Skip to content
XVault
Get in touch
Notes

Compliance ships with code.

Why programs that live in PDFs drift, and what shipping the controls as infrastructure actually looks like.

The most common failure mode in a compliance program isn't the controls themselves — it's that the controls live in PDFs and wiki pages while the actual systems run on code, configuration, and automation that nobody explicitly mapped them to. The audit passes, the certificate gets framed, and six months later the program drifts because the binder and the infrastructure are two separate things owned by two separate teams on two separate boards.

This is pretty well understood by everyone who's been on either side of an audit. What's interesting is how predictable it is. If your controls and your systems are described in different languages, owned by different teams, and updated on different cadences, drift isn't an unfortunate accident — it's the steady state. Surprise is what would require explanation.

Collapse the two artifacts into one

The fix isn't a better binder. It's making the control be the infrastructure-as-code, the evidence collection be the same pipeline that ships product, the policy be the configuration in the repo. When someone asks "who has access to the production database," the answer isn't "let me check the access-review spreadsheet" — it's terraform show. When an auditor asks for evidence of monitored access, the answer isn't a screenshot — it's a link to a query.

This is what "AI-augmented" actually means in the practice, by the way. Not that a model is drafting policies (though a model can help with the first revision of one). The leverage is in the wiring: classifying access-log events against control objectives, pulling drift reports from the configuration store and routing them to owners, structuring evidence so the next audit is a query rather than a project. The bottleneck on most programs isn't authoring policies — it's the operational tax of keeping them current. The tools collapse that tax dramatically when they're embedded in the right places.

What it looks like in practice

A short list of patterns I keep coming back to:

  • Access reviews that run as cron jobs against identity telemetry, with anomalies surfaced as ticketed issues to the data owner. Not a quarterly spreadsheet ritual.
  • Privacy impact assessments and processing records generated from the same schema definitions the engineering team writes, with annotations layered on top. Not maintained twice.
  • Vendor security reviews triggered by procurement events in the company's actual procurement tool, with the assessment workflow living in the same system the rest of the company already uses.
  • Incident-response runbooks that are deployable scripts, not Word documents. The document IS the playbook, and running through it leaves a trace.

The "auditors expect binders" objection

That's been less true every year for a decade, and it's no longer true at all for the modern auditors who handle most of this work. The format that gets accepted in a readiness review now is a screenshot of a live dashboard, a query against the audit log, or a link to a runbook in a repository. The teams that ship faster aren't the ones with thicker binders — they're the ones who stopped maintaining the binder as a separate artifact.

If you're running a program where the controls and the infrastructure don't talk to each other, you're paying that tax whether you've noticed it or not. The work to integrate them is bounded, well-understood, and pays back faster than most engineering investments because every audit afterwards is cheaper than the last one.

The goal isn't compliance theater that passes one inspection. It's a program your engineering team can actually operate.