by raesene9
1348 days ago
So there are various commercial systems that fall under CSPM (or KSPM sometimes) that are designed to assess compliance with different standards. My purely personal opinion on this is that it's difficult to do well, as even with compliance standards, automating assessment isn't always possible. For example, the CIS benchmark for k8s can't say "Never use cluster-admin" as there are some legitimate use cases, so instead it says "minimize the use of cluster-admin", which can't be fully automated as a check. To do it well, a company should come up with their own spin on applicable standards, automate where possible (either with 3rd party or internal tooling) and then manually review the things that can't be automated on a periodic basis (either with internal resource, or consultants).
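As an added illustration of the "automate what you can, hand the rest to periodic review" approach above (example code, not from the comment's author or any CSPM product): the script enumerates every subject bound to the cluster-admin ClusterRole from constructed `kubectl get clusterrolebindings -o json` output, then filters out a hypothetical internal exception list so that only unreviewed grants land in a human review queue. The sample bindings and the approved list are made up.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings -o json`; not real cluster data.
SAMPLE_BINDINGS = json.dumps({
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "ci-deployer"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
        {"metadata": {"name": "view-all"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
    ]
})

# Hypothetical internal exception list (the company's "own spin" on the benchmark):
# subjects whose cluster-admin grant has already been reviewed and accepted.
# Everything else bound to cluster-admin is queued for manual review.
APPROVED_SUBJECTS = {("Group", "system:masters", "")}


def cluster_admin_subjects(bindings_json):
    """Return ((kind, name, namespace), binding_name) for each subject bound to cluster-admin."""
    found = []
    for crb in json.loads(bindings_json)["items"]:
        ref = crb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] != "cluster-admin":
            continue
        # A ClusterRoleBinding may legitimately have no subjects at all.
        for s in crb.get("subjects", []):
            subject = (s["kind"], s["name"], s.get("namespace", ""))
            found.append((subject, crb["metadata"]["name"]))
    return found


def review_queue(bindings_json, approved=APPROVED_SUBJECTS):
    """Cluster-admin subjects not on the approved list: the part that needs a human."""
    return [(subj, crb) for subj, crb in cluster_admin_subjects(bindings_json)
            if subj not in approved]


if __name__ == "__main__":
    for (kind, name, ns), crb in review_queue(SAMPLE_BINDINGS):
        target = f"{ns}/{name}" if ns else name
        print(f"review: {kind} {target} via ClusterRoleBinding {crb}")
```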