On December 4, Cantina and SOL Strategies sat down to answer a hard question that many teams on Solana are facing right now.

How do you meet institutional expectations for security and compliance without slowing the product down or losing what makes Solana unique?

Max Kaplan (CTO) and Justin Nadile (Head of Growth) from SOL Strategies brought the institutional lens. Hari Mulackal, Cantina’s CEO, brought the security and implementation angle. Together, the conversation turned into a blueprint for how Solana projects can grow up fast, without growing rigid.

Why this moment on Solana is different

The starting point was simple: institutional activity on Solana is no longer a future scenario.

Custody providers now support Solana at scale. Staking operations are professionalizing. Real-world assets and structured products are moving onto Solana rails. Digital asset funds and corporate treasuries are asking more detailed questions.

That shift changes the bar.

Institutional teams want to know who controls upgrades, how keys are managed, how access is approved, and what happens when something goes wrong. They expect monitoring, logs, and a clear story on KYC and AML where it applies.

During the webinar, we agreed on one thing early. Compliance is not a parallel track to the business. It is one of the main ways you unlock distribution, deeper partnerships, and larger checks.

From policy to reality on Solana

The heart of the session focused on a practical problem.

Most organizations understand the words security and compliance. The hard part is turning those words into a real architecture on Solana. We walked through how to do that in layers.

The first layer is obligations. What regulators, banking partners, and internal risk teams care about. That includes access control, governance, custody of client assets, KYC and AML in permissioned flows, business continuity, and incident response.

The second layer is controls. The decisions you make in code, infrastructure, and process. Who can pause a protocol. How program upgrades are approved and executed. How treasury and validator keys are created, stored, and rotated. Where you place identity checks if you work with regulated capital.

The third layer is evidence. The logs, reports, and artifacts that prove those controls exist and are followed.

For Solana teams, these layers show up in very specific ways. Governance programs with transparent upgrade authorities. Multisigs or MPC for critical actions. Segregation between operational wallets and treasury wallets. Monitoring on-chain events and off-chain infrastructure in one place.

The takeaway was clear. The best projects design for security and compliance at the same time as they design for throughput and latency. They do not wait for a listing conversation to start thinking about it.

What institutions actually look for

Justin and Max shared how these decisions look from an institutional side.

When an allocator or enterprise partner reviews a Solana project, the questions converge fast.

Who can change the rules?
What happens if there is an incident?
How fast can you respond without creating more risk?
How do you prevent bad actors from using the system when the law requires screening?

Most of that evaluation happens before the relationship even feels serious. A team that can answer with specific details moves through diligence faster. A team that answers with marketing language stalls.

We explored how this changes go-to-market strategy. Strong security and compliance foundations shorten listing timelines, reduce legal back-and-forth, and make it easier for conservative institutions to justify a Solana allocation internally.

In other words, controls are not just cost. They are part of the product that institutions are buying.

Building an operating model, not a binder

Another theme that came up repeatedly was operational maturity.

Security and compliance do not live in a static document. They live in the way a team works when something unexpected happens.

We covered what that looks like in practice on Solana. Clear ownership for key areas. A defined path for upgrades and parameter changes. Real incident runbooks for different scenarios, from a front-end compromise to a protocol-level issue. Communication plans that respect users and partners as events unfold.

This is the point where security starts to reinforce trust instead of fear.

When teams explain their operating model calmly and concretely, it can help address institutional concerns about operational risks. 

Q&A: where teams are feeling the pressure

The audience questions clustered around three themes.

The first was where to start if you are still early. Our answer was to start with governance and key management. Decide who controls what, document it, and make it visible. Institutions understand that features will ship and change. Sudden, opaque changes to core control surfaces are much harder to accept.

The second was how to handle KYC and AML without weakening the user experience. We talked about separating flows. Some markets or pools will remain fully permissionless. Others, aimed at regulated capital, will need strong identity and screening at the edge or in dedicated venues. The key is being explicit about which is which and designing accordingly.

The third was about ownership. Who should drive this work. We suggested a cross-functional approach. Legal and compliance define obligations. Engineering and security design controls and monitoring. Leadership aligns incentives so that closing a deal never means bypassing the controls that protect the business.

From webinar to community guide

We did not want the conversation to end when the call wrapped up.

Our teams have pulled the main ideas, patterns, and starting points into a practical guide for Solana builders who are serious about institutional adoption. It covers how to translate obligations into architecture, how to design governance that institutions trust, and how to prepare for the kinds of questions that now show up in every serious conversation.

You can read and share the guide with your team here.

Organizations interested in discussing institutional-grade security and compliance for Solana can contact us here.
