Somewhere around 2015, a wave of well-funded software companies set out to solve compliance. They were founded by engineers, backed by venture capital, and built their products for the customers they knew best: technology startups trying to win enterprise contracts by demonstrating security credentials.
The result was a category of tools - now worth billions - that does one thing exceptionally well. If you are a SaaS company that needs SOC 2 Type II or ISO 27001, there are half a dozen polished platforms that will walk you through every step, automate your evidence collection, and have you audit-ready in 90 days.
These tools are genuinely good. They just solve the wrong problem for most of the economy.
Compliance automation software currently serves roughly 10% of the businesses that need it. The other 90% - manufacturers, food producers, healthcare providers, construction firms - have been left with spreadsheets, consultants, and a collection of disconnected point solutions that do not talk to each other.
What Silicon Valley Compliance Looks Like
The cybersecurity GRC category was built around a specific set of assumptions. The business operates primarily in digital infrastructure. Its main compliance concern is protecting customer data and demonstrating security controls to enterprise buyers. The frameworks it needs - SOC 2, ISO 27001, GDPR - are well-documented, widely understood, and relatively stable.
These assumptions are reasonable for a cloud software company. They describe almost nothing about the compliance reality facing a food manufacturer in Waikato, a construction firm in Christchurch, or a pharmaceutical packager in Melbourne.
For those businesses, compliance is not primarily a digital concern. It is physical. It is operational. It touches the factory floor, the cold chain, the chemical store, the seasonal workforce, the export container, and the supplier audit programme. It spans domains that have nothing to do with each other, except that they all land on the same operations manager's desk at the same time.
The Compliance Reality for Manufacturers and Food Businesses
A mid-size NZ food manufacturer does not manage one compliance framework. It manages somewhere between 12 and 20, spanning at least six separate domains.
Workplace safety means WorkSafe NZ, and potentially ISO 45001. Serious harm incidents carry penalties of up to $600,000 for a company under current NZ legislation. WorkSafe visits do not give advance notice.
Food safety means HACCP as a baseline, plus whatever GFSI-recognised scheme your customers or export markets require. BRC, FSSC 22000, and SQF are the most common. Each has its own audit cycle, evidence requirements, and nonconformance grading system.
Environmental means compliance with the Resource Management Act, regional council consents, and potentially ISO 14001 if you are working toward certification or responding to customer expectations.
Employment law means the Employment Relations Act, the Holidays Act, health and safety obligations under HSWA, and, for businesses employing seasonal workers, additional obligations under the Recognised Seasonal Employer scheme.
Export compliance means MPI requirements, phytosanitary certificates, health attestations, and the specific import standards of every market you sell into. The EU, UK, US, and Japan each have their own requirements, and they are not the same.
Quality management means ISO 9001 if you are supplying into industrial or retail chains that require it, or GMP if you are in food, pharmaceutical, or cosmetic manufacturing.
That is six domains. None of the compliance software built for Silicon Valley touches more than one of them.
The Tools That Exist and What They Miss
The compliance software landscape is not empty. It is fragmented.
Cybersecurity GRC tools like Vanta, Drata, and Sprinto are well-built and well-funded. They cover SOC 2, ISO 27001, GDPR, and related frameworks with genuine depth. They were not designed for, and do not serve, any of the domains above.
EHS platforms like Intelex, Cority, and VelocityEHS cover workplace safety and environmental compliance with reasonable capability. They do not touch food safety, cybersecurity, employment law, or quality management.
Food safety platforms like SafetyChain and FoodDocs handle HACCP and some GFSI schemes. They do not cover workplace safety, employment law, or cybersecurity.
Quality management platforms cover ISO 9001 and related standards. They generally do not extend into safety, environmental, food, or employment domains.
The result for a food manufacturer or industrial business trying to manage compliance properly is a stack of four to six disconnected platforms, each covering one domain, none of them aware of the others. Evidence gets uploaded multiple times. Audit preparation happens in parallel across systems. When frameworks share obligations, and they do share a great deal, nobody captures that overlap. The work gets done twice, or four times, or not at all.
| Platform Category | What It Covers | What It Misses |
|---|---|---|
| Cybersecurity GRC | SOC 2, ISO 27001, GDPR | Safety, environment, food, quality, employment |
| EHS / Safety | Workplace safety, environmental | Cybersecurity, food safety, employment, quality |
| Food safety | HACCP, BRC, FSSC 22000 | Safety, cybersecurity, employment, environmental |
| Quality management | ISO 9001, GMP | Cybersecurity, safety, employment, food safety |
| HR compliance | Employment law basics | All other domains |
No single platform connects them. No platform maps the relationships between them. And no platform tells you that the management review meeting you just ran satisfied Clause 9.3 across ISO 9001, ISO 14001, ISO 45001, and ISO 27001 simultaneously.
Why This Happened
The compliance software industry did not ignore manufacturers and food businesses out of malice. It followed the money and the familiar.
Venture-backed software companies are built in cities, by founders with technology backgrounds, for customers they can reach through the networks they already have. A San Francisco startup selling compliance tools will close its first hundred customers through warm introductions, content marketing, and product-led growth loops. Those customers will be other San Francisco startups.
The result is a category that got very good at a narrow problem. SOC 2 automation is genuinely impressive. The tooling is sophisticated, the integrations are deep, and the customer experience is polished.
Meanwhile, the businesses carrying the heaviest compliance burden, the ones facing WorkSafe audits, BRC inspections, MPI export checks, and customer supply chain questionnaires simultaneously, have been managing with spreadsheets and consultants at $200 to $500 an hour.
Regulatory fines increased 417% in the first half of 2025 compared to the same period in 2024. The average annual cost of non-compliance across penalties, legal fees, and reputational damage is $15 million. The businesses most exposed to that risk are precisely the ones the compliance software industry forgot to build for.
What a Universal Compliance Platform Actually Requires
Solving compliance for manufacturers and food businesses is harder than solving it for technology companies. The regulatory domains are more numerous, the physical evidence requirements are more complex, and the frameworks vary more significantly across jurisdictions.
A platform that genuinely serves these businesses needs to do several things that no existing tool does.
It needs to hold deep knowledge across all six compliance domains, not just one. Safety regulations are structurally different from food safety standards, which are structurally different from employment law. A system that treats them as equivalent is not useful for any of them.
It needs to understand the relationships between those domains. OSHA chemical handling requirements relate to EPA Tier II reporting and ISO 14001 environmental aspects. An employee background check policy satisfies ISO 27001 screening requirements, employment law obligations, and customer contract clauses simultaneously. These connections are not obvious; capturing them requires a cross-domain regulatory knowledge graph, not just a checklist tool.
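As an added illustration of what a cross-domain obligation graph does that a per-framework checklist cannot (example code written for this article, not any vendor's product), the following Python builds a small graph of obligations and the evidence items that satisfy them, then reports coverage per framework and the evidence that counts toward several frameworks at once. Apart from ISO clause 9.3, which the article cites as the shared management review clause across ISO 9001, 14001, 45001 and 27001, every clause identifier and evidence name below is a constructed placeholder.

```python
"""
Cross-domain obligation graph.

Evidence (something the business already does or holds) is linked to every
obligation it satisfies, across frameworks. From those links we derive:
  * per-framework coverage (met vs. missing obligations), and
  * evidence that satisfies obligations in more than one framework, i.e. the
    overlap the article says single-domain tools never capture.

Added example, not taken from any product. Clause identifiers ending in
"-PLACEHOLDER" are constructed; only ISO clause 9.3 comes from the article.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obligation:
    framework: str   # e.g. "ISO 27001", "HACCP", "Employment law"
    ref: str         # clause / control identifier within that framework
    title: str


@dataclass
class ObligationGraph:
    obligations: set = field(default_factory=set)
    # evidence name -> set of obligations that evidence satisfies
    satisfies: dict = field(default_factory=lambda: defaultdict(set))

    def add_obligation(self, ob: Obligation) -> None:
        self.obligations.add(ob)

    def link(self, evidence: str, *obs: Obligation) -> None:
        """Record that one evidence item satisfies each given obligation."""
        for ob in obs:
            if ob not in self.obligations:
                raise ValueError(f"unknown obligation: {ob}")
            self.satisfies[evidence].add(ob)

    def frameworks_for(self, evidence: str) -> list:
        """Frameworks that a single evidence item contributes to."""
        return sorted({ob.framework for ob in self.satisfies.get(evidence, ())})

    def shared_evidence(self) -> dict:
        """Evidence items that satisfy obligations in more than one framework."""
        return {ev: self.frameworks_for(ev)
                for ev in self.satisfies
                if len(self.frameworks_for(ev)) > 1}

    def coverage(self, held_evidence) -> dict:
        """Per framework: obligation refs met by the evidence held, and refs still missing."""
        met = set()
        for ev in held_evidence:
            met |= self.satisfies.get(ev, set())
        report = {}
        for ob in self.obligations:
            entry = report.setdefault(ob.framework, {"met": [], "missing": []})
            entry["met" if ob in met else "missing"].append(ob.ref)
        for entry in report.values():
            entry["met"].sort()
            entry["missing"].sort()
        return report


def build_sample_graph() -> ObligationGraph:
    """Constructed sample: a handful of obligations from six domains."""
    g = ObligationGraph()
    # Management review: the article states clause 9.3 is shared by all four ISO standards.
    mgmt_review = [Obligation(fw, "9.3", "Management review")
                   for fw in ("ISO 9001", "ISO 14001", "ISO 45001", "ISO 27001")]
    screening = Obligation("ISO 27001", "SCREEN-PLACEHOLDER", "Personnel screening")
    pre_emp = Obligation("Employment law", "PRE-EMP-PLACEHOLDER", "Pre-employment checks")
    haccp_plan = Obligation("HACCP", "PLAN-PLACEHOLDER", "Hazard analysis and CCP plan")
    haz_subs = Obligation("WorkSafe NZ", "HAZSUB-PLACEHOLDER", "Hazardous substances inventory")
    env_aspects = Obligation("ISO 14001", "ASPECTS-PLACEHOLDER", "Environmental aspects register")
    for ob in mgmt_review + [screening, pre_emp, haccp_plan, haz_subs, env_aspects]:
        g.add_obligation(ob)

    # One activity, several frameworks: this is the overlap a checklist tool misses.
    g.link("2025 management review minutes", *mgmt_review)
    g.link("Background check policy", screening, pre_emp)
    g.link("Chemical inventory", haz_subs, env_aspects)
    g.link("HACCP plan v7", haccp_plan)
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    held = {"2025 management review minutes", "Chemical inventory"}
    for framework, entry in sorted(graph.coverage(held).items()):
        print(f"{framework:15} met={entry['met']} missing={entry['missing']}")
    print("shared evidence:", graph.shared_evidence())
```

The design point is that evidence, not the framework, is the primary key: an operations manager records the management review once, and `coverage()` credits it to every framework that has a matching obligation, while `shared_evidence()` makes the cross-framework reuse visible instead of leaving it to be rediscovered at each audit.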
It needs to work for operations people, not just compliance specialists. The food safety manager at a 60-person producer is not a GRC professional. They need a system that tells them what they need to do, what evidence they already have, and what is missing, without requiring them to become an expert in every framework they are managing.
And it needs to hold knowledge permanently. One of the most consistent and costly problems we hear from compliance managers is that expertise walks out the door when people leave. A system that captures compliance knowledge in a structured, searchable, transferable form is not a nice-to-have for businesses where the quality manager has been in the role for twelve years and is the only person who knows why certain procedures are the way they are.
The Gap Is Closing
The 90% problem is not a permanent feature of the landscape. It is a market gap that existed because the technology to bridge it - specifically, the AI capability to build and maintain a cross-domain regulatory knowledge graph - was not mature enough to make a universal platform viable until recently.
That is changing. The combination of large language models and semantic reasoning now makes it possible to build a system that understands how HACCP relates to BRC relates to WorkSafe relates to ISO 9001 - and surfaces those relationships automatically, in real time, for the operations manager who does not have time to map them manually.
For the manufacturers, food producers, and industrial businesses that have been patching together spreadsheets and disconnected tools for years, that shift matters. The compliance burden does not have to be as heavy as it currently is. The redundant work is real, but it is not inevitable.
Tools are now catching up.