Welcome to my portfolio

Tiffany Walker-Roper

AI GRC Professional

Connecticut, USA | Remote

About Me

Privacy and security professional specializing in AI governance and GRC engineering, combining legal and technical expertise across highly regulated environments. Builds practical GRC automation and AI threat modeling tools using AI-assisted development, and applies governance frameworks (NIST AI RMF, EU AI Act, ISO 42001) to AI systems.

Throughout my career, I have worked across aerospace, financial services, and technology industries to design and implement scalable compliance frameworks. From privacy readiness assessments for CCPA/CPRA/GDPR to building Python-based GRC automation tooling with AI-assisted development, I bridge the gap between compliance strategy and technical implementation. I am the 2026 IAPP Young Privacy Professional for the CT chapter and am currently pursuing a Master of Science in Cybersecurity & Information Assurance.

GRC Engineering Portfolio

A self-directed journey building 25+ Python automation tools for Governance, Risk, and Compliance — progressing from foundational scripts to a full-stack GRC framework across four phases. Built using AI-assisted development tools (Windsurf), demonstrating practical application of AI coding tools to GRC engineering workflows.

Phase 1: Foundations

Simple scripts that solve real GRC problems
Built core Python skills through hands-on GRC tooling: an AWS environment validator, password policy checker, compliance evidence logger, CSV policy parser with overdue detection, and a NIST 800-53 to CIS Benchmark control mapper with JSON persistence.
Tags: Environment Validation, Password Policy Checker, Evidence Logger, Policy Inventory Parser, Control Mapper, File I/O, CSV, JSON, NIST 800-53, CIS Benchmarks
5 tools built (Lessons 1–5)
Phase 2: AWS & APIs

Working with cloud services and automation
Connected Python to AWS via boto3 to build real security scanners: an IAM user auditor checking MFA and key age, an S3 bucket security scanner, a CloudTrail log analyzer for suspicious patterns, an automated compliance report generator using OOP, and a scheduled compliance monitor with proper logging.
Tags: IAM Auditor, S3 Security Scanner, CloudTrail Analyzer, Compliance Report Generator, Scheduled Monitor, boto3, OOP, Logging, AWS IAM, AWS S3, CloudTrail
5 tools built (Lessons 6–10)
Phase 3: Advanced Automation

Infrastructure as Code, databases, and web apps
Built production-grade tools: a CloudFormation template validator against security rules, an infrastructure drift detector with baseline snapshots, a SQLite-backed risk register with CRUD operations, an AI risk register aligned to EU AI Act and NIST AI RMF with OWASP LLM Top 10, a Slack/email alerting system with retry logic, and a Flask GRC dashboard with real-time compliance visibility.
Tags: CloudFormation Validator, Drift Detector, Risk Register, AI Risk Register, GRC Alerter, GRC Dashboard, Flask, SQLite, YAML, EU AI Act, NIST AI RMF, OWASP
6 tools built (Lessons 11–15)
Phase 4: Capstone

Putting it all together
Combined all previous tools into a unified GRC automation framework — a structured Python package with shared configuration, a CLI entry point (python -m grc_framework), and unit tests via pytest. Supports audit, scan, report, monitor, and alert commands from a single interface.
Tags: GRC Framework, Python Packaging, pytest, CLI Design, Modular Architecture
1 unified framework (Lesson 16)

AI Threat Model Generator

Open-source Claude Code skill for automated threat modeling
An open-source Claude Code skill that automates structured threat modeling for systems and applications. Point it at a system description, URL, or codebase and it produces a comprehensive threat model report with risk ratings and prioritized mitigations.
Tags: STRIDE, OWASP Top 10, OWASP LLM Top 10, OWASP Agentic AI, MITRE ATT&CK, Claude Code, Markdown
Frameworks Supported: STRIDE, OWASP Top 10 (2025), OWASP Top 10 for LLMs and Gen AI Apps (2025), OWASP Top 10 for Agentic Applications (2026), MITRE ATT&CK, Combined multi-framework analysis
Report Output: Executive summary, system architecture overview, asset and entry point inventory, risk-rated threat analysis, risk matrix visualization, prioritized mitigation roadmap (P1/P2/P3), documented assumptions and limitations
View Source Code on GitHub

AI Usage Governance Agent

Runtime monitoring for LLM usage with compliance framework mapping
An open-source Python toolkit and Claude Code skill pack that monitors AI usage events in real time. Assesses LLM prompts and outputs for PII and credential exposure, scores risk using weighted factors, maps policy violations to four compliance frameworks, and produces audit-ready reports. Built for GRC teams that need enforcement to match policy, not just documentation.
Tags: Risk Scoring, Policy Detection, Compliance Mapping, Alert Routing, Audit Reports, Python, Claude Code, PyYAML, Regex + NLP, GDPR, SOC 2, ISO 27001, NIST AI RMF
Frameworks Mapped: GDPR (Art. 5, 25, 32), SOC 2 (CC6.1, CC6.3, CC6.7, CC7.2), ISO 27001 (A.8.2.3, A.9.2.4, A.9.4.3, A.12.4.1, A.13.2.1), NIST AI RMF (GOVERN-1.1, MAP-4.1, MANAGE-2.2, MANAGE-3.1, MEASURE-2.7)
Capabilities: 8 composable Claude Code skills (analyze-risk, classify-risk, check-policy, map-compliance, detect-patterns, send-alert, generate-report, monitor-loop), 4 Python tools with YAML-driven configuration, severity-based alert routing from immediate through monthly, weighted risk scoring across four factors, one-command batch orchestrator with sample data
View Source Code on GitHub
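The detection, weighted scoring and severity-based routing described above, as an added illustration (not code from the toolkit). Patterns, the four scoring factors and their weights, the severity bands and the sample events are all constructed for this example; the only real identifier is AKIAIOSFODNN7EXAMPLE, the placeholder access key id AWS uses in its documentation. Findings are masked before they are stored, so the audit record never re-exposes what it flagged.

```python
"""Prompt/output screening for PII and credential exposure, weighted risk scoring,
and severity-based alert routing from immediate through monthly.

Added illustration, not code from the toolkit. Patterns, factor weights, thresholds and
sample events are constructed; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key id."""
import re

# category -> (pattern, sensitivity weight). Constructed starting points; extend for your data types.
PATTERNS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), 20),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 40),
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 60),
    "credential_assignment": (re.compile(
        r"\b(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+", re.IGNORECASE), 50),
}
# Severity -> alert cadence (constructed mapping).
ROUTES = {"CRITICAL": "immediate", "HIGH": "daily", "MEDIUM": "weekly", "LOW": "monthly", "NONE": "none"}


def mask(value):
    """Keep a short recognisable prefix only, so the finding itself is not copied into reports."""
    return value[:4] + "*" * (len(value) - 4)


def detect(text):
    """Run every pattern over the text and return one masked hit per match."""
    hits = []
    for category, (pattern, weight) in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append({"category": category, "weight": weight, "masked": mask(match.group(0))})
    return hits


def score(hits, event):
    """Four weighted factors (an assumed set): data sensitivity, breadth of categories,
    destination of the request, and privilege of the requesting user. Range 0-100."""
    if not hits:
        return 0
    sensitivity = max(h["weight"] for h in hits)                       # 0-60
    breadth = min(20, 10 * len({h["category"] for h in hits}))         # 0-20
    destination = 15 if event.get("destination") == "external" else 0  # 0-15
    privilege = 5 if event.get("privileged_user") else 0               # 0-5
    return sensitivity + breadth + destination + privilege


def severity(points):
    """Map the score onto severity bands (constructed thresholds)."""
    if points >= 70:
        return "CRITICAL"
    if points >= 40:
        return "HIGH"
    if points >= 15:
        return "MEDIUM"
    return "LOW" if points > 0 else "NONE"


def assess(event):
    """Assess one usage event: both the prompt and the model output are screened."""
    hits = detect(event.get("prompt", "") + "\n" + event.get("output", ""))
    points = score(hits, event)
    level = severity(points)
    return {"event_id": event["id"], "score": points, "severity": level, "route": ROUTES[level],
            "categories": sorted({h["category"] for h in hits}), "hits": hits}


# Constructed sample events.
SAMPLE_EVENTS = [
    {"id": "evt-1", "destination": "external", "privileged_user": False,
     "prompt": "Draft an apology email to jane.doe@example.com and use key "
               "AKIAIOSFODNN7EXAMPLE to list the bucket"},
    {"id": "evt-2", "destination": "internal", "privileged_user": False,
     "prompt": "Summarize the quarterly compliance report for the board"},
    {"id": "evt-3", "destination": "internal", "privileged_user": True,
     "prompt": "Summarize the access review results for jane.doe@example.com this week"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = assess(event)
        print(result["event_id"], result["score"], result["severity"], "->", result["route"],
              result["categories"])
```

The masking step is the part worth copying: a governance tool that stores the matched secret or PII verbatim in its own report has simply created a second copy of the exposure.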

AWS Automated Access Review

IAM Security Automation Tool

Serverless AWS security assessment with AI-powered reporting for GRC teams
A comprehensive, zero-configuration security assessment tool that automatically evaluates your AWS environment for IAM misconfigurations, overly permissive permissions, missing security controls, and external access risks. Built for security professionals and GRC teams, it combines findings from multiple AWS security services into actionable reports with AI-powered analysis via Amazon Bedrock.
Tags: AWS Lambda, CloudFormation, Security Hub, IAM Access Analyzer, Amazon Bedrock, Python, Serverless, AI-Powered, SOC 2 Type 2, IAM Security
Core Features: IAM security auditing with MFA gap detection, Security Hub finding consolidation, external access analysis via IAM Access Analyzer, AI-generated executive summaries via Amazon Bedrock, automated email delivery, and scheduled execution at configurable intervals. Built serverless on Lambda and deployed via CloudFormation, with reports stored in S3.
Compliance & OSS Contribution: Designed for SOC 2 Type 2 audits, the tool runs monthly access reviews automatically and creates timestamped reports for audit evidence. During deployment, identified and resolved 10 blocking issues across Windows shell compatibility, Bedrock API migration (Claude v2 to Sonnet 4.6, Text Completions to Messages API), and undocumented IAM permissions for Bedrock access.
View Source Code on GitHub
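The two IAM checks that both the Phase 2 IAM auditor and this access review tool describe, MFA gaps on console users and access keys past their rotation age, as an added illustration (not code from either project). The records are constructed and shaped like what the boto3 IAM calls list_users, get_login_profile, list_mfa_devices and list_access_keys return; the collection step is left out so the check runs offline with a fixed clock, and the 90-day rotation limit is an assumed policy value. The timestamped report at the end is the kind of artefact a periodic access review keeps as evidence.

```python
"""IAM hygiene checks: MFA missing on console users, access keys older than the rotation limit.

Added illustration, not code from the projects on this page. SAMPLE_USERS is constructed to look
like merged boto3 IAM output (list_users / get_login_profile / list_mfa_devices / list_access_keys);
fetching it is omitted so the checks run offline and deterministically."""
from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation limit; take yours from the key-rotation policy
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so the sample output is stable

# Constructed records; key ids are placeholders in the AKIA + 16 character shape.
SAMPLE_USERS = [
    {"UserName": "alice", "HasLoginProfile": True, "MfaDeviceCount": 1,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
                     "CreateDate": NOW - timedelta(days=30)}]},
    {"UserName": "bob", "HasLoginProfile": True, "MfaDeviceCount": 0, "AccessKeys": []},
    {"UserName": "carol", "HasLoginProfile": False, "MfaDeviceCount": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
                     "CreateDate": NOW - timedelta(days=200)}]},
    {"UserName": "dave", "HasLoginProfile": False, "MfaDeviceCount": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
                     "CreateDate": NOW - timedelta(days=400)}]},
]


def key_age_days(create_date, now):
    return (now - create_date).days


def audit_users(users, now=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return one finding per failed check; users that pass every check produce nothing."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for user in users:
        name = user["UserName"]
        # MFA gap only applies to users who can sign in to the console.
        if user["HasLoginProfile"] and user["MfaDeviceCount"] == 0:
            findings.append({"user": name, "check": "mfa_missing", "severity": "HIGH",
                             "detail": "console password set but no MFA device enrolled"})
        for key in user["AccessKeys"]:
            age = key_age_days(key["CreateDate"], now)
            if age <= max_key_age_days:
                continue
            if key["Status"] == "Active":
                findings.append({"user": name, "check": "key_age", "severity": "MEDIUM",
                                 "detail": f"active key {key['AccessKeyId']} is {age} days old "
                                           f"(limit {max_key_age_days})"})
            else:
                # Inactive keys can be re-enabled; an old one still deserves deletion.
                findings.append({"user": name, "check": "stale_inactive_key", "severity": "LOW",
                                 "detail": f"inactive key {key['AccessKeyId']} is {age} days old"})
    return findings


def build_report(findings, now):
    """Timestamped summary suitable as evidence for a periodic access review."""
    return {"generated_at": now.isoformat(), "total_findings": len(findings),
            "by_severity": dict(Counter(f["severity"] for f in findings)), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(audit_users(SAMPLE_USERS, NOW), NOW), indent=2))
```

Passing the clock in rather than reading it inside the function is what makes the check testable and makes a stored report reproducible against the snapshot it was run on.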

NIST 800-53 AI Chatbot

RAG-Powered Security Controls Assistant

AI agent for querying NIST 800-53 security controls using Retrieval-Augmented Generation
A Retrieval-Augmented Generation (RAG) chatbot built with n8n, Pinecone, and OpenAI that answers questions about NIST 800-53 security controls. Designed for GRC professionals, auditors, and security teams who need quick, accurate access to control details — powered by real documentation rather than general LLM knowledge alone.
Tags: n8n, Pinecone, OpenAI API, Google Drive, RAG, Vector Embeddings, AI Agents, Node.js, NIST 800-53
Why RAG for GRC: General-purpose LLMs are unreliable for compliance work. They can confidently invent control identifiers or misquote requirements, which is a non-starter for audits and security questionnaires. RAG grounds every answer in retrieved document chunks and explicitly says "I don't know" when the knowledge base is silent. Practical uses include sales enablement, multi-framework compliance documentation, and project onboarding.
How It Works: A Google Drive trigger ingests new documents, which are chunked with a recursive text splitter, embedded with OpenAI, and stored in Pinecone. User queries are embedded with the same model, matched against the vector database, and passed to the AI agent, which uses the retrieved chunks to generate a grounded response with conversation memory. A Node.js and Express backend serves the web chat interface.
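The ingest and query path just described, reduced to its retrieval core, as an added example (not code from the chatbot's n8n workflow). A term-frequency bag-of-words vector stands in for the OpenAI embedding model, an in-memory list stands in for Pinecone, and the three control paragraphs are constructed paraphrases rather than the official NIST 800-53 text. What it shows beyond the description is the abstention step: a similarity threshold under which the assistant answers "I don't know" instead of handing the LLM unrelated chunks to improvise from.

```python
"""Minimal RAG retrieval loop: recursive chunking, embedding, top-k matching, and an explicit
"I don't know" when nothing in the knowledge base is close enough.

Added illustration for this page, not code from the chatbot's n8n workflow. The bag-of-words vector
stands in for the OpenAI embedding model, the list stands in for Pinecone, and the control text is a
constructed paraphrase, not the official NIST 800-53 wording."""
import math
import re
from collections import Counter

STOPWORDS = {"a", "an", "the", "and", "or", "of", "to", "in", "on", "for", "with", "is", "are",
             "be", "that", "those", "this", "which", "what", "who", "does", "do", "should",
             "by", "as", "it", "its", "at", "from", "among"}


def recursive_split(text, chunk_size=400, separators=("\n\n", "\n", ". ", " ")):
    """Recursive character splitting: cut on the coarsest separator present, merge neighbours
    while they fit, and recurse with finer separators on any piece that is still too long."""
    if len(text) <= chunk_size:
        return [text.strip()] if text.strip() else []
    for i, sep in enumerate(separators):
        if sep not in text:
            continue
        chunks, buf = [], ""
        for piece in text.split(sep):
            candidate = piece if not buf else buf + sep + piece
            if len(candidate) <= chunk_size:
                buf = candidate
            else:
                chunks.extend(recursive_split(buf, chunk_size, separators[i + 1:]))
                buf = piece
        chunks.extend(recursive_split(buf, chunk_size, separators[i + 1:]))
        return chunks
    # No separator left: hard cut every chunk_size characters.
    return [text[j:j + chunk_size].strip() for j in range(0, len(text), chunk_size)
            if text[j:j + chunk_size].strip()]


def embed(text):
    """Stand-in embedding (assumption): term frequencies with stopwords removed. The real
    pipeline calls the OpenAI embeddings API, using the same model for documents and queries."""
    tokens = re.findall(r"[a-z0-9]+(?:-[a-z0-9]+)*", text.lower())
    return Counter(t for t in tokens if t not in STOPWORDS)


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def build_index(text, chunk_size=400):
    """Ingest step: chunk, embed, store (chunk, vector) pairs; the part the Drive trigger feeds Pinecone."""
    return [(chunk, embed(chunk)) for chunk in recursive_split(text, chunk_size)]


def retrieve(query, index, k=2):
    """Query step: embed the question with the same model and rank chunks by similarity."""
    q = embed(query)
    return sorted(((cosine(q, vec), chunk) for chunk, vec in index), reverse=True)[:k]


def answer(query, index, threshold=0.3):
    """Return grounded context for the generation step, or abstain when the best match is weak."""
    hits = retrieve(query, index)
    best_score, best_chunk = hits[0] if hits else (0.0, "")
    if best_score < threshold:
        return {"grounded": False, "control": None, "score": round(best_score, 3),
                "context": "", "reply": "I don't know: the knowledge base has nothing on that."}
    control = best_chunk.split()[0]  # each constructed chunk starts with its control identifier
    return {"grounded": True, "control": control, "score": round(best_score, 3),
            "context": best_chunk, "reply": f"Per {control}: {best_chunk}"}


# Constructed paraphrases of three controls, not the official text.
SAMPLE_CONTROLS = """AC-2 Account Management. The organization defines and documents account types, assigns account managers, requires approvals to create accounts, and reviews accounts for compliance with account management requirements.

IA-2 Identification and Authentication. The system uniquely identifies and authenticates organizational users and associates that identity with processes acting on behalf of those users. Multi-factor authentication is required for privileged accounts.

AU-2 Event Logging. The organization identifies the types of events that the system is capable of logging and specifies which event types are to be logged, with the frequency of logging coordinated among organizational entities."""

INDEX = build_index(SAMPLE_CONTROLS)

if __name__ == "__main__":
    for q in ["Which control requires multi-factor authentication for privileged accounts?",
              "Which event types should be logged?",
              "What is the capital of France?"]:
        print(q, "->", answer(q, INDEX)["reply"][:90])
```

The threshold is the control that matters for audit use: without it the top-ranked chunk is returned no matter how poor the match, and the model is invited to answer from general knowledge while appearing to cite a source.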

Skills & Expertise

AI Governance Frameworks

NIST AI RMF, EU AI Act, OWASP LLM Top 10, OWASP Agentic AI Top 10

Privacy & Compliance

CCPA/CPRA, GLBA, GDPR, PCI-DSS, SOC 2, HIPAA, NIST 800-53, NIST CSF, ISO 27001, ISO 42001, CIS Controls

Technical

Python, Flask, AWS (IAM, S3, CloudTrail, CloudFormation), boto3, SQLite, OneTrust, Claude Code, Windsurf

Core Capabilities

Risk Assessment, Security Auditing, Policy Development, Privacy Impact Assessments, Compliance Gap Analysis, AI Threat Modeling, Process Improvement, Cross-Functional Leadership

Certifications

AIGP: AI Governance Professional (IAPP)

CySA+: Cybersecurity Analyst (CompTIA)

ISO 27001: Lead Auditor (Mastermind Assurance)

GRCP: GRC Professional (OCEG)

GRCA: GRC Auditor (OCEG)

IAIP: Integrated Artificial Intelligence Professional (OCEG)

AIGA: Certified AI Governance Program Architect (Logical AI Governance)
