Continuous Planning & Compliance Integration
Threat modeling at feature level, automated compliance tracking with policy-as-code, and compliance checks integrated into planning workflow.
Job to be done: When launching new features with regulatory requirements, I want to identify and validate compliance controls early in refinement, so I can deploy without last-minute security rework or audit friction.
You will integrate compliance controls into your feature refinement process by tagging stories with regulatory frameworks, automating control checks in CI (SBOM, secrets scanning, SAST), and generating audit evidence at deploy time so compliance gates don't delay releases.
What you’ll implement
These are the roadmap epic features, organized as a starter backlog.
Execution guide
Practical guidance aligned to the Execution Kit Definition of Done.
Outcome
Teams embed compliance via feature-level threat modeling, automated DoD controls, and audit-friendly evidence.
Before → After Transformation
Security reviews at launch find issues; manual evidence collection delays releases
# Before state:
- Compliance: Last-minute security review before launch
- Findings: "Missing encryption", "No audit logs", "Unsigned artifacts"
- Evidence: Manual spreadsheet collection (2-3 days)
- Release: Delayed 1-2 weeks for compliance rework
# Typical release:
1. Code complete
2. Submit for security review
3. Wait 3-5 days
4. Review finds 5-10 issues
5. Fix issues, resubmit
6. Collect evidence manually
7. Release approved (finally)
# Metrics:
- Lead time: 14-21 days (compliance overhead)
- Audit findings: 8-12 per release
- Deployment frequency: Monthly (compliance bottleneck)
Controls identified in refinement, automated checks in CI, evidence generated automatically
# After state:
- Compliance: Controls identified during story refinement
Example: "[soc2-cc6.1] User must be authenticated → CI check: auth tests pass"
- Automated: Secret scanning, dependency scanning, SAST in CI
- Evidence: Auto-generated (SBOM, signatures, scan results in S3)
- Release: No compliance delays (controls already met)
# Typical release:
1. Story refined with compliance tags
2. DoD includes applicable controls
3. CI runs automated checks (5 min)
4. Evidence collected automatically
5. Deploy (compliance-ready)
# Metrics:
- Lead time: 1-2 days (no compliance overhead)
- Audit findings: 0-1 per release
- Deployment frequency: Daily (compliance enabler)
Symptoms
Prerequisites
Implementation steps
- Map regulatory controls to user story types (e.g., PII handling → encryption requirement)
- Add compliance checklist to Definition of Ready (STRIDE + regulatory controls)
- Create control mapping template (user story → applicable controls → automated checks)
- Pilot compliance-aware refinement for 3-5 stories (identify controls during grooming)
- Tag stories with regulatory scope (e.g., [soc2-cc6.1], [hipaa-phi])
- Implement first automated control check in CI (e.g., secret scanning, encryption validation)
- Add compliance evidence hooks to DoD (e.g., SBOM, signed artifacts, audit logs)
- Create compliance dashboard tracking control coverage and evidence completeness
- Run retrospective on compliance friction (reduce manual steps, automate evidence)
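The steps above (tagging stories with regulatory scope, mapping tags to controls and CI checks, adding evidence hooks to the DoD, and surfacing blockers during refinement rather than at launch) can be expressed as a small control-mapping script. The example below is added here and is not part of the kit; the `[soc2-cc6.1]` and `[hipaa-phi]` tags come from the page, while the `pci-cde` tag, the check names, the evidence artifact names and the story titles are constructed for illustration. It also computes the kit's "control coverage" and "% stories with compliance tags" metrics from the same data.

```python
import re
from dataclasses import dataclass

# Regulatory scope tags as written in story titles, e.g. "[soc2-cc6.1]" (tag format from the kit).
TAG_RE = re.compile(r"\[([a-z0-9]+-[a-z0-9.]+)\]")

# Control mapping template: tag -> control, the CI checks that prove it, and the evidence
# artifacts the Definition of Done must produce. Check and evidence names are constructed;
# only the soc2-cc6.1 and hipaa-phi tags are the kit's own, pci-cde is a constructed example.
CONTROL_MAP = {
    "soc2-cc6.1": {
        "control": "User must be authenticated",
        "checks": {"auth-tests"},
        "evidence": {"scan-results"},
    },
    "hipaa-phi": {
        "control": "PHI encrypted at rest and in transit",
        "checks": {"encryption-validation", "secret-scanning"},
        "evidence": {"sbom", "signed-artifact", "audit-logs"},
    },
    "pci-cde": {
        "control": "No secrets or vulnerable dependencies in cardholder-data code",
        "checks": {"secret-scanning", "dependency-scanning", "sast"},
        "evidence": {"sbom", "scan-results"},
    },
}

# Checks the pipeline actually implements today (constructed set; note encryption-validation is absent).
AUTOMATED_CHECKS = {"secret-scanning", "dependency-scanning", "sast", "auth-tests"}


@dataclass
class Story:
    key: str
    title: str

    @property
    def tags(self):
        return TAG_RE.findall(self.title)


def refine(story):
    """Definition of Done additions for one story: controls, required CI checks and evidence,
    plus issues to raise in refinement (untagged story, unmapped tag, check not yet automated)."""
    dod = {"controls": [], "checks": set(), "evidence": set(), "issues": []}
    if not story.tags:
        dod["issues"].append(f"{story.key}: no regulatory scope tag; confirm none applies")
    for tag in story.tags:
        entry = CONTROL_MAP.get(tag)
        if entry is None:
            dod["issues"].append(f"{story.key}: tag [{tag}] has no control mapping")
            continue
        dod["controls"].append(f"[{tag}] {entry['control']}")
        dod["checks"] |= entry["checks"]
        dod["evidence"] |= entry["evidence"]
        for check in sorted(entry["checks"] - AUTOMATED_CHECKS):
            dod["issues"].append(f"{story.key}: check '{check}' for [{tag}] is not automated yet")
    return dod


def release_gate(stories, ci_results, evidence_present):
    """Compliance gate at deploy time: every required check passed (ci_results: name -> bool)
    and every required evidence artifact exists. Returns (ready, reasons)."""
    reasons = []
    for story in stories:
        dod = refine(story)
        reasons += dod["issues"]
        for check in sorted(dod["checks"]):
            if not ci_results.get(check, False):
                reasons.append(f"{story.key}: check '{check}' failed or missing")
        for artifact in sorted(dod["evidence"] - set(evidence_present)):
            reasons.append(f"{story.key}: evidence '{artifact}' not generated")
    return (not reasons, reasons)


def control_coverage(automated=AUTOMATED_CHECKS):
    """Kit metric: mapped controls whose required checks are all automated / total mapped controls."""
    covered = sum(1 for entry in CONTROL_MAP.values() if entry["checks"] <= automated)
    return covered / len(CONTROL_MAP)


def tagging_rate(stories):
    """Kit metric: share of refined stories carrying at least one regulatory scope tag."""
    return sum(1 for s in stories if s.tags) / len(stories)


if __name__ == "__main__":
    # Constructed backlog for a dry run.
    backlog = [
        Story("APP-101", "[soc2-cc6.1] Users must be authenticated to view reports"),
        Story("APP-102", "[hipaa-phi] Store patient intake records"),
        Story("APP-103", "Refactor request logging"),
    ]
    for story in backlog:
        print(story.key, refine(story))
    print("control coverage:", control_coverage(), "tagging rate:", tagging_rate(backlog))
    print(release_gate(backlog, {"auth-tests": True, "secret-scanning": True}, {"scan-results", "sbom"}))
```

Running `refine` during grooming is what moves the "Missing encryption" and "Unsigned artifacts" findings from the launch review into the story: an unmapped tag or a check that is not automated yet shows up as an issue on the story, and `release_gate` only turns green once the checks and evidence the DoD demanded actually exist.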
Definition of Done
- Compliance checklist integrated into Definition of Ready
- Regulatory controls mapped to story types
- At least 3 automated control checks in CI
- Compliance evidence generated per release (SBOM, signatures, audit logs)
- Compliance dashboard shows control coverage
Metrics
- % stories with compliance tags identified in refinement
- Control coverage (# automated checks / total controls)
- Compliance evidence completeness (% releases with full artifacts)
- Compliance friction (time from code-complete to compliant release)
- Audit finding response time (SLA)
- Lead time for changes (DORA)
- Deployment frequency (DORA)
- Audit findings per release (target: 0)
- Compliance exception requests (trend down)
- Time to compliance approval (pre-release)
Failure modes
Ownership
- Map regulatory controls to story types and automation
- Define acceptable automated check thresholds
- Validate evidence completeness for audit readiness
- Implement automated compliance checks in CI/CD
- Maintain compliance evidence storage and retrieval
- Optimize compliance checks for speed (< 5 min overhead)
- Tag stories with regulatory scope during refinement
- Ensure DoD includes applicable compliance controls
- Surface compliance blockers early (not at launch)
What good looks like (by org scale)
- Compliance checklist in refinement template
- 3-5 automated checks (secrets, dependencies, SAST)
- Manual evidence collection per release
- Control mapping per regulatory framework (SOC2, ISO27001)
- Automated evidence collection (SBOM, signatures, scan results)
- Compliance dashboard showing control coverage
- Compliance tags on stories visible in backlog
- Policy-as-code enforcing all controls automatically
- Immutable audit evidence storage with timestamps
- Continuous compliance monitoring (real-time control status)
- Automated audit report generation (evidence to compliance matrix)
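The last two maturity items, immutable timestamped evidence and an automated evidence-to-compliance-matrix report, can be implemented as one deploy-time step that hashes each generated artifact, records the digests with a timestamp in a single bundle, and derives the audit matrix from that bundle. The example below is added here and is not part of the kit; the artifact file names, the artifact contents and the `CONTROL_EVIDENCE` matrix are constructed, and only the `soc2-cc6.1` and `hipaa-phi` control tags come from the page. The bundle's own digest lets a later reader detect whether the record or any stored artifact changed after it was written.

```python
import hashlib
import json
from datetime import datetime, timezone

# Which evidence artifacts satisfy which control (constructed matrix).
CONTROL_EVIDENCE = {
    "soc2-cc6.1": ["auth-test-report.json"],
    "hipaa-phi": ["sbom.cdx.json", "image.sig", "audit-log-config.yaml"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so the same content always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_evidence_bundle(release: str, artifacts: dict, timestamp: str = None) -> dict:
    """artifacts: artifact name -> bytes produced by the deploy pipeline.
    Returns a record with a per-artifact SHA-256, the control matrix derived from what was
    produced, a UTC timestamp, and a digest over the whole record. Write the returned dict
    unchanged to write-once storage; the digest is what later verification checks against."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    entries = {
        name: {"sha256": sha256_hex(data), "bytes": len(data)}
        for name, data in sorted(artifacts.items())
    }
    matrix = {
        control: {name: name in entries for name in needed}
        for control, needed in CONTROL_EVIDENCE.items()
    }
    body = {"release": release, "generated_at": ts, "artifacts": entries, "control_matrix": matrix}
    return {**body, "digest": sha256_hex(_canonical(body))}


def verify_bundle(bundle: dict, artifacts: dict) -> list:
    """Re-derive the record digest and every artifact digest from stored data.
    Returns a list of problems; an empty list means the evidence is intact."""
    problems = []
    body = {k: v for k, v in bundle.items() if k != "digest"}
    if sha256_hex(_canonical(body)) != bundle["digest"]:
        problems.append("bundle digest mismatch: record was altered after generation")
    for name, meta in bundle["artifacts"].items():
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}: artifact missing from evidence storage")
        elif sha256_hex(data) != meta["sha256"]:
            problems.append(f"{name}: content changed since evidence was generated")
    return problems


def audit_report(bundle: dict) -> dict:
    """Control -> status for an auditor, read straight from the stored bundle."""
    report = {}
    for control, needed in bundle["control_matrix"].items():
        missing = [name for name, present in needed.items() if not present]
        report[control] = "complete" if not missing else "missing: " + ", ".join(missing)
    return report


if __name__ == "__main__":
    # Constructed artifacts for one release; audit-log-config.yaml is deliberately absent.
    produced = {
        "auth-test-report.json": b'{"suite": "auth", "passed": 42, "failed": 0}',
        "sbom.cdx.json": b'{"bomFormat": "CycloneDX", "components": []}',
        "image.sig": b"constructed-signature-bytes",
    }
    bundle = build_evidence_bundle("app-1.4.2", produced)
    print(json.dumps(bundle, indent=2))
    print(audit_report(bundle))
    print("verify:", verify_bundle(bundle, produced))
```

The matrix is computed from what the pipeline actually emitted, not from a checkbox someone ticked, so a control with a missing artifact reads as "missing: …" in the report rather than being silently marked done; and because `verify_bundle` recomputes both the artifact digests and the record digest, a later edit to either the stored SBOM or the record itself is visible at audit time.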
References
Resources
Templates and related materials for this kit.
Related capabilities
Capabilities tracked under this epic in the roadmap.
- Policy-as-Code in Planning: >= 80% of planning templates integrate OPA/Kyverno policies validating security, compliance, cost constraints.
- Automated Threat Modeling: >= 70% of features auto-analyzed for threats using STRIDE templates integrated into planning workflow.
- Automated Compliance Evidence Collection: >= 85% of compliance requirements auto-tracked with evidence artifacts linked to work items (SOC2, HIPAA, PCI).
- Automated Risk-Based Prioritization: >= 75% of backlog items auto-scored for risk (security, technical debt, business impact) informing prioritization.
- Regulatory Change Gates: >= 90% of changes touching regulated systems (PII, PHI, PCI) require automated regulatory checklist approval.
Related kits
Other kits in the same milestone or with similar DORA impact.