Ask a room of founders what makes a defensible business and you will hear the classics: network effects, switching costs, proprietary data, brand. Rarely does anyone say compliance. Compliance is the boring department, the cost centre, the thing you bolt on before the enterprise deal closes.
The last eighteen months in American healthcare technology argue the opposite. In one of the largest software markets you have never thought about, compliance capability has become the primary buying criterion, the fastest-growing product surface, and the moat that decides who survives. The story is worth every founder’s attention, because the pattern is coming to your industry next.
A market rebuilt by enforcement
The market in question is risk adjustment: the systems US health insurers use to document how sick their members are, which determines billions in government payments. For fifteen years, the pitch from vendors in this space was pure growth. Our software finds more diagnoses, more diagnoses mean more revenue, buy us and watch your payments climb.
Then the enforcement wave hit. The Department of Justice extracted a 117.7 million dollar settlement from a major insurer in March 2026, arguing its diagnosis-review programme was designed to add codes without removing wrong ones. Federal auditors published findings that 81 to 91 percent of certain high-risk codes at audited plans lacked supporting records. The government scaled its audit workforce from around forty coders to roughly two thousand and moved to quarterly audit cycles.
Overnight, the buying question flipped. Chief financial officers stopped asking “how much revenue will this find?” and started asking “will this survive an audit?” Every vendor whose product was built around the first question is now scrambling to answer the second. Several will not make it.
The anatomy of a compliance moat
What separates the winners is instructive. The vendors gaining share did something unfashionable years ago: they built for defensibility before the market demanded it.
Concretely, that meant products where every automated suggestion links to its evidence. If the software proposes a diabetes code, it shows the exact sentence in the doctor’s note that supports it and the clinical rule it satisfies. It meant two-way review, flagging codes that should be removed with the same energy as codes that could be added, even though removals cost the customer money in the short run. It meant audit trails, explainable AI instead of opaque models, and certifications that take years to earn.
None of that demos as well as a revenue dashboard. All of it is brutally hard to retrofit. A competitor whose architecture assumes one-directional code mining cannot bolt on bidirectional evidence trails in a quarter. The technical debt is strategic debt. Buyers evaluating risk adjustment software now walk through evidence-linking, audit workflow, and explainability line by line, and products built revenue-first simply cannot check the boxes.
That is a moat. Not a patent, not a network effect. A multi-year architectural head start on the thing regulators just made mandatory.
The generalisable pattern
Here is why this matters outside healthcare. The same sequence (incentive distortion, then scandal, then enforcement, then compliance as the buying criterion) is playing out in industry after industry.
Fintech lived it first: the neobanks that treated compliance as friction are gone or consolidated, and the infrastructure players who built KYC and audit rails early now sell them as products. AI is entering the cycle now, with the EU AI Act and sector regulators demanding explainability, documentation, and human oversight. Data privacy went through it with GDPR. Crypto is mid-collapse in exactly this pattern.
The playbook for founders is consistent across all of them:
First, map the incentive distortion in your market. Wherever your customers make money from a measurement, someone is gaming the measurement, and enforcement eventually follows. Sell into that future.
Second, build evidence into the product, not alongside it. Logs, trails, and explanations bolted on later are always worse and always obvious. The vendors winning in healthcare made “show your work” a core architecture decision.
Third, accept short-term revenue pain for positioning. Two-way reviews cost healthcare vendors money with every customer, right up until they became the reason customers chose them. Features that protect the buyer from their own worst incentives feel like anti-sales. They are trust, productised.
Fourth, treat certifications and audits as marketing. Boring credentials close enterprise deals faster than case studies once procurement is scared.
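To make the architecture described under "The anatomy of a compliance moat" and the "show your work" rule of the second playbook step concrete, here is an added example (illustration only, not the code of any vendor or product mentioned on this page). Every suggestion carries a pointer to the exact sentence that supports it and the rule it satisfies; removals are produced by the same pass as additions; a citation that does not literally resolve to the note is rejected; and each reviewer decision goes into a hash-chained, append-only trail so that edits after the fact are detectable. The rule table, the clinical note and the submitted code set are constructed sample data; the ICD-10 codes (E11.9, I10, J44.9) are real identifiers used purely as examples, and the rule ids and reviewer name are hypothetical.

```python
"""Evidence-linked, two-way code review with a tamper-evident audit trail.

Added illustration, not code from any vendor or product named on the page.
RULES, NOTE and SUBMITTED are constructed sample data; the ICD-10 codes are
real identifiers used only as examples, and the rule ids are hypothetical.
"""
from dataclasses import dataclass, asdict
from typing import Optional
import hashlib
import json
import re

# Constructed rule set: code -> (hypothetical rule id, regex for the supporting phrase).
RULES = {
    "E11.9": ("RULE-DM2", r"type 2 diabetes"),
    "I10": ("RULE-HTN", r"hypertension"),
    "J44.9": ("RULE-COPD", r"\bCOPD\b"),
}


@dataclass(frozen=True)
class Evidence:
    rule_id: str
    start: int            # character offsets into the note
    end: int
    sentence: str         # verbatim sentence, so a reviewer can check it unaided


@dataclass(frozen=True)
class Suggestion:
    action: str                   # "add" or "remove"
    code: str
    evidence: Optional[Evidence]  # None when the point is that no support exists


def split_sentences(note):
    """Yield (start, end, text) per sentence; note[start:end] == text exactly."""
    for m in re.finditer(r"[^.]+\.", note):
        text = m.group()
        lead = len(text) - len(text.lstrip())
        yield m.start() + lead, m.end(), text.lstrip()


def find_support(note, code):
    """Return the first sentence satisfying the rule for `code`, or None."""
    rule_id, pattern = RULES[code]
    for start, end, sentence in split_sentences(note):
        if re.search(pattern, sentence, re.IGNORECASE):
            return Evidence(rule_id, start, end, sentence)
    return None


def review(note, submitted):
    """Two-way review: unsupported submitted codes are flagged for removal
    with the same pass that proposes supported, missing codes for addition."""
    out = []
    for code in RULES:
        ev = find_support(note, code)
        if ev and code not in submitted:
            out.append(Suggestion("add", code, ev))
        elif not ev and code in submitted:
            out.append(Suggestion("remove", code, None))
    return out


def evidence_resolves(note, s):
    """A citation counts only if the quoted sentence sits at the stated offsets
    and still satisfies the rule; a removal counts only if no support exists."""
    if s.evidence is None:
        return s.action == "remove" and find_support(note, s.code) is None
    e = s.evidence
    return (note[e.start:e.end] == e.sentence
            and re.search(RULES[s.code][1], e.sentence, re.IGNORECASE) is not None)


class AuditTrail:
    """Append-only, hash-chained record of every decision and its evidence."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, reviewer, suggestion, decision):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"reviewer": reviewer, "action": suggestion.action, "code": suggestion.code,
                "evidence": asdict(suggestion.evidence) if suggestion.evidence else None,
                "decision": decision, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """False if any entry was altered or the chain was reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Constructed sample input: a short note and the codes a plan already submitted.
NOTE = ("Patient seen for follow-up. Type 2 diabetes is well controlled on metformin. "
        "Blood pressure 128/82 today. Lungs clear.")
SUBMITTED = {"J44.9"}   # COPD was submitted, but nothing in the note supports it


def run_demo():
    suggestions = review(NOTE, SUBMITTED)
    trail = AuditTrail()
    for s in suggestions:
        assert evidence_resolves(NOTE, s)
        trail.record("reviewer-1", s, "accepted")   # hypothetical reviewer id
    return suggestions, trail


if __name__ == "__main__":
    for s, in zip(run_demo()[0]):
        print(s.action, s.code, s.evidence.sentence if s.evidence else "(no supporting sentence)")
```

The two checks that matter for defensibility are `evidence_resolves`, which refuses a suggestion whose quoted sentence is not literally present at the cited offsets, and `AuditTrail.verify`, which fails as soon as any recorded decision is edited in place. Both are cheap to build in from the start and expensive to retrofit onto a pipeline that only ever emitted codes.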
The uncomfortable question
The founders who resist this usually make the same argument: regulation lags, growth wins, we will fix compliance when we are big. Sometimes that works. But notice who is making the opposite bet. The buyers. Enterprise procurement in any regulated industry is now trained by a decade of scandals to ask the audit question first. You are not selling against your competitors’ features anymore. You are selling against their liability.
The healthcare audit wave will produce its own crop of case studies, consolidations, and cautionary tales. But the strategic lesson is already clear, and it fits on an index card: in any market where money follows measurement, the durable business is the one that can prove its numbers. Build the receipts before anyone asks for them, and the asking becomes your moat.
