Every compliance finding has a price, and the price is set by one thing: how long the gap sat there before anyone noticed. Caught in the pull request, it is a one-line change and a thirty-second conversation. Caught in the audit, it is an archaeology project.
The cost of a finding grows with distance from the change
When a reviewer flags a weakened audit log on the PR that weakened it, the author still has the whole change in their head. They know why they touched that line, what it was supposed to do, and how to fix it without breaking anything else. The fix is small because the context is still warm.
Six months later, in audit season, none of that is true. The author may have left. The reasoning is gone. Now someone has to reconstruct why the log was dropped, whether anything came to depend on it being gone, and how to restore it safely. The same one-line problem has become a cross-team investigation with a deadline attached.
The PR is the last moment everyone still has context
Code review already exists. It is the one checkpoint where a human is looking at the change, on purpose, before it ships, with the intent to catch problems. Bugs get caught there. Style gets caught there. The only reason compliance is not caught there is that the reviewer does not have the framework in their head, so a change that quietly trips ISO 27001:2022 A.8.15 or GDPR Art. 5(1)(e) reads as ordinary code.
That is a knowledge gap, not a process gap. The checkpoint is in the right place. It just needs to know what the auditor knows.
Shift-left is not a slogan here, it is arithmetic
Shift-left works in security because moving a defect earlier in the pipeline makes it cheaper to fix. Compliance has the same curve, and a steeper one, because a compliance gap does not just cost engineering time, it costs the finding itself: the exception in the report, the remediation evidence, the explanation to the auditor.
heygrc is built to read each pull request against the frameworks your company has to meet and name the control a change touches, while the change is still a review comment. That is the whole idea: move the catch to the left, where it is cheap. heygrc is in early access.