Alexander Velikiy

Originally published at greatcto.systems

Three days of code, six weeks of compliance — the math behind why

If you have shipped into a regulated industry, you know this ratio. Engineering ships a feature in three days. Compliance setup around the feature takes six weeks. Some founders get used to it. The right reaction is: the ratio is the bug.

This post is for the CEO / CTO who reads "What $1.4M of compliance work looks like in 14 hours" and wants to understand the mechanism — why six weeks specifically, and where in those weeks an LLM can save time without anyone getting sued.

Where the six weeks actually go

I priced this out properly the last three times I lived it as a CTO-for-hire. Numbers below are typical for a voice-AI or fintech feature shipping in 2025-2026.

| Phase | Median hours | Hourly rate | Subtotal |
|---|---|---|---|
| Identify which regulations apply | 8 | $200 (senior legal) | $1,600 |
| Read primary regulation text | 12-16 | $200 | ~$2,800 |
| Map regulation → your stack | 16-24 | $250 (compliance consultant) | ~$5,000 |
| Draft threat model | 32 | $250 | $8,000 |
| Draft consent flow + UX changes | 16-24 | $180 (senior PM + senior frontend) | $3,600 |
| Implement consent + audit log | 40 | $180 | $7,200 |
| Internal legal review of threat model | 8 | $400 (general counsel) | $3,200 |
| External auditor pre-meeting + Q&A | 10 | $350 (specialist) | $3,500 |
| Revisions, second pass | 16 | mixed | ~$3,500 |
| Final sign-off | 4 | $400 | $1,600 |
| Total | ~190 hours | mixed | ~$42,000 |

This is a single regulated feature. Multi-jurisdictional (US + EU + India + state-level US) doubles or triples it. Multi-feature (a startup shipping into a regulated industry has 8-15 such features in the first six months) makes the aggregate $300K-$500K of consulting before the product exists in production.

Where an LLM helps

Not all of those 190 hours are equal. Some are mechanical, some require judgment, some require relationships.

Mechanical (can be 80-90% automated):

  • Reading primary regulation text. The CFR is plain text. The EU AI Act Annex III is plain text. LLMs read 200 pages faster than any human can think. Replaces ~12-16 hours.
  • Mapping regulation to stack. "Does our PCI-DSS scope include the webhook signature verifier?" is a deterministic question with a regex-and-citation answer. Replaces ~12-18 hours of the 16-24.
  • Drafting threat model. Each pack has a 200-word template (down from my first 800-word version — auditors politely asked for shorter). LLM fills it in using regulation text + your ARCH.md. Replaces ~24-28 hours of the 32.
  • Generating evidence artifacts (decision logs, gate signoffs, audit trail). The pipeline emits these as side effects, not as a separate phase. Replaces ~6-8 hours.

Judgment (human time stays roughly constant):

  • Identify which regulations apply. Mostly mechanical, but the "is this an edge case" call is human. Reduces from 8h to ~2-3h of review.
  • Drafting consent flow UX. Pure product judgment. The LLM writes a first pass you can react to in 15 minutes instead of authoring from scratch in 4 hours. Reduces from 16-24h to ~4-6h.
  • Implementation. Coding is faster with LLM assistance, but the gates are real. Reduces from 40h to ~10-15h.

Relationship (cannot be automated, and pretending otherwise is malpractice):

  • Internal legal review. Your GC has to sign. Their time is your time. Unchanged at 8h.
  • External auditor pre-meeting. The auditor wants a human on the other end of the phone who can defend the threat model under questioning. The LLM-generated threat model is the document the auditor reads. The conversation about it is yours. Unchanged at 10h, but the auditor reads a tighter document faster, so call it 6-8h net.

New math:

| Phase | Old | New | Saved |
|---|---|---|---|
| Identify regs | 8h | 2-3h | ~6h |
| Read regs | 12-16h | 1-2h | ~13h |
| Map to stack | 16-24h | 3-4h | ~17h |
| Threat model | 32h | 4-6h | ~27h |
| Consent UX | 16-24h | 4-6h | ~15h |
| Implementation | 40h | 10-15h | ~28h |
| Internal legal | 8h | 8h | 0 |
| External auditor | 10h | 6-8h | ~3h |
| Revisions | 16h | 6-8h | ~9h |
| Final signoff | 4h | 4h | 0 |
| Total | ~190h | ~50-65h | ~125-140h |

Wall-clock compresses from six weeks to about ten working days, partly because work was removed and partly because the work that remains can run in parallel (the LLM drafts while the auditor pre-meeting is being scheduled).

Cost compresses from ~$42K to ~$15-18K (LLM bill ~$50-150, human time the rest). Median compression I have measured: ~60% on cost, ~67% on wall-clock.

Why this is not "AI replaces compliance consultants"

The compliance specialist of 2027 is someone who knows which regulation applies in which jurisdiction and can operate a pipeline to do the reading and templating for them. Same depth of judgment. Five times the productivity.

That person is going to win market share against the consultant still billing by the hour to read 200 pages of regulation. Not because their judgment is better — it is the same. Because their cost-per-judgment is one-fifth.

The judgment is the moat. The reading and templating around the judgment has been commoditized. This is the same transition that happened to junior associates in law firms when document-review tools landed in 2010-2015. Senior partners did not disappear; they got faster.

What does not compress

External calendar time. The auditor still books two weeks out. The FDA pre-submission meeting is still 60-90 days. IRB approval is still 8-12 weeks. Internal work compresses 5-25×; external-dependency work does not move.

If your runway is 18 months and you ship into a regulated industry, the realistic plan is:

  1. Compress internal compliance work from 6 weeks to 10 days.
  2. Use the recovered 4 weeks to run the external cycles in parallel with the next feature.
  3. End up with one external cycle per quarter, not one every two quarters.

That math doubles the number of features that ship through compliance per year for the same runway. For an early-stage AI startup, that is the difference between catching the wave and missing it.

About: I build GreatCTO — a multi-agent SDLC plugin for Claude Code with 10 compliance packs. MIT, runs locally. The cost-by-pack breakdown is in the W21 deep-dive.
