In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Kenneth Moras, Head of Security GRC at Plaid. Kenneth shares his journey from web developer and pen tester to building GRC and assurance teams at scale across leading companies like Adobe, Meta, and now Plaid.

The conversation explores how GRC must balance governance, risk, and compliance as distinct but interdependent functions — and why great programs require clarity, collaboration, and simplicity. Kenneth also dives into the origins of the Adobe Common Control Framework (CCF), co-authoring the Open Finance Data Security Standard (OFDSS), and how Plaid applies these principles to secure the future of fintech.

From reducing GRC toil through engineering and automation, to the role of AI and LLMs in risk management, Kenneth makes the case that GRC isn’t just about passing audits — it’s about building trust, reducing risk, and enabling innovation.

🔑 5 Key Takeaways

• 🌐 Career Evolution: Kenneth’s path from developer to GRC leader shows how diverse skills — from IT audit to consulting — strengthen risk leadership.
  
  
• 🏗️ Building Frameworks: Adobe CCF and OFDSS highlight the importance of reducing complexity and standardizing security controls for scalability.
  
  
• ⚖️ Governance vs. Risk vs. Compliance: These functions are distinct but must operate in harmony; misalignment creates organizational risk.
  
  
• 🤖 AI in GRC: Generative AI and MCP tools are shifting GRC from “click ops” to “chat ops,” enabling faster risk assessment and reducing toil.
  
  
• 🚀 GRC as an Enabler: Done right, GRC accelerates innovation by providing clarity, trust, and measurable security benefits.

📘 What You’ll Learn

• How to build a GRC program from scratch in a hyper-growth company.
  
  
• Why governance, risk, and compliance require unique skill sets but interlock as checks and balances.
  
  
• The story behind Adobe’s CCF and why Plaid open-sourced OFDSS.
  
  
• How AI and automation are changing GRC engineering and risk management.
  
  
• What Kenneth looks for when hiring the next generation of GRC professionals.
  
  

📺 Watch more episodes: https://www.compliancecow.com/podcast

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: www.compliancecow.com

🔗 Connect With Our Guest: Kenneth Moras | Head of Security GRC at Plaid

⭐ Stay Connected:

Rate, review, and subscribe to Security & GRC Decoded wherever you get your podcasts:

• Spotify
• Apple Podcasts