16 Must-Have Documents for ISO-27001. We highly recommend them.
Andrey Prozorov
“GRC does not start with the ‘C’ (Compliance). True GRC begins with Governance, is driven by Risk, and only then supported by Compliance - not the other way around.”
Andrey Prozorov is an EU GRC Strategist and Evangelist. Andrey specializes in translating NIS2, DORA, and GDPR into practical control frameworks and creates ISMS and privacy toolkits. The featured section of his LinkedIn page is loaded with EU GRC content worth bookmarking, including the “DORA Pro Handbook,” “Key NIST Publications for GRC Professionals,” and “The GRX Handbook. Volume 2: Standards & Frameworks.”
If you're searching for updates to the latest EU regulations, Andrey most likely has the answers.
Christophe Foulon
Christophe Foulon is the host of the Breaking Into Cybersecurity podcast and was recently featured in ISC2's 2026 top cybersecurity voices list. Christophe brings over 15 years of experience across heavily regulated industries, designing compliance frameworks that embed into the engineering pipeline and building security programs that help companies scale. Christophe is the Principal vCISO and AI Governance Lead at Quisitive and Executive Cybersecurity Advisor of CPF Coaching.
Carlos Guerrero
“The future of GRC belongs to those who can bridge technical fluency with business acumen, those who know that trust isn't just about a clean audit, it's built and earned by your everyday practices.”
Carlos Guerrero is the Senior Compliance Executive at 360 Advanced, where he leads GTM strategy across the Chicago market. He helps organizations implement frameworks, including SOC 2, ISO 27001, HITRUST, FedRAMP, and CMMC, and he brings a rare combination of technical fluency and business pragmatism to every engagement. If you've been to a major security conference, you know Carlos by his signature cowboy hat. Hard to miss, and even harder to leave without a useful conversation.
Alessandra De Lisio
Alessandra De Lisio is the Head of Governance and Strategy at Lloyd's. She will also serve as a judge for the upcoming 2026 Women in GRC Awards in London on July 2nd. A sought-after corporate governance speaker, Alessandra has shared her insights at Compliance Summit Europe, where she participated in a panel discussion titled “The Risk You Didn’t See Coming: Financial Crime Compliance in Corporates.”
The leaders on this list are pushing GRC toward a future where evidence is continuous, controls are live, and compliance teams spend their time on decisions, not data collection. That's exactly what we're building at Anecdotes.
Anecdotes: Building the Future of Agentic GRC
Traditional GRC stops at detection. A gap is flagged, and the waiting begins. Days pass, sometimes weeks, while the risks don’t.
That’s why the future of GRC is Agentic GRC.
Data is continuously collected and analyzed in real time, ensuring your controls, evidence, and GRC program are always aligned with what’s actually happening, not what was true months ago.
Learn how Anecdotes can run your GRC program with continuous monitoring, on data your auditors trust.