SS Shihan Suhail Risk · Compliance · AI

Risk · Compliance · AI

Building the systems that
keep enterprises trustworthy.

I'm Shihan Suhail, an ISO 27001 Lead Auditor and Azure cloud security specialist. I write about the collision of governance, risk and compliance with the AI that is rapidly reshaping all three.

Shihan Suhail Shihan Suhail ISO 27001 Lead Auditor · Azure Cloud Security
Read the writing About me ↗
ISO 27001 Lead Auditor
Azure Cloud Security
22 Articles published
GRC × AI Research focus

What I work on

Three intersecting disciplines

The interesting problems live where audit rigour, cloud architecture, and machine intelligence overlap.

01

Risk & Compliance

ISO 27001 Lead Auditor work, SOC 2 evaluation, control mapping and audit readiness, translating framework requirements into decisions executives can act on.

ISO 27001SOC 2GRC
02

Cloud Security

Azure landing zone assessments, policy as code, and security posture, hardening cloud estates against the gap between architecture intent and live configuration.

AzurePostureGovernance
03

AI in GRC

Where intelligent agents meet governance: continuous compliance validation, automated control mapping, and the new risks AI itself introduces.

AI AgentsAutomationAssurance

Latest writing

Field notes on GRC & AI

All articles →
01 · 8 min read

Scanning Terraform Against Azure Policy at Build Time in Azure DevOps

Azure Policy stops noncompliant resources at deploy time. This shows how to catch the same violations earlier, in the Azure DevOps build, so a bad Terraform plan fails the pipeline instead of the deployment.

AzureSecurityGRC
Read →
02 · 6 min read

Strengthening Your Cloud Security Posture with Microsoft Defender for Cloud

Knowing where your cloud environment is weak is half the battle. Microsoft Defender for Cloud gives you a continuous read on your posture and maps it straight to the standards you have to comply with.

AzureSecurityGRC
Read →
03 · 7 min read

What the EU AI Act Means for Risk and Compliance Teams

The EU AI Act is the first comprehensive law to regulate AI by risk. For compliance teams the question is no longer whether it applies, but which of your AI systems fall into which tier, and what each tier demands.

AIGRCRisk
Read →

Let's talk

Have a compliance, cloud security or AI governance problem?

I'm always happy to compare notes with peers building trustworthy systems.

Get in touch