There’s a specific kind of compliance theater that anyone who’s worked in enterprise security will recognize. It’s quarterly access review season. A manager opens their inbox, sees 400 certification tasks due by Friday, and starts clicking “Approve” — not because they’ve reviewed anything, but because the deadline is real and the access list is incomprehensible. By Friday afternoon, the IGA platform shows 100% completion. The audit passes.
Nothing about that process made the environment more secure. But it generated artifacts that look like governance.