Does Compliance Work Have a Lifecycle? I Think It Does.

Compliance value isn't fixed. It peaks at trigger events like an IPO, a new regulation, or an M&A deal, then drifts without deliberate leadership. The best audit leaders know the difference between a gate and a habit.



A few days ago, Anne DeTraglia published a thought-provoking piece, "Is My Job Bullshit? Why AI Might Actually Have the Answer," exploring whether certain corporate roles deliver genuine value, and whether AI might help us find out. Her framing draws on anthropologist David Graeber's concept of "bullshit jobs" and lands on an encouraging note: bring your humanity to the work, exercise judgment, lean on relationships, and the work becomes meaningful.

I found it genuinely thought-provoking. And it surfaced a framework I developed early in my career that I've been refining ever since. It tries to answer a related but different question: not whether compliance professionals are valuable, but whether compliance work delivers value, and when.

---

The Framework I Wish I'd Had Earlier

Compliance work has a lifecycle. Its value to an organization isn't fixed. It peaks, plateaus, and sometimes quietly declines depending on where the company is in its journey.

The clearest example is the pre-IPO company. You see it often in high-growth private firms: they hire teams, invest in SOC certifications, stand up SOX processes. Not because they love compliance, but because it stands between them and the capital markets. The IPO is where early investors get rewarded, where growth capital gets unlocked, where years of risk-taking get validated. Compliance at that moment isn't overhead. It's a gate. It may be the most valuable this type of work ever is.

Then the company goes public. The gate opens. And over time, without new pressure to drive toward, the same function that was mission-critical can drift into maintenance mode. Manual processes accumulate. Institutional muscle memory substitutes for genuine risk thinking. The work starts to feel like a burden rather than a value-unlocking exercise, because for that organization at that stage, it sometimes is.

---

A Pyramid, But Not Always the Same One

I've long thought about audit and compliance as a pyramid: Advisory at the top, Assurance in the middle, Compliance at the base. Advisory work, acting as an internal consultant and helping the business identify and unlock untapped value, is where the function can have its highest impact in a mature organization. Assurance sits in the middle, protecting value through objective review. Compliance at the base is necessary, but increasingly commoditized.

But I've since come to think that framing is the *final state* view. It describes a company that's been public for years and has the luxury of evolving its internal audit function toward higher-value work for that stage.

For a pre-IPO company, the pyramid inverts. Compliance sits at the top because it's the bottleneck. The company is already in growth mode. It doesn't need internal audit consulting on strategy. It needs someone to close the SOX gap before the S-1 is filed.

The shape of the pyramid isn't permanent. It reflects where the organization is, and smart audit leaders should be honest about which version they're actually operating in.

---

Trigger Events, Not Just Lifecycle Stage

The shift in value isn't just about lifecycle stage. It's also about specific trigger events that temporarily raise the stakes of compliance and assurance work.

I started my career at MCI WorldCom, where one of the storied frauds of that era took place. My first internal audit role came afterward, in the early years following the passage of Sarbanes-Oxley. Public and private companies of all sizes scrambled to implement SOX controls. Not because the work was exciting, but because a new regulation had changed the stakes overnight. That was a trigger event. The compliance work that followed was genuinely valuable because the environment had shifted and organizations had to catch up.

The same pattern repeats: M&A activity, entry into a new regulated market, a material control failure, a significant regulatory change such as Data Privacy or AI Governance. Each creates a moment where the function has outsized relevance, regardless of how mature the company is. Between those moments, the drift toward checkbox compliance is real and probably inevitable without deliberate leadership choices.

The failure I've seen repeat is this: organizations build a compliance team for one of these inflection points and then never rebuild it for what comes next. The team, the mandate, and the tooling all get frozen in stone. Years later, you have a function optimized for a gate that's already been crossed. The best audit leaders respond to these moments differently. Rather than stacking more controls on top of outdated ones, they raise the maturity of the entire control environment, asking not just whether controls exist but whether they're still the right controls for where the business is today.

---

What About Heavily Regulated Industries?

There's an important carve-out here: industries where the downside of non-compliance isn't a fine or a restatement. It's lives lost, a license revoked, or systemic failure.

Airlines. Nuclear. Pharma. Banking. In these industries, compliance functions more like infrastructure than overhead. It's load-bearing. Remove it, and the business doesn't just incur cost. It ceases to be allowed to operate, or it causes harm that society won't absorb quietly.

A useful test: If this compliance function disappeared for a quarter without anyone noticing, would the business be meaningfully at risk? In a heavily regulated industry, the answer is almost always yes, because the consequences of failure are external, irreversible, and public. In a mature tech company running the same SOC 2 process it stood up six years ago, the honest answer might be more complicated.

That doesn't mean all compliance in regulated industries is equally valuable. An airline's safety compliance is categorically different from its accounts payable controls. The regulated industry multiplier applies to the work that's actually tied to the license-to-operate question, not to everything the compliance team touches.

---

The Real Question Worth Asking

Anne's article ends on an encouraging note for compliance professionals, and I think that's right. The people in these roles are often thoughtful, skilled, and genuinely committed to the work.

But I'd add a harder question alongside it: *Is the work itself load-bearing right now, for this organization, at this stage?* The same function can be genuinely essential and quietly vestigial at different points in time. The leaders who navigate that honestly, who can distinguish between a gate and a habit and who are willing to rebuild the function when the moment calls for it, are the ones who drive lasting value.

AI may eventually surface which processes are structurally necessary versus which ones have outlived their purpose. But most audit and compliance leaders already have a sense of the answer. The question is whether they're willing to act on it.

