
As cloud adoption accelerates, the way organizations approach governance, risk, and compliance (GRC) must evolve. In a recent fireside session hosted by Rewind and Technology Advice, industry experts from Amazon Web Services (AWS), Adaptavist, and Rewind discussed how compliance strategies can be reimagined to build resilient, audit-ready cloud environments. This article distills their insights from the webinar on integrating compliance into workflows, the key controls for cloud and SaaS environments, and the cultural shifts needed to sustain a cross-functional compliance program.
James Ciesielski, Co-Founder and Entrepreneur in Residence at Rewind, opened the discussion by highlighting a common misconception: many businesses view compliance as a checkbox exercise—a finite game with the sole goal of passing audits. This mindset, he argues, is flawed.
“Compliance is often seen as a necessary evil, something to get through just to achieve a successful audit outcome. But that’s the wrong way to think about it.”
Instead, James advocates for an infinite mindset, where compliance is seen as an ongoing journey of continuous improvement that strengthens organizational resilience and builds customer trust over time. This shift is critical in an era where the cloud and SaaS tools are central to business operations and where the regulatory landscape is rapidly evolving.
One of the first questions tackled was what it looks like when compliance is baked into systems from the start, rather than being an afterthought. James shared a customer story involving a large “Internet of Things” company exploring cloud migration. They recognized a significant risk: the SaaS tools they relied on lacked a backup strategy, leaving them vulnerable to data loss.
This example underscores the importance of integrating compliance controls like backup and recovery directly into cloud operations. Dan MacKay, Principal Compliance Specialist at AWS, echoed this by emphasizing the value of automation and repeatable patterns in deploying controls:
“When customers automate controls and deploy them consistently, they gain the confidence to innovate quickly while staying within risk guardrails.”
Dan also noted the “go slow to go fast” approach, especially relevant with emerging technologies like generative AI. Organizations must balance risk assessment with enabling builders to move rapidly but safely, supported by strong governance and automated compliance processes.
When asked about the essential controls organizations should prioritize, James highlighted several foundational elements:
Dan added that while controls are important, organizations should avoid getting lost in the minutiae. Instead, he recommends working backwards from the specific risks and threats relevant to the organization's context. This principles-based approach aligns well with many regulations and frameworks, which define required outcomes rather than prescribing specific controls.
“Focus on implementing best practices rather than chasing one single standard. This is your best defense against big audit or regulatory findings.”
He also emphasized the evolving nature of evidence collection for audits:
“Today we have full visibility into controls and actions in cloud environments. The focus shifts from proving controls were always working to showing how exceptions were promptly detected and corrected.”
Matt Doar, Head Toolsmith at Adaptavist, brought a vital perspective on the human factor. He stressed that compliance starts with the people managing and using systems:
Matt’s advice underscores that even the best technical controls will fall short without a strong compliance culture.
Throughout the discussion, several universal principles emerged that organizations should embrace to build effective GRC programs in the cloud:
James summarized this well:
“Automate the simple, repetitive parts of compliance so your team can focus on the areas with the highest risks and opportunities for improvement.”
This approach promotes continuous improvement and makes scaling compliance more manageable.
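The points Dan and James make above (deploy a control as a repeatable, automated check; treat evidence as a record of how exceptions were detected and corrected; automate the routine checks) can be shown as code. The following is an added example, not code from the webinar, from Rewind, or from AWS: a hypothetical continuous control check that every in-scope SaaS or cloud resource has a recent backup, with each failure tracked as a finding that carries its detection and remediation timestamps. The inventory, the 24-hour backup threshold and the 4-hour remediation SLA are constructed for the demonstration and stand in for whatever policy values an organization actually sets.

```python
"""Hypothetical continuous control check: every in-scope resource must have a
recent backup. Each exception becomes a Finding with detection and remediation
timestamps, which is the evidence an auditor asks for. Added example; the
inventory and thresholds below are constructed, not real customer data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_BACKUP_AGE = timedelta(hours=24)   # control threshold (assumed policy value)
REMEDIATION_SLA = timedelta(hours=4)   # how fast an exception must be fixed (assumed)


@dataclass
class Resource:
    name: str
    backup_enabled: bool
    last_backup: Optional[datetime]    # None means no backup has ever completed


@dataclass
class Finding:
    resource: str
    reason: str
    detected_at: datetime
    remediated_at: Optional[datetime] = None

    def within_sla(self) -> bool:
        """True only if the exception was closed inside the remediation SLA."""
        return (self.remediated_at is not None
                and self.remediated_at - self.detected_at <= REMEDIATION_SLA)


def evaluate_backup_control(resources: List[Resource], now: datetime) -> List[Finding]:
    """Return one Finding per resource that fails the backup control at `now`."""
    findings: List[Finding] = []
    for r in resources:
        if not r.backup_enabled:
            findings.append(Finding(r.name, "backups disabled", now))
        elif r.last_backup is None:
            findings.append(Finding(r.name, "no backup has ever completed", now))
        elif now - r.last_backup > MAX_BACKUP_AGE:
            age_h = (now - r.last_backup) / timedelta(hours=1)
            findings.append(Finding(r.name, f"last backup {age_h:.0f}h old", now))
    return findings


def evidence_summary(findings: List[Finding]) -> dict:
    """Roll findings up into the figures an audit evidence record needs."""
    closed = [f for f in findings if f.remediated_at is not None]
    return {
        "exceptions": len(findings),
        "remediated": len(closed),
        "remediated_within_sla": sum(f.within_sla() for f in closed),
        "open": [f.resource for f in findings if f.remediated_at is None],
    }


# Constructed inventory for the demonstration (hypothetical resource names).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Resource("crm-tenant", True, NOW - timedelta(hours=3)),      # compliant
    Resource("issue-tracker", True, NOW - timedelta(hours=30)),  # stale backup
    Resource("wiki", False, None),                               # backups off
    Resource("ci-config-repo", True, None),                      # never backed up
]


def run_demo() -> dict:
    """Evaluate the control once, then record simulated remediation outcomes."""
    findings = evaluate_backup_control(INVENTORY, NOW)
    # Simulated remediation: one closed inside the SLA, one outside, one still open.
    for f in findings:
        if f.resource == "issue-tracker":
            f.remediated_at = NOW + timedelta(hours=1)
        elif f.resource == "wiki":
            f.remediated_at = NOW + timedelta(hours=9)
    return evidence_summary(findings)


if __name__ == "__main__":
    print(run_demo())
```

Run on a schedule, the evaluation produces the detection record; the remediation timestamp is filled in by whatever fixes the exception. The summary then answers the auditor's question in Dan's framing: not "was the control always green?" but "how many exceptions occurred, and how quickly were they found and closed?"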
Dan warned against viewing compliance as solely an IT issue:
“If you just list technical controls without explaining how risks are managed across the organization, you won’t satisfy auditors or regulators.”
He gave an example of disaster recovery planning where IT might handle technical failover, but business continuity teams must also have plans for longer outages. Compliance requires coordination across people, processes, and technology.
Matt raised an often-neglected topic: how organizations dispose of data.
James and Dan agreed that this is an area where customers often assume that SaaS providers handle deletion automatically, but ultimately, it is the customer’s responsibility to instruct and verify data deletion.
With generative AI rapidly entering enterprise workflows, the panel addressed how teams can adopt AI without compromising compliance.
James cautioned that many organizations may not yet be thinking critically about AI risks and controls, emphasizing privacy considerations first:
Dan added that regulated industries sometimes overreact with excessive caution, which can stifle innovation. He encouraged a balanced approach:
“Test, test, test—not just before deployment, but continuously monitor AI outputs to ensure they operate within defined parameters.”
He reminded listeners that the fundamentals of security and compliance still apply to AI applications, layered with additional controls for AI-specific risks.
The panel also shared common blind spots teams should be aware of:
How do you know your compliance program truly works? The panel’s consensus was clear:
Dan emphasized that cloud environments offer unprecedented visibility and automation, making it easier than ever to prove compliance in real time.
Rethinking GRC in the cloud is not just about meeting regulatory requirements — it’s about leveraging compliance as a foundation for operational strength, resilience, and innovation. As James Ciesielski put it, adopting an infinite mindset on compliance, automating your routine, and focusing on risk enables organizations to build systems that are not only secure and audit-ready, but also agile and customer-trusted.
Dan MacKay’s insights remind us that compliance is a holistic organizational effort, requiring collaboration across IT, security, business continuity, and executive leadership. Similarly, Matt Doar’s focus on people and change management underscores the human element critical to sustainable success.
If you’re ready to rethink your GRC strategy and build true data resiliency in the cloud, start by embedding compliance into your workflows, automating controls, continuously testing your plans, and fostering a culture of shared responsibility.
To learn more about safeguarding the critical data your organization relies on, watch the full webinar recording and learn more about how Rewind can help.