Continuous compliance
Always-on evaluation vs point-in-time.
The deepest shift in modern compliance is from point-in-time to continuous. An annual audit tells you your posture on one day; continuous compliance tells you your posture every day — which is the only way to actually stay compliant rather than merely pass.
Always-on evaluation
Continuous compliance means your controls are evaluated constantly rather than assessed once a year. Cloud Config rules, CSPM, admission policy, and scheduled policy runs check configuration against your control set around the clock, so a violation surfaces within minutes of appearing instead of lurking until the next audit. This closes the blind window that point-in-time assessment leaves open — the 364 days between snapshots where posture drifts and issues hide. It also changes the nature of compliance from an event you prepare for into a property you continuously maintain and can prove at any moment.
# POINT-IN-TIME (traditional):# audit day → assess → report → ...364 days of unknown posture... → repeat## CONTINUOUS (compliance as code):# config change → evaluated in minutes → pass/fail recorded → alert on fail# posture is KNOWN every day; evidence accrues automatically## AWS Config example — a control evaluated continuously:aws configservice put-config-rule --config-rule '{"ConfigRuleName": "s3-encryption","Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" }}'
Why period-based audits demand it
Continuous compliance is not just nicer — it is what rigorous audits require. SOC 2 Type II assesses whether controls operated effectively across a period of months, which is impossible to demonstrate with point-in-time screenshots and only feasible with continuously-generated evidence. The same is true for staying secure: a control that was compliant at the audit and silently regressed the next week is a real exposure that continuous evaluation catches and point-in-time assessment misses entirely. Build the program so controls run and evidence themselves continuously, and both "are we secure right now?" and "can we prove we were secure all year?" become answerable at any moment.