By Anees Merchant, EVP and Global Head of Innovation, IP, and Analytics Consulting at C5i
Why I’m Done Pretending Traditional Compliance Works in the Cloud
Let me tell you something that’ll probably get me uninvited from a few compliance conferences: We’re all lying to ourselves about cloud security.
I’ve spent enough time in the industry watching organisations and their CISOs parade their ISO, SOC 2 reports, and GDPR certifications like badges of honor, while their cloud infrastructures leak data like a broken faucet. We’re using 1990s compliance thinking for 2025 technology, and it’s about as effective as bringing a knife to a drone fight.
The Compliance Theater That’s Killing Us
Recently, I sat with the CISO of a major corporation who proudly displayed their “100% compliance score” across seventeen frameworks. Meanwhile, within the organisation, business teams were paralysed by security red tape, unable to innovate. The teams that managed to push through? Their API keys were hardcoded in production: a massive security breach waiting to happen.
That’s when it hit me: Traditional compliance isn’t just outdated; it’s creating a dangerous illusion of security.
Your infrastructure changes every second. Containers spin up and disappear. Data flows across borders instantly. Yet compliance teams still fill out annual questionnaires about “network perimeters.” What perimeter? In the cloud, everything is the perimeter and nothing is.
The Shared Responsibility Lie
The shared responsibility model is basically cloud providers saying, “We’ll lock the building, but if you leave the windows open, that’s on you.” And most of us are terrible at closing windows.
AWS, Azure, and Google secure their infrastructure brilliantly. However, they cannot prevent you from leaving databases exposed, using “password123” for service accounts, or granting admin privileges to everyone because “it’s easier.” Your compliance framework says you’re doing great because you have a “password policy document.” But documents don’t secure systems; configuration does.
AI Made Everything Worse
Just when we thought we had cloud compliance figured out, AI crashed the party. The EU AI Act is trying to regulate something that evolves faster than legislation can be written. It’s like trying to arrest smoke.
I recently worked with a company that used AI models trained in California, deployed in Germany, and processing data from Singapore. Which jurisdiction’s rules apply? All of them, none of them, and you’re still non-compliant.
The EU wants explainable AI, but your cloud provider’s ML API is a black box. China demands data localisation, but AI needs global datasets. The US CLOUD Act allows American authorities to access your data anywhere, whereas the GDPR states that they absolutely cannot. Welcome to the compliance impossible triangle.
Multi-Cloud: Compliance Nightmare
If you run multi-cloud, I am sure this is your nightmare: maintaining compliance across AWS, Azure, and Google Cloud simultaneously. Each platform has its own security model, audit format, identity system, and default configuration. Multiply that by every region you operate in, each with conflicting laws.
I’ve seen situations where being compliant with European privacy laws makes you non-compliant with American surveillance requirements. Add Middle Eastern data sovereignty norms to the mix, and you’ve got a regulatory disaster. There’s no winning move.
Privacy by Design: The Only Solution
After years of watching compliance theater fail, I’m convinced: Privacy by Design is the only approach that works.
Forget retrofitting security. Build it in from the start:
- Assume Everything Will Fail: Design systems that remain secure despite misconfigurations
- Automate Like No Other: Manual security controls have already failed
- Less Hoarding By Default: Less data, shorter retention, fewer access points
- Encrypt Every Grain: At rest, in transit, during processing, everywhere
Machines Taking Over
Cloud compliance at scale has exceeded human cognitive capacity. It’s mathematically impossible for humans to track all configuration changes, data flows, and policy violations in real-time across modern cloud environments.
Innovative organisations are turning compliance over to machines. RegTech/Compliance platforms now perform tasks in milliseconds that previously took teams months, including scanning for misconfigurations, mapping data flows, generating audit reports, and automatically fixing violations.
The compliance professionals who survive will work with these tools, rather than clinging to Excel spreadsheets.
The Geopolitical Proxy War
Cloud compliance has become a proxy war between nations. The EU uses the GDPR to counter American tech dominance. The US CLOUD Act prioritises national security over data sovereignty. China builds its own internet. Russia demands data localisation. The Middle East adds country-specific sovereignty norms.
Meanwhile, your company wants to sell globally without legal consequences. I am seeing companies go back to the drawing board and restructure entire business models to avoid certain jurisdictions, because their compliance and other requirements are mutually exclusive. This isn’t sustainable.
Embracing the Impossible
Here’s the liberating truth: Perfect compliance is impossible, and pretending otherwise gets you breached.
Instead of chasing 100% compliance, here’s what works:
- Pick Your Focus Areas: Focus on regulations that matter for your business
- Decision Documentation: When regulations conflict, document your risk-based choices
- Flexibility Is Key: Assume monthly regulatory changes
- Continuous Improvement: Compliance is sailing through a storm with a changing map
The Uncomfortable Future
The gap between technology and regulation is widening every day. By the time regulators understand serverless functions, we’ll face quantum computing compliance.
Organisations that survive will:
- Accept unavoidable risk
- Invest in automation, not auditors
- Build security into DNA, not documentation
- Stop using last year’s framework for next year’s technology
What Now?
Stop treating compliance as separate from development. Bake it into every architectural decision, sprint plan, and deployment pipeline.
Invest in engineers’ security education over compliance certifications. A developer who understands security beats a compliance officer who doesn’t understand code.
Automate ruthlessly. Manual compliance checking means you’ve already lost.
Accept imperfect compliance. Focus on actual risk reduction, not merely completing checklists.
Prepare for non-existent regulations. Build flexible systems that are ready for whatever comes next.
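As an added illustration of the automation argued for above (example code, not from the author or C5i): a small policy-as-code gate that evaluates a constructed resource inventory against the misconfigurations this piece names (exposed databases, “password123” on service accounts, blanket admin roles, hardcoded API keys, unencrypted storage) and fails the deployment pipeline when production violates them. The inventory format, rule names and the `secret://` vault-reference convention are assumptions for the example.

```python
import re
# Constructed sample inventory shaped like what a scanner would pull from a
# provider API; every id, key and value is made up for this example.
SAMPLE_INVENTORY = [
    {"id": "db-orders", "type": "database", "public": True,
     "encrypted_at_rest": False, "tags": {"env": "prod"}},
    {"id": "svc-billing", "type": "service_account", "password": "password123",
     "roles": ["admin"], "tags": {"env": "prod"}},
    {"id": "fn-report", "type": "function", "tags": {"env": "prod"},
     "env": {"PAYMENTS_API_KEY": "AKIA-CONSTRUCTED-EXAMPLE",
             "DB_PASSWORD": "secret://orders-db-password"}},
    {"id": "db-cache", "type": "database", "public": False,
     "encrypted_at_rest": True, "tags": {"env": "dev"}},
]

WEAK_PASSWORDS = {"password", "password123", "admin", "changeme"}
SECRET_NAME = re.compile(r"(?i)(key|secret|token|password)")

def check_resource(res):
    """Return (rule, target) findings for one resource; empty means it passes."""
    findings = []
    if res["type"] == "database":
        if res.get("public"):                      # database left exposed
            findings.append(("public_database", res["id"]))
        if not res.get("encrypted_at_rest"):       # "encrypt every grain" at rest
            findings.append(("unencrypted_at_rest", res["id"]))
    elif res["type"] == "service_account":
        if res.get("password", "").lower() in WEAK_PASSWORDS:
            findings.append(("weak_password", res["id"]))
        if "admin" in res.get("roles", []):        # admin "because it's easier"
            findings.append(("admin_service_account", res["id"]))
    elif res["type"] == "function":
        for name, value in res.get("env", {}).items():
            # A secret-looking variable holding a literal instead of a vault
            # reference (assumed "secret://" scheme) is a hardcoded credential.
            if SECRET_NAME.search(name) and not value.startswith("secret://"):
                findings.append(("hardcoded_secret", f"{res['id']}:{name}"))
    return findings

def scan(inventory, env="prod"):
    """Evaluate every resource tagged with the given environment."""
    return [f for res in inventory
            if res.get("tags", {}).get("env") == env for f in check_resource(res)]

def gate(inventory):
    """Pipeline gate: print findings and return 1 (block deploy) if prod has any."""
    findings = scan(inventory)
    for rule, target in findings:
        print(f"FAIL {rule}: {target}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_INVENTORY))
```

Run on every commit, the gate turns the article’s “configuration, not documents” point into an enforced control rather than a questionnaire answer.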
The Bottom Line
Traditional compliance is dead; it just doesn’t know it yet. Organisations pursuing checkbox compliance in cloud environments are like companies that didn’t need websites in 1999.
The future belongs to those brave enough to admit old ways don’t work and smart enough to embrace continuous, automated, risk-based compliance. Everything else is expensive theater.
Your move.
P.S. – Yes, this might ruffle the feathers of the compliance community. But after watching too many “compliant” organisations get breached, I’m done being polite. The stakes are too high for security theatre.