A Q&A with Jimmy Conner, Principal Customer Advocate at CIQ Compliance doesn’t have to be painful. In this Q&A, we explore how Ascender Pro transforms compliance from a time-consuming burden into an automatic byproduct of your infrastructure automation.

The Compliance Problem

Q: What makes manual compliance tracking so problematic?

A: There are three major issues: Time cost: Industry research shows technical teams spend 20-30% of their time on compliance activities. That’s one or two full days per week that could be spent on innovation, improvement, or addressing technical debt. Risk: Manual processes are inherently error-prone. You miss a system, you have an outdated spreadsheet, you mistype a command and suddenly you’ve got a compliance gap that auditors will find and regulators will penalize. Stress: There’s this constant baseline anxiety of “Are we compliant?” And when audit season arrives, that stress intensifies dramatically. It affects team morale and retention.

Q: Why can’t traditional approaches keep up with modern compliance requirements?

A: The traditional approaches simply don't scale: running scripts, manually aggregating data, maintaining static documentation. It also doesn’t provide the real-time visibility that modern compliance frameworks demand. Regulatory requirements are increasing, infrastructure is growing more complex, and auditors expect more detailed evidence than ever before. Meanwhile, technical teams aren’t getting any bigger. Something has to give.

The Ascender Pro Solution

Q: How does Ascender Pro approach compliance differently?

A: The fundamental insight is this: If you’re already using automation to manage your infrastructure, you’re generating a complete audit trail of every change to every system. You just need to capture and present that data effectively. That’s what Ascender Pro does. It automatically captures every piece of automation that runs across your infrastructure—no special configuration required, no additional playbooks, zero setup. Whether it’s patching servers, deploying configurations, or checking system states, every time automation runs Ascender Pro automatically captures:

• What changed
• When it changed
• Who initiated the change
• Which systems were affected
• Whether it succeeded or failed
• The exact before-and-after state

Q: How does it work so easily?

A: The key is that automation systems like Ansible already track what they’re doing and it is core to how they work. Every task reports back whether it made a change, what the change was, and whether it succeeded. Most organizations were just throwing those logs away or storing them in a hard-to-use format. Ascender Pro structures that data and makes it incredibly easy to search, filter, and report on.

Q: Can you give me a concrete example of what information you can pull out?

A: Sure. Let’s say an auditor asks, “Show me all configuration changes to production web servers in Q3.” With traditional approaches, you’d be digging through logs, grepping for specific hosts, trying to piece together a timeline. With Ascender Pro, you:

• Filter by host
• Set set the start and end dates to align to Q3
• Get instant results
• You see a list of every change, with timestamps, who made it, what was modified, and visual diffs showing exactly what changed in configuration files.

Q: Visual diffs? Tell me more about that.

A: Instead of just seeing “nginx.conf changed,” you see the actual lines that were added, removed, or modified. It’s standard diff format: red for removed lines, green for added lines. This is incredibly useful for understanding the impact of changes and demonstrating compliance with change control policies.

Q: What other types of queries can it handle?

A: The filtering is extremely flexible. Here are some examples:

• “Which systems don’t have the latest security patch?” Search by package name, see which hosts are missing it.
• “Show me all failed automation runs in the last month.” Filter by status, get the complete list with error details.
• “Did any systems change outside our approved maintenance windows?” Filter by date and time, see any unexpected changes.
• “Which systems have a specific CVE vulnerability?” Search by CVE number, get a list of affected hosts with package details.

You can combine multiple criteria, save filters for reuse, and drill down into specific systems or specific changes.

Self-Service Compliance

Q: You mentioned this is your favorite feature. What is self-service compliance?

A: Self-service compliance means giving auditors direct access to your compliance data in Ascender Pro itself with read-only permissions. There is no access to your systems. Think about the traditional audit process: Auditors ask questions. The team scrambles to gather data. Generate reports. Send them back. Auditors have follow-up questions. The cycle repeats dozens or hundreds of times during an audit. What if auditors could answer their own questions instead?

Q: Is there a risk in giving auditors direct access to your data?

A: It is a benefit and actually changes the entire dynamic of the relationship. Organizations that have implemented this approach - particularly in highly regulated industries like government hosting, financial services, and healthcare - consistently report the same transformation. Instead of being defensive and trying to prove they’re doing their jobs, they become proactive. They show auditors the self-service portal and say, “Here’s everything you need. We’re an open book.” The auditor’s entire demeanor changes. They can see the organization is serious about compliance and transparency. They start treating technical teams like partners. We’ve seen audits go from three-week ordeals to four-day focused reviews. One Qualified Security Assessor (QSA) told a customer it was the most complete and accessible compliance documentation they’d seen in their career.

Q: What’s the benefit for your technical team?

A: It frees up enormous amounts of time. No more endless report generation requests. No more spending hours explaining methodology or formatting spreadsheets. Your time is freed up to focus on actual work instead of documenting work you’ve already done.

Q: And for auditors?

A: They get immediate access to current data instead of reports that might be outdated. They can explore follow-up questions independently. They can verify compliance in real-time rather than relying on static point-in-time reports. Everyone wins.

Real-World Examples

Q: Can you share some real-world use cases?

A: I’ve got three great examples across different industries. Financial Services: PCI-DSS Compliance We worked with a payment processing company that needed to demonstrate PCI-DSS compliance for its card data environment. They needed to:

• Log all access to system components
• Track configuration changes with audit trails
• Demonstrate security patches were deployed on time
• Prove no unauthorized changes occurred

Using Ascender Pro, they automated patch deployment, captured complete audit trails, set up scheduled reports showing patch timelines, and granted their Qualified Security Assessor (QSA) read-only access to Ascender Pro.

Result: Their annual PCI audit went from a three-week ordeal involving dozens of report generation requests to a four-day focused review. The assessor commented that it was the most complete and accessible compliance documentation they’d ever seen. Healthcare: HIPAA Compliance

A healthcare SaaS provider needed to maintain HIPAA compliance for infrastructure hosting Protected Health Information (PHI). Critical requirements included:

• Audit controls that record activity in systems containing PHI
• Regular review of system activity logs
• Logging of user access and modifications

They implemented Ascender Pro to automate configuration management, log every change with user attribution, create scheduled reports showing no unauthorized access, and establish baselines with drift alerts. Result: During their HIPAA review, auditors were granted direct access to Ascender Pro. Auditors independently verified that controls were working, changes were logged, and configurations remained compliant. What historically took 40+ hours of IT staff time was reduced to less than 10 hours - a 75% time reduction.

Enterprise IT: SOC 2 Type II A SaaS company preparing for its first SOC 2 Type II audit needed to demonstrate operational effectiveness of its security controls over time, not just their design. Using Ascender Pro, they automated security configuration enforcement, captured 12 months of continuous compliance data, demonstrated their change management process was consistently followed, and provided filtered views showing only security-relevant changes. Result: Their auditor noted that having automated, continuous compliance data was significantly more persuasive than typical point-in-time evidence. The automation itself demonstrated control effectiveness in a way that manual documentation never could.

Q: What’s the common thread in these examples?

A: In every case, compliance shifted from a reactive scramble to a proactive, continuous process. Teams went from spending days or weeks preparing for audits to being perpetually audit-ready. And the quality of evidence improved dramatically—from static snapshots to continuous, verifiable records.

Key Capabilities at a Glance

Beyond automated audit trails and self-service access, Ascender Pro provides: Visual compliance dashboards: Color-coded charts showing compliance status. Perfect for simplifying communication to leadership. Drift detection: Tracks system state over time and alerts when manual changes occur outside automation workflows Baseline comparison: Define standard configurations and instantly identify deviations Scheduled reports and alerts: Automated weekly, monthly, or quarterly reports with real-time alerts for critical changes

The Bottom Line

Q: If you had to summarize the key benefit in one sentence, what would it be?

A: Compliance becomes an automatic byproduct of the infrastructure automation you’re already doing - or should be doing - rather than a separate, manual burden.

Q: Who is Ascender Pro’s compliance automation right for?

A: Any organization that: Faces recurring compliance audits (SOC 2, PCI-DSS, HIPAA, ISO 27001, etc.) Spends significant IT time on compliance reporting Struggles to demonstrate continuous compliance rather than point-in-time snapshots Wants to shift from reactive audit responses to proactive compliance monitoring Needs to scale their compliance processes as infrastructure grows If you’re managing more than a handful of systems and facing any kind of compliance requirements, there’s value here.

Q: What if we’re skeptical?

A: Many IT leaders are skeptical at first. They’ve spent years doing compliance the hard way with weekends lost to audit prep, endless report generation, constant stress about whether they’ll pass audits. The idea that it could be simple feels too good to be true. But here’s the reality: compliance will always be a requirement. You can’t make it go away. What you can do is make it a natural byproduct of the work you’re already doing. If you’re managing infrastructure at scale, you need automation. That automation generates data. Ascender Pro just makes that data useful for compliance. Instead of compliance being a burden that pulls your team away from value-generating work, it becomes a checkbox that’s already checked. You’re always audit-ready. You’re proactive instead of defensive. Your team can focus on innovation instead of report generation.

About the Expert

Jimmy Conner is a Principal Customer Advocate at CIQ, where he focuses on infrastructure automation and compliance. With years of experience in IT infrastructure, Jimmy has personally experienced the evolution from manual compliance processes to fully automated compliance tracking. He’s passionate about helping organizations leverage automation not just for operational efficiency, but for improved security and compliance outcomes.

About CIQ and Ascender Pro

CIQ provides enterprise-grade automation solutions that help organizations scale their infrastructure management while maintaining security, compliance, and operational excellence. Ascender Pro is a commercially supported automation platform built on the open-source Ascender project, providing stability, commercial support, and advanced capabilities including integrated compliance tracking. Learn more at ciq.com/products/ascender-pro