The AI wave of technical disruption is rolling in fast - and right now is the best time to paddle out and catch it.

Daniel Miessler is one of the most optimistic voices in cybersecurity and AI. He's not a doomer. He's someone who sees technology as opportunity. So when he says something striking in his newsletter, it's worth paying attention:

"I'm now guessing we have between 3-9 months before solid commercial products start coming out that are essentially functional AGI. Meaning they can do lots and lots of knowledge worker jobs. And then another 3-12 months for that to hit the market really hard."

And if you want a visceral illustration of how fast this is moving, look at OpenClaw - the open-source AI agent created by Peter Steinberger that exploded to over 180,000 GitHub stars in a matter of weeks. On a recent episode of the Lex Fridman podcast, Steinberger described how non-programmers are already using his agent to automate business tasks, build custom tools, and interact with AI in ways that would have required a development team just a year ago.

One design agency owner told Steinberger he now runs 25 custom web services for his business - and doesn't even know how they work, but they work.

If you're a GRC analyst, compliance specialist, risk manager, or any kind of knowledge worker - this is your window to get ahead of the curve. And today I'd like to provide a great on-ramp to start.

The Wake-Up Call: Shadow AI Is Already Here

Before we talk about what to do, let's talk about why this is urgent.

8 in 10 workers are already using AI without IT's knowledge. Forrester now calls citizen development a core pillar of the future IT operating model. Someone has to write the governance framework for that pillar. Someone needs to create policies for citizen development. Someone needs to assess the risks of AI-generated code in enterprise environments.

That someone should be you. And you'll be far more effective if you actually understand the tools being used.

The Portfolio Problem (And How to Solve It)

Here's what Miessler says you need to do right now:

"It's about to be essential that you're visible, that you have a portfolio of work you can show/talk about, that you have a domain and a website."

Translation for GRC analysts: You need to show, not tell. You need a portfolio of work that demonstrates what you can build. And your next job application might have a GitHub link field that you won't want to leave blank.

But what are the business use cases, and what exactly do you put in your portfolio as a non-engineer? And how do you start?

That's why I'm encouraging anyone who hasn't done it already to install VSCode as a daily driver for their AI workflows, and to check out (as one example) the Simply Cyber CSF Profile Assessment Database on GitHub.

Why VSCode, Why Now

VSCode (Visual Studio Code) isn't just a code editor anymore. It's become a multi-agent orchestration hub where AI agents can write code, create automations, and build tools for you. And you can do it in natural language.

And you don't necessarily need to write code to contribute to open-source projects.

The most valuable contributions to the CSF Profile project right now are:

  • Test procedures - the audit steps an assessor would follow

  • Sample artifacts - documents an auditor would examine

  • Audit workpaper documentation - how specific CSF subcategories get implemented

That's GRC work. It's probably more aligned to what you already know how to do than you realize.

The Simply Cyber CSF Profile Assessment Database is a NIST-listed community project focused on building out practical assessment guidance for the Cybersecurity Framework. If you've ever written a test procedure or documented a control, you already have the skills to contribute.

VSCode makes it easy to clone the repository, edit Markdown files, and submit pull requests. With AI coding agents installed, you can even ask the AI to help format your contributions properly.

Citizen Developers

The shift toward business users building their own tools isn't coming. It's here. Gartner predicted back in 2021 that citizen developers would outnumber professional developers 4:1 at large enterprises (VentureBeat, Oct 2021). The timeline shifted, but the trend only accelerated.

Microsoft Power Platform now has 56 million monthly active users as of 2025, and most of them aren't engineers (Microsoft FY25 Q3 Earnings / Power Platform Blog).

89% of development executives are implementing or planning a citizen developer strategy.

IDC projects a global shortage of 4 million developers, with $5.5 trillion in lost productivity on the line. Organizations need non-engineers building solutions. That's not a prediction. It's already the plan.

And here's the part that matters for GRC: you're not just potential citizen developers. You're the people who'll need to govern citizen development across the enterprise. You can't write the guardrails for something you've never touched. That developer gap is going to be filled by business users building their own tools - whether IT is ready or not.

Steinberger sees this firsthand. OpenClaw's GitHub repository has been flooded with pull requests from people who have never written software before. As he put it on the Fridman podcast:

"Every time someone made the first pull request is a win for our society. It doesn't matter how sh*tty it is, you gotta start somewhere."

He calls them "prompt requests" - and the bar to participate has never been lower.

That should terrify you. And excite you.

The GRC analyst who understands both governance frameworks AND can navigate GitHub? That person becomes indispensable. And contributing to a NIST-listed project is exactly how you demonstrate that capability.

Your 30-Minute Action Plan

Step 1: Download VSCode (5 minutes)

Go to code.visualstudio.com and install it. Free.

Step 2: Install an AI Coding Agent (5 minutes)

Open VSCode, go to Extensions (the puzzle piece icon), and search for one of these:

  • Claude Code - Anthropic's official CLI agent, excellent for agentic workflows

  • Cline - open-source autonomous agent that can edit files, run commands, and browse

  • GitHub Copilot - Microsoft's offering, requires subscription but deeply integrated

Step 3: Contribute Documentation to the CSF Profile Assessment Database on GitHub (15-30 minutes)

Feel free to use AI liberally. We can iterate on it. The key is to get comfortable with the workflow - cloning repos, editing files, and submitting pull requests using AI to help you along the way.

Don't hesitate to ask questions along the way. The Simply Cyber Community is all about being inclusive and supportive.

The Strategic Angle for GRC Professionals

The GRC analyst who can say "I've used VSCode and GitHub to contribute to a NIST-listed project, and here are the governance considerations based on firsthand experience" has 10x more credibility than one who's only read about them.

And the governance challenges are only going to multiply. Steinberger predicts AI agents will kill off 80% of apps, as personal agents replace standalone software for everything from fitness tracking to calendar management to customer emails. On the security front, he's blunt about the risks: prompt injection remains an unsolved industry-wide problem, and weaker models are far more vulnerable to manipulation. His advice?

"Don't use cheap models. Don't use Haiku or a local model... If you use a very weak local model, they are very gullible. It's very easy to prompt inject them."

As these agents proliferate, GRC professionals who understand both the capability and the attack surface will be the ones writing the policies that matter.

The Timeline Is Shorter Than You Think

Miessler's timeline:

  • 3-9 months: Functional AGI products hit the market

  • +3-12 months: Major market disruption for knowledge work

If he's right, that puts us at potentially significant disruption by late 2026 or early 2027. Not far away.

The people who will thrive are those who started learning these tools now, not those who waited until their job descriptions changed.

So how do you do that when the clock is already ticking?

When Fridman asked Steinberger what advice he'd give beginners joining the agentic AI revolution, his answer was one word: "Play." He compared learning to work with AI agents to learning a musical instrument - you don't pick up a guitar once, play badly, and declare the guitar is broken. It takes practice, experimentation, and a willingness to build things you might never use. But every step compounds. As Steinberger described his own journey:

"I could have not had this level of output even a few months ago. It really was a compounding effect of all the time I put into it."

Your Competitive Advantage

Most GRC professionals won't read this article. Of those who do, most won't take action. They'll tell themselves they'll "get to it eventually" or that "their job is different."

That's your competitive advantage.

While they're updating their resume with more certifications, you're building a GitHub profile with actual contributions. While they're reading about whether AI will affect their job, you're gaining firsthand experience with the tools. While they're waiting, you're contributing to a NIST-listed project and building a portfolio the industry can see.

The barrier to entry has never been lower. You don't need to learn Python. You don't need to understand JavaScript. You need to write test procedures, document controls, and create artifacts - exactly what you're already trained to do.

The difference is now you're doing it in the open, building a portfolio, and contributing to community infrastructure that helps the entire profession.

As Steinberger put it:

"That's ultimately power to the people, and one of the beautiful things that come out of AI. Not just a slop generator."

The tools are here. The community is here. The only question is whether you'll be building - or watching.
