Hacker News
by nickdothutton 1920 days ago
Some of you might find this post interesting. The first step down the path to automating compliance. https://blog.eutopian.io/a-universal-lemma-for-compliance/
1 comment

Appreciate the way you've thought about this, Nick. I like the suggestions that you bring up at the end:

  What if we could produce compliant configuration snippets for live systems?
  What if we could express internal compliance policy in parsable form?
  What if we could automatically apply configurations and re-test?
  What if automatic attestation was cryptographically signed by both parties?
  What if this was so frictionless it could be done daily or on-demand?

Ultimately, security is hard and finding ways to simplify and automate protocols will make everyone better off.