Shipping Fast Means You're Borrowing Against The Future

10-May-2026 9:00:01 AM • Written by: Mohamed Hamad

I've been building something lately. Using AI to move fast, the way everyone is right now. Features come together quickly. The momentum feels good. You get into a rhythm and it's hard to stop.

Then I sat down with Sandra Peterffy for a With Wunder webinar, a conversation about compliance as a strategic advantage, and something she said made me put down what I was doing and think about it differently. Not about the product. About where I might want to take it. Who might buy it. What that buyer would need to see before they'd say yes.

The full conversation with Sandra is embedded below. I'd encourage you to watch it, especially if you're building something right now.


Technical Debt Has a Cousin Nobody Puts on the Roadmap

Every developer knows technical debt. You take a shortcut to ship faster and you accept the cost of cleaning it up later. The whole industry has shared language for it. Sprints get allocated for refactoring. Tech leads flag it in planning sessions. It's a known quantity.

Compliance debt works exactly the same way. You make a decision, or more often a non-decision, early in the build, and it sits quietly inside the architecture. It doesn't announce itself. It doesn't slow anything down while you're in build mode. It waits.

It shows up the first time you try to sell commercially to an enterprise buyer. Or when a procurement team sends over a vendor questionnaire you can't answer. Or when you're three weeks from closing a deal in a regulated market and someone in legal asks how you handle user data.

Sandra has watched this play out across 20 years of working with startups and scaling companies. The pattern is consistent: founders who treat compliance as a future problem find it's already a present one by the time they notice. "If you want to make money, if you want to get investment, if you want your product to go to market," she said, "you need to think about compliance at some point."

"The question isn't whether you'll deal with it. It's how much it'll cost you when you do."
- Sandra Peterffy


The Moment Your Intent Changes, Your Risk Profile Does Too

There's a version of building where compliance barely comes up. You're working on something for a small, closed audience. Nothing commercially sensitive. The risk you're carrying is low, and moving fast makes sense.

The problem is that intent changes. A side project becomes a product. A tool built for one client gets interesting enough to sell to ten. The moment that happens, everything built under the old assumptions gets stress-tested against a new reality.

I felt this in my own build. The conversation with Sandra made me think about the go-to-market questions I hadn't fully sat with yet. Not the features, the markets. Specifically: who could actually buy this, and what would they need from me before they could say yes?

At Third Wunder, we've had a version of this conversation with clients, too. A map-based app we're building for the CHSSN is a useful example. We built a custom application with the Community Health and Social Services Network to help service providers across Quebec visualise where English-language health and social services exist and where they're missing. The app doesn't collect personal data, so the privacy compliance questions that Sandra talks about didn't apply here. But we did have real conversations with CHSSN stakeholders about access, usage, and who the tool was actually for.

Who should be able to see what. How the data would be used and by whom. Those conversations shaped decisions about access controls and audience design that we'd have had to undo and redo had we left them until later. They're the kind of questions that belong in the room early, not after the product is already in someone's hands. (The full story is in the case study and this piece I wrote about the project.)

Sandra's framing is the right one: you don't have to have all the answers on day one. But you do need to know where your product is going in the next five years.

"What's your North Star? How are you going to achieve that? Because some of that answer is going to be: you can't sell to certain markets until you've addressed certain things."
— Sandra Peterffy


Compliance Doesn't Live in Engineering. It Lives at the Top.

This is the part of the conversation I keep coming back to.

Sandra made a pointed observation about culture: when founders and executives visibly treat compliance as a burden, the whole organisation internalises that signal. Engineers deprioritise it. Product managers don't build it into sprints. Nobody owns it, because leadership implicitly communicated that it doesn't matter.

She's seen it in startups across fintech, SaaS, and MedTech. The GRC team works hard to embed the right controls, explain the principles, and set up the processes. But if the CEO rolled their eyes at the last all-hands when compliance came up, none of that work lands the way it should. The team heard the real message.

"As soon as you start dismissing compliance outwardly to your teams, the teams actually listen. And then they don't care."
— Sandra Peterffy

The consequence is that compliance becomes centralised in a silo, treated as a security team problem rather than an organisational one. And that's precisely where it stops working. Controls that live only in the security or GRC team aren't really organisational controls. They're a bottleneck waiting to happen.

The practical implication: these conversations need to come from leadership. Not from engineering flagging a risk. Not from a consultant brought in the week before a deal closes. The founder asking, "Have we thought about where this is going and what that means for how we're building it?" That's the conversation that changes the trajectory. And it needs to happen before the moment it becomes urgent.


You Don't Build for a Million Users on Day One

One of the most useful things Sandra said, and one you won't find in most compliance guides, is this: nobody is ever 100% compliant all the time. The goal is proportion, not perfection.

The risk you accept depends on where you are. Early stage, small audience, nothing commercially sensitive? You can carry more risk and move fast. But if you're pointing the product at enterprise buyers, regulated industries, or international markets, especially Europe, the calculus changes quickly. The gates appear sooner than you think.

For most startups, SOC 2 is the right entry point. It's principle-based and risk-tolerant. It doesn't require a full ISO overhaul or a compliance programme that grinds the product roadmap to a halt. It maps credibly to the frameworks enterprise buyers recognise. And it can get you far enough to have the conversation without getting stopped in procurement.

Good engineers already think this way about architecture. You don't build for a million users on day one. But you also don't build something that collapses at a thousand because you never thought past the MVP. The biggest lesson from 15 years in this industry holds here the same way it holds everywhere else in tech: plan ahead, engineer for the future, and do what you can with what you have now. You make intentional choices about what you're deferring and why, and you build in a way that doesn't make those future choices impossible.

Compliance is the same muscle.


Final Thoughts

Building something of your own changes how you think about advice you've given a hundred times to clients. I've sat across from founders and told them to plan ahead, to think about where the product is going before the architecture makes that harder. Good advice. Advice I believed.

Then I started building my own thing, with AI moving fast underneath me, and I caught myself doing exactly what everyone does. I was focused on the features, excited about the momentum, and not fully sitting with the question of where this goes commercially, and what that means for how it needs to be built right now.

That's the honest version of what this conversation with Sandra opened up for me.

For the app I'm working on, there are now questions on the table that weren't there before. Not panic. Not a compliance overhaul before I've shipped anything. Just the right questions, asked at the right time, while there's still room to make intentional choices.

And for every custom build we take on at Third Wunder going forward, the compliance conversation starts at the beginning. Not because a client asked for it. Because we know what it costs when it starts anywhere else.

Mohamed Hamad

Mohamed Hamad is the founder of Third Wunder, a Montreal-based digital marketing agency, with 15 years of experience in web development, digital marketing, and entrepreneurship. Through his blog, "Thought Strings", he shares insights on digital marketing and design trends, and the lessons learned from his entrepreneurial journey, aiming to inspire and educate fellow professionals and enthusiasts alike.