Operating GRC at AI Speed · Episode 6
May 25, 2026
Choose compliance certifications from your sales pipeline, not the framework
Every security leader has seen the same slide: a maturity ladder with SOC 2, ISO 27001, PCI, FedRAMP, and half a dozen acronyms arranged in a sensible-looking order. Consultants sell the ladder. Frameworks imply it. Your board may already have a version pinned to a quarterly goal.
The ladder is not wrong. It is just misaligned with how revenue actually arrives at an AI-native company selling into enterprise.
When three active deals name PCI in the security review, a generic ISO timeline does not help you close Q3. When every financial-services prospect asks for SOC 2 Type II evidence and your Type I report is six months old, “we’ll get to it next year” is a forecast problem, not a compliance problem. Certification sequencing should follow customer pull, not framework gravity.
Pipeline-driven vs. calendar-driven sequencing
Calendar-driven sequencing picks the next cert because it is the “logical” next step, because a peer company did it, or because an advisor said so. The output is a tidy roadmap that may have nothing to do with deals in flight.
Pipeline-driven sequencing asks a different question: which attestation, if we finished it in the next two quarters, unblocks the most revenue we can name?
| Approach | Primary input | Typical failure mode |
|---|---|---|
| Calendar-driven | Framework maturity, peer benchmarks | Cert finishes; no deal was waiting for it |
| Pipeline-driven | Named prospects, segment patterns, lost-deal reasons | Cert choice feels “messy” but maps to ARR |
Messy is fine if it is honest. Enterprise buyers rarely care that your roadmap is elegant.
How to read your pipeline as a cert queue
You do not need a perfect CRM export. You need repeatable asks from deals that matter.
1. Tag every security review outcome
For each enterprise opportunity in the last two quarters, note what blocked or slowed the review: missing SOC 2 Type II, PCI scope questions, ISO certificate, AI-specific questionnaire gaps, subprocessors, data residency, or something else. Lost deals count. Stalled deals count twice.
2. Weight by revenue and repeatability
One bespoke ask from a single small logo is noise. The same ask from three logos in the same segment is a signal. Weight by deal size and by how often the ask reappears in your segment—not by how scary the framework sounds in a board deck.
3. Map cost of delay
For the top two asks, estimate revenue exposure: the pipeline value waiting on that attestation, plus the reputational cost if your largest customer renews while you are still “in progress.” That number is your prioritization budget. It often makes the case for PCI ahead of ISO, or for SOC 2 Type II ahead of everything else, obvious in a way framework checklists never will.
4. Pick one primary cert for the next two quarters
Not three. One primary attestation with a named finish line, plus maintenance on what you already have. Parallel cert programs are how mid-stage teams burn security capacity without finishing anything buyers can cite.
A pattern I see in AI-native enterprise sales
Financial services and healthcare segments often pull PCI or PCI-adjacent controls earlier than generic SaaS playbooks suggest, especially when customer data, payment flows, or strict subprocessor requirements show up in diligence, even if you are not “a payments company.”
Meanwhile, SOC 2 Type II remains the default table stakes for horizontal enterprise SaaS, but the Type I → Type II gap is where many AI companies stall: strong on product security, weak on sustained evidence over the observation window.
ISO 27001 still matters for global logos and RFP language, but it is often second or third in the queue unless EMEA revenue is already material.
The point is not to rank frameworks in the abstract. It is to notice which document your active buyers keep asking for and treat that as the next program.
What to say internally and externally
Internally, frame the choice in revenue terms: “We are pursuing PCI because $X in named pipeline requires it by Q3,” not “PCI is best practice.” That keeps engineering and GRC aligned when scope decisions get hard.
Externally, be precise about status. “In progress” without a date erodes trust faster than “not in scope yet, here is what we do instead.” Enterprise buyers have seen enough roadmap slides to know the difference.
Closing the loop with everything else in this series
Certification choice is not separate from the rest of your GRC operating model. Vendor contracts show you what the market already expects. Redlines tell you whether your program reads as mature on paper. Policy–control loops determine whether the attestation you finish is backed by evidence that survives an auditor interview—not just a report cover page.
Pick the cert your pipeline is already asking for. Finish it. Then let the next deal tell you what comes after.