Compliance as Code Explained: Benefits and Implementation

Wiz Expert Team

What is compliance as code? 

With compliance as code, regulatory policies are expressed as machine-readable code and embedded into application pipelines. That means policies are versioned in source control, tested in CI/CD pipelines, peer-reviewed in pull requests, and deployed through the same workflows as application code. 

In this model, governance morphs from a manual checklist to an automated process that’s embedded directly into software delivery lifecycles.

Key compliance as code use cases include: 

  • Detecting unencrypted data stores that hold PII, so that HIPAA and GDPR requirements are enforced at deployment rather than checked after the fact

  • Enforcing PCI DSS encryption standards across every storage resource at deployment time

  • Detecting shadow IT, like unapproved cloud accounts and untagged infrastructure, before it falls outside compliance coverage

  • Blocking public S3 buckets or storage blobs before they hit production

  • Managing open-source licensing compliance across repos

  • Auto-generating audit-ready reports instead of requiring you to collect evidence manually

The 2025 State of Continuous Controls Monitoring Report found that only 13% of businesses are currently taking advantage of compliance as code. More than half of organizations are still relying entirely on a manual approach, which introduces visibility gaps and prevents companies from scaling governance alongside infrastructure. Automating compliance narrows these gaps and keeps the environment in a continuous state of audit-readiness.


Why is compliance as code crucial in the cloud? 

Cloud environments create compliance challenges that traditional approaches simply weren't built to handle.

Cloud velocity outpaces traditional compliance

Traditional compliance tools and processes were built for static environments audited quarterly or annually. But cloud environments are fast-moving, with resources provisioned, modified, and decommissioned continuously. 

Manual audits produce a snapshot of a single moment, and the cloud environment typically evolves before teams can even review the resulting report. Configuration drift, ephemeral workloads, and IaC deployments mean last month's compliance posture bears little resemblance to what's running in production today. A developer hotfixing a security group rule during an incident can inadvertently create a PCI violation that sits undetected until the next formal assessment.

In the cloud, continuous compliance coverage is a prerequisite.

Compliance failures have a major business impact

GDPR fines reach up to 4% of global annual turnover (or €20 million, whichever is higher); HIPAA civil penalties reach up to $2.19M per calendar year for each violation category. Beyond fines, compliance failures have other consequences: breaches carry high clean-up costs, customers leave, and product launches stall while teams remediate gaps. 

PwC's Global Compliance Survey 2025 found that 77% of organizations reported compliance complexity had negatively affected business growth. The cost of retroactive compliance, which involves halting active sprints, re-architecting live databases, and remediating configurations after deployment, is much greater than preventing the misconfiguration at deployment time. Catching a missing encryption parameter in a pull request costs a failed check and a one-line fix.

Compliance as code vs. policy as code vs. security as code

While the industry frequently conflates these terms, they represent distinct layers of automated governance:

  • Policy as code: The underlying mechanism. It refers to any organizational policy, spanning security, cost, tagging, and operations, expressed as machine-readable code with pass/fail enforcement.

  • Compliance as code: Policy as code applied specifically to regulatory requirements and audited frameworks like GDPR, HIPAA, PCI DSS, SOC 2, and the CIS Benchmarks. Compliance as code maps each violation to a specific control and generates the evidence trail auditors require.

  • Security as code: The broadest umbrella; compliance as code, policy as code, and IaC combined into a single strategy that embeds security natively across the entire software delivery lifecycle.

The hierarchy is straightforward: Security as code defines the strategy. Policy as code defines what's allowed. Compliance as code ensures what's deployed meets regulatory requirements and proves it.

How does compliance as code work in practice?

Compliance as code follows a logical sequence, from mapping requirements to enforcing them automatically across pipelines. Here's how organizations can move from manual compliance to a fully automated, code-driven approach:

  1. Map requirements to technical controls: Translate regulatory language ("Encrypt data at rest") into specific, measurable infrastructure rules ("Every S3 bucket must have default server-side encryption configured with SSE-S3 or SSE-KMS").

  2. Develop policies with clear pass/fail conditions: Define each rule to produce a binary result, compliant or non-compliant, with no interpretation required.

  3. Establish a common language with OSCAL: Use NIST's Open Security Controls Assessment Language to express requirements in a standardized, machine-readable format that works across tools and frameworks.

  4. Write compliance policies as code: Set up rules using OPA and Rego, or cloud-native options like AWS Config Rules, Azure Policy, or GCP Organization Policies.

  5. Test and validate policies: Run unit tests against known-compliant and known-violating fixtures, integration tests against real plan or inventory output, and edge-case checks (missing attributes, provider defaults, resources created inside modules). Policies are code and need to be treated as such.

  6. Run automated compliance scans: Measure your live environment, establish a baseline, and surface existing violations.

  7. Shift to continuous controls monitoring: Assess every infrastructure change against compliance requirements in real time, not periodically.

  8. Embed checks into CI/CD pipelines: Block non-compliant configurations before they reach production.

  9. Alert on and remediate violations: Auto-fix well-understood issues and ticket complex ones.

  10. Collect evidence and maintain audit trails: Log every evaluation, violation, and remediation with timestamps for auditing purposes.
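To make the ten steps concrete, here is an added example that is not code from this page, from Wiz, or from any tool named above. It implements a small compliance gate in Python rather than Rego: it reads a constructed excerpt of `terraform show -json` output (two S3 buckets, one compliant and one not), evaluates each planned bucket against three binary rules that stand in for the step 1 mapping, fails the pipeline on any violation, and writes one JSON evidence line per evaluation, pass or fail, for the audit trail. The rule IDs, control descriptions, bucket names and the plan excerpt are all illustrative assumptions, not real framework control numbers.

```python
"""Compliance-as-code gate over a Terraform plan (added illustration, not Wiz code)."""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed excerpt of `terraform show -json tfplan` output, trimmed to the fields
# the rules read. "acme-reports" is compliant; "acme-scratch" has no encryption
# configuration, no public access block, and no tags.
PLAN_JSON = """
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.reports", "type": "aws_s3_bucket",
   "values": {"bucket": "acme-reports", "tags": {"owner": "finance", "data_class": "pii"}}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.reports",
   "type": "aws_s3_bucket_server_side_encryption_configuration",
   "values": {"bucket": "acme-reports",
              "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}},
  {"address": "aws_s3_bucket_public_access_block.reports",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"bucket": "acme-reports", "block_public_acls": true, "block_public_policy": true,
              "ignore_public_acls": true, "restrict_public_buckets": true}},
  {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
   "values": {"bucket": "acme-scratch", "tags": {}}}
]}}}
"""


@dataclass
class Finding:
    rule_id: str       # illustrative rule identifier (not a real framework control number)
    control: str       # requirement the rule implements (step 1 mapping)
    resource: str      # Terraform address of the evaluated resource
    status: str        # "PASS" or "FAIL": binary by design (step 2)
    detail: str
    evaluated_at: str  # UTC timestamp for the audit trail (step 10)


def index_by_type(plan: dict) -> dict[str, list[dict]]:
    """Group planned root-module resources by Terraform type."""
    by_type: dict[str, list[dict]] = {}
    for res in plan["planned_values"]["root_module"]["resources"]:
        by_type.setdefault(res["type"], []).append(res)
    return by_type


def check_encryption(bucket: dict, by_type: dict) -> tuple[bool, str]:
    """Bucket needs a default SSE algorithm of AES256 (SSE-S3) or aws:kms (SSE-KMS)."""
    name = bucket["values"]["bucket"]
    for cfg in by_type.get("aws_s3_bucket_server_side_encryption_configuration", []):
        if cfg["values"]["bucket"] != name:
            continue
        for rule in cfg["values"].get("rule", []):
            for default in rule.get("apply_server_side_encryption_by_default", []):
                algo = default.get("sse_algorithm")
                if algo in ("AES256", "aws:kms"):
                    return True, f"sse_algorithm={algo}"
    return False, "no default server-side encryption configured"


def check_public_access_block(bucket: dict, by_type: dict) -> tuple[bool, str]:
    """All four S3 Block Public Access flags must be true for the bucket."""
    name = bucket["values"]["bucket"]
    flags = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
    for pab in by_type.get("aws_s3_bucket_public_access_block", []):
        if pab["values"]["bucket"] == name:
            unset = [f for f in flags if not pab["values"].get(f)]
            return (not unset, "all public-access flags set" if not unset else f"unset: {unset}")
    return False, "no aws_s3_bucket_public_access_block for this bucket"


def check_required_tags(bucket: dict, by_type: dict) -> tuple[bool, str]:
    """Ownership and data-classification tags keep the bucket inside compliance scope."""
    missing = {"owner", "data_class"} - set(bucket["values"].get("tags") or {})
    return (not missing, "required tags present" if not missing else f"missing tags: {sorted(missing)}")


# Step 1/2: requirement text -> measurable rule with a binary outcome.
RULES: list[tuple[str, str, Callable[[dict, dict], tuple[bool, str]]]] = [
    ("S3-ENCRYPT-AT-REST", "Encrypt data at rest", check_encryption),
    ("S3-BLOCK-PUBLIC-ACCESS", "No public exposure of storage", check_public_access_block),
    ("S3-REQUIRED-TAGS", "Asset inventory and ownership", check_required_tags),
]


def evaluate(plan_json: str) -> list[Finding]:
    """Evaluate every planned S3 bucket against every rule (steps 4 and 8)."""
    by_type = index_by_type(json.loads(plan_json))
    now = datetime.now(timezone.utc).isoformat()
    findings = []
    for bucket in by_type.get("aws_s3_bucket", []):
        for rule_id, control, check in RULES:
            ok, detail = check(bucket, by_type)
            findings.append(Finding(rule_id, control, bucket["address"],
                                    "PASS" if ok else "FAIL", detail, now))
    return findings


def failures(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "FAIL"]


def pipeline_allowed(findings: list[Finding]) -> bool:
    """CI gate: any FAIL blocks the deploy."""
    return not failures(findings)


def evidence_jsonl(findings: list[Finding]) -> str:
    """One JSON line per evaluation, PASS and FAIL alike, for the audit trail."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


if __name__ == "__main__":
    results = evaluate(PLAN_JSON)
    print(evidence_jsonl(results))
    raise SystemExit(0 if pipeline_allowed(results) else 1)
```

In a pipeline the same script would be fed the real `terraform show -json` output and its exit code would be the gate; the JSONL output is what gets shipped to the evidence store so that passing evaluations, not only violations, are on record for the auditor.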

Compliance-as-code tools, standards, and frameworks

Compliance-as-code tools, standards, and frameworks span open-source policy engines, cloud provider–native services, and comprehensive enterprise platforms. Here are some prominent examples:

  • Open Policy Agent (OPA): A widely adopted, CNCF-graduated open-source policy engine; cloud-agnostic, extensible, and usable both at build time (IaC checks, admission control) and at runtime

Figure 1: Wiz uses OPA and Rego to enforce cloud compliance

  • OSCAL: NIST's standard for expressing compliance requirements in a machine-readable, interoperable format; an enabler, not an enforcement engine

  • AWS Config Rules: AWS-native compliance evaluation with pre-built framework mappings and custom Lambda-based rules

  • Azure Policy: Azure-native enforcement with a large library of built-in definitions and custom JSON policies

  • Google Cloud Organization Policies: Centralized compliance constraints applied hierarchically across GCP organizations, folders, and projects

  • HashiCorp Sentinel: Policy as code for HCP Terraform and Terraform Enterprise (also used in HashiCorp's other enterprise products); evaluates the plan and blocks non-compliant infrastructure before it's provisioned

  • Checkov, KICS, tfsec: Open-source IaC scanners that catch misconfigurations in Terraform, CloudFormation, and Kubernetes manifests early in CI/CD pipelines (tfsec is now maintained as part of Trivy)

  • Wiz: A CNAPP that consolidates fragmented toolchains; offers code-level enforcement, agentless runtime monitoring, risk contextualization, and automated evidence collection across multi-cloud environments


The benefits of compliance as code

Treating compliance policies as code delivers advantages that manual approaches simply can't match at cloud scale:

  • Scalable multi-framework coverage: One codified rule, evaluated against a normalized resource inventory, enforces the same PCI DSS requirement across every cloud account, region, and provider, instead of a hand-maintained check per environment.

  • Consistent enforcement: Codified policies produce the same binary result every time. No auditor variance, no interpretation gaps, no undocumented "We'll fix it next sprint" exceptions.

  • Faster audit cycles: Continuous evidence collection replaces the pre-audit scramble. Mature teams report cutting audit prep from months to days.

  • Shared language for dev/GRC teams: Compliance requirements live in the same repos as infrastructure code. No more translating spreadsheets into engineering tickets.

  • Shift-left violation prevention: Fix misconfigurations before deployment, not after an auditor finds them in production.

  • Reduced penalty and incident risk: Fewer violations reach production, and those that do are caught and remediated fast, shrinking the window of regulatory exposure.

What are the challenges of compliance as code? 

Compliance as code solves major problems but also introduces a few tricky ones:

Translating legal language into enforceable code

Lawyers, not engineers, write regulatory requirements. Translating "Set up appropriate safeguards" into a binary, machine-evaluable rule requires expertise in both compliance and infrastructure, and not every requirement maps cleanly to a technical control, either.

Figure 2: Wiz translates mandatory safeguards into clear policies with pass/fail rules

Forcing these requirements into code doesn't automatically fix the problem and make you compliant. Many aspects of compliance still rely on human verification. 

Tooling fragmentation across multi-cloud and hybrid environments

AWS Config, Azure Policy, and GCP Organization Policies each have their own resource models and syntax. Consistent coverage across all of them, with unified reporting, is the central challenge. Auditors want one view, not exports stitched together from multiple different tools.

Cultural and skills gap between compliance and engineering teams

Compliance teams understand regulatory intent but can't always write policy rules. Engineering teams can write the code but don't always understand why a requirement exists. If unaddressed, this operational disconnect stalls adoption. It also fuels internal friction when automated compliance checks inevitably block active deployment pipelines.

Incompatible legacy architecture

Compliance as code assumes infrastructure that is programmable and API-driven. Legacy systems, older on-premises hardware appliances, and manually configured virtual environments without declarative states like Terraform templates or Kubernetes manifests fall entirely outside automated enforcement.

Configuration drift and hardcoded credentials

Deployment-time checks don't catch post-deployment drift. Emergency hotfixes and out-of-band changes silently push environments out of compliance. Hardcoded credentials are a related blind spot: an IaC policy that evaluates resource attributes will not notice a database password or access key committed in a config file unless secret scanning runs alongside it.
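Deployment-time gates evaluate what was planned; continuous monitoring has to compare what was declared with what the cloud actually reports. The following added example (not from this page or from any product it names) shows the core of such a drift check in Python over constructed security group data, mirroring the incident-time hotfix scenario described earlier: ingress rules observed live but absent from IaC are flagged, those that open sensitive ports to 0.0.0.0/0 are marked for automated revocation, and everything else is ticketed for human review. The group ID, the rules and the sensitive-port list are assumptions made for the example.

```python
"""Drift detection for security group ingress rules (added illustration, not Wiz code)."""
from typing import NamedTuple


class Rule(NamedTuple):
    proto: str
    from_port: int
    to_port: int
    cidr: str


class Drift(NamedTuple):
    group: str
    kind: str       # "added" (present live, absent in IaC) or "removed" (the reverse)
    rule: Rule
    violates: bool  # does the drifted rule break the codified control?
    action: str     # "auto-revoke" for well-understood fixes, "ticket" otherwise


# Constructed: ingress rules approved through the pipeline (the declarative state).
DECLARED = {
    "sg-0a1b2c3d": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"},
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.1.0/24"},
    ]
}

# Constructed: what the cloud API reports after an incident-time hotfix opened the
# database port to the internet without going through the pipeline.
OBSERVED = {
    "sg-0a1b2c3d": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"},
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.1.0/24"},
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "0.0.0.0/0"},
    ]
}

# Illustrative control: admin and database ports must never be open to the world.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def violates_control(rule: Rule) -> bool:
    """True when the rule exposes any sensitive port to the whole internet."""
    if rule.cidr not in PUBLIC_CIDRS:
        return False
    if rule.proto == "-1":  # "all protocols" in the AWS API: every port is open
        return True
    return any(rule.from_port <= p <= rule.to_port for p in SENSITIVE_PORTS)


def detect_drift(declared: dict, observed: dict) -> list[Drift]:
    """Diff declared vs observed rules per group and decide what to do about each difference."""
    drifts: list[Drift] = []
    for group in sorted(set(declared) | set(observed)):
        want = {Rule(**r) for r in declared.get(group, [])}
        have = {Rule(**r) for r in observed.get(group, [])}
        for rule in sorted(have - want):
            bad = violates_control(rule)
            # Revoking an unapproved rule that violates the control is a well-understood,
            # low-risk fix; any other drift still needs a human, so it gets a ticket.
            drifts.append(Drift(group, "added", rule, bad, "auto-revoke" if bad else "ticket"))
        for rule in sorted(want - have):
            drifts.append(Drift(group, "removed", rule, False, "ticket"))
    return drifts


if __name__ == "__main__":
    for d in detect_drift(DECLARED, OBSERVED):
        print(f"{d.group} {d.kind:7} {d.rule.proto}/{d.rule.from_port}-{d.rule.to_port} "
              f"{d.rule.cidr} violates={d.violates} action={d.action}")
```

Run on a schedule or from a change event, this is the difference between the snapshot audit described earlier and continuous controls monitoring: the declared state comes from the last approved plan, the observed state from the provider's describe API, and only the delta is acted on.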

Alert noise and audit fatigue

If every detected misconfiguration triggers an identical high-priority notification, engineering teams quickly find themselves navigating high volumes of tactical findings without environment-aware context. Instead of focusing on the specific toxic combinations and exposed vulnerabilities that represent actual regulatory risk, security personnel spend unnecessary time triaging meaningless alert noise.

How Wiz enables compliance as code across the cloud lifecycle

Compliance as code works best when it's not bolted together from disconnected tools. It needs a platform that sees everything, connects the dots, and acts on context.

A policy check can flag an unencrypted S3 bucket. On its own, it can't tell you whether that bucket contains PII, or whether the misconfiguration combines with public access and an over-permissioned IAM role into an exposure an attacker can actually reach. Without data sensitivity and exposure context, security teams can't distinguish between minor configuration issues and critical exposures. Every violation looks equally urgent, leading to alert fatigue.

Fragmentation compounds the problem. OPA rules for Terraform, AWS Config for your AWS accounts, Azure Policy for Azure: three compliance setups, three evidence trails, no unified view. But these are problems that Wiz was built to solve.

Figure 3: Wiz sees every compliance gap, across every cloud, at once

When it comes to compliance as code, here’s what Wiz brings to the table:

  • Single source of truth: 1,400+ built-in rules mapped to CIS, SOC 2, PCI DSS, HIPAA, and ISO 27001, with custom OPA support, across AWS, Azure, GCP, and Kubernetes. One engine, one view.

  • Agentless continuous monitoring: Real-time drift detection across multi-cloud environments. No agents required and no blind spots.

  • Shift-left validation: Wiz Code scans IaC directly in repos and CI/CD pipelines, blocking non-compliant configurations before they reach production.

  • Risk-contextualized compliance: The Wiz Security Graph connects violations to data sensitivity, network exposure, and identity privileges, separating real risk from noise.

  • Automated evidence collection: Audit-ready reporting across 140+ frameworks, cutting cycles from months to minutes.

  • Code-to-cloud traceability: Violations are traced back to specific IaC lines, commits, and teams, distributing compliance ownership across engineering rather than bottlenecking in GRC.

Ready to see continuous compliance in action? Book a demo to experience how Wiz can automate audit-readiness across your multi-cloud environment.


