GRC Engineering · AI Governance

Making compliance engineered, not audited.

I'm Zeshan — a GRC Specialist at Cisco Splunk building automation-first governance for AI and cloud at scale, anchored in ISO 42001, ISO 27001, and SOC 2.

7+ Years in GRC
6 Certifications
4 Frameworks mastered

Current credentials

CISA · CISM · ISO 42001 LA · ISO 27001 LA

Tools & frameworks

Splunk · Wiz / ScoutSuite · AWS SSM · Jira · OPA / Rego · Terraform · FAIR · NIST CSF 2.0

Currently at

Cisco · Splunk (Remote)

GRC as an engineering discipline.

I believe compliance should be built into systems, not bolted on afterward. My work centers on automating governance — translating control frameworks into code, pipelines, and policy-as-code that scales with modern cloud and AI infrastructure.

With a background spanning Deloitte India, TIAA, and now Cisco's Splunk division, I've led risk assessments across Splunk Cloud, AppDynamics, Observability Cloud, and SOAR — and I'm one of the few practitioners holding dual ISO 42001 and ISO 27001 Lead Auditor credentials.

I'm based in Araria, Bihar, where I work remotely and contribute to the OWASP Ranchi Chapter as its founder, mentoring the next generation of security practitioners from Tier-2 India.

AI Governance

ISO 42001 implementation, AI risk assessments, and governance frameworks for ML systems and LLM deployments.

Cloud Risk & CSPM

Continuous compliance monitoring across AWS using Wiz, ScoutSuite, and native tooling — mapped to SOC 2 and ISO 27001.

GRC Automation

Policy-as-code, automated evidence collection, and CI/CD compliance pipelines using OPA, Terraform, and Splunk.

TPRM & Audit

Third-party risk programs, vendor assessments, and internal audit for SaaS and cloud-native products.


Experience

Seven years building GRC programs across consulting, financial services, and enterprise SaaS.

Sep 2023 – Present · Remote

GRC Specialist

Cisco · Splunk

Leading AI and cloud risk assessments across Splunk Cloud, Observability, AppDynamics, and SOAR. Implementing ISO 42001 AI governance controls, automating compliance evidence collection with AWS SSM and Splunk, and driving CSPM operations with Wiz and ScoutSuite across multi-product cloud environments.

2021 – 2023

GRC Analyst

TIAA

Managed SOC 2 Type II readiness and ISO 27001 compliance programs for financial services infrastructure. Led third-party risk assessments, vendor onboarding security reviews, and policy governance across enterprise systems.

2019 – 2021

Risk Advisory Analyst

Deloitte India

Delivered IT risk and internal audit engagements for clients across BFSI and manufacturing. Conducted control testing, gap assessments, and regulatory compliance reviews aligned to COBIT and ISO 27001.

2018 – 2019

IT Risk & Compliance

TVS Motor Company

Handled IT GRC and information security compliance within an enterprise manufacturing environment, supporting audit readiness and control framework implementation.


Certifications & Skills

CISA

Certified Information Systems Auditor · ISACA

CISM

Certified Information Security Manager · ISACA

ISO 42001 LA

AI Management Systems Lead Auditor · TÜV SÜD

ISO 27001 LA

Information Security Lead Auditor · TÜV SÜD

NSD Pen Tester

Certified Penetration Tester

DevSecOps

Securing DevSecOps Certification

Frameworks

ISO 42001 · ISO 27001 · SOC 2 · NIST CSF 2.0 · COBIT · FAIR

Tools & Platforms

Splunk · Wiz · ScoutSuite · AWS SSM · Jira · Drata · SafeBase · Terraform · OPA / Rego · Checkov · GitHub Actions

Other

MBA – Business Analytics (Liverpool) · B.Tech – Mechanical Eng. (KIIT) · OWASP Ranchi Chapter Founder · CISM Book Technical Reviewer


Open to global remote opportunities.

I'm particularly interested in senior GRC, AI governance, and cloud risk roles at product-led, globally-distributed organizations. If you're building a compliance program that needs engineering depth — let's talk.