AWS re:Invent 2025 - A leader's guide to achieving compliance through software excellence (SNR304)

Achieving Compliance Through Software Excellence

Overview

  • Presentation by Tom Goden (AWS Executive in Residence) and Ian Sukcliffe (AWS Principal Tech Strategist)
  • Discusses a framework for achieving compliance through software engineering excellence, rather than relying on documentation and processes
  • Outlines a 4-pillar approach: Culture, Organization, Mechanisms, and Execution

The Problem with Traditional Compliance Approaches

  • Compliance is often seen as the enemy of innovation, forcing companies to choose between speed/quality and compliance
  • Traditional compliance approaches are document-centric, creating "compliance theater" rather than driving real results
  • Compliance is costly, with estimates of $30M annually per company in financial services and $1 trillion in administrative burden across healthcare
  • Compliance costs are rising, with 98% of companies reporting increasing costs
  • There is a fundamental mismatch between compliance (which wants a static "snapshot" of software) and modern software development (which is continuous)

The 4 Pillars of Achieving Natural Compliance

1. Culture

  • Shift from a "compliance culture" to a "quality culture" where compliance is a natural byproduct
  • Establish a "transformation army" of champions to drive automation of compliance checks
  • Use weekly demos of working systems to build trust and buy-in
  • Measure and celebrate progress on automation, shifting mindsets

2. Organization

  • Break down silos between quality/compliance and engineering teams
  • Embed compliance experts directly into product teams
  • Shift decision-making and control to the product teams
  • Upskill compliance professionals to become automation experts

3. Mechanisms

  • Leverage existing tooling (requirements, CI/CD, testing, etc.) to generate compliance evidence automatically
  • Make the pipeline the validator, automating compliance checks with every commit/release
  • Store requirements in code, not documents
  • Use infrastructure-as-code to automate infrastructure qualification and validation
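As an added illustration of the Mechanisms pillar (example code, not from the talk): requirements kept as executable checks, run by a pipeline step against a CloudFormation template, emitting a machine-readable evidence record. The template, the requirement IDs and the checks are constructed assumptions.

```python
# Added example (not from the talk); template, requirement IDs and checks are constructed.
import hashlib
import json
from datetime import datetime, timezone

# Constructed CloudFormation template (JSON form), as a pipeline would read it.
TEMPLATE = {
    "Resources": {
        "AuditLogs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "Scratch": {"Type": "AWS::S3::Bucket", "Properties": {}},  # non-compliant
    }
}

def buckets(template):
    """Name -> Properties for every S3 bucket resource in the template."""
    return {n: r.get("Properties", {}) for n, r in template["Resources"].items()
            if r.get("Type") == "AWS::S3::Bucket"}

def encrypted_at_rest(props):
    return "BucketEncryption" in props

def public_access_blocked(props):
    cfg = props.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "BlockPublicPolicy",
                                             "IgnorePublicAcls", "RestrictPublicBuckets"))

# Requirements as code (hypothetical IDs), each bound to an executable check.
REQUIREMENTS = [
    {"id": "REQ-ENC-001", "text": "Buckets encrypt data at rest", "check": encrypted_at_rest},
    {"id": "REQ-NET-002", "text": "Buckets block public access", "check": public_access_blocked},
]

def evaluate(template, requirements=REQUIREMENTS):
    """Evidence record: a verdict per requirement per bucket, tied to the template hash."""
    digest = hashlib.sha256(json.dumps(template, sort_keys=True).encode()).hexdigest()
    results = [{"requirement": q["id"], "resource": n, "passed": q["check"](p)}
               for q in requirements for n, p in buckets(template).items()]
    return {"template_sha256": digest, "evaluated_at": datetime.now(timezone.utc).isoformat(),
            "results": results, "compliant": all(r["passed"] for r in results)}
```

In a pipeline step, a record with `"compliant": false` fails the job, and the JSON itself is the evidence an auditor reviews, keyed to the exact template hash that was deployed.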

4. Execution

  • Start small, focusing on quick wins and iterating
  • Avoid the temptation to "boil the ocean" - scale thoughtfully and deliberately
  • Run new automated compliance processes in parallel with traditional approaches to build trust
  • Celebrate successes and let them spread organically across the organization

Key Takeaways

  • Compliance can be achieved through software engineering excellence, not just documentation
  • Automating compliance checks and generating evidence through the development toolchain is key
  • Cultural transformation is critical - shifting to a "quality culture" where compliance is a natural byproduct
  • Organizational changes are needed to break down silos and empower product teams
  • A phased, iterative approach focused on quick wins is most effective

Technical Details

  • Specific metrics cited:
    • $30M annual compliance cost per company in financial services
    • $1 trillion in annual administrative burden across healthcare
    • 98% of companies report increasing compliance costs
    • $2.71 in penalties for every $1 not invested in compliance
  • Technologies mentioned:
    • Jira for requirements management
    • Confluence for documentation
    • CI/CD pipelines
    • Automated testing
    • Infrastructure-as-code (CloudFormation, Terraform)

Business Impact

  • Increased speed and innovation by eliminating the trade-off between compliance and agility
  • Reduced compliance costs through automation and efficiency gains
  • Improved risk management and audit readiness by having comprehensive, up-to-date compliance evidence
  • Ability to attract and retain top engineering talent by allowing them to focus on innovation rather than compliance overhead

Examples

  • Tom Goden's experience as CIO of Foundation Medicine, where they implemented an automated compliance approach
  • Collaborating with auditors (e.g. FDA) to shift from document-centric to automation-centric compliance
