
Automated Governance Is the Evidence Factory MedTech Has Been Missing

Michael Edenzon built Fianu to replace weeks of manual compliance work with continuous, objective evidence collection baked into how software gets built

In a regulated industry like MedTech, every software release carries an auditable promise. Did the code get tested? Were vulnerability assessments completed? Were residual software risks evaluated? These aren't optional steps — they're commitments embedded in a quality system, and a manufacturer is responsible for proving every one of them was fulfilled before software ships to patients.

The problem is that most of this proof is still collected manually. Engineers pull screenshots. Teams assemble Word documents. Compliance reviewers check boxes. The result is weeks — sometimes months — of lead time between a software release candidate and the moment it reaches users. For a person with Type 1 diabetes waiting on a bug fix for their insulin pump, that gap is not abstract.

Michael Edenzon, co-founder and CEO of Fianu, has spent his career building the alternative. Fianu is a software company that automates evidence collection for regulated software development — embedding compliance directly into the DevSecOps environment so that evidence is captured continuously as developers work, not assembled manually before every release.

[00:04:00] I spoke with Michael about how automated governance works, what it's produced for medical device companies, and why he thinks objective, deterministic evidence should become the new regulatory standard.

But first — a story about a screenshot.

One developer. Eighteen months. The same screenshot uploaded every single time.

The policy said software couldn't ship unless unit test coverage exceeded 80%. For a year and a half, one developer maintained exactly 81.7% coverage — just above the threshold — by uploading the same screenshot from a test run that was long out of date. Nobody caught it. The manual review process wasn't designed to catch it. Eventually, Fianu did.

That story isn't about a bad actor. It's about a system that creates the conditions for that behavior.

The Factory Floor Problem

[00:05:30] Michael spent years as a director of DevOps at a large financial institution. His vantage point: watching thousands of developers build and ship software while spending hundreds of hours per release manually documenting evidence of the requirements they were supposed to meet.

DevOps promised speed. Automated builds, automated provisioning, automated deployments. But in regulated institutions, that promise hit a wall. The assembly line was automated. The compliance work required to use it wasn't.

"The compliance work required to ship the software was still manual," he told me. "While the software had been automated, the documentation process was still a bottleneck."

[00:07:50] The solution he landed on was straightforward in concept: automated governance. Fianu watches developers as they work, captures evidence of what they actually did, and either clears software for release or blocks it — automatically. No screenshots. No manual attestations. No weeks of document assembly before a release.

What Developers Actually Do When Nobody's Watching

[00:08:35] The screenshot story is instructive not because the developer was dishonest, but because the system made that path of least resistance possible. Manual evidence review depends on humans catching anomalies that aren't always obvious. Eighteen months of identical test coverage numbers? Suspicious in retrospect. Easy to miss in a review queue.

Michael's framing: "The systems determine the behavior."

[00:11:45] When developers know that Fianu is capturing what actually happened — not what they self-report — their behavior changes. They can't hide incomplete work. So instead of working around requirements, they explain gaps. That explanation prompts a conversation. The conversation gets in front of the right stakeholders. Decisions get made by people who have the full picture.

"Automated governance in an organization will show, in a very short amount of time, that your developers are your best collaborators — as soon as transparency is in their best interest."

The Medical Device Case Study

[00:24:40] One of Fianu's first medical device customers was a blood glucose monitoring company. When Fianu came in, the company was spending weeks before every software release assembling a Microsoft Word document — pulling information from different systems, filling in evidence, exporting to PDF, uploading to a regulatory portal. Every single release.

[00:27:00] The engagement started with a room full of stakeholders: AppSec, QA, V&V, engineering, risk. Michael asked a simple question: when you go and assemble that Word document and decide the software is sufficient to ship, what are you actually looking for?

For some, it was the first time anyone had asked.

[00:27:25] Fianu took their existing policies, controls, and procedures and automated them. Developers went about their day-to-day work. Evidence was captured continuously. When it came time to release, a single click produced the PDF.

The results, about a year in: four weeks shaved off every release cycle — an 85% reduction in lead time. And their time to respond to an FDA software recall dropped from 180 days to under 30.

[00:28:19] The marketing team heard about that second number during an all-hands and started using it to sell against competitors.

The Nuance Most Automation Projects Miss

[00:30:50] I've worked with medical device companies and government agencies on process automation long enough to recognize a common failure mode: the instinct to automate to a higher standard than you're currently operating at. It sounds like the right thing to do. In practice, it breaks the implementation.

Fianu took a different approach. When they went into the blood glucose company, they didn't arrive with opinions about what the quality bar should be. They took what the company was already doing and made it faster.

[00:31:20] "We didn't come in with opinions about how they should be evaluating their software. We were able to take their existing policies and controls and automate them right in the system."

The same principle shows up in how Fianu handles policy changes. One customer wanted to raise their unit test coverage requirement from 50% to 80% for internet-facing software — reasonable on the merits. Fianu modeled the impact first: that policy would have blocked 15 of their last 20 releases.

[00:34:20] Instead of blocking or abandoning the goal, they built a graduated path. Monthly 5% improvement targets. The policy was set. The deadline was flexible. Eventually the software would reach the threshold and stay there. Evolution, not revolution.

Risk Acceptance as a Feature

[00:36:40] One of the things I found most interesting about Fianu is how they handle the moments when compliant isn't achievable right now but shipping still needs to happen.

Medical device development sometimes runs into this. A fix is needed. The software isn't fully compliant. The risk of not shipping may outweigh the risk of shipping with a known gap. That decision should be made consciously, by the right people, with full documentation — not by a developer quietly working around a manual check.

[00:37:10] Fianu built what they call annotations: digitally signed, immutable artifacts where a developer acknowledges a failing control and explains why. The organization defines what information is required. The decision gets made. It's auditable. It's traceable. And it doesn't grind the factory floor to a halt.

This is a version of a problem I think about often in medical device development: the FDA makes decisions for populations. Individual manufacturers and patients sometimes have different tolerance for specific trade-offs. Fianu's annotation feature at least ensures that when a gap is accepted, it's accepted with full transparency and a record that can't be edited later.
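To make the mechanism concrete, here is an added example, not Fianu's code and not from the episode, of a minimal evidence gate in Python: a control result is signed at capture time and bound to a commit and a timestamp, so a stale or edited record like the eighteen-month screenshot is rejected rather than reviewed; a below-threshold run can ship only with a signed annotation for the same commit and control, and a graduated threshold models the monthly 5% ramp. The signing key, record fields and scenario values are constructed placeholders.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed demo key; a real system keeps the signing key in an HSM/KMS, not in source.
SIGNING_KEY = b"constructed-demo-signing-key"

def _digest(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def sign_record(**fields):  # a control result or an annotation, signed at capture time
    return {**fields, "sig": _digest(fields)}

def verify_record(rec):  # trusted only if the signature still matches the fields
    fields = {k: v for k, v in rec.items() if k != "sig"}
    return hmac.compare_digest(rec.get("sig", ""), _digest(fields))

def evaluate_coverage(ev, release_commit, threshold, now, max_age=timedelta(hours=24), note=None):
    """Gate one control: returns ('pass' | 'accepted' | 'block', reason)."""
    if not verify_record(ev):
        return "block", "evidence signature invalid"           # edited after capture
    if ev["commit"] != release_commit:
        return "block", "evidence is for a different commit"
    if now - datetime.fromisoformat(ev["observed_at"]) > max_age:
        return "block", "evidence is stale"                    # the re-uploaded screenshot
    if ev["coverage"] >= threshold:
        return "pass", f"coverage {ev['coverage']} >= {threshold}"
    if note and verify_record(note) and (note["commit"], note["control"]) == (release_commit, ev["control"]):
        return "accepted", "failing control accepted: " + note["justification"]
    return "block", f"coverage {ev['coverage']} < {threshold}"

def graduated_threshold(start, target, step, months_elapsed):
    """Threshold that rises by `step` each month until it reaches `target`."""
    return min(target, start + step * months_elapsed)

def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    # Constructed scenario: fresh evidence passes; an 18-month-old re-upload, a record for
    # another commit and a tampered record are blocked; a low run ships only with an annotation.
    def capture(cov, age, commit="c2"):
        return sign_record(control="unit-test-coverage", commit=commit, coverage=cov,
                           observed_at=(now - age).isoformat())
    note = sign_record(control="unit-test-coverage", commit="c2",
                       justification="hotfix needed; gap accepted by QA lead")
    cases = {"fresh": (capture(81.7, timedelta(hours=2)), None),
             "stale": (capture(81.7, timedelta(days=540)), None),
             "wrong_commit": (capture(81.7, timedelta(hours=2), "c1"), None),
             "tampered": (dict(capture(62.0, timedelta(hours=2)), coverage=81.7), None),
             "low": (capture(62.0, timedelta(hours=2)), None),
             "low_annotated": (capture(62.0, timedelta(hours=2)), note)}
    return {k: evaluate_coverage(rec, "c2", 80, now, note=a)[0] for k, (rec, a) in cases.items()}
```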

The Bigger Argument

[00:49:10] Toward the end of our conversation, I asked Michael what he'd change about how regulation works if he could. His answer was direct: make objective, deterministic evidence the standard. Not self-reported screenshots. Not attestations that depend on human memory and honesty. Evidence that captures what actually happened, is reproducible, and is auditable at any point.

He pointed to a 2019 white paper on automated governance reference architecture — the inspiration for Fianu — and made the case that this methodology should become the bar for regulated software development across industries.

[00:50:05] His argument for MedTech specifically: once that standard is set, organizations will start to innovate and respond to customers faster. The compliance work that currently adds weeks to every release becomes continuous background infrastructure instead of a pre-release bottleneck.

The blood glucose company's recall response time — 180 days to under 30 — is what that looks like in practice.

Who Should Be Calling Fianu Right Now

[00:40:30] Michael's ideal customer: organizations with hundreds or thousands of developers who are required to enforce compliance policy prior to every software release and are committed to DevOps practices. Companies that are bought into shipping software the right way, in a compliant fashion, and fast.

[00:43:30] The organizational structure doesn't need to be clean. Fianu is specifically designed for companies with multiple pipeline platforms, multiple source code systems, dozens of scanning tools — the kind of fragmented technical environment that results from acquisitions and fast growth. Over 60 integrations, updated daily. Everything feeding into one normalized data set, evaluated against policy.

[00:45:30] Who shouldn't call: companies that aren't bought into DevOps yet, or where there's organizational resistance to the level of visibility automated governance creates. "Call us in a year or two."

What This Has to Do With AI

[00:50:20] I had to ask. The short answer: automated governance is not the place for AI, and Michael was clear about why. Audit compliance requires determinism — the same input should produce the same output, every time. AI, in its current form, isn't that.

But for companies using AI in their products, Fianu becomes a tool for monitoring model quality and efficacy in production. The traceability from code commit to runtime behavior is the same infrastructure needed to govern AI-driven features responsibly.

[00:54:20] Michael's forward-looking opportunity: applying DevOps traceability to the assembly of AI models themselves. Data scientists don't always work with the repeatability and determinism standards that software engineering has developed. That gap is going to matter more as AI in medical devices becomes a serious regulatory question.

Listen to the full episode: https://creators.spotify.com/pod/profile/shannon-lantzy

Michael Edenzon is co-founder and CEO of Fianu. You can find him on LinkedIn or at fianu.io.

This post was generated from the full episode transcript with AI assistance to capture and synthesize the key insights from the conversation.
