Most Organizations Discover Their Compliance Gaps Only After Something Breaks Internally

The Security Digest - News Team
Published
June 1, 2026

Meshach McKenzie, IT Supervisor at Skidmore, Owings & Merrill, explains why compliance gaps stay hidden until an internal incident exposes what audit paperwork was never built to prove.


Compliance certificates hang on walls and SOC 2 badges sit on corporate websites, but when an internal incident forces an actual investigation, many organizations discover that the documentation they trusted was never backed by systems capable of proving what actually happened. The gap between producing audit paperwork and demonstrating operational control in real time has become one of the most persistent risks in enterprise security, and it tends to go unnoticed until the moment it matters most.

Meshach McKenzie, Information Technology Supervisor at Skidmore, Owings & Merrill (SOM), a global architecture and engineering firm, has spent his career in ITSM and service desk operations, working through the full lifecycle from first-line support to management. He also runs UNUS London, a digital agency specializing in AI automation and RAG solutions for small and mid-sized businesses. His experience across ISO, IEC, and SOC 2 compliance environments shaped his view that audit readiness and operational resilience are fundamentally different problems.

"The difference is simple: documentation relies on people remembering to follow the process. Compliance infrastructure makes the process unavoidable. When you have a system where you have no choice, mistakes and human error are dramatically reduced," says McKenzie.

Spreadsheets break under pressure

McKenzie draws the distinction using a basic asset management example. When a laptop was reassigned to a new employee, compliance documentation meant someone manually updated a spreadsheet, unassigning one name and adding another.

That spreadsheet could be edited by mistake, was out of date the moment a colleague made a parallel change, and depended entirely on staff following training and policy. Infrastructure-led compliance replaces that workflow with a GUI backed by a database with role-level security, mandatory fields, and automated audit trails. "The only way they're not compliant is if they don't use the system to log in. In terms of mistakes and human error, it's dramatically reduced."

The practical difference showed up during audits. McKenzie describes organizations where documentation-based compliance turned every audit into a multi-day evidence hunt. "If I'm the auditor and I say I'll see you tomorrow morning, you're going to be in trouble. I'm going to be sitting there while you're running around looking for the evidence." With infrastructure in place, auditors sat down and exported reports. "An audit could take half a day. That's the actual difference."
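The asset reassignment workflow described above, built the way McKenzie describes infrastructure-led compliance, as an added example. This is constructed illustration code, not SOM's system and not code from the article: it uses Python's standard-library sqlite3 module, where NOT NULL and CHECK constraints make the fields mandatory, triggers write the audit trail and keep it append-only, and a small role table (the names, asset tag and roles are all made up) stands in for the database role-level security the article mentions, since SQLite has no native row-level security. The `history()` function is the "export a report" step an auditor would sit down to run.

```python
"""Constructed example: asset reassignment as compliance infrastructure.

SQLite constraints enforce mandatory fields, triggers record every owner
change automatically, and a stand-in role table gates who may reassign.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE assets (
    asset_tag   TEXT PRIMARY KEY,
    model       TEXT NOT NULL,
    assigned_to TEXT NOT NULL,
    assigned_by TEXT NOT NULL,
    reason      TEXT NOT NULL CHECK (length(reason) > 0),
    updated_at  TEXT NOT NULL
);
CREATE TABLE asset_audit (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    asset_tag  TEXT NOT NULL,
    old_owner  TEXT,
    new_owner  TEXT NOT NULL,
    changed_by TEXT NOT NULL,
    reason     TEXT NOT NULL,
    changed_at TEXT NOT NULL
);
-- Every new assignment or owner change is recorded by the database itself.
CREATE TRIGGER audit_insert AFTER INSERT ON assets BEGIN
    INSERT INTO asset_audit (asset_tag, old_owner, new_owner, changed_by, reason, changed_at)
    VALUES (NEW.asset_tag, NULL, NEW.assigned_to, NEW.assigned_by, NEW.reason, NEW.updated_at);
END;
CREATE TRIGGER audit_update AFTER UPDATE OF assigned_to ON assets BEGIN
    INSERT INTO asset_audit (asset_tag, old_owner, new_owner, changed_by, reason, changed_at)
    VALUES (NEW.asset_tag, OLD.assigned_to, NEW.assigned_to, NEW.assigned_by, NEW.reason, NEW.updated_at);
END;
-- The trail is append-only: history cannot be quietly rewritten.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON asset_audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON asset_audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only');
END;
"""

# Constructed role assignments standing in for database role-level security.
ROLES = {"alice": "it_supervisor", "bob": "service_desk", "carol": "architect"}
MAY_REASSIGN = {"it_supervisor", "service_desk"}


def open_store():
    """Create an in-memory store with schema and triggers applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def reassign(conn, actor, asset_tag, new_owner, reason, model="laptop"):
    """Assign or reassign an asset; the database refuses incomplete records."""
    if ROLES.get(actor) not in MAY_REASSIGN:
        raise PermissionError(f"{actor!r} may not reassign assets")
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with conn:  # one transaction: asset row and audit row commit together
        exists = conn.execute(
            "SELECT 1 FROM assets WHERE asset_tag = ?", (asset_tag,)).fetchone()
        if exists:
            conn.execute(
                "UPDATE assets SET assigned_to = ?, assigned_by = ?, reason = ?, "
                "updated_at = ? WHERE asset_tag = ?",
                (new_owner, actor, reason, now, asset_tag))
        else:
            conn.execute(
                "INSERT INTO assets (asset_tag, model, assigned_to, assigned_by, "
                "reason, updated_at) VALUES (?, ?, ?, ?, ?, ?)",
                (asset_tag, model, new_owner, actor, reason, now))


def attempt(conn, actor, asset_tag, new_owner, reason):
    """Run reassign() and report how the system responded."""
    try:
        reassign(conn, actor, asset_tag, new_owner, reason)
        return "recorded"
    except PermissionError:
        return "refused: role"
    except sqlite3.IntegrityError:
        return "refused: mandatory field missing"


def history(conn, asset_tag):
    """The evidence an auditor exports: who changed the owner, to whom, and why."""
    return conn.execute(
        "SELECT old_owner, new_owner, changed_by, reason FROM asset_audit "
        "WHERE asset_tag = ? ORDER BY id", (asset_tag,)).fetchall()


def demo():
    """Walk one constructed laptop (LT-0042) through a reassignment."""
    conn = open_store()
    results = [
        attempt(conn, "alice", "LT-0042", "dana", "new starter"),
        attempt(conn, "bob", "LT-0042", "erin", None),           # missing reason
        attempt(conn, "carol", "LT-0042", "erin", "borrowing"),  # wrong role
        attempt(conn, "bob", "LT-0042", "erin", "dana left the firm"),
    ]
    return results, history(conn, "LT-0042")


if __name__ == "__main__":
    outcomes, trail = demo()
    print(*outcomes, sep="\n")
    print(*trail, sep="\n")
```

The point of the design is that none of the guarantees depend on anyone remembering a procedure: a reassignment with a blank reason never reaches the table, the audit row is written by the trigger rather than by the person doing the work, and the trail itself cannot be edited or deleted afterwards. Running `history()` for an asset tag is the half-day audit the article contrasts with a multi-day evidence hunt.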

Regulation drives behavior

McKenzie observes that an organization's compliance posture is almost entirely determined by whether its industry imposes routine external audits. Charities handling public funds, financial institutions, and healthcare organizations with strict data protection requirements keep compliance at the top of their priority list.

Law firms operate with near-military discipline because the fines for noncompliance are severe and litigation is common. But for organizations outside those highly regulated environments, compliance sits at the second or third tier of priorities. "Unless they know an audit is coming, they're paying 50 to 100 thousand pounds or dollars getting consultants in to take a look at what they've got."

McKenzie shares an example from his own experience where an office in the United States needed to demonstrate ISO compliance to win a contract. The office was not ISO-certified, but the London office was. "They borrowed the certification to seal the deal." The certificate served a sales function, not an operational one.

Where it breaks first

When asked where compliance gaps typically surface, McKenzie is direct: internal incidents. Not audits, not regulatory reviews, not customer inquiries. Something goes wrong inside the organization, an investigation follows, and the cracks appear.

"Is information that's meant to be locked down actually locked down, or is it available to the public? Is your API key showing in the GitHub repo when it's meant to be in KeePass?" Those failures triggered leadership panic and the realization that if an external audit followed, the organization would be exposed.

McKenzie argues that the distinction between organizations that are merely audit-ready and those that are operationally secure comes down to a design choice made long before any incident occurs. Highly disciplined organizations train their staff to follow rigid compliance processes. That works, but it is fragile and expensive to maintain. Organizations that invest in infrastructure have removed the dependency on human memory entirely.

"Your staff may not even realize that what they're doing is fully compliant, because the infrastructure is ensuring compliance anyway. They can't go to the next page unless they fill in the mandatory fields. Those inputs are recorded and captured automatically." The risk of accountability gaps shrinks because compliance is no longer a behavior to enforce. It is a condition of doing the work. "If you had the infrastructure in place, your mind's free. You know that the workforce is forced to use the system to be productive."