Compliance Theater: Why Cybersecurity’s Favorite Shakespearean Tragedy is Failing Us
IT security teams, especially the compliance cast, love drama. The slower, more arcane, and less intelligible the script, the louder the applause. Every few years, someone strides onstage with a seemingly edgy rallying cry: “Let’s burn it all down and start again!”
Let’s be honest: torching the set doesn’t fix the play. The real villain isn’t any one framework. It’s the lackluster production in which we force our best people to perform “assessments” that consume weeks, cost a fortune, and deliver stale, unread artifacts.
The antagonist? Binders of off-topic prose masquerading as plot. Screenshots that expire the instant they’re printed or “evidence packages” that are obsolete by the time the curtain falls. We’re trapped in a Shakespearean tragedy where the props are fake, the lines are stale, and everyone keeps applauding while the castle quietly burns behind the scrim.
Traditional assessments repeat the same tired scenes: pages of narrative “implementation statements” drafted by non-engineers; expensive engineers reduced to screenshot clerks; the whole bundle shipped to auditors with fingers crossed that no one notices half the evidence is already out of date. Passing an audit in January tells you nothing meaningful about your security in March.
The General Services Administration (GSA) tried to break this cycle with the FedRAMP 20x pilot, a push to drag compliance into the 21st century. Goals included:
- Automate checks so teams stop dying inside chasing artifacts.
- Reuse strong commercial practices instead of reinventing government wheels.
- Shift from point-in-time snapshots to continuous, data-driven proof.
- Build trust directly between agencies and providers — no binder middleman.
- Stop slowing down innovation just to satisfy the audit calendar.
Industry shouldn’t just nod politely; it should lean in. Toss the dusty script and stage something different: real-time, query-driven compliance.
The Problem: Screenshots Are for Chumps
Legacy “evidence” is performative. An auditor drops a generic checklist and system owners scramble for artifacts: policy PDFs, console exports, and the beloved screenshot. An engineer halts real work, configures the perfect view, captures “Figure 12.1 – MFA Enabled,” pastes it into Word, and repeats that ritual hundreds of times.
It’s slow and error-prone; it robs service teams of time and creates false confidence. In a cloud world where infrastructure can change hourly, screenshots are the compliance equivalent of checking your MySpace profile to gauge social relevance. Technically it exists, practically it’s still as lame as the day you wrote it.
A New Model: Trust the Query, Not the Clipboard
With 20x as catalyst, security teams can rewrite the script. Stop telling stories and just show data. Instead of flowery paragraphs about “disks encrypted with customer-managed keys,” ask the platform directly: “List every disk and its encryption status.” The system answers immediately and without bias. Here’s the stack in plain terms:
- Query layer: Turn cloud and SaaS APIs into tables that can be queried directly. Want to know which Okta users lack MFA? Query it. Which repos lack branch protections? Query it. Which buckets are public? Query it.
- Orchestration layer: Define controls as code and run them in bulk. Each control is a check; a collection of checks is a benchmark.
Put them together and FedRAMP’s Key Security Indicators (KSIs) become executable. Instead of a binder of screenshots, give auditors a dashboard with live, drill-down results. Imagine being an assessor and receiving useful, structured data instead of a PDF brick.
How It Works: Compliance as Code
Every control becomes a declarative rule plus a query.
- Old way: “We use customer-managed keys.” (Maybe.)
- New way: A query checks every disk, in real time. If any aren’t CMK-encrypted, the control fails. Engineers decide if the state is intentional; if not, they fix it. Done.
Because controls live in source control, they’re versioned, peer-reviewed, and repeatable. When requirements change, update the query and re-run. And the model goes far beyond cloud configs: any service with an API becomes a living CMDB you can interrogate at will.
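To make the stack concrete (the query layer and orchestration layer described under “A New Model”, and the “declarative rule plus a query” control model in this section), here is an added, self-contained Python example. It is not code from the original post, from FedRAMP, or from any particular product: it loads constructed API responses (fake disks, identity-provider users and storage buckets) into in-memory SQLite tables, declares each control as an identifier, a title and a SQL query that returns one row per non-compliant resource, and runs the collection as a benchmark that emits structured, drill-down results rather than screenshots. Table and control names such as `cloud_disk`, `idp_user` and `ksi-cmk-01` are assumptions chosen for illustration.

```python
"""Compliance as code in miniature: API responses -> queryable tables,
controls as declarative rules with a query, benchmark -> structured results.
All data below is constructed for the example; no real account is involved."""
import json
import sqlite3
from dataclasses import asdict, dataclass, field

# Constructed sample API responses (assumed shapes, not any vendor's schema).
DISKS_API_RESPONSE = json.dumps([
    {"id": "disk-001", "encrypted": True,  "key_type": "customer-managed"},
    {"id": "disk-002", "encrypted": True,  "key_type": "platform-managed"},
    {"id": "disk-003", "encrypted": False, "key_type": None},
])
USERS_API_RESPONSE = json.dumps([
    {"login": "alice", "mfa_enrolled": True,  "status": "ACTIVE"},
    {"login": "bob",   "mfa_enrolled": False, "status": "ACTIVE"},
    {"login": "carol", "mfa_enrolled": False, "status": "DEPROVISIONED"},
])
BUCKETS_API_RESPONSE = json.dumps([
    {"name": "payroll-archive", "public": False},
    {"name": "build-cache",     "public": False},
])


@dataclass(frozen=True)
class Control:
    """A control is a rule (title) plus a query listing NON-compliant resources."""
    id: str
    title: str
    query: str  # zero rows returned == control passes


@dataclass
class ControlResult:
    control_id: str
    title: str
    status: str                  # "ok" or "alarm"
    failing: list = field(default_factory=list)  # drill-down: offending resource ids


def build_query_layer(disks_json: str, users_json: str, buckets_json: str) -> sqlite3.Connection:
    """Query layer: turn raw API payloads into tables that can be queried directly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cloud_disk (id TEXT PRIMARY KEY, encrypted INTEGER, key_type TEXT)")
    conn.execute("CREATE TABLE idp_user (login TEXT PRIMARY KEY, mfa_enrolled INTEGER, status TEXT)")
    conn.execute("CREATE TABLE storage_bucket (name TEXT PRIMARY KEY, public INTEGER)")
    conn.executemany("INSERT INTO cloud_disk VALUES (?, ?, ?)",
                     [(d["id"], int(d["encrypted"]), d["key_type"]) for d in json.loads(disks_json)])
    conn.executemany("INSERT INTO idp_user VALUES (?, ?, ?)",
                     [(u["login"], int(u["mfa_enrolled"]), u["status"]) for u in json.loads(users_json)])
    conn.executemany("INSERT INTO storage_bucket VALUES (?, ?)",
                     [(b["name"], int(b["public"])) for b in json.loads(buckets_json)])
    conn.commit()
    return conn


# Orchestration layer: controls live in source control as data, not prose.
# COALESCE handles disks whose key_type is NULL (unencrypted disks), which a
# plain "key_type <> 'customer-managed'" comparison would silently skip.
CONTROLS = [
    Control("ksi-cmk-01", "Block storage is encrypted with customer-managed keys",
            "SELECT id FROM cloud_disk "
            "WHERE encrypted = 0 OR COALESCE(key_type, '') <> 'customer-managed' ORDER BY id"),
    Control("ksi-mfa-01", "Active identity-provider users have MFA enrolled",
            "SELECT login FROM idp_user WHERE status = 'ACTIVE' AND mfa_enrolled = 0 ORDER BY login"),
    Control("ksi-bucket-01", "No storage bucket is publicly readable",
            "SELECT name FROM storage_bucket WHERE public = 1 ORDER BY name"),
]


def run_control(conn: sqlite3.Connection, control: Control) -> ControlResult:
    """Evaluate one control against the live tables; any returned row is a failure."""
    failing = [row[0] for row in conn.execute(control.query)]
    return ControlResult(control.id, control.title, "alarm" if failing else "ok", failing)


def run_benchmark(conn: sqlite3.Connection, controls=CONTROLS) -> dict:
    """Run a collection of controls (a benchmark) and return structured evidence."""
    results = [run_control(conn, c) for c in controls]
    return {
        "summary": {"ok": sum(r.status == "ok" for r in results),
                    "alarm": sum(r.status == "alarm" for r in results)},
        "controls": [asdict(r) for r in results],
    }


if __name__ == "__main__":
    db = build_query_layer(DISKS_API_RESPONSE, USERS_API_RESPONSE, BUCKETS_API_RESPONSE)
    print(json.dumps(run_benchmark(db), indent=2))
```

Running it prints a JSON report in which the CMK control is in alarm for `disk-002` and `disk-003`, the MFA control is in alarm for `bob` (the deprovisioned user is excluded by the query, a decision that is itself reviewable in source control), and the bucket control passes. Re-running against fresh API data regenerates the evidence; changing a requirement means changing a query, not redrafting a narrative.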
From Paperwork to Continuous Trust
FedRAMP 20x is a glimpse of the future and, in one form or another, it’s inevitable. Current paperwork-centric practices can’t keep up with threats and can even make systems less secure by diverting resources to performance instead of protection.
Compliance is becoming a data discipline: continuous checks, automated validation, and evidence that flows from the actual running state of the system. This scales beyond FedRAMP. Any framework, government or commercial, that demands proof of implementation benefits from compliance as code. Controls become queries. Queries become continuous evidence. Auditors become validators of automation, not artifact chasers.
The thesis is simple: compliance shouldn’t be theater; it should be engineering. A query-driven model delivers continuous compliance faster, cheaper, and with more trust. The future is query-driven, automated, and continuous. Let’s stop romanticizing the tired tragedies of old and start staging a production that actually protects the castle.