The Origin of GRC Engineering
When I first started talking about GRC Engineering, it wasn’t about launching a new movement or trying to coin a phrase. It was about naming a truth that so many of us in security and compliance had been living for years.
Traditional compliance is broken.
It’s slow, reactive, and disconnected from the systems it’s meant to protect. Engineers see compliance as a burden. Auditors see engineering as a black box. And somewhere in the middle, organizations lose sight of what compliance was supposed to prove: that they are truly secure.
I’ve sat in hundreds of audit meetings where the room was filled with tension. Engineers explaining why their architecture was safe, auditors asking for screenshots, security teams trying to bridge the gap with spreadsheets. Everyone is working hard, but none of it feels connected. That’s where GRC Engineering came from, the idea that compliance should be designed, built, and verified the same way we build our systems. If infrastructure can be code, then compliance can be too.
Today that idea becomes real with Evidence Studio.
The Problem with Traditional Compliance
Most companies are still managing compliance manually, even as their environments evolve daily. Controls are tested once or twice a year, long after the data has changed. Evidence is collected through screenshots and CSV exports. Context is lost in translation. Compliance teams spend more time gathering artifacts than actually understanding their environment.
This model doesn’t scale. It doesn’t adapt. And it certainly doesn’t inspire confidence.
Compliance that can’t see or prove what’s happening in real time isn’t really compliance: it’s documentation.
That’s the problem GRC Engineering set out to solve.
From Idea to Implementation
Before Compyl became the platform it is today, it started with a simple but powerful idea from the Founder and CEO, Stas. He saw the same problem I did from a different angle. He built the early version of Compyl not as a checklist or dashboard, but as a way to automate the hard parts of compliance that engineers hated such as pulling data from multiple systems, validating it, and organizing it for auditors.
He wanted to build a system that could run compliance like code. The first version was raw but powerful. It collected data automatically, logged results, and created traceable evidence without the need for screenshots or endless spreadsheets.
That was the spark.
What Stas built became the foundation of Compyl. The core of the platform was never about forms, frameworks, or questionnaires. It was about truth.
Automation, visibility, and proof. These were the three principles that defined Compyl long before I joined, and they are the same three principles that define GRC Engineering. That alignment was instant. When we started talking, it was clear this wasn’t just another GRC platform.
This was the one place where GRC Engineering could actually live.
The First Expression: Automating User Access Reviews
The first real expression of Compyl’s vision came through the User Access Review engine, powered by what we called the Query Builder. Anyone who’s been through an audit knows how painful UARs are. They’re required by every major framework, SOC 2, ISO 27001, NIST, PCI DSS, yet they’re still done manually in most organizations.
Teams export CSVs from each system, compare them by hand, chase approvals through tickets or email, and then compile screenshots to prove it happened. It’s tedious, error-prone, and disconnected from the broader compliance process.
The Query Builder changed that. It automated the entire workflow. You could connect to AWS, Azure, GCP, Okta, Auth0, Salesforce, and dozens of other systems.
Compyl would pull the data directly, transform it into a review-ready format, and automatically assign reviewers and approvers. Every action was logged. Every decision had a full audit trail. For the first time, the control itself was automated, not just the evidence collection.
That was real GRC Engineering in action.
From Query Builder to Evidence Studio
Fast-forward to today. Compyl now supports more than 500 prebuilt queries that cover every major system and framework.
But the vision has evolved.
We’re taking everything that made the Query Builder powerful and expanding it into something much bigger:
Evidence Studio.
Evidence Studio isn’t a new feature. It’s the next evolution of how Compyl engineers compliance. What used to be a query is now a blueprint, a reusable, structured unit of evidence logic that defines how a control is validated across systems. Blueprints allow you to create automated, verifiable control checks that run on your schedule, with full traceability from data to policy.
And we didn’t stop there. Instead of leaving these blueprints as isolated automations, we’ve connected them through Playbooks, complete sets of blueprints mapped to both a framework and a technology.
For example, a SOC 2 Playbook for AWS, or an ISO 27001 Playbook for Okta. Each Playbook includes preconfigured evidence blueprints that collect and verify data for the most common controls in that environment.
Now GRC teams don’t need to start from scratch. They can deploy entire compliance playbooks out of the box, customize them, and let Compyl continuously run, verify, and log control execution. It’s no longer about collecting evidence once a year.
It’s about maintaining a living system of compliance that proves itself every day.
Evidence Studio represents the maturity of the original vision. Automation with context, scale, and intelligence. It’s compliance as a system, not a task.
Evidence Playbooks: From Frameworks to Function
We’re extending that idea even further with Evidence Playbooks. Over the past few months, I’ve been building Playbooks that map specific frameworks to real-world integrations. Each Playbook contains prebuilt evidence blueprints tied to systems like AWS, Okta, and Azure.
For example, the SOC 2 Playbook for AWS includes 25 ready-to-run blueprints that automatically collect proof of encryption, IAM policy compliance, logging configurations, backups, and change management. The ISO 27001 Playbook for Okta includes automated checks for MFA enforcement, password policy, and inactive user cleanup.
These Playbooks are based on real audit experience and map directly to the controls auditors test every day. The result is a new kind of compliance workflow, one where engineering and audit finally speak the same language. Evidence Studio doesn’t just automate data collection. It validates that the control is actually working. It replaces “trust me” green checkmarks with proof.
Why I Joined Compyl
That’s why I joined Compyl. Over the last few years, I’ve had conversations with dozens of companies building GRC products. Most focused on forms, frameworks, or checklists. They wanted to make compliance easier, but not necessarily smarter.
Compyl was different.
From the start, the focus was on automation and engineering. This is the only platform I’ve seen where you can practice real GRC Engineering. Integrated data, continuous evidence, and the ability to verify every control through real systems.
Compyl is where GRC finally shifts left into the pipeline, where compliance happens automatically, alongside the work engineers already do.
The Future of GRC Engineering
The future of GRC looks a lot like DevOps.
It’s automated, integrated, and code-driven. The same way infrastructure moved from manual processes to Infrastructure as Code, compliance is moving toward GRC as Code. Evidence Studio is the first real step in that direction.
Every control will have an evidence blueprint. Every audit will validate live data. Every GRC engineer will build, deploy, and test controls just like software. This is the future I’ve been talking about for years. A world where compliance and security aren’t separate disciplines but parts of the same workflow.
Where evidence isn’t static but dynamic. Where GRC teams spend their time improving systems instead of documenting them.
Evidence Studio is where that future begins. It’s where we stop guessing, stop pretending, and start proving. It’s where GRC Engineering finally becomes real.
A Call to Builders
If you’ve ever been frustrated by screenshots, spreadsheets, or manual reviews, this is your moment.
Evidence Studio was built for you.
Because the future of GRC isn’t documented. It’s deployed.
