Anand Sundar
Agentic AI Security Engineer & GRC Automation
LOG(N) Pacific
United States and Canada
About Me
I didn't start in GRC. I started in code. Over 7+ years building payment infrastructure at scale, I kept running into the same problem: compliance was treated as an afterthought, something you scrambled for when auditors showed up, not something engineered into the system from day one. So I changed that. I became the person who built both sides: the software and the controls around it. Today, I protect $500,000,000+ in transaction volume through compliance frameworks I designed, automated, and own end-to-end across PCI DSS, SOC 2 Type 2, and NIST CSF.
Most GRC professionals manage policies. I build systems. When I joined as GRC lead, audit preparation was a 3-month fire drill: spreadsheets, Slack threads, evidence scattered across AWS, Azure, and GCP, with no single source of truth. I designed and deployed a multi-cloud compliance harvesting framework using Python, Go, and REST APIs that autonomously collects IAM policies, encryption configurations, and audit logs on demand. Audit prep time dropped 60%. The QSAs were impressed. Engineering finally trusted the process. That's the difference between checking compliance boxes and engineering compliance infrastructure.
What genuinely excites me about GRC isn't the frameworks; it's the intersection where risk management meets real engineering decisions. I'm obsessed with the moment where a well-designed control prevents a breach that never makes the news, or where automated evidence collection means a team can ship confidently instead of freezing every audit cycle. I've built open-source tools (Compliance Harvester, TrailWarden, AuditCTL), not because I had to, but because the problems were unsolved and I couldn't leave them that way. GRC done right isn't overhead. It's a competitive advantage.
I'm a rare hybrid: a GRC practitioner who codes, a compliance engineer who's also run 7-year audit cycles and sat across the table from Qualified Security Assessors. I'm deepening my platform expertise in ServiceNow GRC and IRM, pursuing my AWS Security Specialty, and expanding into cybersecurity incident response. My goal is simple: to build the kind of security and compliance infrastructure that makes organizations genuinely trustworthy, not just certifiably compliant. The two aren't the same thing. I care about the difference.
Experience Highlights
- Owned PCI DSS and SOC 2 Type 2 certification programs for 7+ consecutive years, coordinating with Qualified Security Assessors and maintaining zero certification lapses across $500,000,000+ in transaction volume.
- Reduced audit preparation time by 60% by architecting a multi-cloud compliance harvesting framework that autonomously collects evidence from AWS, Azure, and GCP, eliminating the annual spreadsheet fire drill entirely.
- Built and published four open-source GRC tools (Compliance Harvester, TrailWarden, AuditCTL, and AWS Automated Access Review), proving compliance engineering depth beyond certifications and job titles.
Get in Touch
You can reach out to me on LinkedIn (https://www.linkedin.com/in/anandsundar96/) or email me at anandsundar96@gmail.com
Projects
- Award-winning PCI DSS compliance toolkit - Don't let auditors cry (by passing quickly)
- A Unified Security Operations & GRC Platform — Built to mirror enterprise ServiceNow SecOps + GRC workflows from the ground up
- Turn your governance PDFs into executable, testable, version-controlled compliance rules.
- Map once. Comply twice. One AWS run to satisfy both SOC 2 and GDPR auditors.
- What if your IAM permissions updated themselves — but an AI reviewed every change before it applied?