From Static Compliance to Continuous Monitoring
Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model
The shift from static tools to continuous monitoring turns compliance from a once-a-year document scramble into an always-on operating system for security. Older GRC-style products mainly stored checklists and evidence, while newer platforms connect directly to systems like AWS, Google Workspace, GitHub, HR software, and device managers, test controls automatically, and surface failures as they happen. That makes audits faster and gives companies a live view of who lacks MFA, which assets are unencrypted, and which required reviews were missed.
The old workflow was manual and point-in-time. Teams gathered screenshots, spreadsheets, and policy docs for auditors, sometimes with auditors checking settings live or sampling employees directly. The software mostly tracked tasks; it did not verify controls itself.
Modern platforms win by plugging into the source systems and reusing the same evidence across many frameworks. A background check, an MFA setting, or a cloud encryption control can satisfy SOC 2, ISO 27001, HIPAA, and others, so one integration layer supports both initial certification and annual recertification.
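The pattern described above, as an added example (not Laika's or Vanta's code): each control is one automated test over a snapshot pulled from identity, cloud and HR integrations, and its result is reused as evidence for every framework that maps to it. The control-to-framework mapping, the 90-day access-review window and the inventory data are all constructed for illustration.

```python
from datetime import date

# Added example (not Laika's or Vanta's code). Each control pairs one automated
# test over an inventory snapshot with the frameworks it evidences; the mapping
# is illustrative, not a complete crosswalk.
CONTROLS = {
    "mfa_enforced": {
        "frameworks": ["SOC 2", "ISO 27001", "HIPAA"],
        "test": lambda inv: [u["email"] for u in inv["users"] if not u["mfa"]],
    },
    "storage_encrypted": {
        "frameworks": ["SOC 2", "ISO 27001", "HIPAA"],
        "test": lambda inv: [b["name"] for b in inv["buckets"] if not b["encrypted"]],
    },
    "access_review_current": {
        "frameworks": ["SOC 2", "ISO 27001"],
        "test": lambda inv: [s["name"] for s in inv["systems"]
                            if (inv["today"] - s["last_access_review"]).days > 90],
    },
}

def evaluate(inventory):
    """Run each control test once and reuse its result for every framework.
    Returns ({control: failing items}, {framework: failing controls})."""
    control_failures = {name: c["test"](inventory) for name, c in CONTROLS.items()}
    framework_failures = {}
    for name, c in CONTROLS.items():
        for fw in c["frameworks"]:
            failing = framework_failures.setdefault(fw, [])
            if control_failures[name]:
                failing.append(name)
    return control_failures, framework_failures

# Constructed snapshot, shaped like what identity, cloud and HR integrations return.
SNAPSHOT = {
    "today": date(2024, 6, 1),
    "users": [{"email": "a@example.com", "mfa": True},
              {"email": "b@example.com", "mfa": False}],
    "buckets": [{"name": "logs", "encrypted": True},
                {"name": "backups", "encrypted": False}],
    "systems": [{"name": "prod-db", "last_access_review": date(2024, 5, 15)},
                {"name": "crm", "last_access_review": date(2024, 1, 10)}],
}

if __name__ == "__main__":
    failures, by_framework = evaluate(SNAPSHOT)
    for ctrl, items in failures.items():
        print(f"{ctrl}: {'FAIL ' + ', '.join(items) if items else 'PASS'}")
    for fw, ctrls in by_framework.items():
        print(f"{fw}: {'failing ' + ', '.join(ctrls) if ctrls else 'compliant'}")
```

Running it against a fresh snapshot on every sync is the "continuous" part; the per-framework view falls out of the same test results without collecting evidence a second time.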
This also changes the auditor relationship, not just the customer workflow. Laika and Vanta both built auditor-facing workflows so auditors can review the same live data instead of chasing emailed files, which lowers audit time and helps software vendors sell a recurring subscription instead of a one-time prep service.
The market is heading toward broader trust and security infrastructure. Once these platforms sit inside a company's cloud, identity, HR, and device systems, the natural expansion is into vendor reviews, trust centers, and real-time security operations, with compliance becoming the entry point rather than the whole product.