HaDoyle12/README.md

Hunter Doyle

GRC Audit & Compliance Analyst at GitHub (Microsoft) focused on ISO management-system audits and AI governance. 10+ years across SaaS compliance, HRIS, and Big‑4 advisory.


Current Role

GitHub (Microsoft) — Audit and Compliance Analyst I (Remote, USA)

Policy Lifecycle Management

  • Oversee the end-to-end lifecycle of policies, from development and approval to implementation and review.
  • Collaborate with stakeholders to ensure policies are up-to-date, relevant, and compliant with current regulations and best practices.
  • Lead the formation and execution of steering committee structures to ensure strategic alignment and governance oversight.
  • Facilitate regular meetings and communications with committee members to drive governance initiatives.
  • Develop and document clear roles and responsibilities using RACI matrices to ensure accountability and clarity in governance processes.
  • Ensure alignment of roles with organizational goals and governance objectives.

Policy Exception Management Workflow

  • Design and implement a robust policy exception management workflow to handle deviations effectively.
  • Ensure exceptions are documented, reviewed, and approved in a timely manner, with appropriate risk assessments conducted.
  • Oversee processes for review and approval of security exception requests.

Defining KPIs and Metrics

  • Identify and define key performance indicators (KPIs) and metrics to measure the effectiveness of governance policies and programs.
  • Develop dashboards and reporting tools to track and communicate performance metrics.
  • Support the development of dashboards and audit tools to monitor IT risk indicators and internal control health.

Data Gathering, Analysis, and Reporting

  • Collect and analyze data related to policy adherence and governance program performance.
  • Prepare comprehensive reports and presentations for leadership, highlighting insights, trends, and areas for improvement.
  • Drive key Technology, Security, and Data compliance programs in support of the Digital Technology (corporate IT) organization.
  • Partner closely with Legal, Privacy, and Data Security & Governance teams to develop corresponding GRC programs.

Leadership and Collaboration

  • Work closely with cross-functional teams — including legal, compliance, IT, and operations — to align governance initiatives with business objectives.
  • Act as a governance advisor to leadership, providing expert guidance on best practices and emerging trends.
  • 10+ years of related experience, with hands-on leadership experience in Technology Governance, Risk and Compliance.
  • Build and expand relationships with key stakeholders; evangelize and influence company IT compliance and governance efforts.
  • Build productive customer partnerships and repair strained relationships.

Cloud, AI, and Emerging Technology Architecture

  • Develop and execute a strategic roadmap for advanced Technology & Security architecture, controls, and solutions.
  • Lead efforts to establish governance policies and standards for cloud, AI, and other emerging technologies.
  • Collaborate with technology teams to integrate governance into cloud and AI architecture.
  • Stay informed about emerging technology trends and integrate AI into workflows and decision-making.

Risk Management

  • Implement and manage risk management activities aligned with the GitHub program.
  • Lead GitHub ISO risk management programs using GitHub Projects and ZenGRC.
  • Partner with executive leadership to respond to security evidence requests.
  • Guide risk-based decisions focused on mitigating identified risks.
  • Provide leadership and oversight for M&A due diligence efforts.
  • Represent GitHub in strategic planning, budgeting, and prioritization.
  • Architect and deploy controls for GRC emerging priorities; oversee control assessments and remediation.
  • Interpret and apply controls from ISO 27001, ISO 27018, ISO 27701, ISO 42001, ISO 22301, SOC, NIST 800-53, and FedRAMP.

Issues Tracking and Resolution

  • Manage operational processes that monitor and respond to security threats.
  • Partner with IT to mature operational controls.
  • Lead follow-up education for policy-violating or risky behaviors.
  • Oversee assessment of controls and ensure deficiencies are addressed.
  • Integrate issue management into the broader GRC framework.

Execution

  • Round on leadership to influence decisions and educate on risk.
  • Lead and coordinate implementation of process and technology changes.
  • Execute technical audits across infrastructure and security environments.
  • Develop and apply audit procedures to test IT controls.
  • Design and execute risk-based audits; perform control testing and data validation.
  • Conduct walkthroughs and testing for SOC and ISO controls.
  • Define and prioritize strategic projects; lead major cross-functional initiatives.
  • Plan, schedule, and execute IT audits within budget and deadlines; supervise audit staff and coach for improvement.

Vendor Systems Security

  • Ensure vendor contracts include proper security terms.
  • Work with IT and business leadership to assess and onboard vendor systems securely.
  • Maintain controls for vendor-maintained solutions.
  • Deploy technical controls for Third Party Risk and Resiliency programs.
  • Advise stakeholders on TPRM and vendor-related risk issues.

Communication

  • Coordinate with HR and training teams for GitHub content delivery.
  • Lead proactive communication and awareness campaigns.
  • Create audit reports for technical and non-technical audiences.
  • Champion customer security needs internally.

Staff Development

  • Recruit and manage contractor staff; mentor team members on frameworks and best practices.
  • Ensure team training and development supports internal audits.
  • Assess compliance candidates in hiring processes.
  • Participate in succession planning and uphold the GitHub Code of Conduct and Mission & Value Statement.

AI & Automation Highlights

Working at the intersection of audit, governance, and AI — both as the program owner inside GitHub and as a hands-on builder.

AI Governance & Assurance (at GitHub)

  • ISO 42001 (AIMS) — Running point on GitHub's first-ever AI Management System audit-readiness epic. Building first-of-kind AI governance evidence, control mappings, and assessor narrative in partnership with the GitHub audit lead.
  • AIUC-1 Gap Analysis — Led gap analysis against the emerging AIUC-1 AI assurance framework, surfacing critical readiness gaps and translating findings into prioritized roadmap items.
  • Quarterly AIMS Management Review — Primary briefer; synthesize AI control posture, KPIs, risks, and corrective actions into executive-ready reporting.
  • Cross-framework crosswalks — Map ISO 42001 / AIUC-1 controls back to existing ISO 27001 and SOC evidence so AI-system owners aren't duplicating audit work.

AI Tinkering (personal)

  • Built and continuously refine a personal Copilot CLI agent stack — custom skills, MCP integrations across GitHub and M365 (Mail, Calendar, Teams, SharePoint, Word, Graph), and durable runbooks — to learn modern agent design patterns hands-on.
  • Maintain a per-session lessons-learned + debrief loop that captures hallucinations, scope drift, and prompt-injection patterns, then feeds them back as guardrails to harden the agent over time.
  • Secrets handling: macOS Keychain only — never in custom instructions, runbooks, or prompt context.

Previous Experience

UKG (Ultimate Kronos Group) — Weston, FL

Senior IT Control Analyst / IT Control Analyst · Apr 2017 – Mar 2021

  • Designed, implemented, and tested IT controls against ISO 27001, ISO 27018, SOC, and NIST baselines.
  • Led internal assessments and coordinated external audits (SSAE 18, ISO 27018) end-to-end.
  • Built an SDLC compliance framework adopted by 1,500+ developers, standardizing audit evidence across engineering.

RSM US LLP — Miami, FL

Risk Advisory Services Associate · Jul 2015 – Mar 2017

  • Conducted IT general computer control reviews across UNIX, Windows, AS/400, and Oracle environments for SOX‑regulated clients.
  • Tested automated application controls supporting financial reporting and provided remediation guidance.

Certifications

| License / Certification | Effective Date |
| --- | --- |
| Certified Information Systems Auditor (ISACA) | Dec 2018 |
| Information Security Management Systems v2.1 (BSI) | Jun 2017 |
| Management Systems Auditing v2.0 (BSI) | Jun 2017 |
| ISO/IEC 27001:2013 Internal Auditor (BSI) | Jun 2017 |

Side Projects

  • IT design and consulting for Standing Stone Nursery.
  • Personal Copilot CLI agent stack — see AI & Automation Highlights above.

Hobbies

  • Exotic plants 🌴
  • Gardening 🌱
  • Hiking 🥾
  • Travel ✈️
  • Reading 📚
  • Cooking & Baking 🍳
  • Time with the dogs 🐕🐕🐕

Connect
