
Vanta is not your ISMS

Compliance platforms collect evidence beautifully. They do not decide whether your scope, risks, control ownership and evidence quality actually make sense. Here is the gap they leave - and how to close it.

By Kellwick Team · June 24, 2026 · 3 min read

Compliance automation platforms - Vanta, Drata, Sprinto and the rest - are genuinely useful. They connect to your cloud, your identity provider and your HR system, and they collect evidence continuously. Green checks everywhere. It feels like being compliant.

But a wall of green checks is not an ISMS. It is a very efficient evidence collector pointed at whatever you told it to watch. The judgment calls - the ones auditors actually test - still belong to you.

What the platform does well

  • Continuous evidence collection. MFA status, encryption settings, endpoint compliance, background checks - pulled automatically and time-stamped.
  • Control-to-evidence mapping. It maps collected signals to framework controls so you can see coverage at a glance.
  • Reminders and workflows. Policy acknowledgements, access review nudges, vendor questionnaires.

For the mechanical, high-volume parts of an ISMS, this is a real upgrade over spreadsheets.

What the platform cannot decide for you

Here is where teams get a false sense of safety. The platform does not know your business, so it cannot make these judgments:

  • Is your scope right? The platform monitors what it is connected to. It has no opinion on whether your scope statement matches how the company actually operates, or whether you quietly left a critical system out.
  • Are your risks real? It can host a risk register. It cannot tell you whether the risks are specific, current, owned, and connected to treatment decisions - or whether they are generic placeholders nobody revisits.
  • Does your SoA make sense? Marking a control "applicable" and attaching an automated check does not mean the control is designed correctly for your environment, or that the justification would survive an auditor's question.
  • Who owns each control? A green check has no owner. When the auditor asks "who is accountable for supplier reviews, and what did they decide about vendor X," the platform cannot answer.
  • Is the evidence actually good? The platform proves a setting is on. It does not prove the setting is the right one, or that the human process around it (access reviews with real decisions, incidents with real root-cause analysis) is happening with judgment rather than as a checkbox.

The audit failure mode

The classic Vanta/Drata failure looks like this: the dashboard is 98% green, everyone relaxes, and then the auditor pulls three controls at random and asks to see how they operate in practice. Suddenly:

  • The risk register has not changed since onboarding.
  • Access reviews are "done" but produce no record of anyone actually removing access.
  • The SoA justifies a control with boilerplate that does not match the real setup.
  • Nobody can say who owns the supplier review process.

None of that shows up as a red check, because none of it is what the platform measures.

What "cleanup" actually means

A compliance workspace cleanup is not about adding more integrations. It is about applying judgment to the parts the tool cannot:

  1. Scope sanity - confirm the boundary matches reality.
  2. Risk register quality - make risks specific, owned and connected to decisions.
  3. SoA review - check each applicable control's design and justification against the real environment.
  4. Control ownership - assign a named human to every control, with an evidence expectation.
  5. Evidence quality - sample controls and check whether the human process behind the green check is real.

Do that, and the platform becomes what it should be: a powerful evidence engine sitting under a management system that a human actually operates.

The one-line version

A compliance platform collects evidence. It cannot decide whether your scope, risks, SoA and control ownership make sense. That decision is the ISMS - and it is still yours. If your dashboard is green but you would not want an auditor pulling controls at random, that is exactly the gap worth closing before they do.
