GRC & Leadership

Who this path is for

You're responsible for AI risk, policy, or audit readiness — CISO, compliance lead, AI governance owner, or a security director whose board just added "AI" to every quarterly update. You need the frameworks, the threat taxonomy at executive altitude, and the operational links between them. You don't need to write code.

Prerequisites

  • General cybersecurity risk literacy (NIST CSF, ISO 27001 at a high level)
  • Familiarity with your organization's regulatory exposure (US federal / EU / sector-specific)

Sequence

  1. 01 Foundations — Start here — the minimum AI vocabulary to read the rest of this path without bluffing.
  2. 05 LLM Vulnerabilities — Start here — OWASP LLM Top 10, MITRE ATLAS, and NIST AI 100-2 as the three taxonomic frames every AI risk register needs.
  3. 06 Agentic Security — Start here — why agentic systems change the risk picture (Meta's Rule of Two is the most practically operational guidance in the space).
  4. 10 Incident Response — Start here — what AI-specific IR looks like; the field is nascent and that matters for your readiness plan.
  5. 09 Governance & Compliance — Start here — NIST AI RMF (voluntary, risk-based), EU AI Act (binding), ISO 42001 (certifiable) — pick your applicable regime.
  6. 09 Governance & Compliance — Go deeper — CSA AICM for control mapping; COSAI for operational defender playbooks.
  7. 14 AI for GRC — Start here — how AI is changing GRC practice itself; essential context when evaluating vendor pitches.
  8. 14 AI for GRC — Tools — one open-source compliance automation reference point to calibrate vendor claims against.

What you'll know by the end

  • Which AI governance framework applies to you, and why
  • How to map framework obligations to technical controls and operational signals
  • What an AI incident response plan looks like (and what's still missing from the field)
  • How to read a vendor AI-for-compliance pitch with honest skepticism

Where to go next

  • Practitioner — if you want to build enough hands-on intuition to argue with engineers credibly
  • Security Pro → AI — if your security team needs the threat-focused analog of this path