How would you assess whether a cloud environment meets compliance standards like CIS or SOC 2 at Moody's?