Automating Governance & Compliance in the Software Supply Chain
Stop trading velocity for compliance. You can have both.
For most financial institutions, "Audit Season" means weeks of manual screenshot gathering, halted deployments, and friction between Engineering and Risk.
It doesn't have to be this way. Join George Kichukov (GitLab) and Michael Long (Kosli) to define the new industry standard for "Controls as Code." Learn how to map your internal policies to a unified framework that satisfies regulators and standards bodies (OSFI, NIST) while letting your developers deploy continuously.
Workshop Description
In regulated industries, delivering software quickly and securely is a constant balancing act between enterprise policies and developer experience. Compliance requirements introduce friction, making automation and security more complex.
In this workshop, we will introduce the Open SDLC Controls Framework working group and have an interactive discussion on industry challenges, common regulatory requirements for software delivery controls and strategies for success.
Last year we established a working group to create a standardized framework for software delivery governance that could transform how financial institutions define their SDLCs.
Building on the success of the Common Cloud Controls and the AI Governance Framework, this initiative aims to develop a shared, composable, and technology-agnostic vocabulary for SDLC controls—a common language that the entire industry can adopt and build upon.
Who Should Apply?
This session is designed to bring the "Three Lines of Defense" together in one room:
- DevOps & Platform Architects: Who are tired of building custom compliance hacks for every pipeline.
- Internal Audit (Tech) Leads: Who want to move from "Sampling" to "Continuous Monitoring."
- Risk & Compliance Officers: Who need to map SDLC controls to specific regulations (OSFI B-13, DORA, SSDF).
- Engineering Managers: Who want to reduce the "Audit Tax" on their team's time.
What You Will Walk Away With:
- A Shared Vocabulary: How to define "Segregation of Duties" or "Code Review" in a way that both Auditors and Git pipelines understand.
- Automated Evidence Strategy: Practical approaches to replacing manual evidence collection with cryptographic attestation.
- Regulatory Mapping: Insights into how the Open SDLC Framework aligns with upcoming regulatory shifts in Canada and globally.
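The "Shared Vocabulary" and "Automated Evidence Strategy" outcomes above describe an approach rather than code. The following is an added illustration of that approach, written for this page; it is not code from the Open SDLC Controls Framework, GitLab or Kosli. It encodes two controls (a hypothetical "CR-1" code-review rule and "SoD-1" segregation-of-duties rule) as functions, evaluates them over a constructed merge-request record, and wraps the result in a tamper-evident evidence record. The record shape, control IDs and the HMAC key are assumptions made for the example; a production pipeline would sign with a key held in a KMS or HSM and would typically use an asymmetric signature rather than a shared-key MAC.

```python
"""Controls-as-code sketch: evaluate two SDLC controls over a merge-request
record and emit a tamper-evident evidence record.

Added example for illustration only; not code from the Open SDLC Controls
Framework, GitLab or Kosli. Control IDs, field names, the sample record and
the signing key are all constructed assumptions.
"""
import hashlib
import hmac
import json

# Constructed sample merge-request record (the field layout is an assumption).
SAMPLE_MR = {
    "repo": "payments/ledger",
    "mr_id": 4242,
    "author": "alice",
    "commits": ["a1b2c3", "d4e5f6"],
    "approvals": ["bob"],
    "merged_by": "bob",
    "required_approvals": 1,
}

# Hypothetical shared key for the demo; real evidence would be signed with a
# key held in a KMS/HSM, ideally with an asymmetric algorithm.
EVIDENCE_KEY = b"constructed-demo-key-do-not-use"


def control_code_review(mr: dict) -> tuple[bool, str]:
    """CR-1 (hypothetical ID): at least N approvals, none of them by the author."""
    approvers = [a for a in mr["approvals"] if a != mr["author"]]
    ok = len(approvers) >= mr["required_approvals"]
    return ok, f"{len(approvers)} non-author approvals, {mr['required_approvals']} required"


def control_segregation_of_duties(mr: dict) -> tuple[bool, str]:
    """SoD-1 (hypothetical ID): the author may neither approve nor merge their own change."""
    self_approved = mr["author"] in mr["approvals"]
    self_merged = mr["merged_by"] == mr["author"]
    ok = not (self_approved or self_merged)
    return ok, f"self_approved={self_approved}, self_merged={self_merged}"


# The control catalogue: one ID, one executable definition that both an
# auditor and a pipeline can read.
CONTROLS = {
    "CR-1": control_code_review,
    "SoD-1": control_segregation_of_duties,
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical evidence always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def evaluate(mr: dict) -> dict:
    """Run every control and bind the results to a hash of the input record."""
    results = {}
    for cid, fn in CONTROLS.items():
        passed, detail = fn(mr)
        results[cid] = {"passed": passed, "detail": detail}
    return {
        "subject": {
            "repo": mr["repo"],
            "mr_id": mr["mr_id"],
            "record_sha256": hashlib.sha256(canonical(mr)).hexdigest(),
        },
        "results": results,
        "all_passed": all(r["passed"] for r in results.values()),
    }


def attest(evidence: dict, key: bytes = EVIDENCE_KEY) -> dict:
    """Wrap the evidence with an HMAC-SHA256 tag so later edits are detectable."""
    tag = hmac.new(key, canonical(evidence), hashlib.sha256).hexdigest()
    return {"evidence": evidence, "mac": tag}


def verify(attestation: dict, key: bytes = EVIDENCE_KEY) -> bool:
    """Recompute the tag over the stored evidence and compare in constant time."""
    expected = hmac.new(key, canonical(attestation["evidence"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["mac"])


if __name__ == "__main__":
    att = attest(evaluate(SAMPLE_MR))
    print(json.dumps(att, indent=2))
    # Edit the stored evidence after the fact and show that verification fails.
    tampered = json.loads(json.dumps(att))
    tampered["evidence"]["results"]["SoD-1"]["passed"] = True
    print("original verifies:", verify(att), "| tampered verifies:", verify(tampered))
```

The point of the example is the separation it makes: the control definitions are the vocabulary both audit and engineering agree on, `evaluate` is what the pipeline runs on every change, and `attest`/`verify` replace the screenshot with a record an auditor can check mechanically. Swapping the HMAC for a signature from a pipeline-held key (and storing the attestation outside the repository it describes) is the step that turns this into evidence an auditor can trust without trusting the pipeline operator.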
Prerequisites
- Laptop: Required. You will use it to review the framework documentation during the session.
- Domain Knowledge: Familiarity with CI/CD concepts or IT Risk Management frameworks (NIST/ISO) is helpful.
Logistics & Application
- Date: Monday, April 13, 2026
- Time: 1:00 PM – 5:00 PM ET
- Location: Toronto Financial District (Venue details provided upon acceptance)
- Cost: Free for approved applicants (Standard Value: $500)
Note: Due to the hands-on nature of this session, seating is strictly limited to 40 participants. Priority will be given to individuals from FINOS Member financial institutions and regulated industries.
