For every stakeholder.

This page is written for directors, executives, potential employers, clients, and collaborators. It covers the business case, the technical proof of work, the roadmap, the GRC Den companion resource, and the architect behind it all.

What this platform delivers
to your organisation

Your organisation has compliance requirements — SOC 2, ISO 27001, GDPR, or others. Meeting these requirements traditionally means hiring GRC analysts to write policies, collect evidence, and scramble every year before an audit. The process is expensive, slow, and almost entirely manual. More importantly, it is reactive. By the time a GRC analyst reviews an audit log and discovers a security violation, it may have been in your production environment for days or weeks.

98.3%
AUTOMATION RATE
of all GRC events handled without human action
4.2s
MEAN REMEDIATION
from drift detection to baseline restored
12
HUMAN DECISIONS / MO
vs hundreds in traditional programmes
0
AUDIT PREP WEEKS
evidence collected continuously
TRADITIONAL GRC — REACTIVE MODEL
Policy binder in SharePoint
          ↓
  Annual audit sprint (weeks of screenshots)
          ↓
  Stale dashboard showing 3-month-old data
          ↓
  Analyst reviews alert next morning
          ↓
  Violation already live for 16+ hours
Cost: High headcount, low coverage, always reactive.
GRC CREST — PROACTIVE MODEL
Policy written as Rego → committed to git
          ↓
  Every commit evaluated against all policies
          ↓
  Violation → build blocked → PR auto-fixed
          ↓
  Production structurally cannot contain violations
          ↓
  AI agents collect evidence continuously
Cost: Minimal headcount, 100% coverage, always proactive.

Exact outcome metrics

METRIC❌ TRADITIONAL GRC✓ GRC CREST
Automation rate~20%98.3%
Time to detect a violationHours to daysSeconds
Time to remediateDays (ticket → review → fix)4.2 seconds (automated)
Annual audit preparation2–4 weeks of manual workZero — evidence collected continuously
Vendor risk assessment4–8 hours per vendorUnder 60 seconds (AI agent)
Human decisions / monthHundreds12 (highest-judgment only)
Policy enforcementWord documents in SharePointCode in git (OPA Rego)
Evidence collectionManual screenshotsAI agent cron jobs
Compliance visibility3-month-stale dashboardsReal-time live stream
Access is controlled. No public access.

Every member of staff who accesses GRC Crest has an account created explicitly by an administrator through your organisation's IAM process. Every login requires email + password (step 1) and a second authentication factor — either Google Authenticator TOTP or a one-time email code (step 2). Sessions expire after 8 hours. No one can self-register. No one can reset their own password. Access is granted, not claimed.

The ROI case

A mid-size organisation spending £500K/year on GRC headcount can typically achieve these outcomes within the first year of deploying GRC Crest:

80–90% Less Audit Prep

Eliminate 2–4 weeks of annual manual evidence collection. The audit pack is always ready — no sprint, no crunch, no overtime.

Days → 60 Seconds

Vendor risk assessments that took 4–8 hours now take under 60 seconds. For 50 vendors, that is 200–400 hours of analyst time returned per assessment cycle.

Zero Late-Discovered Violations

The category of "security violation discovered weeks after it entered production" is eliminated. Every violation is caught at the commit stage or auto-healed within 4.2 seconds at runtime.

Competitive Procurement Edge

Enterprise customers ask about compliance posture before signing. A live, automated, continuously monitored platform is a significantly stronger answer than "we have a GRC team and annual audits."

What your GRC team still does — but better

GRC Crest does not eliminate the GRC function. It elevates it. Your GRC team shifts from:

Collecting screenshots Reviewing AI-generated evidence dashboards
Manually reviewing SOC 2 reports Approving AI-generated risk assessments
Writing policy documents Describing policies in plain English
Reacting to audit findings Reviewing automated incident root-cause reports

Human GRC professionals in this system are decision-makers, not data collectors.

What this project demonstrates

GRC Crest is not a compliance dashboard — it is a fully engineered GRC automation system that demonstrates mastery across eight technical domains simultaneously. This is the proof of work.

DOMAIN 01
Production-Grade Next.js 15 + React 19 Architecture

Full App Router implementation with correct server/client component boundaries. Typed next.config.ts, proper Metadata and Viewport exports, 'use client' directives applied precisely where needed — not sprayed across the codebase.

Next.js 15.3React 19.1App RouterServer Components
DOMAIN 02
Enterprise Authentication Engineering (NextAuth v5)

Full two-factor authentication with no self-registration — matching enterprise IAM practice. JWT callbacks with mfaVerified persistence, updateSession trigger handling, module augmentation in next-auth.d.ts, middleware enforcement at the edge, and anti-enumeration error messages.

NextAuth v5JWT StrategyhttpOnly CookiesRate Limiting
DOMAIN 03
MFA Implementation (TOTP + Email OTP)

RFC 6238 TOTP via otplib (Google Authenticator compatible) and email OTP via Nodemailer. QR code generation for first-time TOTP setup. Single-use email codes with 10-minute expiry. In-memory store with documented Redis migration path for multi-instance deployments.

otplib (RFC 6238)Nodemailerqrcodebcrypt-ts
DOMAIN 04
Vercel AI SDK Integration

Uses generateText() from the Vercel AI SDK with a getModel() factory pattern — a single function replacing separate fetch implementations for each LLM provider. Provider switching via environment variable with no downstream code changes. Temperature tuned to 0.2 for consistent JSON output. Auth-gated.

Vercel AI SDK v4.3ClaudeGPT-4oCustom LLM
DOMAIN 05
Strict TypeScript Engineering

src/types/grc.ts defines 25+ interfaces covering every data contract: GRCLayer, EvidenceRecord, Incident, VendorAssessment, AIRootCauseAnalysis, LoginCredentials, MFAMethod, GRCSession, and more. next-auth.d.ts module augmentation for type-safe session access. tsc --noEmit is a required CI step.

TypeScript 5.8Strict ModeModule Augmentation25+ Interfaces
DOMAIN 06
Infrastructure Security Engineering

Full DevSecOps toolchain: OPA/Rego policy enforcement, TruffleHog secret scanning, Snyk dependency analysis, Semgrep SAST, and Checkov infrastructure scanning — all architected into CI/CD pipeline stages. The OPA Generator demonstrates programmatic generation of valid Rego, Semgrep, GitHub Actions, and Terraform artefacts from natural language.

OPA / RegoTruffleHogSnykSemgrepCheckov
DOMAIN 07
Agentic AI Systems Design

Three distinct AI agent workflows with different prompt strategies: structured JSON output enforcement (vendor risk), multi-artefact code generation (OPA generator), and forensic analysis (incident RCA). Provider-agnostic callAIJson<T>() generic with typed return. All prompts in src/lib/prompts.ts as versioned artefacts.

Structured OutputPrompt EngineeringRAG PatternsJSON Schema
DOMAIN 08
GRC Domain Expertise

Deep command of SOC 2 Trust Service Criteria, ISO 27001 Annex A, and NIST 800-53 control families. Evidence records modelled with correct framework identifiers (CC6.1, A.9.2, SC-28). Vendor assessment rubric covers the seven controls differentiating mature from immature vendor postures. Incident scenarios reflect real-world attack patterns.

SOC 2ISO 27001NIST 800-53GDPR

Complete technical stack

CATEGORYTECHNOLOGYVERSION
FrameworkNext.js15.3
UI LibraryReact19.1
LanguageTypeScript (strict mode)5.8
StylingTailwind CSS4.1
AI SDKVercel AI SDK4.3
AI ProvidersAnthropic Claude / OpenAI GPT — switchable via env var
AuthenticationNextAuth (Auth.js)v5 beta
TOTPotplib12.0
EmailNodemailer6.9
Password Hashingbcrypt-ts8.0.1
QR Codeqrcode1.5
Policy EnforcementOpen Policy Agent, Rego, Conftest
SAST / ScanningSemgrep, TruffleHog, Snyk
InfrastructureCheckov, Terraform
CI/CDGitHub Actions
Cloud MonitoringAWS CloudTrail, Prometheus, Datadog
Automationn8n, Node.js microservices
Compliance FrameworksSOC 2 Type II, ISO 27001, NIST 800-53, GDPR
Ige Fadele
Ige Fadele
TECHNICAL GRC ENGINEER
SECURITY COMPLIANCE ARCHITECT
SOFTWARE ENGINEER
AVAILABLE · 06:00 – 23:00 UTC+1

My name is Ige Fadele. I have over 10 years of experience across software engineering, IT project management, product architecture, technical GRC, information security engineering, systems integration, AI automation, and infrastructure.

GRC Crest is built from the perspective of someone who has worked close to both engineering execution and security governance — someone who has seen the gap between what policy documents say and what production systems actually do, and knows how to close it with code.

I understand the language of developers (TypeScript, CI/CD, OPA), the language of security (risk scoring, CVSS, threat modelling), the language of compliance (SOC 2, ISO 27001, NIST), and the language of business (ROI, risk exposure, procurement differentiation). That cross-domain fluency is rare — and it is the foundation of everything built in GRC Crest.

I am open to opportunities with employers, organisations, founders, product teams, security teams, and compliance teams who need practical support across technical GRC, information security engineering, compliance automation, secure software delivery, product architecture, infrastructure, and AI-enabled operations.

Work with Ige Fadele

Available for the following engagement types. All arrangements — remote, hybrid, in-office, domestic, and international — are considered.

Consultancy & Advisory

GRC programme design, security architecture review, compliance automation strategy, AI integration advisory. Engagements of any duration.

Contract / Freelance

Fixed-term contracts for specific deliverables: GRC-as-Code implementation, CI/CD compliance pipeline setup, AI agent development, security toolchain integration.

Full-Time Employment

Open to full-time roles as Technical GRC Engineer, Security Compliance Architect, DevSecOps Engineer, Platform Engineer, or Principal/Staff Engineer with security responsibilities.

Part-Time / Portfolio

Part-time engagements, fractional leadership, and portfolio/project roles for organisations building out their GRC or security engineering capability.

B2B / Startup / Founder

For early-stage companies and founders who need to build compliance and security infrastructure from scratch — fast, correctly, and without hiring a full GRC team.

International

Open to international opportunities. Willing to relocate. Currently based in UTC+1. Experienced working across time zones and with globally distributed teams.

ENGAGEMENT TYPES
ConsultancyContractFull-time Part-timeB2BAdvisory RemoteIn-officeHybrid Relocation ReadyInternational
CORE AREAS OF EXPERTISE
Technical GRCInformation Security Engineering Compliance AutomationGRC-as-Code DevSecOpsPolicy-as-Code AI IntegrationSecure Software Delivery Product ArchitectureCloud Infrastructure IT Project ManagementSystems Integration
⬡ COMPANION OPEN-SOURCE RESOURCE

GRC Den

GRC Den is a free, open-source library of production-grade GRC artefacts — policy templates, risk registers, control frameworks, and assessment tools. Built by Ige Fadele as a resource for the entire GRC community.

Whether you want to sharpen your GRC skills, get compliance artefacts you can start using today, or transition into a GRC role — GRC Den gives you everything for free.

  • Production-ready policy templates, risk registers, and control frameworks
  • Saves GRC professionals hours of trial-and-error artefact creation
  • Helps the broader GRC community become more compliance-savvy
  • Free and open-source — no catch, no paywall, no subscription
EXPLORE GRC DEN →
⬡ GRC DEN — ARTEFACT LIBRARY
📋 SOC 2 Gap Assessment TemplateXLSX
📋 ISO 27001 Risk RegisterXLSX
📄 Information Security PolicyDOCX
📄 Vendor Risk Assessment FrameworkDOCX
📄 Incident Response PlanDOCX
📋 NIST 800-53 Control MappingXLSX
📄 GDPR Data Processing RegisterDOCX
📄 Business Continuity Plan TemplateDOCX
+ dozens more artefacts — all free

Roadmap

GRC Crest is actively developed. These features are planned or in progress.

COMING SOON
Real Cloud Integration

Live AWS Config and GCP Asset Inventory polling to replace simulated evidence with real configuration data.

COMING SOON
TOTP Self-Service QR Screen

First-login flow showing a scannable QR code so users can set up Google Authenticator themselves without admin involvement.

COMING SOON
Admin User Panel

UI for administrators to add/remove users and assign roles without editing environment variables directly.

PLANNED
JIRA / ServiceNow Integration

Auto-create tickets for human-queue escalations with AI-generated context, priority, and blast radius already attached.

PLANNED
Slack / Teams Notifications

Push escalation briefs, AI summaries, and incident alerts directly to GRC team channels.

PLANNED
Redis OTP Store

Replace in-memory email OTP store with Redis for multi-instance deployments (Vercel serverless, multiple containers).

PLANNED
Audit Export PDF

One-click PDF export of the entire evidence repository as a formatted, auditor-ready compliance package.

PLANNED
Custom Framework Builder

Define your own compliance frameworks and control sets beyond the built-in SOC 2 / ISO 27001 / NIST.

PLANNED
Regulatory Update Feed

AI-monitored feed surfacing regulatory changes (GDPR, AI Act, DORA) that require policy updates.

MIT License

GRC Crest is free and open-source software. Copyright © 2025 GRC Crest / Ige Fadele.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.