Conventional compliance management approaches employees as risk factors. Their capacity to contribute to the maintenance of social norms is overlooked. This can be fixed, by focusing less on surveillance and control, and more on supporting self-governance.