How can compliance be tested? Corporations must comply with a dizzying array of laws and regulations. To accomplish this complex task, corporations increasingly turn not just to the legal department and outside counsel but also to an in-house group composed of non-lawyer specialists who seek to educate and motivate personnel with respect to their obligations under the law and the corporation’s code of conduct. How can prosecutors, enforcers, companies, or the public know whether compliance is effective or merely cosmetic? In this Article, we argue that hope-based compliance — a mentality that leads insiders and outsiders to assess compliance programs by examining how many resources organizations devote to the effort and whether the programs appear well-intentioned or comply with accepted “best practices” within an industry — predictably arises from the incentives and practices evident under current laws. We describe the “compliance trap”: that efforts to validate compliance are not encouraged by enforcers or regulators. Such entities should want companies to share sound compliance practices to improve standards in industry. Individual companies, however, have incentives not to share information about compliance failures, lest they risk liability. Nor do companies have strong incentives to share information about compliance successes, lest competitors use their strategies too. Rather than address this problem, regulators and enforcers, as we will explore, have exacerbated it. We propose a set of legal reforms that would create the conditions for a move to evidence-based compliance. We describe a range of ways that companies can audit employees, using data analytics but also inexpensive and simple experimental approaches drawn from organizational psychology. We call for a scientific approach towards regulating compliance through testing, in which compliance data must be made public and empirically validated.