/* manifesto */
Compliance — made continuous, observable, and provable by design. Not by audit.
01 Précis
Compliance leader with 15+ years designing automated systems that make regulatory compliance continuous, observable, and provable by design. Built compliance-as-code stacks integrating pre-deploy infrastructure policy scanning, evidence-generation pipelines, and automated control assertion across FedRAMP, CMMC, ISO 27001, SOC 2, C5, IRAP, and many others worldwide. Pioneered enterprise AI governance aligned to ISO 42001 and the EU AI Act.
02 Experience
Aug 2025 → Present · Florida
Director of Product, Compliance and Trust
@ Autodesk
- Launched Compliance-as-Code initiative aligning Autodesk's FedRAMP program to FedRAMP 20x automation
requirements — shifting evidence collection from manual, team-driven processes to continuous, automated
artifact generation.
- Established a 2-year compliance automation roadmap targeting 70% reduction in audit overhead; first
phase already delivered a measurable 10% reduction in audit-driven engineering toil and removed several
feature teams from audit cycles entirely.
- Serve on the Engineering Council as the internal SME on compliance automation, embedding requirements
directly into architectural design reviews before code ships.
- Defined and operationalized a compliance KPI framework adopted across product teams, creating shared
accountability for audit readiness.
70% target audit-overhead reduction
Engineering Council SME
Oct 2022 → Jul 2025 · Florida
Director, Governance, Risk & Compliance
@ UiPath
- Delivered a multi-framework certification portfolio — FedRAMP, C5, ENS, IRAP, ISO 27001/17/18, SOC 1
& 2, ISO 42001, HITRUST — directly enabling $120M+ in public-sector pipeline in two years on a $2M
program budget with zero audit findings across all tracks.
- Architected a Compliance-as-Code program on UiPath's own automation platform, integrating pre-deploy
policy scanning with automated evidence pipelines; reduced manual evidence requests 40% in year one.
- Designed a unified control framework with shared evidence architecture across 10+ certification tracks,
collapsing independent audit cycles into a single coordinated motion.
- Engineered a board-level risk quantification model translating control gap telemetry into financial
exposure, directing $25M+ in targeted cybersecurity investment.
- Rebuilt the compliance team on an engineering-first operating model — including difficult staffing
decisions — producing measurable lifts in cross-org collaboration scores.
$120M+ pipeline
$25M+ directed investment
0 audit findings
40% manual evidence ↓
Jun 2021 → Oct 2022 · Seattle, WA
Head of Compliance
@ Exabeam
- Defined the FedRAMP authorization roadmap for a cloud-native SIEM platform; translated NIST SP 800-53
into engineering implementation specs and led authorization boundary design and control-inheritance
architecture.
- Delivered ISO 27001 in 6 months and SOC 2 Type II in 12 months by embedding security requirements into
the SDLC — audit artifacts produced as a byproduct of normal engineering ops, not a separate motion.
- Reduced audit-prep burden 60% across engineering teams and cut total assessment time by one month
through automated evidence workflows and continuous compliance reporting.
60% audit prep ↓
ISO 27001 in 6mo
SOC 2 Type II in 12mo
May 2017 → Jun 2021 · Seattle, WA
Head of Compliance
@ DocuSign
- Transformed a legacy compliance organization with an engineering-first mandate — building automated
integrations across FedRAMP, DoD, and IRAP frameworks and shifting the team from audit coordination to
scalable compliance infrastructure delivery.
- Designed a unified audit architecture consolidating evidence collection, control mapping, and auditor
interfacing across 10 concurrent certification frameworks — 30% audit cycle reduction, 45% less cross-org
stakeholder involvement.
- Owned certification roadmaps as a strategic business asset, integrating compliance assurance milestones
into Product and Engineering planning cycles.
10 concurrent frameworks
30% audit cycle ↓
45% stakeholder load ↓
Jul 2014 → May 2017 · Seattle, WA
Lead Security Engineer
@ Tableau
- Founding security-team member — built Tableau's security engineering and compliance programs from the
ground up; organizational, technical, and process foundations persisted through Salesforce's $15.7B
acquisition.
- Partnered with SRE to define shared platform tooling and automation architecture, aligning
infrastructure standards to the compliance roadmap from the outset and eliminating future retrofit costs.
- Engineered evidence architecture and auditor-facing documentation for SOX and SOC 2 — designed for
durability, removing engineering teams from audit-time interrupts.
- Pre-sales security SME for enterprise and regulated-industry deals; contributed to $75M+ in deal
closures.
$15.7B acquisition
$75M+ deal influence
Jan 2013 → Jul 2014 · Redmond, WA
Lead Service Engineer
@ Microsoft
- Led FedRAMP and ITAR-compliant cloud infrastructure engineering for internal Microsoft teams at
hyperscale — compliance boundary architecture and cloud deployment patterns.
- Architected and deployed remote access and secure web access infrastructure enabling the launch of
Microsoft Azure and Office 365 in China — navigating complex data sovereignty and regulatory requirements.
Azure & O365 China launch
03 Thought Leadership
Published · shiftleftrepeat.ai
shift.left, repeat.
// Author & Publisher
A practitioner newsletter on the evolution of compliance — compliance as a platform, automated
evidence architecture, policy-as-code, and how AI is reshaping security and compliance organizations.
Featured Essay
"Compliance as Code: A Reference Model for an Industry That Isn't Ready"
A technical framework for replacing manual attestation with automated compliance telemetry
across multi-framework cloud environments.
04 Practice Areas
Compliance Engineering
Policy-as-Code · Terraform / Sentinel pre-deploy scanning · OSCAL · Automated evidence pipelines · Compliance telemetry · Control-inheritance architecture · FedRAMP automation · FIPS 140-2
Regulatory Frameworks
FedRAMP Mod / High · CMMC · DoD IL4 · C5 · IRAP · ENS · NIS2 · ISO 27001 / 17 / 18 · ISO 42001 · SOC 1 & 2 · HITRUST · HIPAA · GDPR · CCPA
AI Governance
ISO 42001 · EU AI Act · US AI Executive Order · AI Risk Management Frameworks · Model Governance · AI Compliance by Design
Cloud & Infrastructure
Azure · GovCloud architecture · Cloud-native security · Zero Trust · Sovereign cloud deployments · Distributed systems security
Risk & Leadership
Cyber risk quantification · Board-level risk reporting · Cross-functional engineering influence · Multi-framework compliance programs · C-level stakeholder management
05 Education
Hodges University
B.S. Information Systems Management
Naples, FL
University of Washington
Certificate in Information Security
Seattle, WA
06 Early Career · 2003 – 2012
Nine years in infrastructure engineering, systems administration, and technical consulting across healthcare,
retail, cruise operations, and financial services — building the hands-on systems foundation that modernized
technical operations across regulated industries.
Oceania Cruise Lines
Sr. Manager, IT
Enterprise infosec strategy; reported to CEO; created tech steering committee.
Compuquip Technologies
Sr. Engineering Consultant
Security architecture assessments and data retention systems for regulated clients.
Perry Ellis International
Systems Administrator
Multi-state VMware deployments and enterprise virtualization.
Arthrex, Inc.
Systems Analyst
Infrastructure automation, DR architecture, VMware/SAN in medical-device environment.
// CERTS · Microsoft (MCSE, MCDBA, MCITP), VMware, Citrix.