The policies nobody certifies
When a customer asks whether you're compliant, they're usually asking about a standard. SOC 2 for your controls, ISO 27001 for your security program, HIPAA if you touch health data. Those come with auditors, tooling, and a certificate at the end, and they're the smallest part of the picture. The organizations I've worked with (a law firm and a fintech among them) ran on layers of policy that no certificate covers: internal standards, government regulations specific to their sector, and expectations written into customer contracts.
Two examples show the range. An engineering org decides that every repository must carry a pre-commit config with a specific set of hooks. That's a policy, and someone is supposed to verify it on every repo. A facilities team keeps a standard for what the cafeteria kitchen must stock and how it's maintained. That's a policy too, with a checklist and a person responsible. Code on one end, kitchens on the other, and in between: onboarding steps, access reviews, records retention, vendor requirements. Most of what a company has to enforce looks like this, and none of it comes with an auditor.

