Compliance as Code: Automating Regulatory Requirements
Compliance in regulated industries is expensive, time-consuming, and perpetually incomplete. Enterprises in financial services, healthcare, government, and energy spend enormous sums on compliance activities — documenting controls, gathering evidence, conducting assessments, responding to auditor requests — and yet the gap between compliance posture at audit time and compliance posture at any given moment remains uncomfortably wide.
The fundamental problem is that compliance has historically been treated as a periodic exercise. Controls are documented, evidence is gathered, and auditors assess compliance at a point in time. Between assessments, the environment drifts — configurations change, new systems are deployed, access permissions evolve, and the compliance posture at the time of the last audit may bear limited resemblance to the current state.
Compliance as code addresses this gap by expressing compliance requirements as executable policies that are automatically and continuously evaluated against the actual state of the environment. Instead of documenting that “all databases must be encrypted at rest” and periodically checking a sample of databases, the organisation defines a policy that checks every database continuously and alerts immediately when a non-compliant database is detected.
This is not a theoretical concept. The tooling ecosystem — Open Policy Agent (OPA), HashiCorp Sentinel, AWS Config Rules, Azure Policy, Chef InSpec, and others — has matured to the point where enterprises can implement continuous compliance for significant portions of their regulatory obligations. The shift from periodic to continuous compliance is perhaps the most impactful application of automation in enterprise governance.
The Architecture of Compliance Automation
Compliance as code operates through several interconnected components that together provide continuous compliance assurance.
Policy definition is the translation of regulatory requirements and organisational standards into executable code. Each compliance requirement is expressed as a policy that defines what compliant state looks like, what evidence must be collected, and what action should be taken when non-compliance is detected. OPA’s Rego language, Sentinel’s policy language, and InSpec’s domain-specific language each provide mechanisms for expressing policies as code.
The policy definition process requires collaboration between compliance experts (who understand the regulatory requirements and their intent), security architects (who understand the technical controls that satisfy the requirements), and engineers (who can express the controls as executable policies). This collaboration is essential — policies written without compliance expertise may miss the regulatory intent, while policies written without technical expertise may be impractical to implement.
Policy evaluation runs the defined policies against the actual state of the environment. This evaluation can occur at multiple points: at deployment time (preventing non-compliant resources from being created), continuously (detecting drift from compliant state), and on demand (generating compliance evidence for auditors). The evaluation frequency depends on the risk profile — critical controls may be evaluated every hour, while lower-risk controls may be evaluated daily.
Evidence collection captures the results of policy evaluations as compliance evidence. Each evaluation produces a record that documents what was checked, when it was checked, what the result was, and what the environment state was at the time of the check. This evidence is stored immutably, providing a continuous audit trail that auditors can review at any time. The shift from “we gathered evidence for the audit” to “we have continuous evidence available at all times” fundamentally changes the audit experience.
Remediation orchestration responds to detected non-compliance. Automated remediation — automatically correcting non-compliant configurations — is appropriate for well-understood, low-risk corrections (enabling encryption, adjusting access permissions). Manual remediation with automated notification is appropriate for complex or high-risk situations where human judgement is needed. The remediation approach should be defined as part of the policy, ensuring consistent response to each type of non-compliance.
Regulatory Framework Mapping
Enterprises in regulated industries must comply with multiple overlapping frameworks — APRA CPS 234 for financial services in Australia, PCI DSS for payment card processing, SOC 2 for service organisations, ISO 27001 for information security management, and industry-specific regulations. Each framework has dozens or hundreds of individual controls, many of which overlap across frameworks.
A control mapping capability translates framework-specific requirements to the organisation’s control library. A single technical control — “all data at rest is encrypted using AES-256” — may satisfy requirements in multiple frameworks. The mapping documents this relationship, enabling a single policy evaluation to provide evidence for multiple compliance obligations.
Maintaining this mapping is an ongoing effort. Regulatory frameworks evolve — new requirements are added, existing requirements are clarified, and interpretation guidance changes. The mapping must be reviewed and updated as frameworks change, ensuring that the automated policies remain aligned with current requirements.
The benefit of this mapping is substantial. When a new regulation introduces a requirement that is similar to an existing control, the compliance team can identify the existing policy that satisfies (or nearly satisfies) the new requirement, avoiding redundant implementation effort. When an auditor requests evidence for a specific control, the compliance system can immediately provide continuous evidence without manual collection.
Implementation Strategy
Enterprise compliance automation should follow a progressive adoption strategy that builds capability and confidence incrementally.
Phase one targets the highest-value controls — those that are checked most frequently, most likely to drift, or most consequential when non-compliant. Infrastructure security controls (encryption, network segmentation, access management) are typical starting points because they are well-defined, technically measurable, and relevant across multiple regulatory frameworks. Cloud-native policy services (AWS Config, Azure Policy) provide immediate value for cloud resource compliance with minimal implementation effort.
Phase two extends to application-level controls — code security scanning, dependency vulnerability management, secure configuration validation, and data handling practices. These controls require deeper integration with the software delivery pipeline and may require custom policy development for organisation-specific requirements.
Phase three addresses operational and process controls — change management compliance, incident response procedure adherence, and business continuity testing. These controls are more complex to automate because they involve human processes, but aspects can be automated through workflow tooling and process monitoring.
Throughout this progression, the compliance team should maintain both the automated policies and the traditional compliance documentation. The automated policies are the enforcement mechanism. The documentation provides the context, rationale, and human-readable explanation that auditors need. Over time, the documentation references the automated policies as evidence, and the traditional evidence gathering process is replaced by automated evidence production.
Measuring Compliance Automation Value
The value of compliance as code manifests across several dimensions.
Audit preparation time decreases dramatically. Instead of weeks of evidence gathering before each audit, the compliance system produces continuous evidence that is available on demand. Organisations report reducing audit preparation effort by fifty to seventy percent after implementing compliance automation.
Compliance gap detection time decreases from months (between periodic assessments) to hours or minutes (through continuous evaluation). This means that non-compliant configurations are detected and remediated before they can be exploited, reducing the organisation’s actual risk rather than just its reported compliance posture.
Compliance confidence increases because the organisation knows its compliance state at all times, not just at the point of the last assessment. This confidence enables faster technology adoption — new systems can be deployed with assurance that compliance policies will be automatically applied and verified.
The CTO who invests in compliance as code transforms compliance from a periodic, manual burden into a continuous, automated capability. For regulated enterprises, this is not merely an efficiency improvement — it is a fundamental enhancement to the organisation’s actual security and compliance posture, delivered with less effort and greater confidence than traditional approaches can achieve.