Through my many years working in GRC, I’ve found a consistent theme: most compliance projects don’t fail – they stall. And they can stay stalled for a long while. I see this constantly across SOC 2, HIPAA, ISO, and internal security programs.
The stall is rarely about tooling. It’s rarely about budget (unless you are maturing an existing program). And it’s almost never because people “don’t care about security.” Compliance efforts stall because ownership is unclear and execution is vague.
Let’s dive into the most common reasons.
Treating Compliance Like a Project
The first mistake is treating compliance like a project instead of an operating model. Teams spin up a compliance goal, write policies, maybe buy a tool, and aim to “get through the audit.” The problem is that nothing about day-to-day work actually changes. Controls are not embedded into how work already happens. They live alongside the business instead of inside it. When compliance becomes side work, it loses to real work every time.
Policies Without Execution
The second issue is “paper” compliance. Policies exist. Controls are marked implemented. But when you ask basic questions like “who owns this, how often does it run, what triggers it, and where does the output live,” the answers get fuzzy. If a control can’t be executed on demand and explained simply, it isn’t really implemented or effective. People disengage quickly when the work feels performative instead of operational.
“We’ll Formalize That Later”
Early on, teams tolerate gaps because they are moving fast. Processes are informal but assumed to be “good enough.” Documentation is postponed. Reviews are ad hoc. In my experience, “later” rarely has a deadline. “Later” has no owner. “Later” becomes permanent.
Input Without Ownership
Another stall point is shared accountability without decision rights. Compliance conversations often involve security, IT, engineering, leadership, and sometimes legal. Everyone has opinions. Everyone has concerns. But no one is clearly empowered to make the final call. Meetings multiply, alignment drags on, and controls remain unchanged. Input without ownership slows everything down.
Chasing Maturity Instead of Sustainability
I also see teams stall because they overbuild. They aim for maturity levels the business cannot sustain. They design enterprise-grade processes for small or mid-size environments. They chase perfect documentation instead of defensible execution. Overengineering creates fatigue. Fatigue turns into avoidance.
The teams that actually make progress tend to do a few things consistently. They assign clear owners per control area. They design controls that are executable, not theoretical. They right-size maturity to the business, not the framework. They create early, visible wins so progress is tangible.
Conclusion: Clarity Is the Missing Control
Compliance does not stall because people are lazy or resistant. It stalls when responsibility is shared, expectations are unclear, and execution is abstract. If compliance feels stuck, the answer is usually not another tool or another policy. It’s clarity.
Curious what others see as the biggest reason compliance efforts lose momentum in their organizations?