Control Mapping Engine for Compliance
Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model
This is why compliance automation becomes a control mapping engine, not a one-framework product. The hard part is not checking whether MFA or access reviews exist; it is translating the same underlying security action into many buyer, auditor, and regulator requirements. That pushes the winning product toward reusable controls, shared evidence, and workflow that can be remapped as customers add SOC 2, ISO 27001, HIPAA, PCI DSS, or custom requirements.
-
Laika describes its product as a set of shared controls and monitors connected to tools like AWS, GitHub, Jira, and HR systems. Customers complete one underlying security workflow, then map that evidence across multiple frameworks instead of rebuilding the program from scratch for each audit.
-
That same architecture explains why Vanta, Secureframe, and Laika expanded from SOC 2 into ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA. Once the platform is already pulling access logs, device state, vendor records, and policy attestations, adding a new framework is mostly a mapping problem and a workflow problem.
-
The market keeps generating new standards rather than converging on one. NIST released CSF 2.0 in February 2024 with broader scope and new governance guidance, while ISO 27001 remains a separate global standard. In practice, companies accumulate frameworks because different customers, industries, and geographies ask for different proof.
The next phase is software that sits underneath the growing pile of frameworks like an operating system for evidence, testing, and audit workflow. As more standards appear, the advantage shifts to platforms that can reuse one control across many attestations, give auditors machine-collected evidence, and let companies add new certifications without starting over.
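To make the "shared controls, remapped per framework" architecture concrete, here is an added example (not Laika's, Vanta's, or Secureframe's code) of a minimal control mapping engine: one control carries its machine-collected evidence once, several frameworks map their requirements onto it, and coverage gaps are computed per framework. The control ids, requirement ids, and evidence file names are constructed placeholders, not real framework clause numbers.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One reusable security action plus the evidence monitors collect for it."""
    id: str
    description: str
    evidence: list = field(default_factory=list)  # e.g. API snapshots, tickets


class ControlMap:
    """Maps shared controls onto per-framework requirements and reports gaps."""

    def __init__(self):
        self.controls = {}   # control id -> Control
        self.mappings = {}   # framework -> {requirement id -> [control ids]}

    def add_control(self, control):
        self.controls[control.id] = control

    def map_requirement(self, framework, requirement, control_ids):
        unknown = [c for c in control_ids if c not in self.controls]
        if unknown:
            raise KeyError(f"unknown controls {unknown}")
        self.mappings.setdefault(framework, {})[requirement] = list(control_ids)

    def status(self, framework):
        """Per-requirement status: 'satisfied', 'missing_evidence' or 'unmapped'."""
        result = {}
        for req, ids in self.mappings.get(framework, {}).items():
            if not ids:
                result[req] = "unmapped"            # nobody has mapped a control yet
            elif all(self.controls[c].evidence for c in ids):
                result[req] = "satisfied"           # every mapped control has evidence
            else:
                result[req] = "missing_evidence"    # mapped, but a monitor has no data
        return result

    def gaps(self, framework):
        return sorted(r for r, s in self.status(framework).items() if s != "satisfied")

    def frameworks_using(self, control_id):
        """Every framework whose requirements reuse this one control's evidence."""
        return sorted(fw for fw, reqs in self.mappings.items()
                      if any(control_id in ids for ids in reqs.values()))


def demo():
    engine = ControlMap()
    engine.add_control(Control("mfa", "MFA enforced for all workforce accounts",
                               ["idp-mfa-report-2024-06.json"]))       # constructed
    engine.add_control(Control("access-review", "Quarterly access review"))  # no evidence yet
    engine.map_requirement("SOC2", "SOC2-REQ-ACCESS-1", ["mfa"])           # placeholder ids
    engine.map_requirement("SOC2", "SOC2-REQ-ACCESS-2", ["access-review"])
    engine.map_requirement("ISO27001", "ISO-REQ-AUTH-1", ["mfa", "access-review"])
    engine.map_requirement("ISO27001", "ISO-REQ-LOG-1", [])
    return engine
```

Appending evidence to the single `access-review` control closes the gap in both frameworks at once, which is the reuse the passage above describes; a requirement with no mapped control stays `unmapped` until someone does the mapping work.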