Compliance as a Delivery Concern
The traditional model is broken: teams build features for months, then scramble to satisfy compliance requirements before release. I have watched this pattern destroy timelines, burn out engineers, and produce compliance artifacts that are technically accurate but practically useless.
The Integration Approach
I treat compliance requirements the same way I treat functional requirements. They go into the backlog, get estimated, get prioritized, and get delivered incrementally. An audit requirement is a user story. A data retention policy is a technical spike. A penetration test is a sprint deliverable.
How This Works in Practice
At the start of every program, I map regulatory requirements to delivery milestones. If we are building a feature that handles personal data, GDPR compliance tasks appear in the same sprint as the feature development. Not three sprints later. Not during a "compliance hardening" phase that never has enough time allocated.
Sprint planning includes compliance stories. Every sprint has capacity reserved for compliance work. I typically allocate 15-20% of sprint capacity to governance and compliance tasks. Teams push back initially, but they stop pushing back after the first release goes smoothly through audit.
Definition of done includes compliance criteria. A feature is not done when it works. It is done when it works, is tested, is documented, and satisfies the applicable compliance requirements. This means the compliance review happens during sprint review, not during a separate governance meeting weeks later.
Auditors get invited to demos. I bring compliance stakeholders into sprint demos quarterly. They see progress incrementally rather than being confronted with a massive review package at the end. This builds trust and catches issues early.
The Result
Teams that integrate compliance into delivery move faster, not slower. They avoid the late-stage scramble. They build confidence with auditors. And they ship with fewer surprises. Compliance is not the enemy of agility. Bad planning is.