For every stakeholder.
This page is written for directors, executives, potential employers, clients, and collaborators. It covers the business case, the technical proof of work, the roadmap, the GRC Den companion resource, and the architect behind it all.
What this platform delivers
to your organisation
Your organisation has compliance requirements — SOC 2, ISO 27001, GDPR, or others. Meeting these requirements traditionally means hiring GRC analysts to write policies, collect evidence, and scramble every year before an audit. The process is expensive, slow, and almost entirely manual. More importantly, it is reactive. By the time a GRC analyst reviews an audit log and discovers a security violation, it may have been in your production environment for days or weeks.
Policy binder in SharePoint
↓
Annual audit sprint (weeks of screenshots)
↓
Stale dashboard showing 3-month-old data
↓
Analyst reviews alert next morning
↓
Violation already live for 16+ hours
Policy written as Rego → committed to git
↓
Every commit evaluated against all policies
↓
Violation → build blocked → PR auto-fixed
↓
Production structurally cannot contain violations
↓
AI agents collect evidence continuously
Exact outcome metrics
| METRIC | ❌ TRADITIONAL GRC | ✓ GRC CREST |
|---|---|---|
| Automation rate | ~20% | 98.3% |
| Time to detect a violation | Hours to days | Seconds |
| Time to remediate | Days (ticket → review → fix) | 4.2 seconds (automated) |
| Annual audit preparation | 2–4 weeks of manual work | Zero — evidence collected continuously |
| Vendor risk assessment | 4–8 hours per vendor | Under 60 seconds (AI agent) |
| Human decisions / month | Hundreds | 12 (highest-judgment only) |
| Policy enforcement | Word documents in SharePoint | Code in git (OPA Rego) |
| Evidence collection | Manual screenshots | AI agent cron jobs |
| Compliance visibility | 3-month-stale dashboards | Real-time live stream |
Every member of staff who accesses GRC Crest has an account created explicitly by an administrator through your organisation's IAM process. Every login requires email + password (step 1) and a second authentication factor — either Google Authenticator TOTP or a one-time email code (step 2). Sessions expire after 8 hours. No one can self-register. No one can reset their own password. Access is granted, not claimed.
The ROI case
A mid-size organisation spending £500K/year on GRC headcount can typically achieve these outcomes within the first year of deploying GRC Crest:
Eliminate 2–4 weeks of annual manual evidence collection. The audit pack is always ready — no sprint, no crunch, no overtime.
Vendor risk assessments that took 4–8 hours now take under 60 seconds. For 50 vendors, that is 200–400 hours of analyst time returned per assessment cycle.
The category of "security violation discovered weeks after it entered production" is eliminated. Every violation is caught at the commit stage or auto-healed within 4.2 seconds at runtime.
Enterprise customers ask about compliance posture before signing. A live, automated, continuously monitored platform is a significantly stronger answer than "we have a GRC team and annual audits."
What your GRC team still does — but better
GRC Crest does not eliminate the GRC function. It elevates it. Your GRC team shifts from:
Human GRC professionals in this system are decision-makers, not data collectors.
What this project demonstrates
GRC Crest is not a compliance dashboard — it is a fully engineered GRC automation system that demonstrates mastery across eight technical domains simultaneously. This is the proof of work.
Full App Router implementation with correct server/client component boundaries. Typed next.config.ts, proper Metadata and Viewport exports, 'use client' directives applied precisely where needed — not sprayed across the codebase.
Full two-factor authentication with no self-registration — matching enterprise IAM practice. JWT callbacks with mfaVerified persistence, updateSession trigger handling, module augmentation in next-auth.d.ts, middleware enforcement at the edge, and anti-enumeration error messages.
RFC 6238 TOTP via otplib (Google Authenticator compatible) and email OTP via Nodemailer. QR code generation for first-time TOTP setup. Single-use email codes with 10-minute expiry. In-memory store with documented Redis migration path for multi-instance deployments.
Uses generateText() from the Vercel AI SDK with a getModel() factory pattern — a single function replacing separate fetch implementations for each LLM provider. Provider switching via environment variable with no downstream code changes. Temperature tuned to 0.2 for consistent JSON output. Auth-gated.
src/types/grc.ts defines 25+ interfaces covering every data contract: GRCLayer, EvidenceRecord, Incident, VendorAssessment, AIRootCauseAnalysis, LoginCredentials, MFAMethod, GRCSession, and more. next-auth.d.ts module augmentation for type-safe session access. tsc --noEmit is a required CI step.
Full DevSecOps toolchain: OPA/Rego policy enforcement, TruffleHog secret scanning, Snyk dependency analysis, Semgrep SAST, and Checkov infrastructure scanning — all architected into CI/CD pipeline stages. The OPA Generator demonstrates programmatic generation of valid Rego, Semgrep, GitHub Actions, and Terraform artefacts from natural language.
Three distinct AI agent workflows with different prompt strategies: structured JSON output enforcement (vendor risk), multi-artefact code generation (OPA generator), and forensic analysis (incident RCA). Provider-agnostic callAIJson<T>() generic with typed return. All prompts in src/lib/prompts.ts as versioned artefacts.
Deep command of SOC 2 Trust Service Criteria, ISO 27001 Annex A, and NIST 800-53 control families. Evidence records modelled with correct framework identifiers (CC6.1, A.9.2, SC-28). Vendor assessment rubric covers the seven controls differentiating mature from immature vendor postures. Incident scenarios reflect real-world attack patterns.
Complete technical stack
| CATEGORY | TECHNOLOGY | VERSION |
|---|---|---|
| Framework | Next.js | 15.3 |
| UI Library | React | 19.1 |
| Language | TypeScript (strict mode) | 5.8 |
| Styling | Tailwind CSS | 4.1 |
| AI SDK | Vercel AI SDK | 4.3 |
| AI Providers | Anthropic Claude / OpenAI GPT — switchable via env var | — |
| Authentication | NextAuth (Auth.js) | v5 beta |
| TOTP | otplib | 12.0 |
| Nodemailer | 6.9 | |
| Password Hashing | bcrypt-ts | 8.0.1 |
| QR Code | qrcode | 1.5 |
| Policy Enforcement | Open Policy Agent, Rego, Conftest | — |
| SAST / Scanning | Semgrep, TruffleHog, Snyk | — |
| Infrastructure | Checkov, Terraform | — |
| CI/CD | GitHub Actions | — |
| Cloud Monitoring | AWS CloudTrail, Prometheus, Datadog | — |
| Automation | n8n, Node.js microservices | — |
| Compliance Frameworks | SOC 2 Type II, ISO 27001, NIST 800-53, GDPR | — |
Work with Ige Fadele
Available for the following engagement types. All arrangements — remote, hybrid, in-office, domestic, and international — are considered.
GRC programme design, security architecture review, compliance automation strategy, AI integration advisory. Engagements of any duration.
Fixed-term contracts for specific deliverables: GRC-as-Code implementation, CI/CD compliance pipeline setup, AI agent development, security toolchain integration.
Open to full-time roles as Technical GRC Engineer, Security Compliance Architect, DevSecOps Engineer, Platform Engineer, or Principal/Staff Engineer with security responsibilities.
Part-time engagements, fractional leadership, and portfolio/project roles for organisations building out their GRC or security engineering capability.
For early-stage companies and founders who need to build compliance and security infrastructure from scratch — fast, correctly, and without hiring a full GRC team.
Open to international opportunities. Willing to relocate. Currently based in UTC+1. Experienced working across time zones and with globally distributed teams.
GRC Den
GRC Den is a free, open-source library of production-grade GRC artefacts — policy templates, risk registers, control frameworks, and assessment tools. Built by Ige Fadele as a resource for the entire GRC community.
Whether you want to sharpen your GRC skills, get compliance artefacts you can start using today, or transition into a GRC role — GRC Den gives you everything for free.
- ⬡ Production-ready policy templates, risk registers, and control frameworks
- ⬡ Saves GRC professionals hours of trial-and-error artefact creation
- ⬡ Helps the broader GRC community become more compliance-savvy
- ⬡ Free and open-source — no catch, no paywall, no subscription
Roadmap
GRC Crest is actively developed. These features are planned or in progress.
Live AWS Config and GCP Asset Inventory polling to replace simulated evidence with real configuration data.
First-login flow showing a scannable QR code so users can set up Google Authenticator themselves without admin involvement.
UI for administrators to add/remove users and assign roles without editing environment variables directly.
Auto-create tickets for human-queue escalations with AI-generated context, priority, and blast radius already attached.
Push escalation briefs, AI summaries, and incident alerts directly to GRC team channels.
Replace in-memory email OTP store with Redis for multi-instance deployments (Vercel serverless, multiple containers).
One-click PDF export of the entire evidence repository as a formatted, auditor-ready compliance package.
Define your own compliance frameworks and control sets beyond the built-in SOC 2 / ISO 27001 / NIST.
AI-monitored feed surfacing regulatory changes (GDPR, AI Act, DORA) that require policy updates.
MIT License
GRC Crest is free and open-source software. Copyright © 2025 GRC Crest / Ige Fadele.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.