From Certification to Confidence: What the Recent Federal Risk Mandate Means for Broader IT Security

There’s a growing gap between compliance and real security. This isn’t because compliance lacks value, but because it’s often mistaken for something it was never designed to be: a complete, current picture of risk. I’ve previously discussed how trust isn’t claimed through documentation, and that compliance can drift into theater when it’s disconnected from reality. What’s changed now is that the broader environment is catching up to that view.

The White House’s move earlier this year (with its M-26-05 memorandum) toward a risk-based approach to software and hardware security didn’t introduce a new framework or retire existing ones. What it did do was clarify an expectation that security must be demonstrated continuously and not just described at a moment in time. This, of course, far more accurately reflects how systems actually operate.


Obviously this shift has practical consequences for software companies selling into the federal government. However, it also reflects the same type of rigor that a growing number of private and public-sector organizations are demanding from their technology vendors. You’re selling into more demanding buyers, operating increasingly dynamic infrastructure, and managing security with limited resources. The old model of “prepare for the audit, pass it, move on” doesn’t map well to that reality anymore.

Traditional point-in-time assessments still matter, as they provide both a structure and a shared language for evaluating controls. But it’s important to be clear about their role. They define what should exist; they don’t guarantee that those controls are effective right now. That distinction is becoming harder to ignore, as systems change more quickly and risk becomes more dynamic.

This is where attestations begin to shift in importance. A SOC 2 report or ISO 27001 certification has long served as a proxy for trust, because it signals that controls were tested and operating over a defined period. However, it’s a lagging indicator, and by the time a report is issued, the underlying systems may already look different.


Sophisticated (and risk-aware) buyers and regulators are increasingly asking a different question: not just “Were you secure?” but “Are you secure now?” This question doesn’t eliminate frameworks or audits, but it does reframe them. Frameworks become a baseline rather than a destination, audits become checkpoints in an ongoing process, and attestations become one signal among several, not the sole artifact that establishes trust.

What’s emerging in their place is a model of continuous assurance. Instead of assembling evidence periodically, you generate it as part of how your systems operate. Controls are monitored continuously, and evidence is pulled directly from source systems (e.g. identity, cloud, and code systems) rather than collected manually. When something drifts, you see it quickly and can respond before it becomes a larger issue.
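The continuous-assurance loop described above, as an added example that is not Thoropass’s product or code: a small Python monitor that evaluates three hypothetical controls against constructed snapshots of an identity provider, a cloud account, and a code host, records every result as timestamped evidence, reports which controls changed state between two runs (drift), and treats evidence older than a freshness window as stale. The control identifiers, the shape of the source data, and the snapshots themselves are all assumptions made for the illustration.

```python
"""Continuous control monitoring with drift detection (added example, not
Thoropass code). Source-system data is constructed inline; in practice it
would be pulled from the identity provider, cloud account and code host APIs."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Evidence:
    """One control result, tied to the system it came from and when it was seen."""
    control_id: str
    source: str            # identity | cloud | code
    observed_at: datetime
    passed: bool
    detail: str            # violating items, or "ok"


# Hypothetical controls: (source system, description, function returning violators).
CONTROLS = {
    "IAM-01": ("identity", "every user has MFA enforced",
               lambda s: [u["login"] for u in s["users"] if not u["mfa"]]),
    "CLD-01": ("cloud", "no storage bucket is publicly readable",
               lambda s: [b["name"] for b in s["buckets"] if b["public"]]),
    "SDLC-01": ("code", "default branch of every repository is protected",
                lambda s: [r["name"] for r in s["repos"] if not r["branch_protection"]]),
}


def evaluate(snapshots, observed_at):
    """Run every control against the current source-system snapshots."""
    results = []
    for control_id, (source, _desc, violators_of) in CONTROLS.items():
        violators = violators_of(snapshots[source])
        results.append(Evidence(control_id, source, observed_at,
                                not violators, ", ".join(violators) or "ok"))
    return results


def drift(previous, current):
    """Controls whose pass/fail state changed between two runs: (id, was, now)."""
    before = {e.control_id: e.passed for e in previous}
    return [(e.control_id, before[e.control_id], e.passed)
            for e in current
            if e.control_id in before and before[e.control_id] != e.passed]


def is_current(evidence, now, max_age=timedelta(hours=24)):
    """Evidence older than the freshness window is a point-in-time artifact,
    not a statement about the present."""
    return now - evidence.observed_at <= max_age


# Constructed snapshots standing in for two daily collection runs.
def snapshot_day1():
    return {
        "identity": {"users": [{"login": "alice", "mfa": True},
                               {"login": "bob", "mfa": True}]},
        "cloud": {"buckets": [{"name": "logs", "public": False}]},
        "code": {"repos": [{"name": "api", "branch_protection": True}]},
    }


def snapshot_day2():
    # Constructed regression: bob's MFA was reset and a public bucket appeared.
    return {
        "identity": {"users": [{"login": "alice", "mfa": True},
                               {"login": "bob", "mfa": False}]},
        "cloud": {"buckets": [{"name": "logs", "public": False},
                              {"name": "scratch", "public": True}]},
        "code": {"repos": [{"name": "api", "branch_protection": True},
                           {"name": "web", "branch_protection": True}]},
    }


if __name__ == "__main__":
    day1 = datetime(2025, 1, 6, tzinfo=timezone.utc)
    run1 = evaluate(snapshot_day1(), day1)
    run2 = evaluate(snapshot_day2(), day1 + timedelta(days=1))
    for e in run2:
        print(f"{e.control_id:8} {e.source:9} {'PASS' if e.passed else 'FAIL'}  {e.detail}")
    for control_id, was, now in drift(run1, run2):
        print(f"drift: {control_id} {'pass' if was else 'fail'} -> {'pass' if now else 'fail'}")
    # A month later, run1's evidence no longer says anything about the present.
    print("day-1 evidence still current?", is_current(run1[0], day1 + timedelta(days=30)))
```

The point of the freshness check is the one the post makes about attestations: a passing result is only meaningful together with the time it was observed, so the monitor keeps the timestamp on every record rather than collapsing results into a single pass/fail status.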

This shift shows up in a few tangible ways for emerging and midsize companies. Enterprise buyers are becoming more sophisticated, and while a SOC 2 report is still expected, it’s often just the starting point. Security teams want to understand how controls are enforced in practice and how quickly issues are detected and resolved. Being able to answer with current data, rather than prepared artifacts, changes those conversations.

At the same time, the cost of maintaining compliance through manual processes is increasing. Collecting screenshots, coordinating evidence requests, and treating audits as discrete events creates overhead without improving security. As expectations move toward continuous validation, that model becomes harder to sustain.

There’s also a structural shift happening inside organizations. When evidence comes directly from operational systems, compliance stops being a parallel effort and becomes a layer on top of how your systems already function. That’s a more durable model, but it requires tighter alignment between security, engineering, and GRC teams.

At Thoropass, we’ve been adapting to this shift by focusing on what we think of as continuous audits. The goal isn’t to replace frameworks or eliminate attestations, which still remain important. The goal is to make them more reflective of reality by grounding them in continuously collected, system-level evidence.

When that’s in place, the audit process itself becomes less disruptive. Evidence doesn’t need to be reassembled each cycle because it already exists. Control gaps are surfaced earlier, when they’re easier to fix. Audit timelines shorten because much of the work has already been done. And teams gain a clearer view of their actual risk posture, not just their compliance status.

We’re entering a period where both models will coexist. Buyers will still ask for audit reports, and auditors will still issue them. But expectations around transparency and real-time assurance will continue to rise, and companies that invest in continuous approaches now will be better positioned to meet both.

The White House directive didn’t end compliance. It clarified its limits, and in doing so, it points toward a more useful way of building trust – one that reflects how modern systems actually work.
