Content provided by Raj Krishnamurthy. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Raj Krishnamurthy or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://staging.podcastplayer.com/legal.

What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly

1:10:07
 

Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you.

In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong.

Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

🔑 Key Takeaways:

✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
✅ What good compliance teams do before audit season to avoid chaos
✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

🎯 Take Action:

→ Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
→ Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
→ Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

💬 Connect with Alan Luk:
💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
🌐 Company: https://www.grammarly.com


12 episodes
