For years, security programs have relied on point-in-time snapshots to prove control effectiveness. They’ll run a quarterly audit here, a monthly scan there.