The 5 First Principles of compliance automation
Compliance is rarely voluntary: usually businesses need it to obtain a licence, certification, investment, or contract. And often it's a painful process: auditors and regulators simply can't understand your business half as well as you do. The path of least resistance? Answer all questions and wrap it up as quickly as possible. Ultimately, more time is spent on the quality of evidence than on the actual controls themselves. Sounds fun! (not).
Why would anyone ever want to build a career in this field? Or create a tool for it? It's a question we've often been asked. In this article, we explore our personal five 'first principles' to answer this question, and how you too can solve the compliance problem.
The status quo as the biggest competitor
When Max, Martijn, and I started Tidal Control, we were enthusiastic about the possibilities of automation to solve the compliance problem. This was based on the pain each of us felt in our previous companies. And so we foolishly skipped the part where you ask yourself what problem exactly you're solving, and went straight to product design. We were convinced we could build a better product than anything on the market.
But by validating our product, we discovered that competing platforms weren't our biggest enemy. The biggest competitor is the status quo: "As long as I can get away with MS Excel, why look further?"
Why organisations keep clinging to Excel
Excel feels familiar and accessible. Everyone knows it, everyone can work with it, and it costs no extra budget to use. For small teams pursuing their first certification, it seems like a logical choice. You create a spreadsheet with all requirements, add a column for status and evidence, and Bob's your uncle.
The problem only arises gradually. The spreadsheet grows and nobody knows exactly which version is the latest anymore. Evidence is scattered across different files and folders. When an auditor asks for specific documents, the search begins through email history and old backups. What started as a simple solution becomes unmanageable chaos.
Yet organisations keep holding onto this approach because change feels scary. A new platform means investment, time to learn, and the risk that it won't work as hoped. The familiar pain feels safer than the unknown solution, even if that familiar pain keeps getting worse.
The illusion that existing processes are 'good enough'
"Didn't we achieve certification last year with this approach?" is a frequently heard reasoning. And technically speaking, that's correct. You passed the audit, the certificate hangs on the wall, so why would you change a winning formula?
What this reasoning ignores is the hidden price you pay. The weeks of stress before the audit, the late-night sessions collecting missing documentation, the frustration of team members being asked for the same evidence repeatedly. These costs aren't visible in a budget, but they are in missed opportunities and team fatigue.
Moreover, compliance is becoming increasingly complex. What worked last year doesn't scale with your growth. More employees, more systems, more clients mean exponentially more compliance obligations. The spreadsheet approach that worked with ten people breaks down at fifty. By then, migrating to a better system has become even more painful.
Compliance is a broken process
The first conviction we had to formulate is that compliance is a broken process. We believe people don't enjoy collecting evidence in screenshots and Excel files. We saw that compliance managers and auditors were rarely satisfied with the quality and consistency of results.
The pain points for compliance teams
We saw the pain our clients experienced. Compliance managers must constantly plead for additional evidence, or aren't ready in time for audits. They must endlessly explain to auditors how the same things work, as if every audit is the first. They must dig into matters that happened six months ago but weren't properly documented.
The first line doesn't have it easy either. They're interrupted in their work to take screenshots, fill in questionnaires, or explain how certain processes work. This interruption often happens at moments that don't suit them, but are urgent for the audit. The lack of structure and predictability makes compliance a constant disruptor.
For management, this means a lack of overview. They don't know what the real status of compliance efforts is until just before the audit. Risks remain invisible until they become a problem. Budgets for compliance are difficult to justify because nobody can exactly explain where the time and money goes.
Why evidence collection is so inefficient
The traditional process of evidence collection is fundamentally broken. Someone sends an email with a request for a screenshot of a particular configuration. The recipient must interrupt their normal work, log into the right system, navigate to the right place, take a screenshot, save it with a comprehensible name, and send it back. This process repeats dozens of times per audit.
The problem escalates when it turns out the screenshot is unclear, or doesn't show exactly what the auditor wants to see. Then the whole process starts again. Or worse: six months later at the next audit, exactly the same evidence must be collected again because nobody can find where the previous evidence was stored.
This inefficiency stems from the fact that evidence is collected by people instead of from systems. The systems contain all the information needed: who has which access, when was the last backup made, which version of software runs where. But instead of pulling this data directly from the source, we ask people to manually take screen captures.
How this slows growth and deals
The impact of inefficient compliance reaches far beyond just internal frustration. Delays in contracting suppliers happen because you can't quickly enough demonstrate that you meet their security requirements. Obtaining additional funding from investors gets stuck because due diligence questions can't be answered timely.
Even more painful is the inability to win larger deals. Enterprise clients ask for ISO 27001 certification or extensive security assessments. If you can't quickly and convincingly demonstrate that your information security is in order, the deal goes to a competitor who is certified. The sales team loses momentum because they must wait for compliance documentation.
Delays in client contracts arise because legal teams of prospects need months to work through your security documentation. Every ambiguity leads to follow-up questions, every follow-up question to more delay. What began as a promising sales opportunity dies a slow death in the legal review phase.
Why 10x better is more realistic than 10 per cent better
Google already noted that companies tend to improve processes through incremental improvements. "We must document our processes properly this time", or "Next year we must ALL use the same place for storing evidence", or "let's start preparing the process earlier this year".
Incremental improvements don't solve the real problem
These actions will help, don't get me wrong, but ultimately they don't solve the core problem: that you're using too many manual actors to get the job done. A better spreadsheet is still a spreadsheet. A shared drive where everyone stores evidence is still a collection of loose files without structure or automatic validation.
Incremental improvement means you accept that the current process is the right foundation, and that you only need to optimise the details. But what if the foundation itself is the problem? What if the idea that people must manually collect evidence is fundamentally outdated?
Radical improvement requires you to redefine the problem. Instead of asking "how can we collect evidence more efficiently", you ask "why are we manually collecting evidence at all?" This opens a completely different solution space where automation is central.
More controls must come from systems, not from people
The source of compliance information sits in your systems, your applications, your cloud. Why wouldn't you use this as a foundation and try to eliminate as much noise as possible? Instead of asking someone to take a screenshot of who has admin rights, why doesn't your compliance platform automatically retrieve this list from your identity provider?
Instead of asking monthly whether backups were executed successfully, why doesn't your system monitor this continuously and only alert you to problems? Instead of having auditors manually search through dozens of documents, why don't you automatically present all relevant evidence organised per requirement?
This shift from people to systems as the source of truth is what makes 10x improvement possible. You don't just eliminate manual work, you also create more reliable results. Systems don't lie, don't forget, and don't make typos in their reports. The data is always current instead of a snapshot from six months ago.
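The two examples in the paragraphs above (read the admin list from the identity provider, monitor backups continuously and alert only on problems) can be expressed as control checks that run against system data and emit a verifiable evidence record. The script below is an added illustration, not Tidal Control's code or any real integration: the identity-provider user export and the backup job log are constructed in-memory samples, and the control identifiers `IAM-01` and `BCK-01` are hypothetical placeholders.

```python
"""
Added illustration of evidence pulled from systems rather than from people:
two control checks run over constructed sample data and produce a timestamped,
hashed evidence record per control. Not Tidal Control's code; the data sources,
control ids and thresholds below are assumptions for the example.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for an identity provider's user export.
IDP_USERS = [
    {"email": "alice@example.com", "roles": ["admin"], "mfa_enabled": True},
    {"email": "bob@example.com", "roles": ["admin"], "mfa_enabled": False},
    {"email": "carol@example.com", "roles": ["user"], "mfa_enabled": True},
]

# Constructed sample standing in for a backup system's job log (latest job per system).
BACKUP_JOBS = [
    {"system": "db-prod", "finished_at": "2024-05-10T02:15:00Z", "status": "success"},
    {"system": "fileshare", "finished_at": "2024-05-03T02:15:00Z", "status": "success"},
    {"system": "wiki", "finished_at": "2024-05-10T02:30:00Z", "status": "failed"},
]

# Fixed clock so the example is reproducible; a real collector would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)


def admin_mfa_findings(users):
    """Control: every account holding the admin role has MFA enabled.
    Returns the emails of admin accounts that fail the check (empty list = pass)."""
    return sorted(
        u["email"] for u in users if "admin" in u["roles"] and not u["mfa_enabled"]
    )


def stale_backup_findings(jobs, now, max_age=timedelta(days=1)):
    """Control: each system has a successful backup no older than max_age.
    A failed job or a success older than the window is a finding."""
    findings = []
    for job in jobs:
        finished = datetime.fromisoformat(job["finished_at"].replace("Z", "+00:00"))
        if job["status"] != "success" or now - finished > max_age:
            findings.append(job["system"])
    return sorted(findings)


def evidence_record(control_id, source, raw, findings, collected_at):
    """Package the raw system data, its hash, the collection time and the outcome
    so an auditor can later verify exactly what was evaluated and when."""
    raw_json = json.dumps(raw, sort_keys=True)
    return {
        "control_id": control_id,
        "source": source,
        "collected_at": collected_at.isoformat(),
        "raw_sha256": hashlib.sha256(raw_json.encode("utf-8")).hexdigest(),
        "status": "pass" if not findings else "fail",
        "findings": findings,
    }


def run_controls(users=IDP_USERS, jobs=BACKUP_JOBS, now=NOW):
    """Run every control and return one evidence record per control, so a
    scheduler can call this continuously and alert only when status != 'pass'."""
    return [
        evidence_record("IAM-01", "idp:users", users, admin_mfa_findings(users), now),
        evidence_record("BCK-01", "backup:jobs", jobs, stale_backup_findings(jobs, now), now),
    ]


if __name__ == "__main__":
    for record in run_controls():
        print(json.dumps(record, indent=2))
```

The point of the hash and timestamp on each record is that the evidence is the system's own data at a known moment, not a screenshot someone took; re-running the collector next quarter produces a fresh record rather than a hunt through old folders.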
Scalability determines who survives
Compliance is a process that requires many stakeholders to "donate" a bit of their time. If everyone can determine their own method, process, and timing for delivering evidence, you'll have chaos in no time. There's no room to accommodate everyone's wishes. Or is there?
Why reusable components are crucial
Scalability comes from breaking down a problem into many reusable parts. If we can break down a compliance process into small components, and then reuse these components across different companies, compliance costs decrease for everyone.
Think about how software development works. You don't rewrite a function every time; you create a reusable component you can call. The same principle applies to compliance. A risk assessment follows the same steps everywhere: identify assets, determine threats, assess impact and likelihood, define controls. Why should each company design this process from scratch?
By making templates, frameworks, and methodologies reusable, everyone benefits from the expertise embedded in them. A policy template written by compliance experts and refined by thousands of companies is better than what an individual organisation can produce in a few hours. This collective wisdom raises the baseline for everyone.
Integrations as the foundation for lower compliance costs
We all use the same cloud providers and productivity applications anyway. Google Workspace, Microsoft 365, AWS, Slack - the building blocks of modern businesses are largely uniform. This offers an enormous opportunity for scalable compliance solutions.
If you build an integration once that automatically reads access rights from Google Workspace, then thousands of companies can benefit from it. Development costs are spread across all users, making it affordable to build high-quality integrations that would otherwise be unreachable for small organisations.
This scalable technology for a better compliance experience means you don't have to reinvent every wheel. The basic infrastructure is there, you only need to configure it for your specific situation. This dramatically lowers the threshold to start with professional compliance automation.
Technology only works when it empowers people
Human judgement is a beautiful thing. Experts are much better at understanding context than technology, and have access to more data and risk factors than technology can approach or conceive. Success is when people and technology work seamlessly together and reinforce each other. This also applies to compliance.
What automation can and cannot solve
Automation is brilliant at executing repetitive tasks, tracking status, collecting data, and flagging deviations. It's reliable, consistent, and scales effortlessly from ten to a thousand systems. For these tasks, automation is superior to people.
But automation can't understand context. It can't decide whether a particular risk is acceptable for your specific business situation. It can't think creatively about how a control can best be implemented within your culture and processes. It can't pick up on the nuance in an auditor's question and anticipate follow-up questions.
These limitations don't mean automation is worthless, quite the contrary. By deploying automation for what it does well, you free up time for people to focus on what they do well. Instead of taking screenshots, experts can think about risk strategy. Instead of maintaining lists, they can optimise processes.
Why human judgement remains indispensable
Not all controls can be fully automated. A risk assessment requires understanding of your business model, your strategy, your competitive position. Only people within your organisation have this context. A policy must fit your company culture and be realistic given your resources. Only your team can make this trade-off.
That's why our fifth 'first principle' is about creating technology that works for people, not the other way around. The goal isn't to replace people, but to support them so they can do their work better. Technology should lower cognitive load, not increase it. It should hide complexity, not add it.
The role of GRC lite functionality as practical support
That's why we started by creating a very simple and user-friendly governance, risk, and compliance module (GRC lite) aimed at helping experts do their work as efficiently as possible. Not complex enterprise software requiring weeks of training, but intuitive tools you can master in an afternoon.
The principle remains the same: reduce compliance friction by eliminating unnecessary manual and repetitive maintenance tasks. Focus experts' attention on decisions and strategy instead of administration. Make compliance accessible for organisations that don't have a dedicated compliance officer on staff.
By centralising document management, risk management, and evidence collection in one clear platform, you maintain overview without becoming overwhelmed. By building in templates and best practices, you benefit from collective expertise without hiring external consultants. Through automatic monitoring, you prevent surprises without having to constantly check manually.
In summary
The five principles in one overview
These are our five first principles to put the first line back in the driver's seat and take the compliance function to the next level:
- The status quo is your biggest competitor - Excel and existing processes feel safe but don't scale
- Compliance is a broken process - Manually collecting evidence wastes unnecessary time and slows growth
- 10x better is more realistic than 10% better - Incremental improvements don't solve the fundamental problem
- Scalability determines who survives - Reusable components and integrations lower costs for everyone
- Technology only works when it empowers people - Automation should support experts, not replace them
What this means for modern compliance teams
For compliance teams, these principles mean a fundamental shift in how they work. Instead of spending the bulk of their time on administration and evidence collection, they can focus on what truly adds value: understanding risks, designing better processes, and providing strategic advice.
For organisations that are growing, it means compliance no longer has to be a blocker. With the right automation, you can scale without proportionally needing more people for compliance. You can respond faster to client questions, achieve certifications faster, and enter new markets faster.
For the compliance industry as a whole, it means we can evolve from a necessary evil to a strategic advantage. Compliance doesn't become more fun through automation, but it does become less painful. And ultimately, that's what's needed to make compliance a sustainable, scalable process that helps rather than hinders modern organisations.