Why I Started Second Foundation: Compliance Should Be Real, Not Performative

I didn’t start Second Foundation because I wanted to build another compliance tool. I started it because I spent years doing compliance work the hard way—and saw how broken the system really is.

Where This Started: My Time at Expedia Group

Earlier in my career, I worked at Expedia Group as a compliance manager. We took risk and controls seriously, but the tools we had made the work harder than it needed to be.

The GRC platforms on the market looked good in demos, but in real life they didn’t help much. Risk assessments, control tracking, testing, and evidence collection were still manual, scattered, and time-consuming. Automation was promised, but rarely delivered. Most of the effort went into managing spreadsheets and documents instead of actually improving controls.

What I learned there was simple: compliance problems usually come from bad systems, not bad people.

Seeing the Bigger Picture at the AICPA

Later, as a CITP committee member at the AICPA, I focused on technology and AI adoption in the accounting profession. I saw growing pressure on firms and companies to “use AI,” often without clear guidance on what that should actually mean.

There was real interest in better tools—but also real concern about audit quality, independence, and professional judgment. That confirmed something I already believed: technology should support good compliance work, not replace it or hide weak practices.

The Rise of “AI Compliance” Claims

In the last few years, I’ve seen many startup GRC platforms claim they can get companies “SOC or ISO compliant in days” using AI. In reality, many of these tools just help generate documents faster.

They don’t fix poor risk assessments.
They don’t design better controls.
They don’t change how companies actually operate.

Speed without substance is not compliance. It just creates the appearance of it.

A Hard Truth About Audit Quality

I’ve also seen cases where some CPA firms are not careful enough when issuing SOC or ISO opinions. Sometimes it’s because the same firm is helping implement controls and then reviewing its own work. Sometimes it’s pressure to move fast or keep clients happy.

When independence slips, trust slips with it. And once trust is gone, the whole system breaks down.

Why I Built Second Foundation

Second Foundation is my response to all of this.

A simple, AI-native GRC platform—free for core risks and controls

I’m building an AI-native GRC platform focused on SOC and ISO audits. Common risks and controls should be easy to understand and available to everyone—for free. AI should help people learn and structure compliance, not lock knowledge behind paywalls.

Compliance that actually means something

The goal is not to help companies “get a report.” The goal is to help them do the work—understand their risks, build real controls, and improve security and operations.

Working with CPA firms that value independence and quality

I want to partner with CPA firms that care about doing audits the right way. Second Foundation will respect auditor independence, and I expect firms to issue opinions they truly stand behind.

Final Thought

Compliance isn’t just for big companies or auditors. It’s for anyone who handles data, money, or trust.

And it only works when it’s real.