As compliance expectations rise alongside the pace of AI development, many companies are rethinking how governance should work in practice. For Islahul, CTO of Kive, the answer has been to embed compliance directly into the company's workflows rather than treating it as a parallel process.
Kive, a Stockholm-based AI company focused on helping brands scale creativity using AI, has seen growing attention after having 10x'd their ARR in just a few months. We spoke with Islahul about how his team approached ISO processes, why they chose Noru, and what embedded compliance actually looks like in an AI-native company.
Q: Kive operates in a fast-moving AI space. How did compliance fit into that reality?
Islahul: It didn't, initially. Traditional GRC tools assume a slower, more static environment. But we're shipping continuously, integrating new models, and evolving our infrastructure. Compliance couldn't be something we paused to do every quarter - it had to live inside how we already work.
Q: What does embedded compliance mean in your setup?
Islahul: It means compliance is not a separate system or team. It's part of our tooling and workflows. Controls are monitored continuously, policies reflect how we actually operate, and evidence is generated automatically.
We don't prepare for audits in the traditional sense - we're always prepared because the system is always running.
Q: Why did you choose Noru specifically?
Islahul: Two reasons: accessibility of data and flexibility. Most platforms keep compliance data locked inside their UI. With Noru, we could access everything via API. That allowed us to integrate it directly into our internal workflows.
We paired Noru's API with Claude Code to automate large parts of our compliance work - things like control validation, documentation updates, and even parts of the audit preparation process. This helped us embed controls within our codebase so that a translation layer becomes unnecessary and they actually drive security improvements and maintenance. That's not something we could realistically do with other tools.
Q: Can you give an example of what you automated?
Islahul: A lot of the ISO 27001 work is repetitive - collecting evidence, mapping controls, updating documentation. Instead of doing that manually, we built internal workflows where those steps happen automatically based on system data.
For example, when something changes in our infrastructure, it can trigger updates in both controls and documentation. Claude Code helps orchestrate and automate those tasks, while Noru acts as the compliance backbone. We can monitor these changes continuously to see how risks and mitigations evolve over time.
Q: Roughly how much time did this approach save during your ISO process?
Islahul: If we had done this in a traditional way, it would probably have taken a few hundred hours across the team - easily 250-350 hours when you include coordination, documentation, and audit prep. For a team of 4 engineers, it would put this out of scope.
With this setup, we reduced that significantly. A rough estimate would be that we saved around 150-200 hours of work. More importantly, it wasn't just about time saved - it changed the nature of the work. Instead of manual coordination and bookkeeping, we focused on validating that the system was doing the right thing and implementing good governance.
Q: How does this approach change how you think about compliance going forward?
Islahul: It becomes continuous rather than episodic. We're not thinking in terms of getting compliant anymore. We're thinking in terms of maintaining a system that proves trust continuously. That's a much better fit for an AI company.
Q: There's a growing narrative around the AI-native renaissance wo/man - engineers who operate across systems, automation, and governance. Does that resonate with you?
Islahul: To some extent, yes. The role is definitely expanding. You're not just building product - you're shaping infrastructure, security, and compliance as part of the same system. Tools like Noru make that possible because they don't force you into a separate compliance workflow.
You can treat compliance as another layer in your stack.
Q: Final thoughts for other CTOs approaching ISO or similar frameworks?
Islahul: Don't accept the default model. If compliance feels like overhead, it's usually because it's disconnected from how your company operates. The more you can embed it into your systems, the more it becomes a byproduct of good engineering rather than a separate burden.
That shift makes a real difference - both in time and in how your team works.