Three chapters shaped how I work.

I began as an engineer, where precision was not optional. My first role involved drawing airplane cockpit components from Mylar blueprints. The geometry either matched reality or it did not. That instinct stayed with me.

At KPMG, I spent four years across audit, risk, and controls work, contributing to close to 35 engagements in Financial Services, Telecom, Energy, Airports, and Real Estate. I worked across procurement, payroll, revenue, legal, compliance, ERP controls, access management, and data integrity. The work taught me that the most important thing is rarely the control as documented, but the distance between the documented control and the system in operation.

I also passed the CISA exam in 2012 during this period, which strengthened the audit and control foundation that still shapes how I examine systems today.

Before that, at Idea Cellular, I worked on customer communications compliance for millions of subscribers. It was operational, repetitive, and exacting. It also taught me early that governance only matters when it is embedded in daily practice.

My next chapter moved outward, from internal controls to user and product experience.

In Singapore, I co-founded a UX design agency and worked with startups and enterprises on product and customer experience. Later, I moved into product and solutions roles across healthcare and AI-powered software development. These years taught me to look at systems not only from the inside, but from the perspective of users, customers, and product teams.

This is where I learned to translate across GTM, engineering, customer, product, and governance contexts, a skill that still shapes how I work today.

Relocating to the Netherlands gave the work a new frame.

As regulations such as DORA, CRA, GDPR, and the EU AI Act moved closer to operational reality, I saw the same question returning in a more urgent form: do organisations actually comply, or do they mainly have documentation that says they do?

Since arriving in the Netherlands, I have been thinking through what it means to be a full-stack GRC practitioner. To answer that properly, I needed to get closer to systems, which is why I deliberately deepened my technical capability through intensive DevSecOps training across cloud, CI/CD, SAST, SCA, containers, and automated guardrails.

For me, this shift does not mean abandoning GRC. It means extending it so regulatory intent can be traced into architecture, controls, pipelines, evidence, and findings that can stand up to scrutiny.

This is the direction I am pursuing now: bringing together audit methodology, regulatory understanding, and technical depth for work that needs to hold up in regulated environments.