KubeDojo

Compliance Frameworks: SOC 2, PCI-DSS, and HIPAA

by Alexis Kinsella · 17 min read

Your cluster passes every security scan. Pod Security Standards enforced, RBAC locked down, network policies in place. Then an auditor asks: "Show me your SOC 2 evidence for access control." Silence.

Security and compliance are not the same thing. Security is the control. Compliance is proving the control exists, works, and has been working continuously. Kubernetes gives you the primitives for both, but the gap between having controls and demonstrating them to an auditor trips up teams that never had to think about regulatory frameworks before.


KCSA — Kubernetes and Cloud Native Security Associate
