TL;DR: Bob Costello argues that three-year authorization cycles, copy-pasted SSPs, and annual control checks leave organisations exposed to continuously adapting adversaries, while AI-assisted testing and monitoring can compress ATO timelines and surface issues in seconds, according to Secureframe. The real shift is from periodic compliance to continuous validation, where identity, access, and infrastructure controls are tested as they change, not months later.
NHIMG editorial — based on content published by Secureframe: Former CISA CIO Bob Costello on why compliance-first cybersecurity is broken and how AI changes the model
Questions worth separating out
Q: What breaks when compliance is treated as a periodic exercise instead of a live control model?
A: Periodic compliance breaks when documentation, access reviews, and control testing lag the environment they are meant to govern.
Q: Why do identity and access controls matter so much in continuous compliance?
A: Identity controls matter because attackers usually exploit who can act, not just which system is misconfigured.
Q: How can security teams tell whether continuous assurance is actually working?
A: Teams should look for shorter time to detect drift, fewer stale access paths, and evidence that control testing runs after meaningful change rather than on a fixed calendar.
Practitioner guidance
- Shorten assurance cycles around identity controls Tie authorisation, access review, and control testing to deployment events, configuration changes, and privilege changes instead of annual or multi-year checkpoints.
- Include machine and service identities in continuous testing Validate service accounts, admin roles, API access, and management interfaces with the same frequency as critical human access paths, especially where standing privilege exists.
- Use AI to expand coverage, not to replace governance Apply AI-assisted testing and monitoring to identify chained weaknesses and exposed interfaces, then route findings into accountable remediation workflows with owners and deadlines.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Bob Costello's full remarks on compressing ATO timelines from over a year to roughly 35 days
- The production AI pen testing workflow that surfaced an exposed firewall management interface within seconds
- How CMMC is changing identity, access, and compliance expectations for defense contractors
- The article's examples of how compliance teams are being pulled into project design earlier
👉 Read Secureframe's analysis of compliance-first cybersecurity and AI-assisted assurance →
Compliance-first cybersecurity vs continuous risk: what changes for teams?
Explore further
Compliance-first security is a control illusion when the environment changes faster than the review cycle. The article’s central claim is correct: periodic assurance creates a false sense of confidence when adversaries operate continuously. This is not just a GRC problem, it is an identity governance problem because access, privilege, and administrative trust all drift faster than annual validation can capture. Practitioners should treat live evidence as the only durable source of assurance.
A question worth separating out:
Q: Who is accountable when AI-assisted testing finds control failures in production?
A: Accountability stays with the organisation, not the tool. Security, compliance, engineering, and system owners must agree on remediation ownership, exception handling, and evidence standards before production testing begins. AI can accelerate discovery, but it does not decide risk acceptance or close governance gaps on its own.
👉 Read our full editorial: Compliance-first cybersecurity is failing under continuous adversary pressure