CoursesCompliance as codeEvidence & continuous audit

Continuous compliance

Always-on evaluation vs point-in-time.

Advanced30 min · lesson 8 of 15

The deepest shift in modern compliance is from point-in-time to continuous. An annual audit tells you your posture on one day; continuous compliance tells you your posture every day — which is the only way to actually stay compliant rather than merely pass.

Always-on evaluation

Continuous compliance means your controls are evaluated constantly rather than assessed once a year. Cloud Config rules, CSPM, admission policy, and scheduled policy runs check configuration against your control set around the clock, so a violation surfaces within minutes of appearing instead of lurking until the next audit. This closes the blind window that point-in-time assessment leaves open — the 364 days between snapshots where posture drifts and issues hide. It also changes the nature of compliance from an event you prepare for into a property you continuously maintain and can prove at any moment.

continuous vs point-in-time
# POINT-IN-TIME (traditional):
# audit day → assess → report → ...364 days of unknown posture... → repeat
#
# CONTINUOUS (compliance as code):
# config change → evaluated in minutes → pass/fail recorded → alert on fail
# posture is KNOWN every day; evidence accrues automatically
#
# AWS Config example — a control evaluated continuously:
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "s3-encryption",
"Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" }
}'

Why period-based audits demand it

Continuous compliance is not just nicer — it is what rigorous audits require. SOC 2 Type II assesses whether controls operated effectively across a period of months, which is impossible to demonstrate with point-in-time screenshots and only feasible with continuously-generated evidence. The same is true for staying secure: a control that was compliant at the audit and silently regressed the next week is a real exposure that continuous evaluation catches and point-in-time assessment misses entirely. Build the program so controls run and evidence themselves continuously, and both "are we secure right now?" and "can we prove we were secure all year?" become answerable at any moment.

Continuous compliance loop
1controls run constantly
Config/CSPM/admission/scheduled
2violation surfaces in minutes
not at next audit
3evidence accrues
operating effectiveness over time
4always audit-ready
known posture every day
Evaluate controls constantly: violations surface fast, evidence accrues, and period-based audits (SOC 2 Type II) become answerable.
Point-in-time compliance is a false sense of security
Passing an annual audit says nothing about the other 364 days, when posture drifts unseen. Without continuous evaluation, a control can regress the week after the audit and stay broken until the next one — compliant on paper, exposed in practice. Make evaluation continuous so posture is a known state, not an annual guess.