Your auditors signed off in November. Congratulations. You were compliant on the day the report was dated. What happened on December first is a separate matter entirely — and that is precisely the problem.

The dominant model of compliance is still structured around the audit cycle: prepare, assess, remediate, report, repeat. It is a rhythm borrowed from financial reporting, normalised by decades of checkbox frameworks, and it has almost nothing to do with how risk actually moves. Controls drift. Environments change. Threat actors do not wait for your renewal window. The audit-cycle mindset creates a fiction — a declared posture that expires the moment it is printed — and then asks organisations to manage serious regulatory and operational risk against that fiction. It is time to retire it.

Why does the audit cycle persist when everyone knows it is inadequate?

Part of the answer is institutional inertia. The frameworks that shaped the profession — ISO 27001, SOC 2, even earlier generations of NIST guidance — were designed to be assessable by external auditors working from documentary evidence. Point-in-time assessment is legible to that model. It produces a clean artefact: a certificate, a report, a letter of attestation. Boards understand certificates. Procurement teams accept them. Regulators have historically accepted them too.

The other part of the answer is cost. Running a continuous compliance programme sounds expensive because the mental model most organisations carry is "do the annual audit, but monthly." That model is expensive. It is also the wrong model entirely.

What does "continuous" actually mean — and what does it not mean?

Continuous compliance is not continuous auditing. The distinction matters enormously. Auditing is an episodic human judgment about a state of affairs at a point in time. Monitoring is an ongoing automated observation of whether controls are operating as designed. The first produces a declaration. The second produces a signal. Declarations go stale. Signals do not.

Continuous compliance means three things in practice.

Monitored, not attested. A control is not compliant because someone ticked a box confirming it was reviewed last quarter. It is compliant because the system can demonstrate, right now, that the relevant configuration exists, the relevant process ran, and the relevant evidence was captured. Attestation shifts accountability to a human at a moment in time. Monitoring distributes accountability across the system continuously.

Scored, not declared. Binary compliance — pass/fail against a checklist — obscures the thing that matters: residual risk. Two organisations can both hold an ISO 27001 certificate and have radically different actual control postures. A continuous model scores control effectiveness against the underlying risk it is intended to manage. That score can degrade as conditions change, flag a control that is technically implemented but operationally ineffective, and surface the delta between what was certified and what is currently true.

Change triggers reassessment. The most dangerous moment in any compliance programme is not the gap between audits. It is the deployment that changed a network boundary, the personnel change that left a privileged account unreviewed, the vendor who updated their data-processing terms. In a point-in-time model, none of these events triggers anything. The certificate stands until the next renewal. In a continuous model, change is itself a compliance event that the system surfaces automatically rather than waiting for a human to notice.

Is this a DORA/NIS2 problem or a universal one?

Both, and the distinction is narrowing. DORA is already enforceable. Financial entities in scope cannot manage ICT risk against a once-a-year posture; the regulation expects ongoing monitoring, testing, and incident-response capability. The tolerance for a point-in-time defence against a DORA supervisory review is effectively zero.

NIS2 transposed unevenly across EU member states, which has created the misleading impression that the obligation is soft. It is not. The directive is explicit about proportionate and continuous risk-management measures. Where transposition has been slow, enforcement will catch up. Organisations treating NIS2 as a one-time certification exercise are building on ground that will shift.

But strip away the regulatory names entirely and the underlying logic holds for any framework. A vulnerability discovered the week after your SOC 2 Type II period closes is not a theoretical problem — it is a real exposure with real consequences. The question is whether your programme will surface it in hours or in eleven months.

Does continuous compliance cost more?

Here is where the conventional argument fails, and it is worth being direct about why. The cost objection rests on an implicit assumption: that you are running compliance programmes per framework, and continuous monitoring multiplies that cost across every framework you carry. If you are running ISO 27001, SOC 2, GDPR obligations, DORA, and NIS2 as five separate programme tracks — separate controls, separate evidence, separate reporting — then yes, continuous monitoring across all five simultaneously is expensive.

The correct response to that objection is not to reject continuous compliance. It is to reject the architecture that makes it expensive.

The controls that underlie access management, incident response, change management, and data handling are not framework-specific. They are structural. ISO 27001 Annex A, the SOC 2 criteria, DORA's ICT risk-management chapter, and NIS2's risk-management obligations are all pointing at the same underlying operational requirements from different angles. A cross-framework architecture maps those obligations once and monitors them once. When a control changes state, every framework that depends on it sees the change simultaneously. Evidence is captured once and mapped to many.

This is not a theoretical efficiency. It is the only architecture under which continuous compliance is economically defensible — and the only one under which the question "are we compliant right now?" has a meaningful, non-fictional answer.

What should a board actually be asking?

The board question that currently dominates is: "Are we certified?" The question that should replace it is: "What is our current residual risk against our material compliance obligations, and what is the trend?"

That question cannot be answered with a certificate. It requires a live posture — someone who can pull up, at any moment, a scored view of control effectiveness across all material frameworks, with the change events that have triggered reassessment visible and tracked. If that view does not exist, the organisation is flying on instruments that were last calibrated at the audit date. Everything since then is assumption.

FAQ

We just completed our ISO 27001 recertification. Are we exposed? Your certification is valid and your posture is current as of the assessment period. Whether it remains current today depends entirely on whether anything has changed since — in your environment, your controls, your suppliers, or the threat landscape. The certificate cannot answer that question; only continuous monitoring can.

Doesn't continuous monitoring require significant tooling investment? Less than the incident it prevents — and materially less when it is built on a shared control architecture rather than per-framework silos. Frame the investment against the cost of an enforcement action, a breach, or the operational cost of emergency remediation before every renewal.

What about frameworks that are still audit-cycle by design? Operate to the framework's requirements for certification, and operate continuously for risk management. These are not in conflict. The certificate is a commercial and regulatory artefact; your actual risk posture is a separate, more important thing.

The honest posture

Compliance declared is not compliance achieved. It is compliance as of a date. The environment has moved on, the controls may have drifted, and the threats have certainly evolved.

The only honest posture is one that reflects what is actually true right now — not what was attested last November, not what the certificate says. That requires a living control architecture: monitoring over attestation, scoring over declaration, and change-triggered reassessment as a first-class event, with frameworks treated as overlapping lenses on shared obligations rather than separate tracks.

The audit cycle had its moment. That moment has passed. The question is not whether to move to continuous compliance — it is how quickly you can build the architecture to make it affordable. Aigis GRC was built to make that architecture available to every organisation that needs it, not just those with enterprise-scale compliance budgets. If that is a conversation worth having, it starts at agrc.ai.