Most compliance is a photograph. You spend weeks preparing, an auditor shows up, the environment is pristine, the certificate gets issued, and everyone exhales. The photo is real. The problem is that you keep living after it's taken.
By summer, three new services have shipped. A config got loosened for a deadline and never tightened back. Someone left, someone joined, access lists drifted. None of it is malicious — it's just entropy, the natural tendency of a living system to wander away from the state it was in on audit day. And the certificate on your wall still says everything is fine.
This is why I've stopped treating point-in-time certification as the goal and started treating it as the floor. The questions worth answering aren't "did we pass?" but "would we pass right now, without warning?" and "how would we know?" Those are continuous-assurance questions, and they change how you build. You instrument controls so their state is observable on any given Tuesday, not just reconstructable before an audit. You favor evidence that's generated as a byproduct of how the system actually runs over evidence assembled by hand for the examiner.
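One way to make "would we pass right now?" answerable is a control check that runs on a schedule, compares a live inventory snapshot to the baseline signed off on audit day, and writes a timestamped evidence record every time, whether or not anything drifted. This is an added example, not code from the original post; the service names, control settings and access lists are constructed.

```python
"""Continuous control check: compare live state to the approved baseline and
emit an evidence record on every run, so drift is seen the day it happens."""
from datetime import datetime, timezone
import json

def _plain(value):
    """Make set-valued controls (access lists) JSON-serialisable and order-independent."""
    return sorted(value) if isinstance(value, (set, frozenset)) else value

def evaluate(approved: dict, live: dict, now=None) -> dict:
    """Return an evidence record: timestamp, pass/fail, one finding per drifted control."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for service, controls in approved.items():
        current = live.get(service)
        if current is None:
            findings.append({"service": service, "control": "*", "issue": "no live snapshot"})
            continue
        for control, expected in controls.items():
            actual = current.get(control)
            if actual != expected:  # a loosened setting or a drifted access list lands here
                findings.append({"service": service, "control": control,
                                 "expected": _plain(expected), "actual": _plain(actual)})
    for service in live.keys() - approved.keys():  # shipped since audit day, never baselined
        findings.append({"service": service, "control": "*", "issue": "not in approved baseline"})
    return {"checked_at": now.isoformat(), "passed": not findings, "findings": findings}

# Constructed sample data; the services and settings below are hypothetical.
APPROVED = {  # state as signed off on audit day
    "billing-api": {"tls_min_version": "1.2", "admin_group": {"alice", "bob"}, "public_bucket": False},
}
LIVE = {  # what an inventory job finds today
    "billing-api": {"tls_min_version": "1.0",                 # loosened for a deadline, never tightened
                    "admin_group": {"alice", "bob", "carol"},  # access list drifted
                    "public_bucket": False},
    "reports-api": {"tls_min_version": "1.2", "admin_group": {"dave"}, "public_bucket": False},
}

if __name__ == "__main__":
    print(json.dumps(evaluate(APPROVED, LIVE), indent=2))
```

Each run's record is the evidence; a year of them shows the auditor how the controls actually behaved, not how they looked on the day.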
Partners and regulators are moving the same direction. "We were compliant in Q1" is starting to sound like "the smoke detector worked when we installed it." The interesting, credible claim is the present-tense one. Build for that, and the annual audit stops being a fire drill — it becomes a confirmation of something that was already true yesterday and will be true tomorrow.
