...
Examples of compliance mechanisms are top-level security policies, service provider agreements, and terms of service that allow the organization to enforce policies for entities bypassing the model. For example, a service provider setting up a gateway which bypasses authentication and authorization by sharing an account might be cut off from resources for breaking the model.
[OS2]
A process that ensures that security patches in operating system and application software are applied in a timely manner, and that patch application is recorded and communicated to the appropriate contacts.
A simple patch management process might be regular vulnerability scans, with a process to assign tickets to owners, and regular reviews of tickets to ensure that they are resolved within timelines following security policies. Sometimes this may be the responsibility of the the distributed infrastructure, but other times it may be part of the the service operators. Patch management policies may differ for different classes of resources.
Recording and communication could be as simple as assigning tickets to appropriate service operators.
...
Some explanations from Dave Kelsey (my personal views - recalling the history)
...