theNet by CLOUDFLARE

How I learned to stop worrying and love compliance

Reducing risks with autonomous governance

At today’s rapid pace of digital innovation, the traditional view of compliance as a necessary tax is officially obsolete. For the modern C-suite, compliance has undergone a fundamental transformation: It has moved from a back-office administrative function to a core fiduciary liability and a significant competitive lever.

As we navigate the peak of the current regulatory supercycle, leaders must stop viewing compliance as a hurdle to innovation and start seeing it as the foundation for the high-velocity, AI-driven enterprise.

At Cloudflare, we dedicate significant resources to understanding compliance requirements, implementing the right security processes and controls, monitoring changes in our environment, and conducting assessments that demonstrate our compliance. At an earlier point in my career, I would have seen such effort as a tax. However, after 20 years in cybersecurity, I’ve finally come to stop worrying and learn to love compliance because of what it lets us accomplish as a community, not what it takes away.


From box-checking to boardroom liability

For years, compliance was a point-in-time activity: an annual audit or a quarterly report. Essentially, many treated compliance as a check-box exercise, a necessary evil, without a full understanding of its real importance.

Today, the landscape has shifted toward continuous accountability, and regulations are now introducing personal liability for the board on the matter of cybersecurity. We are now operating in an environment defined by the full implementation of the EU AI Act and the Network and Information Security directive (NIS2), which reached its first major enforcement milestones in 2025. These regulations are north stars for many other regulators globally, and regulators across key markets like Singapore, Hong Kong, India, and Australia are rapidly aligning. Even the United States, where the approach has historically been based on guidance, is increasingly aligned with those regulatory north stars.

Compliance doesn’t make you secure. Security can, however, make you compliant. If you are a laggard in cybersecurity, new regulations are hard and require effort. But essentially, this is society telling you to step it up.

To me, compliance is no longer just about meeting a standard. It's about proving the integrity of your entire digital supply chain and putting in place assurance that services are provisioned in a secure manner. In a global economy where trust is the primary currency, being compliant is the difference between entering a new market in weeks versus months.

The personal fiduciary risk

The delta between being compliant on paper and being secure in practice has become a personal risk for the C-suite. Under the SEC’s 2025-2026 enforcement priorities, individual accountability for gatekeepers and executives has reached an all-time high. A paper-only compliance program is no longer a valid legal defense for a breach or disclosure failure.

Simultaneously, the AI compliance marathon has begun. With the August 2026 deadline for high-risk AI systems under the EU AI Act, organizations are realizing that governance cannot be retrofitted. Every AI agent, automated workflow, and LLM-integrated app creates a new surface for data exfiltration and shadow AI risks. These laws force a choice: take security and governance seriously or risk massive fines for violations. CxOs will do well to ask the hard questions: Who’s ultimately responsible for the actions of agents? And how do we have machines comply when they may not understand the implications of their actions?

A shift to autonomous governance

The only way to stop worrying is to move from manual compliance to autonomous governance. This means implementing technical controls that enforce policy at the edge, rather than relying on human oversight to catch errors after the fact.

  1. Compliance as code: By leveraging a unified connectivity cloud, organizations can automate a unified layer of security controls across all assets on the internet. Controls for data localization and residency are no longer manual configurations; they are built into the network path. Using regional services allows you to keep customer metadata within specific boundaries, satisfying local sovereignty laws without the performance penalty of legacy silos.

  2. AI-native safeguards: To meet the 2026 transparency and risk requirements of the AI Act, having a centralized control plane for all AI traffic is a tremendous boon. This enables AI security, which automatically discovers shadow AI and applies prompt protection and data leakage prevention to prevent personally identifiable information (PII) leakage before it reaches a third-party model.

  3. Resilience over documentation: Under mandates like DORA, the goal is operational resilience. This requires a move beyond disaster recovery to tried and tested active-active architectures that can absorb terabit-scale attacks and reroute traffic instantly, ensuring that compliance with uptime standards is a technical reality.

Embrace compliance to gain market velocity

Strategic leaders today recognize that a robust compliance posture is a market accelerator. When your security platform handles the fiduciary heavy lifting of data sovereignty, AI auditing, and operational resilience, your teams are free to focus on the next wave of transformation.

We have entered the era of the autonomous compliance officer, where the network itself acts as the auditor, the enforcer, and the witness. Embracing this shift, for me, embodies building a resilient, high-trust brand that can scale across every global jurisdiction with confidence.

At Cloudflare, we comply with key regulations and standards, and we have earned a number of important certifications. We’re embracing compliance for the opportunities it can create.

But we’re not stopping there. We’re staying focused on our mission to build a better, more secure Internet. We’re moving beyond compliance by implementing advanced security capabilities that will keep our business, our partners, and our customers safe. Cloudflare was built to help you and your customers be more secure on the Internet.



This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Author

Gregory Van den Top — @gregoryvdtop
Field CSO, Cloudflare



Key takeaways

After reading this article you will be able to understand:

  • How to view compliance as an enabler and not a burden

  • The personal risks to the C-suite posed by regulations

  • Why autonomous governance is critical to maintaining compliance



