
The Paramify Podcast

Podcast by Paramify

English

Business

About The Paramify Podcast

The Paramify Podcast is a practical, occasionally chaotic show about GRC, risk management, and staying audit-ready without losing your mind. It’s part talking security strategy, and part group therapy. We talk with cybersecurity and GRC leaders, including CISOs, auditors, founders, and security engineers, about FedRAMP and FedRAMP 20x, SOC 2, CMMC, NIST RMF, the shift toward continuous evidence, and everything in between.

Learn about what we do at Paramify here: www.paramify.com

All episodes

57 episodes


AI, FedRAMP and the "Dark Matter" of Data with Bhanu Jagasia and Vincent Tham

Is legacy compliance actually dead?

In this episode of the Paramify Podcast, we sit down with Bhanu Jagasia and Vincent Tham from BladeStack to talk about the massive shift happening in the GRC world. From the "dark matter of data" to the transition toward FedRAMP 20X, we’re moving away from 1,500-page "black box" documents and toward real-time, automated evidence.

We also dive deep into the AI hype: Will knowledge workers be automated by 2027? Why does "vibe coding" fail in high-stakes compliance? And how can lean teams punch above their weight class using deterministic automation?

Connect with BladeStack:
LinkedIn: bladestack.io
Bhanu Jagasia: linkedin.com/in/bhanujagasia
Vincent Tham: linkedin.com/in/vincenttham
Website: bladestack.io

Connect with Paramify:
LinkedIn: linkedin.com/company/paramify
Kenny Scott: linkedin.com/in/kenny-g-scott
Mike Schreiner: linkedin.com/in/mikecschreiner
Website: paramify.com

Chapters:
0:00 Intro & Evidence Automation
1:27 Welcome to the Paramify Podcast
3:00 How Bladestack Got Started
6:29 Evidence Automation & the "Dark Matter" of Data
12:31 Why Expertise Still Matters in FedRAMP
14:37 Bladestack's Tech-First Approach to Compliance
18:40 AI Hype vs Reality in FedRAMP
22:52 Understanding What LLMs Actually Are
26:34 The Problem with Legacy SSPs
28:06 Why FedRAMP 20X Changes Everything
36:40 The Legacy FedRAMP Process Was Broken
40:32 How Bladestack Leverages AI Internally
43:19 Branding in an AI-Commoditized World
46:31 AI's Impact on the Threat Landscape
49:53 The Future of Compliance
54:00 Where to Find Bladestack

May 18, 2026 - 55 min

GRC Engineering, FedRAMP 20x, and AI with Ethan Troy

"Anytime someone says something is dead, that's exactly what I have to go learn." - Ethan Troy

Kenny and Isaac sit down with Ethan Troy, Senior GRC Engineer at TRM Labs, Head of AI Research at GRC Engineering Club, and Hacker at hackIDLE. One of the GOATs of GRC engineering. He's been shipping GRC tools, automations, and agents nonstop. He's assessed FedRAMP packages from the 3PAO side at Coalfire and A-LIGN. He's pentested for the Department of the Treasury. He built a FedRAMP 20x assessment app before most people knew what 20x was. His job interview at TRM Labs? They made him build an AI agent. And yes, this is the first Paramify Podcast Isaac is on.

We got into:
→ Why now is the best time to learn something new
→ Why 85% of a good GRC agent is deterministic code, not AI
→ How to actually build agents (dog food your own stuff, stop one-shotting)
→ Why the SSP is becoming the SSDR (System Security Decision Record) and what that means for FedRAMP® 20x
→ Why domain expertise is what separates good AI output from great AI output

FedRAMP is changing rapidly. Want to learn more about these changes? Check out this webinar here: https://lnkd.in/ge9wQ2Zf

Learn more about Ethan Troy: https://www.linkedin.com/in/ethantroy/?skipRedirect=true
Learn more about TRM Labs: https://www.trmlabs.com/
Learn more about Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Isaac Teuscher: https://www.linkedin.com/in/isaacteuscher/
Learn more about Paramify: https://www.paramify.com/

Chapters:
00:58 - Introductions & GRC Engineering
02:12 - From Nursing to Cybersecurity
05:18 - The Problem with Legacy GRC Tools
12:13 - FedRAMP 2.0: The End of SSPs?
16:48 - The FedRAMP Marketplace Metaphor
24:38 - Outcome-Based vs. Hourly Consulting
31:51 - Automating Evidence Collection
37:16 - AI & Real-Time Incident Response
45:10 - Secure Configuration Guides
52:43 - Building an AI-First Culture
58:51 - Principles for AI Agents in GRC
01:05:03 - The 85/15 Rule for AI Logic

May 12, 2026 - 1 h 6 min

Justin Merhoff on FedRAMP 20x, Secure AI, Trust Centers, and Modern Cybersecurity

In this episode of The Paramify Podcast, Kenny sits down with Justin Merhoff to talk about what makes security actually work: usability, speed, adaptability, and real-world adoption.

Justin shares lessons from nearly three decades in cybersecurity, from his time in the U.S. Army to leading security and compliance programs in the private sector. The conversation covers FedRAMP 20x, trust centers, secure AI, accessibility in cybersecurity, and why security should support the business instead of slowing it down.

They also get into the real burden of FedRAMP and CMMC documentation, why better tooling can reduce burnout for lean security teams, and why “usable security” is often the difference between a control that works in practice and one that only looks good on paper.

Note: At the time this episode was recorded, Justin was with Rhymetec. He is now Director of Compliance at DTEX.ai.

Links:
Justin Merhoff on LinkedIn: https://www.linkedin.com/in/justinmerhoff
Kenny Scott on LinkedIn: https://www.linkedin.com/in/kenny-g-scott
DTEX.ai: https://www.dtex.ai/
Paramify: https://www.paramify.com/

In this episode, you’ll hear:
- Why usable security is better security
- How secure AI can help small teams move faster
- Why trust centers are becoming more important
- How accessibility gaps can create real security risk
- Why servant leadership matters in cybersecurity
- Why FedRAMP 20x is shifting the focus back to risk

Chapters:
0:00 Secure AI, lean teams, and why the right tools matter
1:12 Intro to Justin Merhoff
2:08 How Justin got started in cybersecurity
8:31 Army stories, leadership, and early security lessons
16:06 Moving from the military into corporate security
19:17 Why security should enable the business
20:45 The future of trust centers
25:20 Secure AI, small teams, and reducing compliance burnout
29:32 Why FedRAMP 20x is a needed change
36:31 Cyber leadership, adaptability, and how people break into security
44:13 Why accessibility is a cybersecurity issue
51:18 What Justin was doing at the time and how Rhymetec helps clients
54:35 Outro

This episode is a great listen for anyone working in FedRAMP, CMMC, GRC, compliance, security leadership, or third-party trust.

Mar 2, 2026 - 55 min

Making Risk Make Sense with Rob Black

“There’s a 5% chance of a $5 million loss. Is it exactly right? No. But it’s way better than saying medium, because medium means nothing.”

Kenny sits down with Rob Black, Founder and CEO of Fractional CISO, to break down how to translate cyber risk into language executives actually act on: probability, dollars, tradeoffs, and clear acceptance instead of vague labels that disappear into a slide deck. We also get into the “magic genie” myth of GRC tools, what vCISO looked like back in 2017, and the origin story behind Rob’s legendary wig videos.

Key takeaways:
  • How to quantify risk without pretending it’s perfectly precise
  • Why “high/medium/low” breaks the conversation with leadership
  • Where humans are still required (even with great tools)

Learn more about Rob Black here: https://www.linkedin.com/in/blackrob/
Learn more about FractionalCISO: https://fractionalciso.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Paramify: https://www.paramify.com/

Feb 2, 2026 - 54 min