As more industries digitize everything from patient records to purchase orders, the dominant mindset around regulatory compliance is getting harder to defend. Treating compliance like a finish line — pass the audit, file the paperwork, move on — no longer holds up to scrutiny. The gap between written requirements and working IT controls is where the real risk lives, and it is where Shannon Noonan, CEO and founder of HiNoon Consulting, has built her career.
“No one wants to spend the money,” Noonan says, explaining why so many organizations default to checkbox compliance. IT controls can feel like a tax on progress, especially when technology is viewed as back-office infrastructure rather than a source of revenue. The premise is outdated. As operations become more electronic and systematic, controls stop being overhead and start becoming the foundation that lets companies scale without accumulating hidden liabilities.
When compliance is treated as overhead, risk becomes the business model
Noonan has spent more than 15 years advising enterprises on governance, risk, and regulatory programs, with deep experience across frameworks such as GDPR, SOC, ISO, and FedRAMP.
“They might be doctor’s offices, they might be dentists, they might be labs, they might be construction,” she says. “Where in any of that is IT compliance a priority? It’s a priority in every essence, but it’s the behind-the-scenes priority.”
That separation between the core business and the systems that now run it is one reason controls get postponed. A clinic that once relied on paper charts is now recording sessions, documenting care on laptops and moving data through multiple vendors. Construction firms still do some work manually, but ordering, processing, and coordination have shifted to email, messaging, and digital workflows. Technology is no longer an accessory to the business; it is embedded in how the business functions.
The problem, Noonan says, is that leaders often treat compliance as something to bolt on later. That is how organizations end up spending twice: once to build quickly, and again to retrofit controls after the fact.
The “duct tape and glue” phase is expensive and avoidable
When compliance is layered on instead of engineered in, teams rush, rework, and introduce gaps that are hard to see until a customer, regulator, or auditor forces the issue. As Noonan puts it, “Duct tape and glue is the most common implementation mistake.”
“If you don’t bake [compliance] into the system, you have to figure out how to put it in after the fact,” she says. “Then you’re usually rushing. You make mistakes. You have to do things twice instead of once.”
This pattern shows up frequently in early-stage companies. Founders start with a strong product idea or land a contract that suddenly comes with stringent requirements. Healthcare, fintech, and government-adjacent work can trigger a rapid escalation in expectations around security, privacy, and audit readiness.
“If you look at organizations, what do they spend the most money on?” Noonan says. “They’ve got to drive revenue.” So budgets flow to sales, engineers, frontline labor, and basic accounting. Compliance isn’t usually staffed early, and many organizations rely on outsourced or fractional support that is not deeply embedded in day-to-day decision-making.
But this supposed trade-off is false. Engineering controls early prevents growth from turning into a cleanup project.
AI: making the compliance gap visible, and the consequences faster
AI has magnified long-standing weaknesses in governance because it increases both speed and exposure. Noonan’s view is not that AI introduces entirely new risks, but that it makes existing ones easier to trigger.
“A lot of organizations are extremely reactive when the bad happens,” she said. “Why am I going to do this if it’s never happened before?”
That reactive posture is dangerous in an environment where employees are already using generative tools as a daily utility. “Everyone’s using it,” Noonan says. “Everyone’s using it to rewrite their emails. Everyone’s using it to help with calculations, create ideas, you name it.”
The question for leadership is not whether AI will show up in workflows, but whether it will be contained and governed. “People are very worried about losing IP… customer information, personal data being leaked,” she said. “And it is being leaked.”
In Noonan’s model, responsible AI starts with operational choices. Companies should decide which tools they will permit, which they will block, and what technical controls enforce those decisions. “If you are preventing people from using ChatGPT then you need to block it from the people in the company using it,” she says, noting that policies without enforcement invite shadow usage.
Just as important is training, with Noonan describing a widening knowledge gap across generations, from older adults targeted by AI-powered scams to children who can navigate technology quickly without understanding what they are accessing. “We’re still in that early phase where people need to be trained,” she said. “Most people have no idea what they’re using or what it is capable of doing or tracking.”
Start with access, then build controls that match how the business actually runs
Access management is a foundational control. “You do not want to give everyone access to the kitchen sink if it’s not part of their everyday role,” says Noonan. Access is also the first line of defense against modern threats. Hackers often gain entry by targeting individuals and prompting them to click malicious links. If those individuals do not have expansive permissions, a breach is less likely to cascade across systems.
Least privilege is a familiar concept, but it becomes difficult in small teams where everyone wears multiple hats. Noonan emphasizes that growth requires a deliberate shift: deciding when to stop defaulting to broad permissions and how to operationalize secure access without breaking velocity.
For example, accounting systems should be limited to the owner and accountant. Engineering teams do not need everyone to be an administrator. IT teams can use tools that grant administrative access temporarily and with oversight, rather than baking permanent privilege into roles.
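The temporary, supervised admin access described above, as an added illustration that is not code from HiNoon Consulting or the article: a minimal just-in-time elevation model in which every grant needs a different approver, carries a reason, is capped by an assumed policy ceiling (`MAX_GRANT`), expires on its own, and is recorded in an audit trail. All names and the two-hour ceiling are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_GRANT = timedelta(hours=2)  # assumed policy ceiling; a real deployment sets its own


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    reason: str
    expires_at: datetime


@dataclass
class JitAccess:
    grants: dict = field(default_factory=dict)  # (user, role) -> live Grant
    audit: list = field(default_factory=list)   # append-only record of every decision

    def request(self, user, role, approver, reason, duration, now):
        """Grant `role` to `user` until now + duration, subject to oversight rules."""
        if approver == user:
            self.audit.append(("denied", user, role, "self-approval"))
            raise PermissionError("approver must not be the requester")
        if duration > MAX_GRANT:
            self.audit.append(("denied", user, role, "duration exceeds policy"))
            raise ValueError(f"duration exceeds {MAX_GRANT}")
        grant = Grant(user, role, approver, reason, now + duration)
        self.grants[(user, role)] = grant
        self.audit.append(("granted", user, role, approver, grant.expires_at.isoformat()))
        return grant

    def is_allowed(self, user, role, now):
        """No standing privilege: access holds only while a live, unexpired grant exists."""
        grant = self.grants.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[(user, role)]  # auto-revoke on expiry
            self.audit.append(("expired", user, role))
            return False
        return True

    def revoke(self, user, role, by):
        """Early revocation, e.g. when the task finishes or an incident starts."""
        if self.grants.pop((user, role), None) is not None:
            self.audit.append(("revoked", user, role, by))
            return True
        return False
```

Because `is_allowed` is evaluated at use time rather than at login, a compromised account holds admin rights only for the remaining window of an approved grant, which is the cascade limit the paragraph describes.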
From there, controls should be aligned to what Noonan calls the organization’s “secret sauce,” the data, processes, and relationships that make it distinct. Protecting everything equally is unrealistic. Protecting what makes the business scalable is strategic.
The advantage of doing it right the first time
Compliance becomes scalable when it is designed as part of how work gets done: who has access, how data moves, what is logged, and what employees are trained to do when technology fails.
“It should be right the first time, period,” she says. Building controls early reduces rework, speeds future certifications, and prevents the scramble that follows a major customer demand or breach.
The organizations best positioned for the next wave of regulation will be the ones that treat governance as a design constraint, not a documentation task, and that translate requirements into systems that can grow without becoming brittle.