heygrc
Manifesto

Compliance is a CI check, not a quarterly fire drill.

Treating compliance as an event you survive twice a year is why it feels like a fire drill. Treat it as a check that runs on every change and it gets boring, which is the goal.

Most teams experience compliance as a season. It arrives, everyone drops their roadmap, a spreadsheet circulates, screenshots are gathered, and a few weeks later it recedes until next time. The work is real, but the shape is wrong.

Events create panic; checks create habits

Anything that happens twice a year is an event, and events generate panic, because the gap between them is exactly long enough to forget everything you learned last time. The audit becomes a cram session against months of accumulated drift nobody was watching.

Anything that happens on every pull request is a check. Checks do not generate panic. They generate small, constant corrections, the same way a failing test does. You do not hold a quarterly testing fire drill; tests run on every change, so the codebase stays close to correct all the time. Compliance can work the same way.

The fire-drill tax is paid in the worst currency: focus

The real cost of audit season is not the hours. It is the context-switch. A team mid-flow on a hard problem gets pulled into evidence-gathering for changes they made months ago, then has to climb back into the problem afterward. That tax is invisible on any budget and enormous in practice.

A check that runs continuously spreads that cost into increments so small they disappear. A finding on a PR is read in the same headspace as the code review it lives in. No season, no cram, no context-switch.

Make it boring

The aspiration is not to make compliance exciting. It is to make it boring: a status check that is usually green, occasionally flags something specific, and leaves far less to discover in audit season because most of it was handled at the diff.

heygrc posts a GitHub check status on each pull request, grounded in the frameworks you selected, and you can optionally require that check in branch protection. The point of a check is to be unremarkable. heygrc is in early access; that boring future is what it is built for.