How can strongly regulated industries such as the financial or healthcare sectors use GitOps to help with compliance and governance in today’s modern development world?

This blog looks back at a critical topic such as compliance and governance which was covered during the inaugural GitOps Days (May 2020) and GitOps EMEA Days (Nov 2020) events.

Michael Hausenblas (Product Developer Advocate at AWS), delivered a talk on “Everything C-levels want to know about Regulatory Compliance with GitOps,” which explores how GitOps makes all changes observable, verifiable, and auditable. These capabilities make GitOps essential to manage compliance.

Taking a monolith stack and splitting it into a containerized microservices setup gives you certain advantages such as:

  • enhanced developer velocity
  • faster shipping of new features
  • bug fixes in production
  • leveraging multiple programming languages & data stores
  • partial “high availability”

But there are often many external regulatory compliance issues that arise such as, but not limited to:

  • NIST SP 800-190 - special publication around containerized application security
  • PCI Security & Compliance - Payment Card Industry Security Standards
  • PII - Personally Identifiable Information
  • GDPR - European data protection & privacy regulations


Michael suggests building policy validation into your supply chain using GitOps for automation:

  1. Start with your IDEs: It’s prudent to have a plugin here that supports validating or verifying policies
  2. Make it part of the repository & CI pipeline with bots or agents that watch certain events and then react
  3. Make it part of the runtime (Kubernetes)
“If you can automate it, do automate it - because humans are not necessarily good at certain things and bots/agents are!” – Michael Hausenblas, AWS

In summary, if you’re an architect, C-Level, senior or principal engineer and are in a highly regulated industry (financial, healthcare, etc.) you should be considering implementing GitOps.


Essential benefits for compliance include:

  • Git is the single source of truth
  • Agents automate state convergence
  • Enables high velocity and safe deploys
  • Captures who requested/approved change
  • Auditing across the supply chain possible

View the full presentation

For more talks, check out the GitOps + Compliance & Governance Playlist.

To learn more about how to move the needle with GitOps in your organization, check out the GitOps Conversation Kit.