How can we reconcile the light touch approach of agile development teams to the governance and information security requirements such as Data Privacy and Regulatory Compliance? I discuss how to bring together the apparently conflicting needs of information security and agile, and show by example how agile teams actually approach tough regulatory requirements and good governance.