
The honest guide to compliance automation

Compliance platforms promise to automate your audit. They automate evidence collection. Everything else still requires a human who knows what they are doing.

Eight out of ten companies I walk into for a vCISO retainer have a green compliance dashboard and a security program a pentester would unwind in twenty minutes. The platform vendors are not lying. They are doing exactly what they advertise. The buyers are reading the product page and concluding that a green checkmark next to CC6.1 means access controls are actually working. Those are two different statements.

This post is the version of the compliance-automation conversation I have with founders in their first month of an engagement: what the platforms automate well, what they still hide a manual process behind, and the gap that turns a green dashboard into a qualified audit opinion.

What the platforms genuinely automate well

Vanta, Drata, Secureframe, Oneleet, and the rest of the platform tier are real software. They solved a real problem: evidence collection used to mean a quarterly fire drill where someone exported screenshots out of AWS, Okta, and GitHub at 11pm the night before audit fieldwork. The platforms turned that into continuous integrations that pull evidence all year. That is a legitimate and durable improvement.

Specifically, here is what the platforms do well, in roughly the order I would weight them in a buying decision:

  • Continuous evidence collection from cloud providers, SSO, MDM, and source control. The auditor wants screenshots of MFA enforcement and asset inventories. The platform takes those daily, not quarterly.
  • Configuration drift detection. The platform notices when a new S3 bucket is public or a new admin gets added to GitHub, and creates a ticket before that becomes an audit finding.
  • Policy templates as a starting point. Not a finishing point. The templates are generic by definition; they keep you from writing a policy from a blank page, which is a real time saving.
  • Audit-period evidence indexing. When the auditor asks for proof a control operated for the full audit period, the platform has the timeline ready. Without a platform, this is a week of evidence reconstruction.
  • Vendor inventory and SOC 2 report intake. Not the actual review work, but the bookkeeping of which vendors have which reports and when each one expires.

If you are doing SOC 2 or ISO 27001 without a platform in 2026, you are spending engineering hours on a problem that is solved. Pick one.

What the platforms still hide a manual process behind

Here is where the marketing and the product diverge. The platform shows a green dashboard. Underneath each green tile is a workflow that requires a human to do the actual work. The platform tracks that the work happened, but it cannot do the work.

The five places I most often find a green dashboard masking a real gap:

  • Policy customization. The template policy says all production access is gated by SSO with MFA. Your reality is a backend engineer with a shared SSH key for the bastion host. The platform does not know.
  • Vendor risk reviews. The platform tracks that a SOC 2 report was uploaded. It does not read the report or notice that the carve-out section excludes the subprocessor handling your customer data.
  • Customer security questionnaires. Vanta's Trust Center auto-shares some artifacts. The bespoke 200-question SIG that your largest enterprise prospect just sent over still needs a human to answer.
  • Exception handling. The control says quarterly access reviews. You missed a quarter because the lead engineer left and nobody picked it up. The platform shows the gap. Closing the gap requires actual decisions and documentation.
  • Audit-prep narrative. The auditor will ask why the access review was three weeks late. The platform shows the dates. Explaining the why and showing the corrective action is human work.

The gap that gets companies audited

The single most consequential mismatch I see is between what the policy says and what the system does. The platform pulls the latest IAM configuration. The platform does not pull the policy out of your knowledge base, parse it, and check whether the configuration matches.

Concretely: your access management policy says all access to production is via SSO with MFA, sessions time out after 8 hours, and admin actions require step-up authentication. The platform shows you SSO is configured and MFA is enforced. Both true. The platform does not check whether the session timeout matches the policy, whether step-up auth exists at all, or whether the legacy support tool that bypasses SSO is still alive in a forgotten subnet.
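To make the gap concrete, here is a small reconciliation check of the kind a security lead can run themselves. It is an added example, not code from this post or from any of the platforms named above. The policy values, the configuration snapshot, and the field names (`session_timeout_hours`, `admin_step_up_required`, the asset `auth` field) are constructed assumptions standing in for a real IdP export and asset inventory; the point is that the "dashboard" check passes while the policy-to-configuration check does not.

```python
"""Policy-to-configuration reconciliation.

Added example, not code from the post or from any compliance platform.
It models the gap described above: a platform tile confirms SSO and MFA
are on, but nobody checks the rest of the written access policy against
what the identity provider and the network actually do. Every input
below is constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str
    policy_value: object
    observed_value: object
    severity: str


# What the written access-management policy states (constructed).
POLICY = {
    "sso_required": True,
    "mfa_enforced": True,
    "session_timeout_hours": 8,
    "admin_step_up_required": True,
    "sso_bypass_allowed": False,
}

# What a configuration snapshot shows (constructed to resemble an IdP
# export plus an asset inventory; all names and values are made up).
CONFIG_SNAPSHOT = {
    "idp": {
        "sso_required": True,
        "mfa_enforced": True,
        "session_timeout_hours": 72,
        "admin_step_up_required": False,
    },
    "assets": [
        {"name": "api-prod", "subnet": "10.0.1.0/24", "auth": "sso"},
        {"name": "legacy-support-tool", "subnet": "10.9.9.0/24", "auth": "local-password"},
        {"name": "bastion", "subnet": "10.0.0.0/24", "auth": "sso"},
    ],
}


def dashboard_is_green(snapshot):
    """What a typical platform tile checks: SSO on, MFA on. Nothing else."""
    idp = snapshot["idp"]
    return bool(idp.get("sso_required")) and bool(idp.get("mfa_enforced"))


def reconcile(policy, snapshot):
    """Compare each policy statement with the observed configuration.

    Returns a list of Finding objects, empty when policy and reality agree.
    """
    findings = []
    idp = snapshot["idp"]

    # Boolean controls: the policy says "required"; the config must too.
    # A missing key (None) is treated as a mismatch, not as "unknown".
    for control in ("sso_required", "mfa_enforced", "admin_step_up_required"):
        want = policy[control]
        got = idp.get(control)
        if got != want:
            findings.append(Finding(control, want, got, "high"))

    # Numeric control: a timeout longer than policy allows is a mismatch.
    want = policy["session_timeout_hours"]
    got = idp.get("session_timeout_hours")
    if got is None or got > want:
        findings.append(Finding("session_timeout_hours", want, got, "medium"))

    # Inventory control: any production asset not behind SSO is a bypass,
    # which is how the forgotten legacy tool surfaces.
    if not policy["sso_bypass_allowed"]:
        for asset in snapshot["assets"]:
            if asset["auth"] != "sso":
                observed = f"{asset['name']} ({asset['auth']}, {asset['subnet']})"
                findings.append(Finding("sso_bypass", "none", observed, "high"))

    return findings


if __name__ == "__main__":
    print("dashboard green:", dashboard_is_green(CONFIG_SNAPSHOT))
    for f in reconcile(POLICY, CONFIG_SNAPSHOT):
        print(f"[{f.severity}] {f.control}: policy={f.policy_value} observed={f.observed_value}")
```

Run against the sample data, `dashboard_is_green` reports True while `reconcile` returns three findings: step-up auth absent, a 72-hour session timeout against an 8-hour policy, and one asset authenticating with a local password outside SSO. Feeding it a real IdP export means mapping that export's field names onto the ones assumed here; the structure of the check does not change.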

Auditors are getting better at finding this. Customer pentesters always find it. The fix is to write the policy after looking at the actual configuration, not before.

How to actually use a compliance platform

Here is how I tell retainer clients to think about the platform once it is set up:

  • Treat the platform as the system of record for evidence, not as the system of record for the security program. The program lives in your runbooks, your architecture, and the people doing the work.
  • Never accept a template policy without rewriting it against your actual stack. The templates are a starting point. Shipping the template as-is is the source of most policy-reality mismatches.
  • Wire alerts from the platform into the same channel where you handle real incidents. A failing control should feel like a failing service, not an email that gets archived.
  • Run a quarterly walkthrough where someone reads each policy aloud and confirms the system actually does what the policy says. This catches drift before the audit does.
  • Reserve human attention for the things the platform cannot do. Vendor reviews. Customer questionnaires. Exception narratives. Audit-prep conversations. That is where a vCISO or in-house security lead actually creates leverage.

When automation makes the program worse

There is one failure mode worth naming explicitly. Companies that adopt a platform without a security lead frequently end up with a worse posture six months later than they started with. The platform creates the impression that security is being handled. Engineering deprioritizes security work because the dashboard is green. The actual implementation gaps grow underneath. By the time the auditor or the customer pentester surfaces the gap, the team has lost six months of remediation runway.

The platform is a tool. A tool needs an operator. If you cannot afford a full-time security hire yet, the right structure is a vCISO retainer running on top of the platform, not a platform running by itself.
