We’ve spent the last year sitting in conversations with the people who do compliance for a living. CTOs at AI startups. Security leads at banks. The two-or-three-person team trying to keep a thousand-person city secure on a spreadsheet. Founders who built their own ISMS by hand because nothing on the market felt usable.
We didn’t go looking for complaints. We went looking for the work — what people were actually doing on a Tuesday afternoon when the auditor wasn’t in the room. What we found was a category of software that has become very good at one thing and very bad at another.
It’s good at making you look secure.
It’s bad at making you secure.
Here’s what people kept telling us.
“The dashboard is green and the gaps are still there.”
Every modern compliance tool gives you a dashboard. Big numbers, green checkmarks, a smooth ramp from “starting” to “ready for audit.” It looks great in a board meeting and it sells beautifully.
The problem is what the dashboard is measuring.
Most of these tools are built around a list of controls — pulled from ISO 27001, SOC 2, NIS2, whatever framework you’re chasing — and the dashboard is just a tally of how many of those controls have been “checked off.” Checked off, in practice, often means: someone uploaded a policy document, or wrote a one-line note, or attached a screenshot from three months ago.
The dashboard is not looking at your cloud. It’s not looking at your identity provider. It’s not looking at the code your engineers shipped yesterday. It’s looking at paperwork about your security. So you can have a perfectly green dashboard while a misconfigured S3 bucket sits open to the internet, because the bucket isn’t on the checklist.
One person we spoke to put it bluntly: all the tools are built for compliance, none for actual use. They had a CISO title at a financial institution. They knew the difference.
The tools were built for the audit, not the work
Here’s the inversion at the heart of the problem.
The way compliance tools were originally designed makes complete sense if you’re an auditor. You want a clean, ordered list of controls, you want evidence attached to each one, and you want to be able to walk through it in two days and decide whether it’s enough. The tools optimize for that walkthrough.
But you, the person on the inside, are not the auditor. You’re trying to actually be secure the other 363 days of the year. The walkthrough is the smallest part of your job. The biggest part is: monitoring what changes, deciding what’s risky, fixing things, and remembering to write down what you fixed and why.
A tool that’s optimized for the auditor’s two days makes the other 363 days worse. You end up doing security work in one place — your cloud console, your code repo, your IDP — and then you go to the compliance tool and re-document what you just did, by hand, so the dashboard stays green. That re-documentation is the work nobody wants to do, and it’s the reason your compliance project keeps slipping.
Even big, serious companies are running on Excel
This one surprised us, and we keep meeting it.
We talked to a city of around a million people that was managing every piece of its security inventory in Excel. Two or three people, a budget counted in millions of euros, an Excel file. We talked to a national financial regulator using “tools not built for actual use.” We talked to a software company whose security lead had given up on the market entirely and built his own internal management system from scratch — and it was the best one we’d seen.
The pattern: the people who care most about getting security right are the people most disappointed by the tooling. So they fall back to a spreadsheet, because at least the spreadsheet is honest about what it is.
The tools have not earned the trust of the people who would benefit most from them.
The price tag is part of the joke
You’d expect this kind of structural problem to be fixed by money. It isn’t.
The numbers we keep seeing:
- A medical-devices company quoted €200,000–€300,000 for a “unified security report” tool to satisfy MDR and FDA at the same time.
- A consultant engagement to set up an ISMS, end-to-end: €20,000–€40,000. The deliverable is, almost without exception, an Excel file.
- A US-first compliance suite: comparable cost per year, scaling with headcount. The product is good if you’re a US software company chasing SOC 2. It does not understand the EU AI Act.
The €200K solution doesn’t talk to your real systems either. The €20–40K Excel ages out the day the consultant walks out. The annual subscription keeps the dashboard green.
You can spend a lot of money and still not have done the security work.
The actual pain isn’t “compliance.” It’s the questionnaire.
Here’s the thing nobody puts on a slide.
The reason most companies finally invest in compliance tooling is not because they suddenly developed an inner passion for ISO 27001. It’s because an enterprise customer sent them a 150-question security questionnaire and asked them to fill it in by Friday.
That questionnaire is the real moment of pain. You scramble. You ask three people in the company what your password policy actually is. You hope nobody notices that the policy was written 18 months ago and references a project that was deprecated. You pull a screenshot of MFA being enforced, even though you set it up so long ago you can’t remember which IDP it actually lives in. You send it off and pray.
Every compliance tool on the market promises to solve this. None of them do, because they don’t have the underlying data. They have your uploaded policies. They don’t have your live cloud configuration, your active identity assignments, or what changed in your repo this morning. So when the questionnaire shows up, you’re back to scrambling.
We heard this story almost word-for-word from CTOs at three different companies. It’s not an edge case. It’s the Tuesday.
What we’d actually want
We’re building Kaamos because we’ve been on the bad side of all of this and we wanted a different shape of tool. So you have a sense of what we’re optimizing for, here’s the spec we kept ending up at:
- It connects to your real systems. Not your uploaded policies. Your cloud, your identity provider, your code. If MFA enforcement is the control, the tool should check whether MFA is enforced — not whether someone uploaded a doc claiming it is.
- It tells you the truth, not just what passes. A green dashboard that doesn’t reflect reality is worse than no dashboard. Better to know.
- It generates the documentation as a side effect of the work. The policies, the risk register, the evidence pack — they should fall out of what’s actually happening in your stack, not be a separate workstream someone has to staff.
- The questionnaire becomes a query, not a fire drill. When the 150 questions arrive, the answers should already exist, attached to live facts.
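To make the difference between the two approaches concrete, here is an added example (not Kaamos code and not part of the original post) that checks two controls the way the spec above describes: against live facts rather than uploaded documents. It covers both the open-S3-bucket case from earlier in the post and the MFA-enforcement case from the list above. The identity-provider export, the bucket’s public-access-block settings, the bucket policy and the checklist’s evidence records are all constructed sample data; the function and field names are assumptions about what a connector would return, not any vendor’s API.

```python
"""Evaluate controls against live facts, then compare with what the checklist says.

Added example. All inputs below are constructed sample data; the shapes are
hypothetical stand-ins for what a connector would pull from an identity
provider and from AWS, not a real product's API.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: identity-provider export. 'ben' is active but never enrolled in MFA.
IDP_USERS = [
    {"login": "ana", "mfa_enrolled": True, "active": True},
    {"login": "ben", "mfa_enrolled": False, "active": True},
    {"login": "old-contractor", "mfa_enrolled": False, "active": False},
]

# Constructed: S3 public-access-block settings and a bucket policy that grants
# anonymous read. Only RestrictPublicBuckets actually neutralises an existing
# public policy; BlockPublicPolicy merely rejects new ones (simplified here).
BUCKET_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-assets/*",
    }],
})

# Constructed: what a checklist-style tool holds for the same two controls.
# MFA-1 is "checked off" because a PDF was uploaded; the bucket isn't listed.
CHECKLIST_EVIDENCE = {
    "MFA-1": {"uploaded": "mfa-policy.pdf", "checked_off": True},
    "S3-1": {"uploaded": None, "checked_off": False},
}


@dataclass
class Finding:
    """One control evaluated against live facts, with the facts kept as evidence."""
    control: str
    passed: bool
    facts: list = field(default_factory=list)
    checked_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def check_mfa_enforced(users):
    """MFA-1: every active account in the IdP must have MFA enrolled."""
    missing = sorted(u["login"] for u in users if u["active"] and not u["mfa_enrolled"])
    return Finding("MFA-1", not missing, facts=[f"active users without MFA: {missing}"])


def policy_grants_public_read(policy_json):
    """True if any Allow statement gives a wildcard principal object-read access."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if wildcard and any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False


def check_bucket_not_public(pab, policy_json):
    """S3-1: no anonymous read, either because the policy is private or because
    RestrictPublicBuckets overrides a public policy (simplified model)."""
    public_policy = policy_grants_public_read(policy_json)
    restricted = bool(pab.get("RestrictPublicBuckets"))
    return Finding("S3-1", restricted or not public_policy, facts=[
        f"policy grants public read: {public_policy}",
        f"RestrictPublicBuckets: {restricted}",
    ])


def evaluate(users, pab, policy_json):
    """Run every live check; this list is the evidence pack, not a separate workstream."""
    return [check_mfa_enforced(users), check_bucket_not_public(pab, policy_json)]


def compare_with_checklist(findings, checklist):
    """Per control: what the green dashboard says versus what the live check found."""
    return {f.control: {"dashboard_says": checklist.get(f.control, {}).get("checked_off", False),
                        "live_check": f.passed} for f in findings}


def answer_questionnaire(question_to_control, findings):
    """The questionnaire becomes a query: each question resolves to a live finding."""
    by_control = {f.control: f for f in findings}
    return {q: by_control[c] for q, c in question_to_control.items()}


if __name__ == "__main__":
    results = evaluate(IDP_USERS, BUCKET_PUBLIC_ACCESS_BLOCK, BUCKET_POLICY)
    for control, view in compare_with_checklist(results, CHECKLIST_EVIDENCE).items():
        print(control, view)
    for q, f in answer_questionnaire(
            {"Is MFA enforced for all staff?": "MFA-1"}, results).items():
        print(q, "->", f.passed, f.facts, f.checked_at)
```

Run as-is, the dashboard reports MFA-1 as done while the live check fails on one active user, and the open bucket fails a check the checklist never contained. Flipping RestrictPublicBuckets to true in the sample settings makes S3-1 pass without anyone uploading a document, which is the point of tying evidence to facts.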
Compliance is not the goal. Security is the goal, and compliance is what a secure organization can prove on demand. When you flip the order — when the tool tries to make compliance the goal — you get the world we’ve been describing.