TL;DR: A survey of more than 250 security and compliance professionals found that 93% rate cybersecurity as a top or major priority, yet more than half report one or fewer full-time security staff and three quarters allocate 15% or less of annual budget to security and compliance, according to Secureframe. The gap between priority and capacity is now shaping how teams approach automation, evidence collection, and buyer assurance.
At a glance
What this is: This benchmark preview shows that 2026 security programmes are being asked to do more with less, while AI, manual compliance work, and customer assurance demands all intensify.
Why it matters: For IAM, NHI, and broader security practitioners, the report underscores that governance quality now depends on automation, evidence discipline, and the ability to prove control coverage under resource constraints.
By the numbers:
- 93% of respondents said cybersecurity is a top or major priority within their organization.
- Three quarters still allocate 15% or less of their annual budget to security and compliance.
👉 Read Secureframe's 2026 cybersecurity benchmark report on staffing, AI, and compliance
Context
Cybersecurity benchmark data matters because it shows where programme reality diverges from programme intent. In this case, the primary issue is not a lack of strategic attention but a lack of operational capacity, with security, compliance, and buyer assurance all competing for the same limited teams and budgets.
That pressure also intersects with identity governance. When staff are thin and manual work persists, access reviews, evidence collection, and control attestation become harder to sustain across IAM, PAM, NHI, and emerging AI-related controls. The result is not just slower compliance work, but weaker assurance over who and what can act in production.
Key questions
Q: How should security teams manage cyber programmes when headcount is limited?
A: Security teams should prioritise controls that can be operated and evidenced continuously, not just designed well on paper. That means centralising evidence, reducing duplicate manual tasks, and assigning clear ownership for access reviews, privileged access, and exception handling. Limited headcount exposes process fragility, so the goal is to shrink dependence on ad hoc heroics.
Q: Why do manual compliance processes create security risk?
A: Manual processes create risk because they slow down evidence production, introduce inconsistency, and make it harder to verify current control state. When audit records are assembled after the fact, teams can miss access drift, stale approvals, or unreviewed exceptions. In identity-heavy environments, that delay can weaken assurance over both human and non-human access.
Q: What do organisations get wrong when they adopt AI for security?
A: Organisations often assume that AI capability automatically means security value. In practice, the mistake is failing to define the boundary between decision support and delegated action. If the organisation cannot explain what the AI is allowed to do, it cannot govern the risk it introduces into identity and response workflows.
Q: How can teams prove cybersecurity assurance to customers without adding more manual work?
A: Teams should build a repeatable evidence model that ties controls to current data, not static documents. That means using standard control mappings, automated exports from core systems, and a single source of truth for certifications, access governance, and exceptions. Buyers want fast proof, so assurance has to be always available rather than assembled on demand.
Technical breakdown
Why cybersecurity priorities do not translate into capacity
A programme can be labelled a top priority and still be under-resourced. That gap appears when security owns more controls than it can operationalise, especially when compliance, risk, and customer assurance all draw from the same team. In practice, the constraint is not only headcount. It is also time, process maturity, and the ability to standardise evidence across frameworks. For identity-led programmes, this matters because access governance, secret handling, and lifecycle controls degrade first when teams are stretched.
Practical implication: map control ownership against staffing and stop assuming priority status equals execution capacity.
How AI changes both attack surface and control work
The report captures a dual shift. AI is being used to accelerate repetitive security tasks, but it is also expanding the threat landscape through deepfakes, automated phishing, and adaptive malware. That combination changes programme design because defenders must evaluate AI not just as a productivity layer, but as a governance object with its own risk profile. Where AI systems touch identity, the question becomes who authorises, monitors, and constrains the actions that AI-assisted workflows can trigger.
Practical implication: treat AI-assisted workflows as governed systems and define access, review, and oversight before scaling them.
Why manual compliance work becomes a security weakness
Manual evidence collection and audit preparation are not just inefficient. They create drift, inconsistency, and blind spots because the control record is assembled after the fact rather than continuously maintained. That weakens assurance across identity and broader security programmes, especially where recurring access reviews, exception handling, or policy attestations depend on accurate current state. Automation does not remove accountability, but it reduces the gap between control operation and control proof.
Practical implication: centralise evidence and automate recurring control checks so audit readiness is continuous, not seasonal.
Threat narrative
Attacker objective: The attacker objective is to exploit scaled social engineering and slow governance processes to gain access and reduce the organisation's ability to prove control integrity.
- Entry begins with AI powered attacks such as deepfakes and automated phishing, which expand the volume and believability of initial compromise attempts.
- Escalation follows when limited staff and manual controls slow detection, evidence correlation, and access review, giving attackers more room to exploit process gaps.
- Impact lands in delayed assurance, weakened control coverage, and increased exposure across identity, compliance, and customer trust workflows.
NHI Mgmt Group analysis
Resource pressure is now a governance problem, not just an operating constraint. When more than half of organisations have one or fewer full-time security staff, programme maturity is no longer limited by policy design alone. It is limited by whether controls can be executed, evidenced, and re-validated at scale. For identity programmes, that means lifecycle, privileged access, and non-human access controls must be designed for low-friction operation, not heroic manual maintenance.
AI security work is converging with identity governance faster than most programmes are prepared for. The report's split between AI-enabled defence and AI-enabled attack shows that AI systems are becoming both tools and subjects of control. That creates a governance debt where access, approval, and monitoring models have to cover humans, machine identities, and AI-assisted workflows together. Practitioners should treat this as an identity governance expansion, not a separate innovation track.
Manual assurance is the weak link in multi-framework compliance. When audit preparation consumes significant weekly effort, the issue is not merely efficiency. It is that evidence quality, control consistency, and exception tracking degrade across frameworks, especially where access governance depends on current state data. The named concept here is assurance lag: the gap between control operation and the proof needed to demonstrate it. Security teams should shrink that lag before it becomes a trust problem.
Security buyer expectations are turning compliance into an access-control adjacent discipline. If nearly half of respondents say certification gaps delay sales cycles, then trust centres, evidence packs, and assurance workflows are part of the external control surface. That matters for identity teams because customers increasingly want proof of who can access what, how that access is governed, and whether machine identities are controlled with the same rigour as human users.
Identity programmes should read this report as an operating model warning. The organisations that will cope best are not simply the ones with more tools. They are the ones that standardise control evidence, reduce manual review effort, and make access governance measurable across humans, service accounts, and emerging AI-driven processes. That is now a baseline requirement, not a maturity aspiration.
What this signals
Assurance lag will become a visible programme risk as security teams try to satisfy more buyers with fewer staff. Organisations that still rely on manual evidence assembly will find that access reviews, exception handling, and control attestations fail at the same time, which is where identity governance and operational resilience start to overlap.
The next maturity step is not more policy volume. It is tighter control instrumentation across IAM, PAM, NHI, and AI-assisted workflows so evidence is generated as a by-product of operations. That is the practical route to reducing audit friction, improving customer trust, and making compliance a continuous condition rather than a recurring scramble.
For practitioners
- Standardise control ownership across security and compliance Create a control-to-owner map that shows which team is responsible for access reviews, evidence collection, exception handling, and attestation, then identify where one person currently covers multiple critical functions.
- Automate recurring evidence collection Move audit artefacts, access logs, and approval records into a central evidence workflow so control proof is continuously updated instead of rebuilt during audit season.
- Extend governance to AI-assisted workflows Define approval boundaries for generative AI and other AI powered tools when they support risk assessments, policy drafting, or monitoring, and record where human review remains mandatory.
- Reduce manual work in identity assurance Prioritise automation for access recertification, privileged access review, and non-human identity tracking so constrained teams can maintain control coverage without expanding headcount.
Key takeaways
- Cybersecurity prioritisation is not the same as cybersecurity capacity, and the gap is now shaping programme quality.
- AI is amplifying both attacker tactics and defensive workflows, which means governance must cover the systems that create evidence as well as the systems that consume it.
- Manual compliance processes create assurance lag, and teams that cannot shrink that lag will struggle to prove control coverage to customers and auditors.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-03 | The report is about organisational priority, capability, and governance context. |
| NIST SP 800-53 Rev 5 | AU-6 | Manual evidence work makes audit review and accountability central to the topic. |
| CIS Controls v8 | CIS-17 , Incident Response Management | AI-powered attacks and operational pressure make response readiness part of the discussion. |
| NIST AI RMF | GOVERN | AI is both a defensive tool and a risk factor in the article. |
| ISO/IEC 27001:2022 | A.5.15 | The article's compliance and assurance themes map to access control governance. |
Test response and evidence workflows under constrained staffing and heavy automation.
Key terms
- Assurance Lag: The delay between a control operating in the environment and the organisation being able to prove that it operated correctly. In practice, this appears when evidence is collected manually, inconsistently, or too late for audits, customer reviews, or incident response needs.
- Control Evidence: The records and signals used to demonstrate that a security control is functioning as intended. Good evidence is current, repeatable, and tied to the control itself, not assembled as a one-off document package after a request arrives.
- AI-assisted workflow: A workflow in which a person uses AI to draft, classify, summarise, or recommend actions as part of normal work. The human may remain accountable, but the machine changes how decisions are formed and how much of the output is generated before review.
- Identity Governance: The set of policies, controls, and operating routines used to manage who and what has access, for how long, and under what approval conditions. It applies to human users, service accounts, tokens, and increasingly AI-driven systems that can initiate actions.
What's in the full report
Secureframe's full benchmark report covers the operational detail this post intentionally leaves for the source:
- Industry-by-industry benchmark breakdowns that show how staffing, budgets, and AI adoption differ across organisations.
- Multi-framework maturity insights that help teams compare their control posture against peers with similar compliance pressure.
- Trust centre, audit report, and RFP workflow detail for teams trying to reduce deal friction through better assurance.
- Best-practice recommendations for 2026 that go beyond the preview findings and into implementation choices.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a practical foundation for applying identity control discipline across modern security programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org