- Prompt injection attacks manipulate AI guardrails using natural language, exploiting the semantic gap to get models to ignore developer instructions.
- AI social engineering scales faster and lowers attacker skill barriers, enabling automated, targeted campaigns like deepfakes and credential theft.
- Primary harms include data exfiltration, unauthorized transactions, and malicious or biased outputs that damage reputation and operations.
- Defenses are immature; require layered controls: human in the loop, prompt firewalls, input sanitization, least privilege, fuzz testing, patching, and user training.
Last Updated on July 9, 2026
Companies in regulated industries like healthcare, financial services, and defense need to move fast on emerging technology like agentic AI while maintaining both compliance and security. “Compliance theater” refers to cutting corners on cybersecurity and focusing on “the show” you need to present to regulators, your board, and/or clients to avoid compliance problems.
What does compliance theater look like? Why is it problematic and how can you avoid it? This article shares insights and practical guidance for business and technical leaders.
Key takeaways
- Compliance can be a destination, but security is always a journey.
- True security strongly supports compliance. But achieving compliance does not automatically make your organization secure.
- Compliance theater refers some level of executing checklist-oriented tasks to meet audit requirements rather than operationalizing and maintaining effective cybersecurity controls.
- The inevitable path from compliance theater to robust cybersecurity is mostly the concrete-sequential, step-by-step implementation and testing of controls based on a solid plan.
- Compliance theater has its place and is sometimes the best option. But too much compliance latitude can lead to legal and regulatory sanctions and wide risk exposure.
What are security and compliance?
Compliance relates to alignment with specific government regulations (e.g., HIPAA or the EU AI Act), contractual obligations, industry guidelines (e.g., PCI-DSS), or voluntary frameworks (e.g., ISO 27001 or SOC 2). The general goal is to define a minimum level of information security and data protection, either across the board for all firms or based on variables like company size, customer base, or markets/products.
Organizations usually validate compliance by undergoing point-in-time audits, either internal or external. Audits are often ongoing at intervals (e.g., annually or every three years) to maintain compliance.
Typical compliance artifacts include policy documents, data showing evidence of control operation, and documentation of key processes like risk assessment. A compliance certification verifies the presence of specific controls at the time of the audit. But it may not confirm that controls are operating consistently, up to date with the current threat landscape, or aligned with business needs/risks.
Compliance is widely viewed as a legal and market obligation and a must-have prerequisite for gaining and keeping customers. It is also a financial imperative anytime there is potential for fines and sanctions. But compliance alone is not a complete picture of a company’s cybersecurity posture.
Security refers to the actual operational performance and resilience of a firm’s security controls and their ability to protect sensitive data and mitigate identified business risks. A firm’s real-world cybersecurity posture determines how well it can proactively prevent, detect, block, address, recover from, and minimize the negative impacts of cyberattacks.
Technical indications of robust security include the presence of controls and implementation of best practices like managed detection and response, business continuity planning, user awareness training, least-privilege access controls, zero-trust network access, third party risk management (TPRM), threat hunting, and phishing-resistant multifactor authentication (MFA).
How do security and compliance relate?
Security and compliance are closely related but they are not the same thing. True security strongly supports compliance, but achieving compliance does not automatically make your organization secure.
“We passed the certification audit so we must be secure” is a common misconception. In fact, compliance can provide a false sense of security while leaving a business and its stakeholders exposed to unacceptable risk.
While “continuous compliance” may be a requirement or goal, compliance audits are usually a point-in-time assessment that verifies you have the necessary policies and minimum operational controls in place. Whether your controls are effective in defending your business from real-world threats is a separate issue.
In contrast to compliance, security is a continuous, real-time process that constantly anticipates or evolves with the IT environment and threat landscape. Security constantly seeks to decrease your attack surface and reduce actual risk to acceptable levels while maintaining compliance standards.
Compliance standards often lag behind current threats and technology. They define a baseline or minimum standard for security practice but probably not a dynamically optimized cybersecurity control environment for a specific organization.
This is essentially why compliance does not equal security. You can pass a certification audit and still suffer a preventable data breach because your controls didn’t fully protect your actual attack surface or alert you to dangerous vulnerabilities.
Teams seeking to implement new technology like agentic AI need to meet both security and compliance objectives. When security controls are operating as intended, compliance artifacts are more accurate and easier to produce.
“Compliance can be a destination, but security is a journey,” says John Verry, Managing Director at CBIZ Cybersecurity. “You get your certification or maybe you have to renew it—those are events. Security is a process that’s never finished and is always evolving and changing.”
What is compliance theater?
For companies that engage in compliance theater, there is some level of focus on demonstrating what regulators and/or auditors require to gain or maintain a certificate of compliance with a cybersecurity framework—not on achieving the true intent and objective of the framework.
Factors that contribute to a compliance theater approach may involve:
- A “checkbox mentality” where security controls are designed, implemented, and/or optimized mainly to pass audit requirements rather than mitigating risk or stopping cyberattacks.
- “Doing the minimum” to align with the baseline security level that a framework defines. Many frameworks (e.g., ISO 27001) are more flexible than prescriptive and do not mandate specific measures to stop real-world threats targeting your firm’s unique environment and industry.
- Confusing the “perfect picture” from an audit snapshot with the reality of an imperfect security posture. Security performance often drifts or degrades following a compliance audit if controls are not continuously monitored/enforced.
While businesses ultimately need to be both secure and compliant, some organizations are most concerned with achieving a compliance certification so they can win new business or avoid penalties. Following through on operationalizing security is something they plan to get to later, hopefully before unaddressed risks manifest as incidents. This is compliance theater.
Some of the hidden costs of compliance theater often include:
- Unacceptable exposure to legal and regulatory sanctions, especially in the wake of a data breach.
- Operational inefficiencies like manual processes and stressful “audit scrambles” that bog down teams and erode productivity.
- The opposite of a “security culture” where employees see cybersecurity and compliance policies as not meaningful or enforced and therefore optional to follow.
How can orgs get from compliance theater to true security?
According to John Verry, even the best run cybersecurity programs involve a bit of compliance theater, especially when newly certified.
“So often when you’re implementing a framework like ISO 27001 or CMMC, your initial focus is on the design of the management system and then your initial operationalization of that program,” relates John. “The challenge is that in that race to get to the point where you’re ready to be certified, it’s very difficult to truly operationalize the controls on a can’t fail/can’t miss basis.”
John likens operationalizing a cybersecurity program to a master task list. Some tasks must be done annually, some quarterly, some monthly, some weekly, and so on.
“Vulnerability scans, policy updates, incident response testing… Assuming the control designs are reasonable and appropriate to the organization’s risk and context, the process by which we implement all those tasks reliably is what turns compliance theater into true security,” John explains.
John acknowledges that his own business unintentionally fell into compliance theater after achieving ISO 27001 certification.
“We implemented our program and we fell into the same traps as everybody else,” laughs John. “Six months post certification we were, like: ‘Oh crap—that security metric didn’t fire. We never did the user account management reviews. No one updated the risk management review on that critical vendor…’ It takes a while for an organization to figure out how to actually operate the program they designed.”
Less can be more with GRC tools
Many companies benefit from technology support to effectively operationalize their cybersecurity governance, risk, and compliance (GRC) program. But adding a new tool may not be as effective for your team as leveraging something they already have.
John Verry observes: “Sometimes buying another GRC tool is the worst thing you can do. Say you’re a software development firm and your team lives in Jira all day. If you make them go to another system to do their GRC operations, they might not happen. If they’re doing GRC in Jira where they live and breathe, you often have a better outcome.”
John has seen many clients successfully operationalize cybersecurity using familiar tools like Jira, Wrike project management, or ServiceNow help desk ticketing.
Is compliance theater ever the best option?
Compliance theater is probably never the best option long-term because it presents severe financial and legal risks while giving stakeholders a false sense of security.
But for startups burning through capital and/or facing a “do or die” deadline on a deal that requires a specific compliance certification, prioritizing speed through compliance theater can be a legitimate, temporary stopgap measure to unlock a revenue opportunity or capitalize on a short market window.
“Sometimes ensuring the business risk isn’t realized has more net value to the organization than ensuring the cyber or privacy or AI risk isn’t realized,” states John. “If you’re that CISO, you’re getting pressured to just get the certification no matter what. And if you’re supporting that CISO, you can see how compliance theater could benefit that organization. Even though it’s frustrating as a practitioner who wants to do things right and by the book to be in that challenging situation.”
Senior leaders: Be careful what you sign.
Several of the leading cybersecurity frameworks that offer independent compliance certification, including ISO 27001 and the Cybersecurity Maturity Model Certification (CMMC), mandate a full external audit every three years. Self-attestation of compliance based on an internal audit is required in each of the intervening two years. Different variations on this theme exist, with the common goal of helping to spur ongoing compliance without placing an undue audit burden on companies.
As a senior executive, you may be asked to sign off on an attestation that your business performed a cybersecurity audit and your controls remain compliant with the certification framework.
But what if that’s mostly compliance theater? This exposes the signer to potential legal risks, up to and including US Department of Justice (DoJ) prosecution under the False Claims Act (FCA).
Can a self-attestation compliance regime improve a sector’s overall cybersecurity posture?
“One of the best ways to manage up is to require management to sign off on a risk,” John Verry points out. “I think if the CMMC program is going to work well in year two and year three, it’s going to be because of that concern and pressure that the individual who has to put pen to paper feels when it’s put in front of them.”
What’s next?
For more guidance on this topic check out the Full Metal Packet podcast on “Why Compliance Doesn’t Equal Security for CISOs in 2026” with John Verry, Managing Director at CBIZ Cybersecurity.