Monthly Archives: October 2025

Gradually, Then Suddenly: Compliance as a Vital Sign of Organizational Decay

“How did you go bankrupt?” a character asks in Hemingway’s The Sun Also Rises.
“Two ways,” comes the reply. “Gradually, then suddenly.”

That is how organizations fail.

Decay builds quietly until, all at once, trust evaporates. The surprise is rarely the failure itself. The surprise is that the warning signs were ignored.

One of the clearest of those warning signs is compliance.

Compliance Isn’t Security

Security practitioners like to say, “compliance isn’t security.” They are right. Implementing a compliance framework does not make you secure.

SOC 2 shows why. It is a framework for attesting to controls, not for proving resilience. Yet many organizations treat it as a box-checking exercise: templated policies, narrow audits, point-in-time snapshots.

The result is an audit letter and seal that satisfies procurement but says little about how the company actually manages risk.

That is why security leaders often overlook compliance’s deeper value.

But doing so misses the point. Compliance is not proof of security. It is a vital sign of organizational health.

Compliance as a Vital Sign

Think of compliance like blood pressure. It does not guarantee health, but when it trends the wrong way, it signals that something deeper is wrong.

Organizational health has many dimensions. One of the most important is reproducibility, the ability to consistently do what you say you do.

That is what compliance is really about. Not proving security, but proving reproducibility.

Security outcomes flow from reproducible processes. Compliance is the discipline of showing those processes exist and can be repeated under scrutiny.

If you are not using your compliance program this way, as a vital sign of organizational health, there is a good chance you are doing it wrong.

Telemetry vs Point-in-Time Theater

Compliance only works as a vital sign if it is measured continually.

A one-time audit is like running an EKG after the patient has died. It may capture a signal, but it tells you nothing about resilience.

If your compliance telemetry only changes at audit time, you do not have telemetry at all. You have theater.

Healthy organizations use frameworks as scaffolding for living systems. They establish meaningful policies, connect them to real procedures, and measure whether those procedures are working. Over time, this produces telemetry that shows trends, not just snapshots.

Hollow organizations optimize for paperwork. They treat audits as annual fire drills, focus on appearances, and let compliance debt pile up out of sight.

On paper they look fine. In reality they are decaying.

Distrust Looks Sudden, but Never Is

The certificate authority ecosystem makes this pattern unusually visible.

Every distrusted CA had passing audit reports. Nearly all of them showed years of compliance issues before trust was revoked. Audit failures, unremediated findings, vague documentation, repeat exceptions. All accumulating gradually, all while auditors continued to issue clean opinions.

When the final decision came, it looked sudden. But in reality it was the inevitable climax of a long decline.

The frameworks were there: WebTrust, ETSI, CA/Browser Forum requirements. What failed was not the frameworks, but the way those CAs engaged with them.

Independent Verification, Aligned Incentives

The auditor problem mirrors the organizational one, and it appears across every regulated industry.

Auditors get paid by the organizations they audit. Clean reports retain clients. Reports full of findings create friction. The rational economic behavior is to be “reasonable” about what constitutes a violation.

Audits are scoped and priced competitively. Deep investigation is expensive. Surface verification of documented controls is cheaper. When clients optimize for cost and auditors work within fixed budgets, depth loses.

Auditors are often competent in frameworks and attestation but lack deep technical or domain expertise. They can verify a policy exists and that sampled evidence shows it was followed. They are less equipped to evaluate whether the control actually works, whether it can be bypassed, or whether the process remains reproducible under stress.

In the WebPKI, WebTrust auditors issued clean opinions while CA violations accumulated. In finance, auditors at Wirecard and Enron missed or downplayed systemic issues for years. In healthcare, device manufacturers pass ISO audits while quality processes degrade. The pattern repeats because the incentive structure is the same.

The audit becomes another layer of theater. Independent verification that optimizes for the same outcomes as the organization it is verifying.

The Pattern Repeats Everywhere

This dynamic is not limited to the WebPKI. The same pattern plays out everywhere.

Banks fined for AML or KYC failures rarely collapse overnight. Small violations and ignored remediation build up until regulators impose billion-dollar penalties or revoke licenses.

FDA warning letters and ISO 13485 or IEC 62304 violations accumulate quietly in healthcare and medical devices. Then, suddenly, a product is recalled, approval is delayed for a year, or market access is lost.

Utilities cited for NERC CIP non-compliance often show the same gaps for years. Then a blackout, a safety incident, or a regulator penalty makes the cost undeniable.

SOC 2 and ISO 27001 in technology are often reduced to checklists. Weak practices are hidden until a breach forces disclosure, the SEC steps in, or customers walk away.

For years, auditors flagged accounting irregularities and opaque subsidiaries at Wirecard. The warnings were dismissed. Then suddenly €1.9 billion was missing and the company collapsed.

Enron perfected compliance theater, using complex structures and manipulated audits to look healthy. The gradual phase was tolerated exceptions and “creative” accounting. The sudden phase was exposure, bankruptcy, and a collapse of trust.

In security, the same pattern shows up when breaches happen at firms with repeat compliance findings around patching or access control. To outsiders the breach looks like bad luck. To insiders, the vital signs had been flashing red for years.

Different industries. Different frameworks. Same structural pattern: gradual non-conformance, ignored signals, sudden collapse.

Floor or Facade

The difference comes down to how organizations engage with frameworks.

Healthy compliance treats frameworks as minimums. Organizations design business-appropriate and system-appropriate security controls on top. Compliance provides evidence of real practices. It is reproducible.

Hollow compliance treats frameworks as the ceiling. Controls are mapped to audit templates. Documentation is produced to satisfy the letter of the requirement, not to reflect reality. It is performative.

Healthy compliance is a floor. Hollow compliance is a facade.

Which one are you building on?

Why Theater Wins

Compliance theater is not a knowledge problem. It is an incentive problem with a structural enforcement mechanism.

The people who bear the cost of real compliance (engineering time, operational friction, headcount) rarely bear the cost of compliance failure. By the time collapse happens, they have often moved on: promoted, departed, or insulated by organizational buffers.

Meanwhile, the people who face immediate consequences for not having an audit letter and seal (sales cannot close deals, partnerships stall, procurement rejects you) have every incentive to optimize for the artifact, not the reality.

The rational individual behavior at every level produces collectively irrational outcomes.

Sales needs SOC 2 by Q3 or loses the enterprise deal. Finance treats compliance as overhead to minimize. Engineering sees security theater while facing pressure to ship. The compliance team, caught between impossible demands, optimizes for passing the audit. Executives get rewarded for revenue growth and cost control, not for resilience that may only matter after they are gone.

Even when individuals want to do it right, organizational structure fights them.

Ownership fragments across the organization. Security owns controls, IT owns implementation, Legal owns policy, Compliance owns audits, Business owns risk acceptance. No one owns the system. Everyone optimizes their piece.

Organizations compound this with contradictory approaches to security and compliance. Security gets diffused under the banner that “security is everyone’s responsibility,” which sounds collaborative but becomes an excuse to avoid investing in specialists, dedicated teams, or proper career paths. When security is everyone’s job, it becomes no one’s priority.

Compliance suffers the opposite problem. Organizations try to isolate it, contain the overhead, keep it from interfering with velocity. The compliance team becomes a service function that produces audit artifacts but has no authority over the processes they are attesting to. They document what should happen while having no power to ensure it does.

Both patterns distribute responsibility without authority, then act surprised when accountability evaporates.

Time horizons misalign. Boards and executives operate on quarterly cycles. Compliance decay compounds over 3- to 5-year horizons. By the time the bill comes due, the people who made the decisions have harvested their rewards and moved on.

At the top, executives rarely see true compliance health. Success is presented as green dashboards and completed audits. In the middle, compliance leaders want to be seen as delivering, so success is redefined as passing audits and collecting audit letters and seals. At the ground level, practitioners know the processes are brittle, but surfacing that truth conflicts with how success is measured. Everyone looks successful on their own terms, but the system as a whole decays.

Accountability diffuses. When collapse happens, it is framed as a “perfect storm” rather than the predictable outcome of accumulated decisions. Causation is plausibly deniable, so the individuals who created the conditions face no consequences.

The CA distrust pattern reveals this clearly. WebTrust audits happen annually. CA/B Forum violations accumulate gradually. But the CA’s business model rewards sales, not security or compliance.

The compliance team knows there are issues but lacks authority to halt issuance. Engineering knows the processes are brittle but gets rewarded for features. Leadership knows there are findings but faces pressure to maintain market share.

Everyone is locally rational. The system is globally fragile.

What Compliance Actually Predicts

Compliance failures do not directly cause security failures. But persistent compliance decay strongly correlates with organizational brittleness.

The specifics change: financial reporting, PKI audits, safety inspections. The pattern does not.

Gradual decay. Ignored signals. Then sudden collapse.

Compliance does not predict the exact failure you will face. But it does predict whether the organization has the culture and systems to sustain discipline when it matters.

That is why it is such a reliable leading indicator.

Organizations that suffer “sudden” compliance collapse are not unlucky. They are optimally designed for that outcome. The incentives reward short-term performance. The structure diffuses accountability. The measurement systems hide decay.

The surprising thing is not that it happens. It is that we keep pretending it is surprising.

Building Systems That See

Ignore your blood pressure long enough and the heart attack looks sudden. The same is true for organizations.

Compliance frameworks should not be dismissed as paperwork. They should be treated as telemetry, imperfect on their own but invaluable when tracked over time.

They are not the whole diagnosis, but they are the early warning system.

At its best, compliance is not about passing an audit. It is about showing you can consistently reproduce the controls and practices that keep the organization healthy.

If compliance is a vital sign, then what matters is not the paperwork but the telemetry. Organizations need systems that make compliance observable in real time, that prove reproducibility instead of just certifying it once a year, and that reveal patterns of decay before they turn into collapse.
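The contrast drawn in "Telemetry vs Point-in-Time Theater" and restated here, between a snapshot taken on audit day and a trend tracked continuously, can be made concrete. The following is an added illustration, not code from the post or from any compliance tool. Every record in it is constructed: a daily pass/fail result for four hypothetical controls over four fixed 90-day quarters, shaped so that each control is remediated a week before the quarter-end audit date. The audit snapshot therefore reads green every quarter, while the per-quarter failing-day series shows three of the four controls decaying gradually. The control names, the quarter length, and the decay rule (failing days rising in each of the last two quarter-over-quarter comparisons) are all assumptions chosen for the example.

```python
"""Continuous compliance telemetry versus a point-in-time audit snapshot.

Added example, not the post's own code. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

QUARTER_DAYS = 90          # assumption: fixed-length quarters
QUARTERS = 4
START = date(2025, 1, 1)   # constructed start of the observation window
REMEDIATION_WINDOW = 7     # findings are "fixed" this many days before audit

# Constructed: days each control was failing in each quarter.
# Three controls drift; mfa-enforcement is genuinely stable.
FAILING_DAYS = {
    "patching-sla": [3, 10, 25, 45],
    "quarterly-access-review": [0, 5, 20, 40],
    "backup-restore-test": [0, 0, 2, 10],
    "mfa-enforcement": [2, 1, 0, 1],
}


@dataclass(frozen=True)
class CheckResult:
    day: date
    control: str
    passed: bool


def quarter_of(day: date) -> int:
    """Map a date to its 0-based quarter index within the window."""
    return (day - START).days // QUARTER_DAYS


def audit_date(quarter: int) -> date:
    """Last day of the quarter: when the point-in-time audit is taken."""
    return START + timedelta(days=quarter * QUARTER_DAYS + QUARTER_DAYS - 1)


def build_records() -> list[CheckResult]:
    """Expand FAILING_DAYS into one result per control per day.

    Each failure run is placed immediately before the remediation window,
    so the control fails for n consecutive days and is fixed before audit.
    """
    records = []
    for q in range(QUARTERS):
        for d in range(QUARTER_DAYS):
            day = START + timedelta(days=q * QUARTER_DAYS + d)
            for control, per_quarter in FAILING_DAYS.items():
                n = per_quarter[q]
                fail_end = QUARTER_DAYS - REMEDIATION_WINDOW    # exclusive
                fail_start = fail_end - n
                failing = fail_start <= d < fail_end
                records.append(CheckResult(day, control, not failing))
    return records


def snapshot(records, on: date) -> dict[str, bool]:
    """What the audit sees: each control's status on a single day."""
    return {r.control: r.passed for r in records if r.day == on}


def failing_days_by_quarter(records) -> dict[str, list[int]]:
    """The telemetry view: days failing per control per quarter."""
    counts = {c: [0] * QUARTERS for c in sorted({r.control for r in records})}
    for r in records:
        if not r.passed:
            counts[r.control][quarter_of(r.day)] += 1
    return counts


def is_decaying(series: list[int], window: int = 2) -> bool:
    """True when failing days rose in each of the last `window` comparisons."""
    if len(series) < window + 1:
        return False
    tail = series[-(window + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def assess(records) -> dict[str, dict]:
    """Put the snapshot and the trend side by side for every control."""
    report = {}
    for control, series in failing_days_by_quarter(records).items():
        green = all(snapshot(records, audit_date(q)).get(control, False)
                    for q in range(QUARTERS))
        report[control] = {"green_at_every_audit": green,
                           "failing_days": series,
                           "decaying": is_decaying(series)}
    return report


if __name__ == "__main__":
    for control, view in assess(build_records()).items():
        print(f"{control:24} audits green: {view['green_at_every_audit']}  "
              f"trend: {view['failing_days']}  decaying: {view['decaying']}")
```

Run as a script, it prints one line per control: every control is green at every audit, yet three of the four carry a rising failing-day trend. The point of the design is that `snapshot` and `failing_days_by_quarter` read the same record stream; the only difference is whether the stream is sampled once or kept. A real program would feed `CheckResult` from control-test output (patch lag reports, access-review completion, restore-test logs) rather than from `FAILING_DAYS`, and the `window` on `is_decaying` is the tuning knob between early warning and noise.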

Until we build those kinds of systems, most compliance programs will remain theater. Until compliance is treated as reproducibility rather than paperwork, incentives and structure will always win out.

The frameworks are fine. What is missing is the ability to see, continuously, whether the organization is living up to them.

Ignore the vital signs, and collapse will always look sudden.