The Compliance Reckoning
There's a dirty secret in cybersecurity. A lot of the money flowing into the industry isn't buying security. It's buying the appearance of security. And the people writing those checks? They know it.
I've spent two decades building Bugcrowd and disclose.io, and I've watched the same pattern play out hundreds of times. A CISO walks into a budget meeting. They need to justify spend. They don't reach for the metric that says "we reduced our actual attack surface by 40%." They reach for the one that says "we passed our audit." Those are not the same thing, and everyone in the room knows it. Nobody says it out loud.
The places where we've sold security to folk who don't actually care about security -- checkbox compliance, annual pentests purchased to satisfy auditors, vulnerability programs that exist on paper but route findings into a black hole -- are about to come under enormous pressure. AI is the reason. But not in the way most people think.
The Economics of Not Looking
Compliance theater has survived for a remarkably simple economic reason: the cost of verifying whether an organization is actually secure has always been higher than the cost of checking whether they claim to be. An auditor shows up, confirms the pentest report exists, ticks the box, moves on. Nobody asks whether the 47 findings in that report got fixed. Nobody asks whether the pentest scope was deliberately narrowed to avoid the parts of the codebase everyone knows are held together with duct tape and prayer.
This works because verification is expensive. Sending a human to actually validate security posture -- not just the existence of a program, but its effectiveness -- costs real money, takes real time, and requires real expertise. So the industry settled for proxies. Certifications. Attestations. Reports that confirm the existence of reports.
Every bug has quantifiable value. A critical RCE in a production system represents real economic risk -- potential breach costs, regulatory fines, customer churn, litigation. But compliance frameworks don't price bugs. They price processes. They ask "do you have a vulnerability management program?" not "what's the mean time to remediation on your critical findings?" That's not an accident. It's a feature. Because if you start pricing actual risk, you expose the gap between the program on paper and the program in practice.
AI Makes Verification Cheap
Here's where things get interesting.
AI doesn't just find bugs faster, though it does that too. The real disruption is that AI makes verification radically cheaper. Continuous assessment of an attack surface that used to require a team of specialists running month-long engagements can now happen in hours. The cost curve for actually checking whether an organization is secure -- not whether they have a certificate that says they might be -- just collapsed.
Think about what that means. The entire compliance-industrial complex is built on an arbitrage: the gap between the cost of appearing secure and the cost of being secure. When AI compresses the cost of the latter, that arbitrage disappears. Suddenly it's cheaper to actually test whether the firewall rules make sense than to pay a consultant to confirm the firewall policy document exists.
This is already happening in bug bounty. The programs that thrive are the ones run by organizations that genuinely care about risk reduction. They take findings seriously. They fix things. They measure mean time to remediation. They treat vulnerability reports as threat intelligence, not paperwork. The programs that struggle? They're the ones bought to satisfy a procurement requirement. Findings go into a queue that nobody owns. Researchers stop bothering because nothing gets fixed. The program becomes exactly what it was purchased to be: a checkbox.
AI amplifies this divergence. Organizations that actually care will use AI-augmented testing to find and fix more, faster. Organizations that don't will find it increasingly hard to hide behind the paperwork, because the same AI tools that help defenders also make it trivially easy for attackers -- and regulators, and insurers, and customers -- to probe whether the emperor has clothes.
The CISO's Choice
I've watched the security industry evolve through several waves. The honest answer is that we've spent a lot of that time optimizing for the wrong buyer. When your customer is an auditor, you build for auditability. When your customer is a compliance framework, you build for checkboxes. When your customer is a board that asks "are we compliant?" instead of "are we secure?" -- you give them compliance.
But the model is shifting. It has to. We've gone from a world where breaches were embarrassing to one where they're existential. Ransomware doesn't care about your SOC 2 Type II. Nation-state actors don't check whether you've completed your annual pentest before they exploit the vulnerability it would have found if anyone had bothered to read the results.
The CISOs who chose the checkbox over the conversation -- who opted for the comfortable fiction of compliance over the uncomfortable work of actual risk reduction -- are running out of room. Not because the auditors got tougher. Because the tools to verify reality got cheap enough that the fiction stops being plausible.
I've seen this in the bug bounty space for years. Customer apathy on fixing reported issues is the single biggest drag on program effectiveness. The model has drifted, in too many cases, from "find it and fix it" to "find it and file it." Payouts happen. Fixes don't. The program exists. Security doesn't improve. Everyone stays technically compliant.
What Comes Next
The reckoning isn't a single event. It's a repricing. Insurance underwriters are already starting to probe beyond attestation. Regulators are moving toward outcome-based requirements. Customers with their own AI-powered assessment tools are asking harder questions during procurement. Each of these forces independently erodes the value of checkbox security. Together, they make it untenable.
Security has always been a marketing, design, and economics problem masquerading as a technology problem. The marketing said "you need compliance." The design optimized for auditor satisfaction. The economics rewarded the appearance of security over its substance. AI is about to rewrite all three variables simultaneously.
The organizations that figure this out first won't just be more secure. They'll have a genuine competitive advantage -- lower insurance premiums, faster procurement cycles, fewer breach-related losses. Security as an actual business function, not a cost center that produces binders.
For everyone else: the cost of pretending just went up. Dramatically. And unlike your last compliance audit, AI doesn't grade on a curve.