This page isn't for the companies that have learned to profit from regulations they don't have to follow. It's for the ones trying to win by actually being faster, better, and harder to replicate.
Innovation speed in regulated industries isn't about choosing between compliance and agility. The companies moving fastest aren't trading one for the other. They've stopped treating compliance as a layer on top of operations and started treating it as an engineering problem—asking what risk each requirement exists to prevent, then building systems that prevent it faster and more reliably than any framework would. Compliance becomes invisible because it's structural. Speed becomes possible because the overhead is gone.
There are companies in regulated industries that have learned to extract value from the regulations themselves—from ambiguity, from complexity, from the gap between what the contract says and what anyone actually has to deliver. They've optimized for the system as it exists.
And then there are the companies that are winning right now by doing something different. They're not gaming the system. They're outrunning it. They're moving faster, building better, and making the incumbents look like they're standing still—because they are.
This page is written for the insurgents—the ones who want to win on merit, on speed, on capability. If you're optimizing the other posture, there are plenty of consultants who can help you do that. This isn't that conversation.
Every compliance requirement exists because something went wrong somewhere. A system failed. People were harmed. A risk that wasn't managed produced a consequence that couldn't be ignored. The regulation is the institutional memory of that event—a codified answer to the question: what do we need to prevent this from happening again?
Most organizations never ask that question. They read the requirement, add a checkpoint, assign someone to own it, and move on. The checkpoint costs time and creates and artifact. The artifact has to be managed. The ownership costs headcount. The audit looks at artifacts divorced from the value and costs more time. And the risk the requirement was designed to prevent? Still there—because a checkbox isn't a prevention system.
I solved the agile-CMMI rift in 2001 by asking a different question. Not "how do we map agile practices to CMMI requirements?" But: "what risk does each requirement exist to prevent—and are your agile practices already preventing it?" That question changes everything.
When you ask what the requirement is actually trying to prevent, you stop treating compliance as a layer and start treating it as a design constraint. You build the prevention in. The documentation is how you institutionalize lean value creation. The work becomes evidence of something real, not proof of a process nobody believes in. The audit becomes a confirmation, a learning event, not a performance.
And the speed comes back—not because you cut corners, but because you eliminated the overhead—the Compounding Strategic Drag—that was never preventing anything in the first place.
Most regulated companies trying to move faster are focused on time—staff hours, due dates, Gantt charts, schedule compression. They treat speed as a resource allocation problem. It isn't. It's a friction problem.
Time is fixed. Every organization gets the same 24 hours. What separates fast organizations from slow ones isn't how they allocate time—it's how much of their time is consumed by friction: delay, rework, waiting, manual work, context switching, decisions made at the wrong level, information that lives in someone's head instead of the system.
Friction is the enemy. Not regulations. Not complexity. Not the pace of the acquisition system. Those are real—but they're constraints, not causes. The friction that's actually slowing you down was created inside your own operation, by the same decisions that created your Compounding Strategic Drag.
Eliminate the friction, and you move faster inside whatever regulatory envelope you're operating in. Build your operation to run as fast as it can—with psychological safety, automation, decisions pushed to those doing the work, transparency and shared accountability—and compliance becomes a byproduct of how you operate, not a tax you pay on top of it.
Product companies in aerospace and defense manufacturing, software, medical devices, and related regulated industries—typically founder-run or CEO-led, $5M to $500M—who are trying to compete on capability, not on incumbency.
The companies that win in regulated industries are not the most compliant. They're the ones where compliance is invisible—woven into how the company operates, not layered on top of it as an additional cost of doing business.
In 2001 Hillel Glazer published the first peer-reviewed work on reconciling agile with CMM in CrossTalk, the Journal of Defense Software Engineering—years before the industry broadly recognized the question existed.
The SEI white paper "CMMI or Agile: Why Not Both!?" came in 2008. It provided institutional legitimacy to what practitioners had already established. It confirmed the direction. It didn't originate it.
The book High Performance Operations: Leverage Compliance to Lower Costs, Increase Profits, and Gain Competitive Advantage (FT Press, 2011) laid out the full argument: compliance, properly integrated, is not a cost center. It's a competitive lever. The companies paying twice—once to do the work, again to prove they did it—are the ones who never asked what the requirement was actually trying to prevent.
Fill out a short intake before we talk. The questions are direct. Your answers tell me whether I can actually help—and where the friction is coming from.
Start HereNo sales call. No deck. A conversation about whether and how to proceed.