
A New Era for Compliance: Introducing the Compliance Automation Revolution (CAR)

Published 04/29/2025


Written by Daniele Catteddu, CTO, Cloud Security Alliance (CSA).


Introducing the Compliance Automation Revolution (CAR) Initiative

In today’s rapidly evolving digital landscape, it is of strategic importance that technology providers are not only secure but can also demonstrate, consistently and at any time, that they are protecting data on an ongoing basis. In other words, compliance and assurance are paramount. Organizations operate in an environment shaped by ever-growing regulatory requirements, complex supply chains, and rising expectations around security, privacy, and appropriate third-party risk management. Together, these factors have made traditional approaches to compliance inefficient, insufficient, and unsustainable.

The Cloud Security Alliance (CSA) has always been committed to helping our community navigate these challenges. Today, we are thrilled to announce the formal launch of our new initiative: the Compliance Automation Revolution (CAR).

Backed by our community of industry experts and with the initial blessing of some policymakers and regulators, CAR aims to fundamentally transform how organizations approach compliance, security governance, assurance, and, ultimately, trust. The initiative will focus on four key action areas:

  • Automating Evidence Collection and Sharing: Developing methods and tools to automatically gather compliance evidence and share it in a standardized, machine-readable format.
  • Shifting Compliance Left: Embedding compliance checks early in development as part of system design and CI/CD pipelines.
  • Harmonizing Regulatory Frameworks: Mapping and aligning frameworks into a common, reusable set of controls.
  • Driving Risk Quantification: Developing metrics and models to quantify security and compliance risk in objective terms, including defining standardized metrics for control effectiveness and assurance levels.

From CSA’s perspective, we can’t overstate the importance and timeliness of this initiative. It addresses the reality that compliance and assurance have become integral aspects of business strategy, a driving force for competitive advantage, and a factor of differentiation based on security excellence. At the same time, compliance and assurance must keep pace with the speed of innovation.

It’s time for a true paradigm shift in how we achieve compliance, trust, and assurance in the cloud and AI.


The Growing Burden of Traditional Compliance

Compliance fatigue is real. Organizations today face several critical challenges:

  • Constantly Evolving Requirements: The regulatory landscape is a moving target. Laws differ across regions and industries, and change frequently. The rise of data privacy laws and AI ethics guidelines adds even more complexity.
  • Inefficient Manual Processes: Despite technological advances, much compliance work remains manual and repetitive. Audits often rely on spreadsheets, emails, and human judgment. These processes are error-prone and don't scale. Even when frameworks overlap, compliance efforts get duplicated due to lack of harmonization.
  • Growing Workloads & Talent Shortage: The proliferation of regulations has increased compliance costs and stretched teams thin. Organizations must comply with hundreds of requirements while struggling to find experienced professionals.

Put bluntly, compliance operations have become overly duplicative, time-consuming, and expensive. Clearly the status quo is not sustainable. We need to alleviate these burdens without compromising on security or trust. We need to leverage compliance efforts to improve the assurance posture of our organizations and increase the overall level of trust within our ecosystem.


Evidence-Based Trust: The Key to Continuous Assurance

Trust isn’t just a label you apply; it’s a state earned through evidence-based assurance. If we want to build confidence among stakeholders, we must increase our credibility and replace snapshot, point-in-time audits with continuous, data-driven insights.

Evidence-based trust is at the heart of both the Zero Trust strategy and our new approach. In fact, the CAR initiative’s mission is to facilitate “evidence-based trusted relationships” between technology providers, customers, and regulators. Two factors are especially critical here: the quality of evidence and its timeliness.

  • Quality of Evidence: Traditional audits often sample a tiny slice of systems, which can miss issues. By automating compliance checks, organizations can test their controls comprehensively and continuously, improving accuracy and confidence. In short, better evidence (broader and deeper) means better assurance.
  • Timeliness of Evidence: Even the best evidence loses value if it’s stale. Point-in-time compliance gives a snapshot that may be obsolete weeks or months later. In today’s fast-moving cloud environments, we need evidence that is collected and verified in real time. Timely evidence collection allows stakeholders to detect and address security or compliance drift as soon as it occurs, rather than long after the fact.

This is the essence of continuous assurance – having an up-to-date, ongoing picture of risk. When evidence reflects the current state of operations and is continuously updated, trust becomes a living thing rather than a series of snapshot events. Organizations are also far better prepared for audits at any moment, with audit-ready evidence always on hand.

By focusing on high-quality, timely evidence, we shift the paradigm from compliance as a periodic scramble to compliance as a continuous process. This evidence-driven approach is essential to keep up with modern threats and regulatory expectations.


Realigning Operational Security and Compliance

As hinted above, compliance and security are meant to be two sides of the same coin. They are supposed to be dear friends walking hand in hand in the same direction. Instead, a persistent challenge in most organizations is the disconnect between security operations and compliance. These silos can lead to duplicated efforts, delayed remediation, and overlooked vulnerabilities.

For compliance to be truly valuable, it must reinforce security operations—and vice versa. Control tests and policy checks can inform security teams about configuration drift or malicious changes. Meanwhile, continuous security monitoring can feed evidence into compliance programs, offering real-time insight into control effectiveness.

CAR aims to integrate security and compliance, so they function as mutually supportive disciplines rather than isolated tasks. Automated evidence collection, standardized control mappings, and data-driven risk metrics all help bring security operations and compliance back into alignment. In a truly modern approach, operational security practices and compliance activities become complementary aspects of the same overarching mission: continuous, demonstrable trust.


Modern Approaches: From Infrastructure as Code to Compliance as Code

Achieving continuous, evidence-backed assurance at scale is only possible by leveraging modern, software-driven methods. In practice, this means extending the “as code” philosophy that revolutionized IT (think Infrastructure as Code) into the realm of security and compliance. Automation and codification of policies are the linchpins of making compliance efficient and proactive. Some of the approaches making this possible include:

  • Infrastructure as Code (IaC): Managing infrastructure through code instead of manual configuration. IaC creates auditable, version-controlled records of configurations, establishing a foundation for compliance by design.
  • Policy as Code (PaC): Expressing policies in machine-readable code enables automated enforcement and validation throughout development and deployment. This catches violations early and ensures uniform enforcement.
  • Compliance as Code (CaC): Taking PaC further by encoding regulatory and framework controls as testable code that integrates into CI/CD pipelines. This replaces manual checklists with continuous, automated compliance verification.
  • Security as Code (SaC): Embedding security controls and tests into the software lifecycle. This ensures security checks aren't an afterthought but are built into development and deployment from the start.

Collectively, these practices allow organizations to bake compliance and security into systems and workflows. When infrastructure, policies, and controls are defined in code, they can be validated automatically at machine speed. This dramatically increases consistency, reduces human error, and enables the shift to continuous compliance.

By adopting these “as code” techniques, organizations institutionalize the notion that security and compliance are not one-off events but continuous processes. This integrated, code-based approach provides the automation backbone needed to close the loop between operational security and compliance documentation—ensuring that both teams see and work off the same evidence and metrics.


The CAR Mission

CAR's mission is to modernize the entire compliance ecosystem through automation, integration, and data-driven assurance. The initiative will focus on:

Automate Compliance (Automated Evidence Collection and Sharing): Develop methods and tools to automatically gather compliance evidence and share it in a standardized machine-readable format, specifically the Open Security Controls Assessment Language (OSCAL). Instead of waiting for auditors to request documents, evidence should be collected continuously from systems (logs, configurations, runtime metrics), aggregated in real time, translated into a common language (OSCAL), and shared with those who need to know.

Automation here will drastically reduce the manual labor of audits. It will also improve accuracy – evidence is captured at the source, leaving less room for error or omission. By automating evidence collection, an organization can prove its compliance posture at any time with minimal effort.
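As an added illustration (not CSA or CAR code), the following Python encodes two controls as testable code in the compliance-as-code style described above, runs them against a constructed resource inventory, fails the pipeline on drift, and emits the findings as a simplified OSCAL-style assessment-results fragment. The framework mappings, resource shapes and most field values are assumptions, and the output uses only a handful of OSCAL field names rather than the full schema.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample inventory, shaped like an export from an IaC state file or cloud API.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "encryption": "aes256", "public": False},
    {"id": "bucket-web", "type": "storage", "encryption": None, "public": True},
    {"id": "db-main", "type": "database", "encryption": "kms", "public": False},
]

# Each control is written once and mapped to several frameworks ("write once,
# comply with many"); the framework control IDs here are placeholders.
CONTROLS = {
    "enc-at-rest": {
        "title": "Data at rest is encrypted",
        "mappings": ["FRAMEWORK-A:placeholder-1", "FRAMEWORK-B:placeholder-7"],
        "check": lambda r: r.get("encryption") is not None,
    },
    "no-public-storage": {
        "title": "Storage is not anonymously reachable",
        "mappings": ["FRAMEWORK-A:placeholder-4"],
        "check": lambda r: not (r["type"] == "storage" and r.get("public")),
    },
}

def evaluate(inventory, controls):
    """Test every control against every resource: {control_id: [failing resource ids]}."""
    return {cid: [r["id"] for r in inventory if not ctl["check"](r)]
            for cid, ctl in controls.items()}

def is_compliant(findings):
    """CI/CD gate: True only when no control has a failing resource."""
    return not any(findings.values())

def to_assessment_results(findings, controls, when=None):
    """Render findings as a simplified OSCAL-style assessment-results document.
    Only a handful of OSCAL field names are used; it is not schema-validated."""
    when = when or datetime.now(timezone.utc).isoformat()
    oscal_findings = []
    for cid, failing in findings.items():
        oscal_findings.append({
            "uuid": str(uuid.uuid4()),
            "title": controls[cid]["title"],
            "target": {"type": "objective-id", "target-id": cid,
                       "status": {"state": "not-satisfied" if failing else "satisfied"}},
            "remarks": f"Mapped to {', '.join(controls[cid]['mappings'])}; "
                       f"failing resources: {', '.join(failing) or 'none'}",
        })
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Automated control test", "last-modified": when},
        "results": [{"uuid": str(uuid.uuid4()), "title": "Pipeline run",
                     "start": when, "findings": oscal_findings}],
    }}

if __name__ == "__main__":
    f = evaluate(SAMPLE_INVENTORY, CONTROLS)
    print(json.dumps(to_assessment_results(f, CONTROLS), indent=2))
    raise SystemExit(0 if is_compliant(f) else 1)  # non-zero exit fails the pipeline on drift
```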

Shift Compliance Left (Compliance by Design): Embed compliance checks early in development—as part of system design and CI/CD pipelines. This "compliance by design" approach makes compliance an integrated aspect of engineering rather than a painful afterthought.

Harmonize Regulatory Frameworks: Tackle the problem of redundant and conflicting regulations by mapping and aligning frameworks into a common, reusable set of controls. CAR will work to standardize controls and mappings across regulations (leveraging efforts like CSA’s Cloud Controls Matrix) so that companies can comply with many requirements at once rather than piecemeal. We want to establish common languages for controls and evidence, enabling “write once, comply with many.” 

Harmonization means a control tested for one framework can satisfy others, eliminating duplicate work. It also means regulators can gain mutual recognition of equivalent standards. By reducing fragmentation, we make compliance efforts more efficient for service providers and more transparent for customers and regulators.

Drive Risk Quantification: Evolve compliance from a checkbox exercise to a true risk-management tool. The CAR initiative will prioritize developing metrics and models to quantify security and compliance risk in objective terms. This involves defining standardized metrics for control effectiveness and assurance levels. 

By quantifying risk, we can ensure that compliance efforts are proportionate to the actual risks – offering the right level of assurance for the criticality of a service. It also allows business and technical leaders to make data-driven decisions on where to invest in security improvements. In short, CAR seeks to turn compliance into a measurable science, linking it directly to risk reduction outcomes.

These core goals define the scope of CAR’s effort. Achieving them will involve developing open standards, reference architectures, and best practices. For example, CAR will explore common control libraries and machine-readable regulations to support automation, as well as continuous audit processes that regulators can eventually embrace. Underlying all of this is the principle of continuous assurance – enabling a shift from point-in-time certifications to ongoing, real-time confidence in security. By automating controls and evidence and aligning them with risk, we can provide assurance that keeps up with the speed of cloud innovation.


Industry Voices on the CAR Initiative

One of the most exciting aspects of the Compliance Automation Revolution is the groundswell of support we’re already seeing within the tech and compliance ecosystem. Cloud providers, GRC solution vendors, and audit firms alike recognize the need for this change and are joining us to make it happen. Here are just a few voices of support for CAR’s vision:

“Adhering to compliance is often viewed as a costly, point-in-time snapshot that lags behind the pace of innovation. CAR represents a vital industry collaboration to change that paradigm. By embracing automation, harmonization, and 'compliance-as-code,' we're not just aiming to reduce audit fatigue; we're building a future founded on continuous, evidence-based trust that can finally scale with the dynamic nature of cloud and AI.” 

- Archana Ramamoorthy, Senior Director, Regulated and Trusted Cloud, Google Cloud, CAR Founding Member

“The Compliance Automation Revolution marks a strategic move toward aligning compliance and security as complementary forces. As the regulatory landscape grows more complex, and threats become more sophisticated, it is critical for organizations to proactively address both. We're excited to work with CSA in advancing this mission.” 

- Anil Markose, GVP, Chief Compliance Officer for Oracle SaaS

“Enterprises today face increasingly complex GRC environments, and the need for scalable, automated solutions has never been greater. At Anecdotes, we’re proud to be an ambassador for the Compliance Automation Revolution initiative, championing innovation that will help organizations navigate these challenges with greater ease and efficiency. This initiative tackles an unsolved problem, and we anticipate every enterprise will benefit from the groundbreaking work coming out of it.”

- Yair Kuznitsov, CEO and Co-Founder, Anecdotes

“Security and compliance should be less of a burden — they should be a business enabler. The Compliance Automation Revolution provides the framework and collaboration needed to streamline compliance efforts, reduce risk exposure, and ensure organizations stay ahead of emerging threats.” 

- Adam Shnider, Executive Vice President/Compliance Services, Coalfire

“By joining the Compliance Automation Revolution, we reaffirm our commitment to proactive security and compliance excellence. In an era of growing regulatory complexity, automation is key to reducing operational risk and streamlining compliance efforts. CAR represents a significant step forward in enabling organizations to shift resources from manual compliance tasks to innovation and business growth.” 

- Fabio Battelli, Senior Partner, Deloitte Central Mediterranean for Cyber Security Services

“The regulatory landscape is shifting fast — and so are emerging threats. Static, check-the-box compliance models are no longer sufficient to keep pace. At Salesforce, we see compliance as a trust enabler, not a roadblock. That’s why we’re proud to join the Compliance Automation Revolution and partner with CSA to drive scalable, proactive solutions, leveraging the power of AI, that help organizations meet rising expectations with confidence.” 

- Prashant Vadlamudi, SVP, Product Security, Salesforce

“In today’s environment of mounting regulatory demands and rapidly evolving cyber threats, the Compliance Automation Revolution isn’t just timely, it’s essential. It’s about transforming how organizations approach compliance, turning a traditionally reactive process into a proactive strategy for resilience. By embracing automation and collaboration, we can drive smarter decisions, reduce risk, and build a stronger, more secure future.” 

- Avani Desai, CEO of Schellman

“As regulations grow more complex and the threat landscape evolves, companies need automation not just to keep up, but to get ahead. The Compliance Automation Revolution is an important industry movement, and Vanta is proud to join this effort to push the industry toward smarter, more scalable ways of working. Together, we can simplify compliance, strengthen security programs, and free up teams to focus on what matters most.” 

- Jadee Hanson, CISO, Vanta


Join the Revolution: A Call to Action

The entire ecosystem stands to gain from compliance automation and continuous assurance: regulators get more timely information, cloud providers reduce audit fatigue, enterprises gain confidence in vendors, and auditors can deliver deeper insights.

Today’s launch of CAR is an open invitation. We invite everyone who has a stake in the future of cloud trust to participate in this initiative and help shape the next generation of compliance solutions. In particular, we extend a call to action to:

  • Regulators and Policymakers: Your input is critical to ensure that new automated compliance methods fulfill regulatory needs. Join us in exploring how continuous assurance can meet or exceed the objectives of traditional audits. By collaborating, regulators can also gain tools to streamline oversight and receive higher-quality compliance data from industry in real time. 
  • Cloud Providers and Tech Companies: The providers of cloud infrastructure and services are on the front lines of this challenge. We urge cloud platforms, SaaS companies, and technology firms to contribute to CAR’s working groups. Share your insights on automating compliance at scale, and adopt the best practices and standards that emerge. Let’s work together to make compliance a value-add for customers, not a pain point.
  • GRC and Security Solution Providers: If you develop Governance, Risk, and Compliance tools or security automation solutions, CAR is your opportunity to help define the future. We welcome GRC and security software vendors to collaborate on open standards and ensure your products align with the continuous compliance vision. Your expertise in user experience and workflow integration will be invaluable as we create practical tools for automation. By participating, you can stay ahead of the curve and offer your clients solutions that are “CAR-ready.”
  • Auditors and Assessors: Third-party auditors, assessors, and consulting firms are crucial to the credibility of any compliance-related framework. We call on the audit community to get involved in CAR. Together, we can develop techniques for continuous auditing, where auditors spend more time analyzing risk and less time gathering evidence. Embracing automation will not replace the auditor – it will empower you to provide deeper, more meaningful assurance services.

In the spirit of CSA’s principles, the Compliance Automation Revolution is a community-driven effort. We believe in transparency, collaboration, and innovation – and we need voices from all corners of the industry to ensure we collectively get this right. If you’re passionate about making compliance more effective and less painful, now is the time to get involved. Join our mailing list by filling out this form, or contact us directly at car-info@cloudsecurityalliance.org. Help us turn compliance from a costly obstacle into a continuous, security-enhancing practice.

The revolution in compliance starts now, and everyone is welcome! Let’s make this happen and usher in a new era of continuous assurance for all.
