When “Compliance” Becomes a Proxy for Trust

Over the past few days, a story has been doing the rounds about a fast-growing compliance startup and its sudden parting of ways with a major backer. It’s easy to get pulled into the specifics, the allegations, the responses, and the inevitable back-and-forth. But I find myself less interested in the company itself, and more interested in what this moment is quietly revealing about how we think about compliance. Because if we’re honest, we’ve been drifting toward something a little uncomfortable. We’ve started to treat compliance as a proxy for trust.
From behaviour to proof
For years, compliance has been framed around evidence. Can you show that the right controls are in place? Can you produce logs, screenshots, and reports? Can you demonstrate alignment with a recognised framework? That work matters and always has, particularly in environments where accountability needs to be demonstrated to regulators, partners, and customers. But somewhere along the way, the question shifted from whether we are behaving in a way that is secure, responsible, and governed, to whether we can prove that we are. Those are not the same thing, and the distinction is becoming increasingly important.
The rise of automated compliance
What we are now seeing, particularly with the rise of automation and AI-driven tooling, is a new layer emerging across the compliance landscape. Systems can now collect signals across an organisation’s environment, generate artefacts of compliance, and prepare teams for audits faster than ever before. On one level, this is a natural and welcome evolution. The manual burden of compliance has long been a pain point, especially for organisations trying to balance growth with responsibility. However, it also introduces a subtle but significant risk. The faster and more seamless the generation of “evidence” becomes, the easier it is to blur the line between what is actually happening and what is being represented.
Layers, distance, and misalignment
This is not a critique of any one company. It is a reflection of a broader pattern that has been building for some time. We have created an ecosystem where systems operate, other systems observe them, and additional layers interpret and package that behaviour into something that can be presented, certified, and relied upon. Each of these layers adds value, but each also introduces distance. With that distance comes the potential for misalignment between reality and representation, particularly when the process becomes highly automated.
Where does trust actually sit?
That raises a more fundamental question about where trust actually sits. Is it in the report, the dashboard, or the automation layer that assembles everything into something digestible? Or does it sit much closer to the source, in the underlying behaviour of the system itself? There is a meaningful difference between tools that help organisations demonstrate compliance and environments where compliance is structurally embedded into how data is handled, accessed, and shared. One approach focuses on showing that the right thing has been done. The other focuses on making it difficult to do the wrong thing in the first place. Both approaches have a role, but they are not interchangeable.
What this means for SMEs
For small and medium-sized businesses, this distinction matters even more. These are the teams who are often told they need to “get compliant” quickly in order to win business, secure partnerships, or meet customer expectations. They don’t have large governance teams or dedicated compliance functions, yet they are expected to navigate increasingly complex requirements with limited time, budget, and support.
In that environment, the appeal of fast, automated compliance is completely understandable. It promises speed, simplicity, and a way to keep moving without getting buried in process. But it also risks reinforcing the idea that compliance is something you assemble after the fact, rather than something that is built into how your systems operate from the beginning.
For SMEs, the real question is not just how to prove compliance, but how to create environments where good behaviour is the default: where access is controlled, data is handled intentionally, and actions are inherently auditable. That shift reduces reliance on interpretation and increases confidence in what is actually happening.
Trust lives in architecture
Moments like this serve as a useful reminder that compliance is not, and has never been, the end goal. It is a signal, and while it can be a powerful one, it remains a representation rather than the thing itself. Trust, on the other hand, is earned much closer to the source. It lives in how systems are designed, how data is controlled, and how actions can be verified and, just as importantly, revoked. It lives in architecture, not just in artefacts.
A quiet but important shift
As we continue to build more sophisticated tools to manage, monitor, and report on compliance, it is worth asking whether we are investing enough in the foundations those tools rely on. No amount of automation can compensate for a gap between behaviour and representation, and no report, no matter how well generated, can carry trust on its own. Moments like this do not just challenge a company; they challenge an assumption. And that is often where the most interesting work begins.
About the Author
Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.