Automating Access Reviews for Compliance
Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model
This reveals why compliance automation is less about stopping elite hackers and more about shrinking everyday permission mistakes before they become audit failures or customer trust issues. In practice, the core workflow is simple: managers regularly review who can access AWS, GitHub, HR, and other systems, remove access that no longer makes sense, and document that review so an auditor can verify it without chasing screenshots and spreadsheets.
- Laika is built around this kind of recurring operational work. Customers connect cloud, code, ticketing, and HR tools, then the product collects evidence, monitors controls continuously, and routes less technical tasks like policy signoff, training, vendor reviews, and access reviews into a guided workflow.
- That is the business model shift in the category. Older SOC 2 audits were one-off consulting projects that could cost $50K to $100K and drag on for over a year. Laika, Vanta, and Secureframe turned that into annual software subscriptions because access rights, training, and recertification have to be checked again and again.
- The human step is the point, not a gap in the software. Laika argues a second set of eyes from someone who knows the business is necessary to judge whether a permission is still appropriate, while the software makes that review repeatable and auditor-ready. That same human-in-the-loop dynamic is why integrated audit workflows matter across the category.
The next phase of the market is turning these periodic compliance checks into a daily security operating layer. As vendors add more frameworks and more continuous monitoring, the winning products will be the ones that start with access reviews and evidence collection, then expand into broader security workflows that stay useful between audits.