heygrc
Engineeringthe heygrc team

Shift compliance left

Security shifted left, into the pull request. Most compliance work still waits for the audit, and controls drift one commit at a time in between.

Over the last decade, a lot of security moved off the annual calendar. The pentest did not disappear, but the day-to-day work shifted left, into the editor, the pull request, the CI pipeline, where a problem is cheap to fix because the person who caused it is still looking at it. Catching things only at the very end started to look like the expensive option.

Most compliance work has not made that move. For most teams it is still anchored to the audit: a review that happens long after the fact, against a window that has already closed, where a control that drifted months ago surfaces then if it surfaces at all. The change that caused the drift shipped in a pull request no one read for compliance. heygrc exists to move that read to where security already went, the diff.

The audit is a lagging indicator

An audit tells you what was true across a period that has already passed. That is useful, and it is late by construction. By the time a slipped control shows up, the change that caused it merged weeks or months earlier, the evidence for the time in between is already missing, and what would have been a one-line review comment is now an exception to document and a remediation to schedule.

The cost of a compliance gap grows with the distance between the change that caused it and the moment someone notices. An annual cadence stretches that distance by design.

Compliance drifts one commit at a time

Controls rarely break in a single visible event. They erode through individually reasonable changes: a retention window extended, a log line trimmed, a storage region flipped, a default loosened to unblock a partner. Each edit is defensible on its own, and none of them announces itself as a compliance change. What surfaces later is the accumulated state, not the review-time context of the individual change that moved the control.

If the drift happens one commit at a time, the one place to catch it cheaply is the commit. Anywhere later and you are reconstructing, from logs and memory, which change moved the control and when.

A leading indicator at the diff

Shifting compliance left means reading each pull request as it happens and naming the control a change touches, with the clause, while the decision is still cheap to change. It is the same move security made: not to replace the audit, but to reduce what the audit has to find, by catching control-relevant changes in review instead of letting them pile up into exceptions.

This is the aim rather than a measured result, since we are not drawing on production telemetry yet: a leading indicator on the same obligations the audit measures, at the point in time where a finding costs a comment instead of a quarter. The annual audit still happens. It should just have less to discover.

shift-leftauditscompliancecode-review