March 2, 2026

What Some Contractor Groups Are Using Instead of Consultants

The divide has been forming for a while, but it became clear in the peer group verifications that ran through recent months.

On one side: contractors who went through the standard compliance process. Hired a consultant. Received a documentation package. Signed their attestation. Paid thousands of dollars depending on the scope. Their compliance is a stack of documents produced by someone else, describing an environment that may or may not still match reality.

On the other side: a smaller group that looked at the same problem and came to a different conclusion. They didn't want documentation that described compliance. They wanted systems that enforced compliance. And they found something.

The something isn't a consultant. It's not a different assessment methodology. It's an emerging category of tool that most of the market hasn't encountered, and how widespread or proven these systems are remains unclear. What some groups have started calling locked verification systems.

The concept is this: instead of a consultant producing documentation about what your systems should be doing, the system itself enforces the required controls and generates continuous evidence that the controls are active. The documentation isn't written by a person. It's generated by the system. The compliance posture isn't a claim someone makes. It's a state the system maintains.

The practical difference shows up in what happens after the initial setup. In a consultant model, compliance degrades from the moment the consultant leaves. Drift is inevitable because the controls depend on people following procedures. In a locked verification model, compliance doesn't degrade because the system doesn't allow the controls to be bypassed.

The contractors who found these systems are not broadcasting the discovery. The same silence pattern that applies to contractors who found gaps applies here: if you found a way to solve the problem that your competitors are overpaying for, you don't announce it. You let them keep paying.

What has leaked out through the peer groups is the general observation: the contractors using locked verification systems have different gap rates on re-verification. The pattern looks different from what the consultant model produces, though the data is still limited and the full picture isn't clear yet. The documentation gap that plagues the consultant model largely doesn't exist in the locked model because the documentation and the implementation are the same thing.

The market implication is uncomfortable for the consulting industry. If a contractor can achieve and maintain verifiable compliance through a system rather than through ongoing advisory hours, the consultant's value proposition changes fundamentally. The consultant is no longer selling compliance. They're selling documentation about compliance. And documentation, as the peer groups have discovered, is not the same thing.

This isn't a niche finding. The contractors who've adopted locked verification tend to be the ones who signed their attestation and then realized what that signature meant. Once you understand the liability, the question of whether your compliance is documented or enforced stops being theoretical.

The contractors who found something different aren't describing what they found. They're describing what changed after they found it.