ISC2 Congress 2025 felt different this year. The conversation has clearly moved past writing policy to implementing it.
Whether you were in a keynote, a panel, or a hands-on workshop, the theme was consistent: the only way to meet modern regulatory, technical, and business demands is to express policy as code - versionable, testable, auditable, and enforced across every layer of the stack. It's the only realistic way to prove intent, demonstrate control, and adapt when things inevitably change.
The compliance playbook is being rewritten in real time. Manual attestations and static GRC workflows are giving way to continuous, data-driven assurance. Evidence gets gathered and validated automatically. Authorization and access controls are being expressed in code. Audit logs look more like product telemetry than checkbox exercises.
The organizations getting this right aren't just digitizing old policy documents. They're embedding enforcement directly into infrastructure, pipelines, and application logic. Compliance is becoming observable and measurable by design.
AI was the other dominant theme - and the gap between opportunity and readiness was hard to miss. Every track touched on how automation and agentic systems are reshaping operations, yet most security programs still don't have frameworks to govern them. The next phase of cybersecurity won't just be about how AI systems are built or deployed; it'll be about defining, in policy, what they're allowed to do.
Governance for machine identities, agent behavior, and model-driven decisions needs to be encoded early and enforced continuously. Waiting for regulation to catch up isn't a strategy.
Risk quantification also matured into a central thread connecting security, compliance, and the business. Frameworks like Cyber Risk Quantification and Protection Level Agreements are turning technical posture into financial language, showing boards how automated, verifiable controls reduce real exposure.
It's part of a broader shift: security architecture, policy enforcement, and business risk management are finally converging into a single, measurable system.
One personal highlight was our session with Google and Apple on Just-in-Time vs Policy-Based Access Control. The discussion on dynamic authorization, least privilege, and real-time policy evaluation sparked some really thoughtful questions from a room full of practitioners dealing with these problems today. It was clear people aren't looking for more theory - they want practical, code-driven approaches to build and prove trust.
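To make "practical, code-driven" concrete, here is an added illustration of the ideas in the session above: standing policy-based rules (least privilege, explicit deny wins, no self-approval), a time-bounded just-in-time grant evaluated only after standing policy, a default-deny fallthrough, and a decision that names the rule that fired so every check is auditable. This is a constructed, hypothetical policy model written for this post; it is not Cerbos's policy language or engine, and the resource kind, rule ids, roles and principals are invented sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Hypothetical policy model, constructed for illustration only.


@dataclass(frozen=True)
class Principal:
    id: str
    roles: FrozenSet[str]
    # JIT grants: (action, resource_kind) -> expiry; checked only after standing policy
    jit_grants: Dict[Tuple[str, str], datetime] = field(default_factory=dict)


@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    owner: str


@dataclass(frozen=True)
class Rule:
    id: str
    resource_kind: str
    actions: FrozenSet[str]
    roles: FrozenSet[str]
    effect: str  # "allow" or "deny"
    condition: Optional[Callable[[Principal, Resource], bool]] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule_id: str  # which rule decided: a Rule.id, "jit-grant" or "default-deny"


# The policy itself is data: versionable in git, reviewable in a PR, testable below.
POLICY = [
    Rule("deny-suspended", "expense", frozenset({"view", "approve", "delete"}),
         frozenset({"suspended"}), "deny"),
    Rule("view-own", "expense", frozenset({"view"}), frozenset({"employee"}), "allow",
         condition=lambda p, r: r.owner == p.id),
    Rule("manager-approve", "expense", frozenset({"view", "approve"}), frozenset({"manager"}),
         "allow", condition=lambda p, r: r.owner != p.id),  # no self-approval
]


def evaluate(principal: Principal, action: str, resource: Resource, now: datetime) -> Decision:
    """Evaluate one access request against POLICY. Explicit deny beats any allow;
    JIT grants are consulted only when no standing rule matches; otherwise default deny."""
    matched = [
        r for r in POLICY
        if r.resource_kind == resource.kind
        and action in r.actions
        and principal.roles & r.roles
        and (r.condition is None or r.condition(principal, resource))
    ]
    denies = [r for r in matched if r.effect == "deny"]
    if denies:
        return Decision(False, denies[0].id)
    allows = [r for r in matched if r.effect == "allow"]
    if allows:
        return Decision(True, allows[0].id)
    expiry = principal.jit_grants.get((action, resource.kind))
    if expiry is not None and now < expiry:
        return Decision(True, "jit-grant")
    return Decision(False, "default-deny")


def audit_record(principal: Principal, action: str, resource: Resource,
                 decision: Decision, now: datetime) -> dict:
    """Structured audit event: the decision plus the rule that produced it."""
    return {"ts": now.isoformat(), "principal": principal.id, "action": action,
            "resource": f"{resource.kind}/{resource.id}", "allowed": decision.allowed,
            "rule": decision.rule_id}


# Constructed sample data for the worked checks below.
NOW = datetime(2025, 11, 1, 12, 0, tzinfo=timezone.utc)
ALICE = Principal("alice", frozenset({"employee"}))
BOB = Principal("bob", frozenset({"manager"}))
CAROL = Principal("carol", frozenset({"employee", "suspended"}))
DAVE = Principal("dave", frozenset({"employee"}),
                 jit_grants={("approve", "expense"): NOW + timedelta(hours=1)})
ALICE_EXPENSE = Resource("expense", "e-1", owner="alice")
BOB_EXPENSE = Resource("expense", "e-2", owner="bob")
CAROL_EXPENSE = Resource("expense", "e-3", owner="carol")

if __name__ == "__main__":
    # Policy tests live next to the policy and run in CI like any other unit test.
    for who, action, res in [(ALICE, "view", ALICE_EXPENSE), (ALICE, "view", BOB_EXPENSE),
                             (BOB, "approve", ALICE_EXPENSE), (BOB, "approve", BOB_EXPENSE),
                             (CAROL, "view", CAROL_EXPENSE), (DAVE, "approve", ALICE_EXPENSE)]:
        d = evaluate(who, action, res, NOW)
        print(audit_record(who, action, res, d, NOW))
```

The order of checks is the security-relevant part: a deny rule for a suspended user wins even if a manager role or a JIT grant would otherwise allow, and a JIT grant is the last thing consulted before default deny, so an expired grant falls through to "default-deny" rather than to some stale allow. Because the decision carries the rule id, the audit log answers "why was this allowed?" directly instead of requiring a reconstruction of the policy at that point in time.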

The takeaway from Nashville is consistent and urgent. Policy isn't documentation anymore. It's infrastructure. To stay ahead of regulation, AI disruption, and growing supply-chain risk, security teams need policies that can be deployed, tested, and audited like software. The future of assurance depends on it.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team