TL;DR: Compliance programmes are becoming more strategic, but 70% of corporate risk and compliance professionals say the shift from check-the-box compliance is only recent, while 69% of service organisations must prove alignment to at least six frameworks, according to Zluri’s roundup of compliance statistics. The practical lesson is that identity governance, audit evidence, and third-party oversight now need to be managed as one operating problem, not separate tasks.
At a glance
What this is: A compliance statistics roundup that shows how regulatory burden, third-party risk, and compliance tooling are converging into a governance problem with identity at the centre.
Why it matters: It matters because IAM, NHI, and security teams now have to produce defensible access evidence across more frameworks, more systems, and more third parties than traditional compliance models were built to handle.
By the numbers:
- 70% of corporate risk and compliance professionals have noticed a significant shift from basic check-the-box compliance to a more strategic approach.
- Nearly 70% of service organizations reported the necessity to demonstrate compliance or conformity to at least six different frameworks covering information security and data privacy.
- 48% of organizations do not have a comprehensive list of all third parties with access to their network.
Context
Compliance pressure is increasingly an identity governance problem because organisations now have to prove who can access what, through which systems, and under which controls. In practice, the challenge spans human users, service accounts, and third-party access, especially where access reviews, audit evidence, and entitlement ownership are handled in separate workflows.
The article’s core point is that compliance is no longer a back-office documentation exercise. Regulatory overlap, multi-system operations, and external access have turned it into a continuous control problem, which is why identity teams, not only legal or audit teams, now sit inside the compliance path.
Key questions
Q: How should security teams manage access reviews across multiple compliance frameworks?
A: They should standardise the review workflow, the evidence captured, and the ownership model before trying to satisfy each framework separately. A single control record should show the entitlement, approver, review result, and remediation status. That reduces duplication, improves audit readiness, and makes it easier to prove consistent governance across systems.
Q: Why do third-party identities create so much compliance risk?
A: Because third-party access extends your control boundary beyond employees and into relationships you do not fully operate day to day. If you cannot inventory those identities, tie them to owners, and revoke them promptly, you cannot demonstrate reliable governance. The risk is strongest where vendor access survives the business relationship that created it.
Q: What breaks when compliance evidence is spread across too many systems?
A: Auditability breaks first, followed by accountability. When approvals live in one tool, reviews in another, and revocations somewhere else, teams spend time reconstructing control history instead of managing the control itself. That fragmentation also increases the chance of missed deadlines, incomplete attestations, and inconsistent reporting.
Q: Who should own identity-related compliance controls in practice?
A: Ownership should sit with the teams that can actually execute and prove the control, usually IAM, IGA, PAM, and application owners working with compliance. Legal and audit can set requirements, but identity teams must maintain the evidence path, the lifecycle process, and the operational follow-through that make those requirements defensible.
Technical breakdown
Why multi-framework compliance strains identity evidence
Modern compliance environments rarely map to a single standard. When an organisation must satisfy GDPR, privacy requirements, sector rules, and internal policy at the same time, the evidence problem becomes harder than the control problem. Access records, approvals, review results, and remediation actions all need to line up across tools that were never designed to share a common governance model. That is why identity data becomes the anchor for auditability: it is the one layer that can tie users, service accounts, and privileged access back to a control owner and a business process.
Practical implication: build a single evidence model for access, reviews, and revocation before audit season forces ad hoc reconciliation.
How third-party access expands compliance scope
Third-party access changes compliance from internal governance to extended enterprise governance. Once vendors, contractors, or partners hold credentials, the organisation inherits review obligations, offboarding risk, and evidence gaps it may not fully control. The article’s third-party data shows why this is so difficult: many organisations cannot even enumerate all external parties with access. That means the problem is not only access approval, but inventory integrity, ownership, and timely revocation when relationships change.
Practical implication: maintain a continuously reconciled inventory of third-party identities and tie every external access path to an accountable owner.
Why automation matters for compliance operations
Manual compliance work does not scale well when the control set spans multiple applications, teams, and frameworks. Automation helps by turning repetitive tasks such as access reviews, evidence capture, and policy tracking into repeatable workflows with timestamps and artefacts. The deeper value is not speed alone. It is consistency. Automated controls produce a defensible trail, reduce missed revocations, and make it easier to prove that governance actions happened on time and by the right approver.
Practical implication: automate review, reporting, and attestation workflows where the same control must be proved across many systems.
NHI Mgmt Group analysis
Compliance has become an identity surface problem, not just a policy problem. Once organisations must prove access control across multiple frameworks, the quality of identity data determines the quality of compliance evidence. If entitlements, owners, and review outcomes are fragmented, the organisation may still have controls on paper but cannot demonstrate them in practice. The implication is that identity governance now functions as a control plane for compliance evidence, not a downstream admin task.
Third-party access without complete inventory is a governance blind spot, not an edge case. If nearly half of organisations cannot list every external party with network access, then offboarding, recertification, and accountability are already incomplete before the audit begins. That is a structural failure in lifecycle governance, because access that cannot be enumerated cannot be reviewed or revoked reliably. Practitioners should treat third-party identity inventory as a prerequisite for any defensible compliance programme.
Automation is changing compliance from document production to control verification. The article’s emphasis on technology adoption reflects a broader shift toward evidence-driven governance. Manual reporting may still satisfy a small programme, but large multi-framework environments need repeatable artefacts, consistent timestamps, and auditable workflows. That is where identity platforms, access review systems, and policy automation converge. Practitioners should design for verifiable control execution, not just policy intent.
Identity lifecycle discipline is now a compliance dependency across human, NHI, and external access. The same oversight gap appears in users, service accounts, and vendor credentials when joiner, mover, and leaver processes are fragmented. Offboarding delays, stale access, and unclear ownership all become audit findings once the organisation has to prove who retained access and why. The practical conclusion is that lifecycle governance must be treated as a compliance control family, not a narrow operational process.
Named concept: compliance evidence fragmentation. This article shows how evidence gets split across access tools, compliance systems, and business owners until no single team can reconstruct a complete control story. That fragmentation increases audit friction and weakens accountability even when individual controls exist. Practitioners should think in terms of evidence continuity, because compliance fails when proof is scattered across disconnected systems.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still operating with incomplete identity inventory.
- If you need the governance context behind that gap, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the lifecycle controls that make access review and offboarding defensible.
What this signals
Compliance teams should expect identity governance to absorb more of the audit burden as regulatory scope widens and external access expands. The practical signal is that access evidence, not policy text, will increasingly decide whether controls are accepted by auditors and regulators.
Compliance evidence fragmentation: the next phase of programme maturity is less about adding more controls and more about connecting the proof of existing controls. That means identity, GRC, and security operations need a shared evidence trail that survives framework changes and organisational change.
With 91.6% of secrets still valid five days after notification, per Ultimate Guide to NHIs, compliance delays are now operational risks as well as audit risks. Teams should treat delayed revocation as a measurable governance failure, not just a process inconvenience.
For practitioners
- Unify access evidence collection: Map approvals, access reviews, removals, and exception handling into one evidence model so auditors can trace a control from request to revocation without manual reconstruction.
- Inventory all third-party identities: Create and reconcile a complete list of vendors, contractors, and partners with access, including the applications and privileges each one holds, then assign a named owner for every entry.
- Automate recurring compliance workflows: Use workflow automation for recurring access reviews, attestation reminders, and reporting so control execution is repeatable across systems rather than dependent on manual follow-up.
- Tie offboarding to revocation checks: Require evidence that access was removed when an employee, contractor, or partner relationship ended, and flag any account that remains active after the relationship owner closes the case.
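The four practices above, and the single control record described in the technical breakdown, as one added example in Python. This is not code from Zluri or NHIMG: it joins a constructed third-party inventory to constructed access records, produces one evidence record per entitlement (entitlement, owner, approver, review result, remediation status), and flags the findings an auditor asks about: identities missing from the inventory, entries with no owner, overdue reviews, and access still active after the business relationship ended. The 90-day review interval and all identities, owners and dates are assumptions made for the example.

```python
"""Added example (not Zluri's or NHIMG's code): one evidence model that joins a
third-party identity inventory to access records and flags audit findings.
All data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed third-party inventory: one row per external identity, with an
# accountable owner and the date the business relationship ended (None = active).
INVENTORY = [
    {"identity": "svc-vendor-acme", "vendor": "Acme Logistics", "owner": "j.doe",
     "relationship_ended": None},
    {"identity": "ctr-bob", "vendor": "Bob Consulting", "owner": "a.smith",
     "relationship_ended": date(2025, 11, 30)},
    {"identity": "api-key-partnerx", "vendor": "Partner X", "owner": None,
     "relationship_ended": None},
]

# Constructed access export (as an IGA or application admin tool might produce):
# entitlement, approver, last review outcome, revocation date (None = still active).
ACCESS = [
    {"identity": "svc-vendor-acme", "app": "erp", "privilege": "read",
     "approved_by": "j.doe", "last_review": date(2025, 10, 1),
     "review_result": "retain", "revoked_on": None},
    {"identity": "ctr-bob", "app": "git", "privilege": "write",
     "approved_by": "a.smith", "last_review": date(2025, 6, 1),
     "review_result": "retain", "revoked_on": None},      # active after offboarding
    {"identity": "api-key-partnerx", "app": "crm", "privilege": "admin",
     "approved_by": "unknown", "last_review": None,
     "review_result": None, "revoked_on": None},          # never reviewed, no owner
    {"identity": "svc-unknown-99", "app": "vpn", "privilege": "connect",
     "approved_by": "m.lee", "last_review": date(2025, 9, 15),
     "review_result": "retain", "revoked_on": None},      # not in the inventory
]

REVIEW_INTERVAL = timedelta(days=90)  # assumed recertification cadence


@dataclass
class ControlRecord:
    """One evidence record: entitlement, owner, approver, review, remediation."""
    identity: str
    app: str
    privilege: str
    owner: Optional[str]
    approved_by: str
    last_review: Optional[date]
    review_result: Optional[str]
    revoked_on: Optional[date]
    relationship_ended: Optional[date]
    in_inventory: bool
    findings: list = field(default_factory=list)

    @property
    def remediation_status(self) -> str:
        if self.revoked_on is not None:
            return "revoked"
        return "open" if self.findings else "compliant"


def build_control_records(inventory, access, as_of: date) -> list[ControlRecord]:
    """Join the inventory and access exports into one record per entitlement and
    attach findings: unknown identity, missing owner, access that outlived the
    relationship, and reviews older than REVIEW_INTERVAL (or never done)."""
    by_identity = {row["identity"]: row for row in inventory}
    records = []
    for a in access:
        inv = by_identity.get(a["identity"])
        rec = ControlRecord(
            identity=a["identity"], app=a["app"], privilege=a["privilege"],
            owner=inv["owner"] if inv else None,
            approved_by=a["approved_by"], last_review=a["last_review"],
            review_result=a["review_result"], revoked_on=a["revoked_on"],
            relationship_ended=inv["relationship_ended"] if inv else None,
            in_inventory=inv is not None,
        )
        if not rec.in_inventory:
            rec.findings.append("not_in_inventory")
        elif rec.owner is None:
            rec.findings.append("no_owner")
        if rec.revoked_on is None:
            if rec.relationship_ended and rec.relationship_ended < as_of:
                rec.findings.append("active_after_offboarding")
            if rec.last_review is None or as_of - rec.last_review > REVIEW_INTERVAL:
                rec.findings.append("review_overdue")
        records.append(rec)
    return records


def run_audit(as_of_iso: str) -> dict[str, list[str]]:
    """Audit-report view over the sample data: identity -> open findings."""
    records = build_control_records(INVENTORY, ACCESS, date.fromisoformat(as_of_iso))
    return {r.identity: r.findings for r in records if r.findings}


def status_summary(as_of_iso: str) -> dict[str, str]:
    """Remediation status per entitlement, keyed as 'identity/app'."""
    records = build_control_records(INVENTORY, ACCESS, date.fromisoformat(as_of_iso))
    return {f"{r.identity}/{r.app}": r.remediation_status for r in records}


if __name__ == "__main__":
    for rec in build_control_records(INVENTORY, ACCESS, date(2025, 12, 25)):
        print(f"{rec.identity:18} {rec.app:4} {rec.privilege:8} owner={rec.owner} "
              f"status={rec.remediation_status} findings={rec.findings}")
```

The design point is the join: neither export alone can answer "who still holds access after the relationship ended" or "which access belongs to nobody"; only the reconciled record can, which is why the inventory has to be kept current before review or offboarding evidence means anything.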
Key takeaways
- Compliance is increasingly governed through identity data, because audit evidence now depends on who has access, who approved it, and who removed it.
- Third-party access is one of the clearest weak points in compliance programmes, especially when organisations cannot maintain a complete inventory of external identities.
- Automation and lifecycle discipline are no longer optional efficiency measures; they are the controls that make multi-framework compliance provable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity access governance underpins evidence for compliance across systems. |
| NIST CSF 2.0 | GV.RM-01 | The article frames compliance as a risk management and governance issue. |
| NIST Zero Trust (SP 800-207) | | Zero Trust depends on continuous verification of access and accountability. |
Tie identity governance controls to risk ownership and escalation paths, not only policy statements.
Key terms
- Compliance Evidence: Compliance evidence is the artefact trail that proves a control operated as intended. In identity programmes, that usually includes approvals, review outcomes, revocation records, and exception handling. Strong evidence is time-bound, attributable, and reusable across audits instead of being rebuilt manually for each framework.
- Third-Party Identity: A third-party identity is any non-employee account or credential used by a vendor, contractor, or partner to access organisational systems. These identities are high risk because ownership is split across organisations, lifecycle events are harder to track, and revocation depends on the business relationship staying visible.
- Access Review: An access review is a recurring governance check that confirms an identity still needs the access it holds. For human, NHI, and external identities alike, the value comes from timely challenge and revocation, not from the review event itself. Without follow-through, a review becomes documentation rather than control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: IT Teams Key Compliance Statistics & Insights For 2026. Read the original.
Published by the NHIMG editorial team on 2025-12-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org