
Welcome to the continuous audit era

5 min read
Published on Jun 9, 2026
Updated on Jun 9, 2026
Authored by Susmita Joseph, Content Writer
Reviewed by Abinaya Ramakrishnan, Associate Product Marketing Manager

We opened our recent webinar with a single question: if an auditor, regulator, customer, or board member asked for proof that your controls are working tomorrow morning, how ready would you be?

Most attendees said they’d need one to three weeks. Some admitted they’d be improvising.

That gap between having controls and proving they work is what the conversation was really about. Because requests no longer wait for audit season. They come from customers before a contract is signed, from insurers before a policy is written, from boards that want more than a status update. And when that moment arrives, the teams that scramble are the ones that treated compliance as an annual exercise.

So, how are leading organizations staying ready year-round? 

The segment that got everyone leaning in: Hot Take Blackjack

The webinar featured a fast-paced yet insightful round of Hot Take Blackjack, in which the panelists responded to bold statements on audit readiness, evidence quality, control ownership, and customer trust.

It was a reminder that compliance teams are not just being judged on whether they have controls in place. They are being judged on whether those controls are understood, owned, tested, and defensible.

The biggest takeaway from the round? The strongest compliance programs do not treat hard questions as audit problems. They treat them as operating signals.

The new compliance wakeup calls

Compliance has a new deadline: tomorrow morning.

Whether the request comes from an auditor, a customer, a regulator, a cyber insurer, or the board, organizations are increasingly expected to prove that their controls are working, often at a moment’s notice.

While the panel approached the topic from different perspectives (auditor, advisor, trust leader, and CISO), they all arrived at the same conclusion: compliance is becoming less about documenting controls and more about proving they work.

Here are five insights that every compliance and security team should pay attention to in 2026.

1. Audit readiness is becoming a continuous process

Most compliance programs are built around audit cycles. Evidence gets gathered, reviewed, and then packaged only when an audit is approaching.

That may have worked not so long ago, but auditors are no longer the only stakeholders asking for proof.

Customers want assurance before signing contracts. Cyber insurers want evidence before underwriting policies. Boards want visibility into risk. Regulators increasingly expect organizations to demonstrate ongoing control effectiveness, not just annual preparedness.

The strongest teams are responding by treating evidence as a living asset rather than an audit deliverable.

What leading teams are doing differently: They are validating evidence continuously, not weeks before an audit.

2. Audit confidence breaks faster than controls do

A missing document might raise a question, but five different explanations of the same process raise concerns about the entire program.

One of the panel’s strongest points was that auditors often look for confidence before they look for gaps. They want to understand whether the people responsible for controls actually understand how those controls operate.

When ownership is unclear or stakeholders provide conflicting answers, trust erodes quickly.

In other words, a well-documented process is only useful if the organization can demonstrate that it is consistently executed.

What leading teams are doing differently: They test operational understanding, not just documentation.

3. Customers have become auditors

Not long ago, a compliance certificate was enough to satisfy most customer security reviews.

Those days are disappearing.

Enterprise customers increasingly want to understand how controls operate in practice. They ask about ownership, risk decisions, compensating controls, exceptions, and evidence. They expect thoughtful answers, not rehearsed ones.

As Loris Gutic pointed out, trust is built through transparency, not perfection.

The panel repeatedly emphasized that organizations should not be afraid to discuss limitations. Mature programs are defined by how they manage risk, not by pretending risk does not exist.

What leading teams are doing differently: They can explain the reasoning behind their controls, not just point to them.

4. Ownership is the control behind every other control

The panel highlighted a common weakness in compliance programs: controls that technically exist but are understood by only one person, are inconsistently reviewed, or are disconnected from business reality.

Jim Routh also discussed how mature GRC programs evolve beyond evidence collection. Instead of measuring audit preparedness, they measure control effectiveness through ongoing monitoring and clearly defined KPIs.

Roland Cloutier connected this challenge to organizational change.

The lesson is simple: a control is only as strong as the ownership model supporting it.

What leading teams are doing differently: They assign accountability for validating and improving controls, not just maintaining documentation.

5. Tomorrow’s biggest compliance risks may already be in your environment

When the conversation turned to the future, two themes stood out: AI and visibility.

The panel agreed that shadow AI is quickly becoming a governance challenge. Employees are adopting AI tools faster than most organizations can assess, approve, or monitor them.

The most surprising moment of the session came from Jim Routh, and it had nothing to do with AI frameworks or regulatory timelines.

“Threat actors are actually thrilled at the lack of maturity around IT asset management,” he said. “We have IT assets in production today that nobody knows about, don’t have an owner, and are unmanaged. And that’s true across every organization.”

The problem is that most organizations never fully solved asset inventory when they moved to the cloud, and AI is making it significantly worse. Every unsanctioned AI tool a sales team adopts, every agent spun up without IT involvement, every API connection made outside the formal process adds to a growing inventory of assets that exist, operate, and carry risk entirely outside the governance perimeter.

Roland Cloutier put it plainly: “Think about the number of APIs we already have a visibility problem with. Now add agentic capabilities on top of that.”

The compliance implication is stark: you can’t evidence what you can’t see. The next generation of audit gaps won’t come from a control that failed; they’ll come from infrastructure that nobody thought to govern in the first place.

What leading teams are doing differently: They treat asset inventory as a compliance capability with an owner, a review cadence, and a defined scope, not a one-time IT exercise. In practice, that means: a named owner for every deployed asset, a process for flagging new AI tools or integrations before they reach production, and regular sweeps to surface unknown or unmanaged assets before an auditor does. 
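The sweep described above is mechanical enough to script. The following is an added example, not code from the post or from Scrut: it reconciles a list of assets a discovery run reported (what is actually running) against the inventory of record (what is owned and reviewed) and emits the four kinds of gap an auditor would find. The data shapes, the sample assets, the sweep date and the 90-day review cadence are all assumptions; in practice the discovered list would come from cloud and SaaS discovery APIs and the inventory from a CMDB or GRC tool.

```python
"""Inventory sweep: reconcile discovered assets against the owned inventory.

Added example, not code from the post or from Scrut. The data shapes, the
sample assets and the 90-day review cadence are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumption): what a discovery sweep reported today.
DISCOVERED = [
    {"id": "i-0a1b2c", "kind": "vm", "source": "cloud-api"},
    {"id": "fn-billing-export", "kind": "function", "source": "cloud-api"},
    {"id": "apigw-partner-v2", "kind": "api", "source": "cloud-api"},
    {"id": "agent-sales-assistant", "kind": "ai-agent", "source": "saas-discovery"},
    {"id": "i-ff9e8d", "kind": "vm", "source": "cloud-api"},
]

# Constructed sample data (assumption): the owned inventory of record.
INVENTORY = [
    {"id": "i-0a1b2c", "owner": "alice@example.com", "last_reviewed": "2026-05-20"},
    {"id": "fn-billing-export", "owner": "", "last_reviewed": "2026-01-10"},
    {"id": "apigw-partner-v2", "owner": "bob@example.com", "last_reviewed": "2025-11-02"},
    {"id": "db-legacy-reports", "owner": "carol@example.com", "last_reviewed": "2026-05-01"},
]

AS_OF = date(2026, 6, 9)        # date of the sweep (assumption)
MAX_REVIEW_AGE_DAYS = 90        # review cadence (assumption)


@dataclass(frozen=True)
class Finding:
    asset_id: str
    issue: str    # unknown | no_owner | stale_review | not_found
    detail: str


def sweep(discovered, inventory, as_of: date, max_review_age_days: int) -> list[Finding]:
    """Return every gap between what is running and what is governed."""
    records = {a["id"]: a for a in inventory}
    seen = {a["id"] for a in discovered}
    findings: list[Finding] = []

    for asset in discovered:
        rec = records.get(asset["id"])
        if rec is None:
            # Running, but nobody governs it: the "asset nobody knows about".
            findings.append(Finding(asset["id"], "unknown",
                            f"{asset['kind']} reported by {asset['source']} with no inventory record"))
            continue
        if not rec["owner"]:
            # Inventoried but unowned: no one is accountable for validating its controls.
            findings.append(Finding(asset["id"], "no_owner", "inventory record has no accountable owner"))
        age = (as_of - date.fromisoformat(rec["last_reviewed"])).days
        if age > max_review_age_days:
            # Owned but not reviewed on cadence: the evidence is stale.
            findings.append(Finding(asset["id"], "stale_review",
                            f"last reviewed {age} days ago (limit {max_review_age_days})"))

    for asset_id in records.keys() - seen:
        # In the inventory but not running: a record that no longer matches reality.
        findings.append(Finding(asset_id, "not_found", "inventory record with no matching discovered asset"))

    return sorted(findings, key=lambda f: (f.asset_id, f.issue))


def issues_by_asset(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding types per asset, e.g. for a weekly owner report."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.asset_id, []).append(f.issue)
    return out


def run_sweep() -> list[Finding]:
    return sweep(DISCOVERED, INVENTORY, AS_OF, MAX_REVIEW_AGE_DAYS)


if __name__ == "__main__":
    for f in run_sweep():
        print(f"{f.issue:13} {f.asset_id:24} {f.detail}")
```

Run on the constructed data, the sweep flags the two assets discovery saw that the inventory does not (an AI agent and a VM), the function with no owner whose last review is also overdue, the API gateway that is owned but past its review window, and one inventory record with nothing running behind it. Each finding type maps to a different owner action, which is why they are emitted separately rather than as a single "gap" count.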

It’s time to reprogram your compliance program.

Throughout the discussion, the panel returned to a common theme: compliance is no longer a point-in-time exercise.

The controls may not have changed. The frameworks may not have changed. But the expectations certainly have.

The organizations that thrive under increasing scrutiny won’t necessarily have more policies, more controls, or more documentation.

They’ll simply be able to answer a difficult question faster than everyone else: Can you prove your controls are working today?

That requires a different mindset. One that treats evidence as a continuous process, ownership as a shared responsibility, and compliance as an ongoing demonstration of trust rather than an annual exercise in preparation.

In other words, the future of compliance is not about working harder at audit time. It’s about redesigning how compliance works the other 364 days of the year.

About Scrut Automation

Scrut Automation is a modern GRC platform designed to help fast-growing organizations simplify security, compliance, and risk management.

By combining continuous automation with expert guidance, Scrut reduces manual workloads, accelerates audit readiness, and empowers teams to scale their security posture confidently.

From HIPAA and SOC 2 to ISO 27001, GDPR, PCI, and beyond, Scrut helps teams achieve multi-framework compliance with ease.
