Compliance season used to be a CSV-collection exercise. Each tool exported what it thought was the truth, the auditor reconciled by spreadsheet, and the answers from IAM didn't match the answers from EDR for the same employee. We rebuilt the substrate.
What we measure
- Coverage: for each control, which assets are covered by which tool, with what last-observation timestamp.
- Quality signals: auditor pushback rates, reopen rates after remediation, time-to-evidence per finding.
- Throughput: how long each finding spends in each stage of the pipeline, and where it queues.
The shape of the mess
IAM, EDR, vuln management, and code review each owned their own state and their own export format. Their disagreements weren't bugs (they reflected which tool had last observed which event), but to the auditor they read as contradictions.
One append-only event spine
Every producer appends events to a single, versioned, append-only spine. Consumers (audit dashboards, compliance reports, incident response, risk register) project what they need by replaying the spine, and never rewrite the source of truth. Replays are cheap; schema evolution is explicit.
A normalized event looks like this:
{
  "event_id": "7a13...",
  "subject_id": "U-429801",
  "control": "AC-2",
  "asset": "iam_account",
  "stage": "review_passed",
  "ts": "2026-01-07T12:44:05Z",
  "source_system": "iam_v3"
}
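The shape of such a spine and two of the projections listed under "What we measure" (coverage with last-observation timestamps, and time per stage), as an added example rather than code from this write-up. It uses the normalized event above as its schema; the Spine class, the IAM and EDR adapters, the sample exports, the mapping of EDR sensor health to control SI-4, and the projection functions are assumptions made for the example.

```python
"""Append-only evidence spine with replayable projections.

Added example for this write-up, not the page's own code. The event shape is the
normalized event shown above; the Spine class, the producer adapters, the sample
exports, the SI-4 control mapping for EDR, and the projection functions are all
assumptions made for the example.
"""
from datetime import datetime, timedelta, timezone

SCHEMA_VERSION = 1
# Fields every event must carry. Later versions may ADD optional fields, and
# consumers must tolerate keys they do not know; dropping a field from this
# tuple is the contract change that needs notice.
REQUIRED = ("event_id", "subject_id", "control", "asset", "stage", "ts", "source_system")


def parse_ts(ts: str) -> datetime:
    """Strict UTC 'Z' timestamps only, so every consumer orders events the same way."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class Spine:
    """Append-only log. Nothing is updated or deleted; consumers replay it."""

    def __init__(self):
        self._events = []
        self._seen = set()

    def append(self, event: dict) -> int:
        """Validate, stamp the schema version, append. Re-appending an event_id is a
        no-op so producers can retry safely. Returns the current log length."""
        missing = [k for k in REQUIRED if k not in event]
        if missing:
            raise ValueError(f"{event.get('event_id')}: missing {missing}")
        parse_ts(event["ts"])  # reject malformed timestamps at the door
        if event["event_id"] not in self._seen:
            self._seen.add(event["event_id"])
            self._events.append({"schema_version": SCHEMA_VERSION, **event})
        return len(self._events)

    def replay(self):
        return iter(self._events)


# Constructed sample exports from two producers (not real tool output).
IAM_EXPORT = [
    {"user": "U-429801", "action": "review_opened", "at": "2026-01-02T09:00:00Z"},
    {"user": "U-429801", "action": "review_passed", "at": "2026-01-07T12:44:05Z"},
]
EDR_EXPORT = [
    {"owner": "U-429801", "host": "laptop-0192", "sensor": "healthy", "seen": "2026-01-06T23:10:00Z"},
]


def from_iam(rec: dict, n: int) -> dict:
    """Adapter: one IAM export row -> one normalized AC-2 event."""
    return {"event_id": f"iam-{n}", "subject_id": rec["user"], "control": "AC-2",
            "asset": "iam_account", "stage": rec["action"], "ts": rec["at"],
            "source_system": "iam_v3"}


def from_edr(rec: dict, n: int) -> dict:
    """Adapter: one EDR export row -> one normalized SI-4 event (control mapping assumed).
    'host' is an extra key: additive, so consumers must ignore what they don't know."""
    return {"event_id": f"edr-{n}", "subject_id": rec["owner"], "control": "SI-4",
            "asset": "endpoint", "stage": f"sensor_{rec['sensor']}", "ts": rec["seen"],
            "source_system": "edr_v2", "host": rec["host"]}


def load(spine: Spine) -> int:
    """Run both producers' exports through their adapters; returns the log length."""
    for n, rec in enumerate(IAM_EXPORT):
        spine.append(from_iam(rec, n))
    for n, rec in enumerate(EDR_EXPORT):
        spine.append(from_edr(rec, n))
    return len(list(spine.replay()))


def coverage(spine: Spine) -> dict:
    """Coverage projection: for each (control, subject, asset), which source last
    observed it, when, and in what stage. Latest timestamp wins, so two tools
    reporting different states are two dated observations, not a contradiction."""
    latest = {}
    for e in spine.replay():
        key = (e["control"], e["subject_id"], e["asset"])
        if key not in latest or parse_ts(e["ts"]) > parse_ts(latest[key]["ts"]):
            latest[key] = e
    return {k: (e["source_system"], e["ts"], e["stage"]) for k, e in latest.items()}


def stale(cov: dict, now: str, max_age_hours: int) -> list:
    """Coverage gaps: keys whose last observation is older than max_age_hours at `now`."""
    cutoff = parse_ts(now) - timedelta(hours=max_age_hours)
    return sorted(k for k, (_, ts, _) in cov.items() if parse_ts(ts) < cutoff)


def stage_seconds(spine: Spine, subject_id: str, control: str) -> dict:
    """Throughput projection: seconds one finding spent in each stage, i.e. the gap
    between that stage's event and the next event for the same subject and control."""
    evs = sorted((e for e in spine.replay()
                  if e["subject_id"] == subject_id and e["control"] == control),
                 key=lambda e: parse_ts(e["ts"]))
    return {a["stage"]: int((parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds())
            for a, b in zip(evs, evs[1:])}


if __name__ == "__main__":
    s = Spine()
    load(s)
    load(s)  # replaying an export is idempotent: still three events
    for k, v in coverage(s).items():
        print(k, v)
    print("stale:", stale(coverage(s), "2026-01-10T00:00:00Z", 72))
    print("AC-2 stages:", stage_seconds(s, "U-429801", "AC-2"))
```

Every projection is a pure function of the replayed log, which is what makes replays cheap: a new dashboard or a corrected report is a new function, not a migration. The idempotent append means a producer that re-sends an export after a failure cannot double-count a finding, and the strict timestamp parse keeps a single tool with a sloppy clock format from reordering everyone else's evidence.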
What it enabled
The biggest change was organizational, not technical. When every team looked at the same numbers for the same controls, the weekly compliance review went from "whose data is right" to "what do we do next." Audit preparation dropped from weeks to days.
What it cost
Schema-evolution discipline is the bill. Adding a field is fine; removing one is a contract change with notice. Retention contracts are explicit and tier-by-tier. The spine itself is boring infrastructure; the politics of letting go of per-tool dashboards was the hard part.