Compliance at scale
Inherited guardrails, secure-by-default accounts.
A compliance program that works for one account rarely survives contact with fifty. Compliance at scale depends on inherited guardrails and secure-by-default provisioning, so controls apply everywhere automatically rather than being reapplied — and forgotten — account by account.
Inherit controls from the top
The key to scale is hierarchy: set preventive guardrails once at the organization or management-group level and let every account, subscription, or project beneath inherit them. Service Control Policies, Org Policy, and hierarchical admission constraints make the non-negotiable controls — no public data, no disabling logging, encryption required, region limits — apply org-wide and impossible to cross, even by an account admin. This turns "did every team implement the control?" into "the control is structurally enforced for all of them", which is the only way compliance keeps pace as the estate grows. Inheritance also means a new control is added in one place and immediately covers everything.
# A preventive control at the org root — inherited by EVERY account below:{"Sid": "DenyDisableLogging", "Effect": "Deny","Action": ["cloudtrail:StopLogging", "config:StopConfigurationRecorder"],"Resource": "*"}# No account, including its admin, can disable logging. One policy, org-wide# coverage — compliance that scales without per-account effort.
Secure-by-default provisioning
The other half of scale is that new environments arrive compliant. A landing zone or account-vending process provisions each new account with the baseline already applied — inherited guardrail policies, centralized immutable logging, the standard IaC compliance gates, detection enabled — so there is no window in which it exists unprotected and no checklist for a team to forget. Compliance becomes a property of how environments are created, not a task performed after the fact. Combined with inherited guardrails, framework overlap (one control mapped to many frameworks), and continuous evidence, this is what lets a small team keep a large, multi-framework estate continuously compliant — the payoff of treating compliance as code.