Bernd Janzen
GRC Analyst | Governance, Risk & Compliance | Security Operations
I build compliance baselines that hold up in practice — EU AI Act, GDPR, and NIST CSF 2.0 — and automate the evidence work with Python. Most recently at Panos.ai, where I mapped 47 compliance elements across three frameworks for an AI startup.
- Role
- GRC Analyst
- Frameworks
- EU AI Act · GDPR · NIST CSF 2.0
- Certification
- CompTIA Security+
- Status
- Available — Berlin, DACH
Background & Skills
GRC Analyst based in Berlin. At Panos.ai I built the EU AI Act and GDPR compliance baseline for an AI startup: risk classification, GPAI documentation, RoPA, and core policies — and mapped 47 compliance elements across NIST CSF, GDPR, and the EU AI Act.
I automate compliance work with Python — most recently extracting GCP asset inventory (133 resources) and mapping it to the NIST CSF ID.AM schema. That builder's approach comes from a full-stack web development background (CareerFoundry), and today it means directing AI coding agents through working pipelines and validating what they produce against real data.
CompTIA Security+ certified, completed the Masterschool cybersecurity program (May 2025 – Jul 2026). My background includes an IHK EDV-Kaufmann qualification (1993) and IT support work in the 1990s. Native German speaker.
Projects
Cloud Asset Inventory → Compliance Chatbot
From raw GCP resource data to a plain-language compliance answer. Built a pipeline that scans a live GCP environment, maps resources to the NIST CSF ID.AM schema, checks them against GRC rules, and answers compliance questions in natural language via a GDPR-aware chatbot. Found and fixed two real config-drift bugs along the way.
Aurora AI Security — Network & Security Capstone
Dual-site enterprise network with 13 VLANs, VPN connectivity, and firewall/ACL segmentation. Virtualized security lab (pfSense, Wazuh SIEM, Kali Linux, Windows Server 2022 with AD and HashiCorp Vault). GRC documentation and STRIDE threat models aligned with NIST CSF 2.0, GDPR, NIS2, and IT-SiG 2.0. Validated through red/blue team simulation and incident response playbooks.