Compliance isn’t dead—but the checkbox era is.
The “Run GRC” session block at Prodacity 2025 brought clarity, candor, and even a little swagger to one of the most misunderstood topics in digital transformation: governance, risk, and compliance. What has historically been overhead was reframed here as strategic infrastructure—something that, when done correctly, accelerates delivery and deepens trust.
With sharp takes from Andrés Vega, Donnie Hasseltine, and a no-fluff panel of cyber leaders—Chris Hughes, Mackenzie Wartenberger, Will Kline, and Brian Panarello—this session made one thing clear: you can’t deliver real transformation without real risk management.
1. Security Theater Is Dead. Run-Time Assurance Is the Standard.
“If your controls are only happening at ATO time, they’re already obsolete.” – Andrés Vega
Andrés Vega brought the technical firepower and broke down the failure of static compliance. When risk is assessed annually, or even quarterly, security controls aren’t protecting anything. Real assurance happens in real time.
Vega’s key insight: treat security controls like product features. They need:
- Fast feedback loops
- Shared ownership across dev, ops, and security
- Continuous validation in production environments
He also called out a critical shift: modern governance must decouple from monolithic ATO processes and move toward composable, contextual controls.
What federal teams can do:
- Build security into CI/CD pipelines, not just documentation workflows
- Shift from detective controls to preventative architecture
- Treat compliance as code, not ceremony
2. Trust Is a System, Not a Slogan
“Risk isn’t the enemy. It’s what makes innovation possible.” – Donnie Hasseltine
Donnie Hasseltine reframed risk not as something to be eliminated, but as something to be understood, shared, and managed in motion. Drawing on national security experience and startup grit, he made a clear case: we’ve confused “security” with “safety,” and in doing so, we’ve stripped teams of trust.
His advice was pragmatic and precise:
- Build minimum viable security for experimentation instead of exhaustive controls for systems that don’t yet exist
- Define risk tolerance upfront, and let teams operate within it
- Empower teams with the tools to escalate when they’re approaching a boundary
“You can’t tell teams to move fast and then punish them for crossing invisible lines.”
3. The New CISO Is a Systems Thinker, Not a Gatekeeper
“You can’t build a DevSecOps culture when security shows up at the end.” – Chris Hughes
The panel session pulled no punches. Chris Hughes and Mackenzie Wartenberger were especially blunt: security isn’t working when it’s bolted on. It needs to be designed in, with real-time observability, actionable thresholds, and platform-level capabilities that reduce toil.
The modern CISO, they argued, should be:
- A partner in delivery, not a blocker
- Fluent in architecture and developer workflows
- Capable of operationalizing policy into platforms
Brian Panarello added that shifting left doesn’t mean shifting all responsibility to developers—it means designing better interfaces between mission, engineering, and risk.
Key takeaways from the panel:
- GRC should be self-service, not static
- Policy must be expressible in code
- Platform engineering and security must grow up together
4. Compliance That Moves at the Speed of Dev
The biggest unifying idea across all three talks? GRC must evolve from static snapshots to dynamic systems. The days of extensive, manual checklists and post-hoc audits are gone. In their place: automated evidence generation, modular control libraries, and compliance-as-code patterns.
What it takes:
- Embedded telemetry across environments
- Policy engines that evaluate compliance in real time
- Collaboration between product, compliance, and operations from Day One
“We can’t keep shipping software every day and only evaluating compliance every six months.” – Will Kline
In short: Run GRC isn’t about checking boxes. It’s about building resilience, trust, and speed into the system itself.
TL;DR: What This Means for Federal Agencies
- Stop measuring compliance in documents. Measure it in delivery pipelines.
- Define and share risk tolerance upfront—it’s the only way to move fast with trust.
- Evolve security into a product function, not a gatekeeping organization
- Make compliance observable, automated, and developer-aligned.
About the Prodacity 2025 Blog Series
This blog is part of the Prodacity 2025 Blog Series, capturing insights from the conference’s most impactful voices. This post highlights the “Run GRC” session block featuring Andrés Vega, Donnie Hasseltine, and a panel with Chris Hughes, Mackenzie Wartenberger, Will Kline, and Brian Panarello.
Security isn’t a blocker to innovation—it’s the system that makes it possible. Let’s build it that way.
