Senior GRC & Compliance Engineering Leader

Turning compliance into a system that actually works.

A decade of federal and enterprise security experience, building risk-driven, scalable GRC programs that automate compliance and replace manual audit work. I translate regulatory requirements into engineering solutions like Policy-as-Code, Compliance-as-Code, and continuous controls embedded directly in the CI/CD pipeline.

Ashley Pearce
Senior InfoSec Analyst · Rise8
Top Secret
10+ yrs
cATO · RMF · Policy-as-Code · NIST 800-53 · GRC Engineering · SSDF · Founder, GRC Playground · USAF Veteran

Security isn't the add-on. It's the foundation.

I'm a senior GRC and compliance engineering leader with a decade of work across federal and enterprise security programs. Today I architect a modern GRC engineering function inside Rise8, a defense software company built around continuous Authorization to Operate. My work lives inside the CI/CD pipeline, where compliance has to be automated, auditable, and fast. Not a checklist someone prints before an audit.

That perspective wasn't theoretical. I've spent the last decade building it. I've worked on federal cATO programs at Rise8, third-party risk at Amazon, enterprise security exceptions at PepsiCo, classified RMF and ATO work in eMASS at Sev1Tech, and audit and recovery foundations at Bowhead, all grounded by my time in the United States Air Force. That blend of military discipline, enterprise scale, federal regulation, and modern delivery is what shaped how I think about security programs today.

Outside my day job, I founded GRC Playground, a hands-on lab platform that converts traditional compliance analysts into GRC engineers. I lead Career Operations for the GRC Engineering Club, and I write and speak about Compliance-as-Code, cATO, and the future of the discipline. I care about this field. I want it to grow up.

Continuous Authorization to Operate

Architecting cATO programs inside real software delivery pipelines. RMF that moves at the speed of deployment, with real-time risk telemetry replacing point-in-time audits.

Policy-as-Code & Compliance-as-Code

Translating security controls into versioned, machine-readable, pipeline-native checks. If a human has to manually validate it every time, it's not a compliance program. It's a liability.

Programs that Scale

Building reusable Policy Libraries, control-to-pipeline mappings, and automated evidence collection so that maturing governance does not slow delivery. It accelerates it.

Educator & Builder

Founder of GRC Playground. Head of Career Operations at the GRC Engineering Club. Mentor to analysts becoming engineers. The skill gap in this field is real, and I have spent long enough watching it slow down good teams.

How I think about modern compliance.

Four operating principles I have arrived at through a decade of audits, exceptions, and ATO packages. They quietly drive every program I have built.

Principle 01
Compliance is a product, not a paperwork exercise.

A control that does not enforce itself is a story we tell auditors. Real compliance is a system: versioned, testable, deployed, and observed. Treat it like the software it lives next to.

Principle 02
If a human has to validate it every time, it is a liability, not a control.

Manual evidence collection scales linearly with auditors and exponentially with risk. Pipeline-native enforcement and automated evidence make assurance a side effect of doing the work right, not a quarterly fire drill.

Principle 03
Trust is earned through transparency, not binders.

cATO works because Authorizing Officials get continuous, real-time signal, not 600-page point-in-time packages. The right answer to "are we secure?" is a live dashboard, not a stack of PDFs from last quarter.

Principle 04
Right-size the controls. Then defend the right-sizing.

Checkbox compliance fails twice: first when it costs more than the risk it mitigates, and again when it gives engineers reason to route around the security team. Risk-based scoping is the conversation that earns the program a seat at the table.

A decade at the intersection of security, software, and scale.

Federal contracting, hyperscale enterprise, Fortune 50 risk programs, and now defense software delivery. Each role rewrote how I think about controls.

Dec 2023 to Present · Remote
Senior InfoSec Analyst
Rise8 · Defense Software · cATO
Current Role

Architecting and leading a modern GRC engineering program embedded inside a secure CI/CD release pipeline, replacing document-driven compliance with controls-as-code and automated evidence collection mapped to NIST 800-53 Rev. 5 and NIST SSDF. Driving cATO strategy across product and engineering teams and partnering directly with Authorizing Officials to establish trust through transparency, real-time risk telemetry, and ongoing assurance rather than point-in-time audits.

What I'm Building
  • A comprehensive Policy Library: SOPs, control baselines, control-to-pipeline mappings, and training resources scaling reusable Policy-as-Code across multiple engineering teams
  • Controls operationalized into CI/CD stages using GitLab, ArgoCD, Trivy, SonarQube, OWASP ZAP, Cosign, HashiCorp Vault, and SD Elements
  • Pipeline-native evidence generation, replacing manual artifact gathering with automated BOE (Body of Evidence) collection
  • An enablement and mentorship program transitioning analysts into GRC engineering roles, with curriculum, training materials, and labs that make RMF, ATOs, and cATO operationally fluent
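As an added illustration (not code from this page, from Rise8, or from any of the tools named above), here is a minimal Policy-as-Code step of the kind the bullets above describe: a versioned, machine-readable rule library mapped to NIST 800-53 Rev. 5 control identifiers, evaluated against artifacts that earlier pipeline stages hand over, producing one Body of Evidence record per rule plus a pass/fail gate. The control IDs are real; the sample artifacts (a scanner summary, a signature-verification result, a deployment manifest summary), the field names, and the rule thresholds are all constructed for the example and are hypothetical policy choices, not any organization's baseline.

```python
"""Policy-as-Code demo: machine-readable control rules evaluated against pipeline
artifacts, emitting one Body of Evidence (BOE) record per rule and a pipeline gate.
All inputs below are constructed for the example; the control-to-rule mapping is
a hypothetical policy library, not Rise8's or any real program's."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inputs: what earlier pipeline stages might hand to the policy step.
# Field names and values are invented; "tool" is a placeholder for whatever emitted them.
SAMPLE_ARTIFACTS = {
    "image_scan": {"tool": "scanner", "critical": 0, "high": 2},
    "image_signature": {"tool": "signer", "verified": True},
    "deploy_manifest": {"runAsNonRoot": True, "privileged": False, "tlsEnabled": False},
}

# Machine-readable policy library. Control IDs are real NIST 800-53 Rev. 5 identifiers;
# the thresholds are hypothetical policy choices for this example.
POLICY_LIBRARY = [
    {"control": "RA-5", "rule": "no-critical-vulns",
     "artifact": "image_scan", "field": "critical", "op": "eq", "expected": 0},
    {"control": "RA-5", "rule": "high-vulns-under-threshold",
     "artifact": "image_scan", "field": "high", "op": "lte", "expected": 5},
    {"control": "CM-14", "rule": "image-signature-verified",
     "artifact": "image_signature", "field": "verified", "op": "eq", "expected": True},
    {"control": "CM-6", "rule": "container-not-privileged",
     "artifact": "deploy_manifest", "field": "privileged", "op": "eq", "expected": False},
    {"control": "CM-6", "rule": "container-runs-as-non-root",
     "artifact": "deploy_manifest", "field": "runAsNonRoot", "op": "eq", "expected": True},
    {"control": "SC-8", "rule": "tls-enabled",
     "artifact": "deploy_manifest", "field": "tlsEnabled", "op": "eq", "expected": True},
]

# Comparison operators a rule may reference; keeping them declarative keeps rules reviewable.
OPS = {"eq": lambda a, b: a == b, "lte": lambda a, b: a <= b, "gte": lambda a, b: a >= b}


def artifact_digest(artifact):
    """SHA-256 over a canonical JSON rendering, so each evidence record pins the exact input."""
    canonical = json.dumps(artifact, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def evaluate(policy_library, artifacts, now=None):
    """Run every rule and return one BOE record per rule.

    A missing artifact or missing field is recorded as a fail (fail closed): absence of
    evidence is not evidence of compliance."""
    now = now or datetime.now(timezone.utc).isoformat()
    records = []
    for rule in policy_library:
        artifact = artifacts.get(rule["artifact"])
        observed = None if artifact is None else artifact.get(rule["field"])
        passed = observed is not None and OPS[rule["op"]](observed, rule["expected"])
        records.append({
            "control": rule["control"],
            "rule": rule["rule"],
            "artifact": rule["artifact"],
            "field": rule["field"],
            "expected": rule["expected"],
            "observed": observed,
            "result": "pass" if passed else "fail",
            "artifact_sha256": None if artifact is None else artifact_digest(artifact),
            "evaluated_at": now,
        })
    return records


def failing_controls(records):
    """Distinct control IDs with at least one failing rule (what a risk dashboard would surface)."""
    return sorted({r["control"] for r in records if r["result"] == "fail"})


def gate(records):
    """Pipeline gate: True only when every rule passed."""
    return not failing_controls(records)


if __name__ == "__main__":
    boe = evaluate(POLICY_LIBRARY, SAMPLE_ARTIFACTS)
    print(json.dumps(boe, indent=2))
    print("gate:", "PASS" if gate(boe) else "FAIL", "failing controls:", failing_controls(boe))
```

Two design points worth noting: the evaluator fails closed, so a stage that forgot to emit an artifact cannot silently pass, and each record carries a digest of the exact artifact it judged, which is what lets the evidence be re-verified later rather than merely trusted. With the constructed sample the SC-8 rule fails (TLS is off in the manifest summary), so the gate blocks the deployment and the failing control ID is the signal that reaches the dashboard.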
Impact
  • Shortened audit cycles and reduced manual effort by shifting evidence collection from human to pipeline
  • Faster time-to-authorization without sacrificing rigor, with agile delivery and compliance moving in lockstep
  • Established trust with Authorizing Officials through continuous, transparent risk signal instead of static packages
  • Influenced peer organizations through published thought leadership on RMF, cATO, and Compliance-as-Code
cATO · NIST 800-53 Rev. 5 · NIST SSDF (800-218) · GitLab CI/CD · ArgoCD · HashiCorp Vault · Policy-as-Code · Compliance-as-Code
Aug 2022 to Dec 2023 · Remote
Third-Party Security Specialist
Amazon · Hyperscale Enterprise

Owned end-to-end risk assessments of third-party vendors against ISO 27001 and Amazon's internal security standards at hyperscale. Authored risk analysis reports and remediation plans, partnered with vendors to design compensating controls where direct compliance was not feasible, and worked with internal stakeholders to make accept / mitigate / reject decisions on residual risk.

Core Work
  • Full vendor controls evaluation and findings process across the Amazon ecosystem
  • Compensating control design for vendors unable to meet baseline requirements
  • Residual risk decisions with internal risk leadership
Impact
  • Strengthened the assurance posture of Amazon's vendor ecosystem
  • Surfaced systemic gaps in vendor controls and recommended program-level improvements rather than one-off remediations
  • Brought a risk-driven, scalable lens to vendor reviews at hyperscale
ISO 27001 · Third-Party Risk · Vendor Assessments · Compensating Controls
Oct 2021 to Aug 2022 · Remote
Security Exceptions Specialist
PepsiCo · Fortune 50

Owned daily review and adjudication of enterprise security exceptions across a global Fortune 50 environment, evaluating risk impact to network, data, and business operations. Partnered with requestors, control owners, and risk leadership to design mitigating controls, develop remediation paths, and right-size exception terms based on actual residual risk.

Core Work
  • Exception review at scale across distributed business units
  • Mitigating control design with control owners
  • Contributed to the evolution of internal standards, procedures, and controls used to manage exception risk
Impact
  • Right-sized exception terms aligned to real residual risk, not policy theater
  • Improved exception program maturity across distributed business units
  • Built habits of risk-based scoping that I carry into every program today
Enterprise Risk · Security Exceptions · Mitigating Controls · Fortune 50
Aug 2019 to Oct 2021 · Remote
Cyber Security Analyst & GRC Subject Matter Expert
Sev1Tech LLC · Federal Contracting

Served as GRC SME across classified and unclassified federal systems, implementing security controls and risk assessment frameworks aligned to NIST 800-53 and DoD RMF requirements with sustainable, audit-ready documentation. This is where I first integrated automated security assessments into CI/CD pipelines and used eMASS as a system of record for continuous compliance, an early precursor to the cATO program work I lead today.

Core Work
  • RMF Authority to Operate (ATO) workflows in eMASS, including control baselines, assessment results, POA&Ms, and compliance documentation
  • Risk assessments and tests of data processing systems; control effectiveness evaluation
  • Standards, procedures, and remediation guidance authored to manage residual risk
  • Automated security assessments integrated into CI/CD pipelines
Impact
  • Early continuous compliance work that became the foundation for my later cATO program design
  • Trained staff on processes, procedures, and controls; reported gaps and remediation status to senior leadership
  • Established the audit-ready documentation patterns I still use today
NIST 800-53 · DoD RMF · eMASS · ATO & POA&M · Classified Systems
2014 to 2019 · Foundational Roles
Bowhead Family of Companies & United States Air Force
Federal Contracting · Military Service

The technical and operational foundation underneath everything that came later. Government contracting taught me audit discipline. Military service taught me how systems are actually used in mission environments, and how to build them so the people on the ground can trust them.

Bowhead: Data Migration Tech & Tier 1–2 Help Desk
  • Built an audit process tracking 200+ systems with recurring backup requirements, supporting disaster recovery compliance
  • Coordinated Configuration Control Board operations across system owners
  • Tier 1–2 support across distributed federal environments
USAF: Cyber Services Technician
  • SharePoint administration and end-user support across military operational environments
  • Led a continuous-improvement initiative that drove measurable workplace efficiency gains
  • Awarded the Presidential Volunteer Service Award
USAF Veteran · Configuration Control · Disaster Recovery · Presidential Volunteer Service Award
5-Lab Curriculum
  • 01 Policy-as-Code Foundations: NIST controls → machine-readable rules (Live)
  • 02 Real-World Misconfigurations: Find, analyze, and remediate (Live)
  • 03 Pipeline Integration: Compliance checks in CI/CD (Coming Soon)
  • 04 Continuous Monitoring Automation: Evidence collection without humans (Coming Soon)
  • 05 cATO in Practice: Connecting the full picture (Coming Soon)

GRC Playground

A hands-on, lab-based learning platform built to convert traditional compliance analysts into GRC engineers. Most GRC professionals are excellent at the what. Playground teaches the how.

Anchored around a 5-lab Policy-as-Code curriculum grounded in real-world misconfigurations and case studies, not synthetic exercises designed to look good in a course catalog. Every lab maps directly to continuous authorization and modern controls automation.

The origin is personal. Over years of RMF work, I kept seeing the same bottleneck: organizations with strong security intent but no infrastructure to enforce it at scale. Playground exists to close that gap, one practitioner at a time.

Real-world labs
Subscription model
Progress tracking
Policy-as-Code focus
cATO scenarios
Visit grcplayground.com → GitHub Repo

Shaping the conversation around modern GRC.

Publishing, building community, and influencing how peer organizations approach the next era of compliance.

LinkedIn · Industry Channels

Writer on Modern GRC

Publishing on RMF, cATO, Compliance-as-Code, and the future of GRC engineering, reaching a growing audience of practitioners and leaders rethinking how compliance integrates with software delivery.

  • Continuous Authorization to Operate in practice
  • Policy-as-Code patterns for federal teams
  • The analyst-to-engineer transition
  • Right-sizing controls without losing rigor
Read on LinkedIn →
Community Leadership

Head of Career Operations · GRC Engineering Club

Leading career operations for an emerging professional community focused on advancing the GRC engineering discipline. Building programming and resources that help practitioners shift from documentation-heavy work into engineering-driven compliance.

  • Career programming and resource design
  • Connecting analysts to engineering opportunities
  • Community-led skill development for the next generation
Get involved →
Founder · Educator

GRC Playground & Curriculum

Authored a Policy-as-Code lab series grounded in real misconfigurations and case studies, where each lab ties directly to continuous authorization and modern controls automation. Designed for engineers and analysts converting to engineering-first compliance.

  • Lab-based curriculum mapped to NIST controls
  • Real-world misconfiguration case studies
  • Built for the analyst-to-engineer arc
Explore Playground →
Mentorship · Internal

Analyst-to-Engineer Enablement

Built and lead an internal mentorship and enablement track at Rise8 that transitions traditional GRC analysts into GRC engineers, with curriculum, training materials, and labs that make RMF, ATOs, and cATO operationally fluent rather than theoretical.

  • Curriculum and training resource design
  • Hands-on lab development for federal teams
  • Cross-functional partnership with engineering
Talk about programs →

Agentic GRC.

The next wave of GRC is not another dashboard. It is autonomous agents quietly handling evidence collection, control mapping, audit response, and continuous monitoring, so humans can focus on the judgment work that actually requires judgment. This is where I am pointing my work next, and where the discipline is heading.

i. Agent-driven evidence collection

Pipeline-resident agents that watch the build, gather artifacts at the moment they're created, and assemble Body of Evidence packages without a human ever opening a folder.

ii. Natural-language control mapping

Translating regulatory language and audit questions directly into control implementations and queries against existing telemetry, so the long tail of "where is this requirement enforced?" gets answered in seconds, not weeks.

iii. Continuous control monitoring with reasoning

Agents that don't just detect drift but explain it, propose remediations, and open the right tickets in front of the right humans, closing the loop between detection and action.

Currently sharpening
Google IT Automation with Python (Coursera, in progress through Jun 2026) · prototyping agentic workflows in the Playground curriculum · publishing on agentic GRC patterns in real federal pipelines.

The technical depth behind the frameworks.

Risk, frameworks, engineering, tooling, and leadership. The full breadth of what a senior GRC engineering leader actually has to operate across.

GRC & Risk

Enterprise risk management, controls design and assurance, audit readiness, third-party risk, security exception management, and risk-based scoping over checkbox compliance.

Enterprise Risk Management · Controls Design & Assurance · Audit Readiness · Third-Party Risk · Security Exceptions · Right-Sized Controls

Frameworks

Deep federal and growing enterprise framework fluency, built on years of audit-ready documentation across classified and unclassified environments.

NIST 800-53 Rev. 5 · NIST SSDF (800-218) · NIST CSF · RMF · cATO · ISO 27001 · SOX · PCI-DSS · GDPR

GRC Engineering

The engineering layer that turns frameworks into something a pipeline actually enforces and a system actually proves, every day, automatically.

Policy-as-Code · Compliance-as-Code · Automated Evidence Collection · Controls-as-Code in CI/CD · Continuous Control Monitoring · BOE Artifact Automation · cATO Program Design

Tooling & Platforms

The actual stack I work in day to day. Pipeline-native security tooling and federal compliance systems of record.

GitLab CI/CD · ArgoCD · Trivy · SonarQube · OWASP ZAP · Cosign · HashiCorp Vault · SD Elements · eMASS · Python (in progress)

Leadership & Strategy

The work that turns a function into a program: partnership across product, engineering, legal, and the executive table; mentorship; thought leadership.

Program Development · Cross-Functional Partnership · Executive Stakeholder Alignment · Mentorship & Enablement · Training Program Design · Thought Leadership

Communication & Translation

Translating regulatory complexity into product, engineering, and executive language, and back. The work that quietly determines whether a compliance program lands.

Technical Documentation · Curriculum Development · Public Writing & Speaking · Visual Design Background · PM Discipline

Formal training, ongoing learning, active clearance.

CompTIA Security+ Active

Industry-standard validation of foundational security operations and risk management.

Product Manager Certification

The Product School. Bringing PM rigor to compliance program design.

Visual Arts & Graphic Design Coursework

Full Sail University. A design foundation that quietly shapes how I communicate compliance to engineers, leaders, and auditors.

Google IT Automation with Python In Progress

Coursera · Feb 2026 to Jun 2026. Sharpening Python automation directly applied to GRC engineering and agentic workflows.

Additional CompTIA Foundations

A+, Network+, CCENT, CEH, and CASP coursework (New Horizons). The stack of technical foundations underneath the GRC work.

Active Clearance

Top Secret · Active

Cleared for sensitive federal and DoD security work. Available immediately for cATO, RMF, and engineering-led compliance programs that require trusted access.

Recognition

Presidential Volunteer Service Award · United States Air Force.

Ready to bring engineering-grade compliance to your organization?

I'm building toward senior IC and GRC Engineering leadership roles across federal and modern tech. If you're working on security programs that need to move at the speed of software delivery, or if you want to talk about cATO, Policy-as-Code, agentic GRC, or Playground, reach out.