National governments increasingly employ private governance—firm-level self-regulation structures—to shape global business operations. For companies, private governance entails material and organizational costs that constrain business activities. For national governments, corporate self-regulation often lacks credibility as a commitment to compliance, as firms may use it as mere "window-dressing." Why, then, do states entrust global firms with the responsibility of self-policing in regulatory enforcement? I present a model where corporate self-regulation functions as a costly mechanism revealing business operational information. For states, private self-regulation enables probabilistic enforcement, conserving investigative resources while identifying some risky firms. Without this arrangement, states may engage in over- or under-enforcement, depending on their prior beliefs about firms' risk profiles. Firms at risk of regulatory violations may adopt costly self-regulation when state enforcement is uncertain, as this effort can reduce future non-compliance penalties. The model predicts that the likelihood of self-regulation increases with firms' risk level, while low-risk firms avoid self-regulation altogether, irrespective of state enforcement strategies. I illustrate the theoretical mechanisms in the context of private national security governance, an increasingly critical domain of global regulatory enforcement. Specifically, I examine two counterintuitive enforcement designs: the "risk-based" principle and effort-based leniency in post-violation penalties. This model contributes to understanding strategic state-business interactions across regulatory domains and advances the debate on public and private authority in global regulatory politics.