Compliance is not a checkbox


the failure mode

Most compliance failures I've seen weren't caused by missing controls. They were caused by controls that existed on paper but didn't exist in the workflow.

A team writes the policy. Legal reviews it. It becomes a PDF. The PDF goes in a shared drive. Three months later someone ships a feature that violates the policy, because the policy was never in the path of writing the feature.

the move

Treat compliance like infrastructure. If a rule exists, encode it. A check in CI. A required field in the form. A guardrail in the API. A typed schema that won't compile if you skip the field.

If a rule is too fuzzy to encode, it's not actually a rule — it's a hope.

three concrete examples

  1. PII tagging. Every column that touches a person needs a tag. The tag is a TS type. New columns without tags fail the type check. Reviewers don't have to remember.
  2. Audit trail. If a state change matters to legal, the state machine emits an audit event. Not via convention; via API design. There's no path through the code that mutates the state without emitting.
  3. Data retention. A cron job, not a quarterly reminder.
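The three rules above, encoded as an added worked example in TypeScript (this is not code from the original post); the table, order states, actor names and the 90-day window are hypothetical:

```typescript
// Added example, not code from the original post: the three rules above
// encoded in TypeScript so that skipping them is a compile error or a
// missing return value rather than a forgotten convention.
// 1. PII tagging: the classification is part of the column type, so a
//    column literal without it does not type-check.
type PiiTag = "none" | "direct-identifier" | "quasi-identifier" | "sensitive";

interface Column {
  name: string;
  type: "text" | "int" | "timestamp";
  pii: PiiTag; // required, not optional: omitting it fails the build
}
// Hypothetical table, constructed for this example.
const usersTable: Column[] = [
  { name: "id", type: "int", pii: "none" },
  { name: "email", type: "text", pii: "direct-identifier" },
  { name: "birth_year", type: "int", pii: "quasi-identifier" },
  // { name: "phone", type: "text" },  // rejected: property 'pii' is missing
];
// Names of columns that need PII handling; a CI check can assert on this list.
function piiColumns(cols: Column[]): string[] {
  return cols.filter((c) => c.pii !== "none").map((c) => c.name);
}

// 2. Audit trail: transition() is the only way to change state, and its
//    return type carries the audit event, so a caller cannot obtain the new
//    state without also receiving the event it must persist.
type OrderState = "draft" | "submitted" | "cancelled";
interface AuditEvent { entity: string; from: OrderState; to: OrderState; actor: string; at: number; }
const allowed: Record<OrderState, OrderState[]> = {
  draft: ["submitted", "cancelled"],
  submitted: ["cancelled"],
  cancelled: [],
};
function transition(entity: string, from: OrderState, to: OrderState,
                    actor: string, at: number): { state: OrderState; event: AuditEvent } {
  if (allowed[from].indexOf(to) === -1) throw new Error(`illegal transition ${from} -> ${to}`);
  return { state: to, event: { entity, from, to, actor, at } };
}

// 3. Data retention as code: rows older than the window are selected for
//    deletion by a scheduled job; the policy lives in one typed constant.
const RETENTION_DAYS = 90; // hypothetical policy value
function expiredRows(rows: { id: string; createdAt: number }[], now: number): string[] {
  const cutoff = now - RETENTION_DAYS * 86400000; // milliseconds per day
  return rows.filter((r) => r.createdAt < cutoff).map((r) => r.id);
}
```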

the operating principle

Production-grade compliance is the code, not the doc.

Once you start treating compliance like a product surface — with users, with friction, with a maintenance budget — you stop shipping it as a tax.
