Interview: Eleanordustinbliss — 2026-05-01

Key Themes

Hardware vs. Software Compliance: A Structural Divide
Eleanor’s Sophos experience anchors the most practically useful section of this conversation. Hardware physically moves, responsibility persists post-diversion, and US jurisdiction attaches based on US-sales percentage regardless of where a company is incorporated. The BIS/OFAC framework, product classification filing requirements, and Crimea’s 300-city IP-blocking requirement illustrate that operational complexity is both real and ongoing — not a one-time setup exercise.

Sanctions Are Stable But Edge Cases Are Costly
The sanctioned-country list moves slowly — quarterly checks plus outside counsel bulletins describe the current workflow for most public companies. But edge cases (Russia’s ambiguous post-2022 status, Crimea’s sub-city granularity, the Arab Spring ‘Twitter exception’ for SaaS) create compliance surface area that’s easy to miss. The internal compliance owner is often a non-lawyer sitting in finance or sales ops who drifts into legal after something breaks.

Episodic vs. Continuous: Two Distinct Buyer Profiles
Smaller companies treat compliance as deferrable — the IPO forcing function is when historical violations must be disclosed and cleaned up, a process that can take a year. Public companies run layered, ongoing programs. This bifurcation maps cleanly onto TBD’s go-to-market challenge: urgency is concentrated in pre-IPO and public companies, not early-stage startups.

Modern Slavery as Supply Chain Diligence Analog
UK and Australian modern slavery requirements mandate public filings covering vendor diligence multiple tiers up the supply chain. Eleanor flagged ‘most procurement management is check the box — works until it doesn’t’ as the prevailing posture. This is a direct analog to the semiconductor supply chain mapping problem TBD is exploring.

GC Compensation as Compliance Signal
Apple GC Jen Newstead at a $77M first grant, Meta’s replacement hire at $50M. The role now bundles legal + government relations. Eleanor reads this as confirmation that compliance has moved from back-office cost center to board-level risk — validating premium tooling.

Notable Quotes

  • ‘Hardware physically moves. And once it moves to a sanctioned country, you’re still responsible — even if it’s been illegally smuggled in.’
  • ‘The time it typically comes up for a software company is when you want to go public. Then all of that has to be fixed.’
  • ‘Most procurement management is check the box — works until it doesn’t.’
  • ‘Didn’t know how to price SaaS; don’t know how to price AI properly.’

Surprises

  • Eleanor has a direct relationship with Intel’s GC — the warmest possible intro path into TBD’s target buyer persona at a flagship semiconductor company.
  • The compliance owner is often not a lawyer; they’re an analyst in finance or sales ops, which significantly affects both buyer persona targeting and product UX requirements.
  • The Sophos firewalls-in-Iran, Sudan, and Cuba matter is a publicly disclosed case study — useful as a concrete reference point in customer conversations.
  • Eleanor flagged false positives (ship named ‘Sudan’ triggering sanctions alerts) as a specific, named pain point in existing tools.

Open Questions

  • How do top semiconductor companies (Nvidia, Intel, TSMC, Applied Materials) currently manage compliance — in-house build vs. buy?
  • What is the actual workflow pain point severe enough to drive near-term adoption and switching behavior?
  • Would large semiconductor companies share supplier relationship data even in anonymized or aggregated form, given competitive sensitivity?
  • At what company stage does a compliance tool need to be sold, and who exactly is the economic buyer vs. the champion?