TL;DR: Compliance programmes are becoming more strategic, but 70% of corporate risk and compliance professionals say the shift from check-the-box compliance is only recent, while 69% of service organisations must prove alignment to at least six frameworks, according to Zluri’s roundup of compliance statistics. The practical lesson is that identity governance, audit evidence, and third-party oversight now need to be managed as one operating problem, not separate tasks.
NHIMG editorial — based on content published by Zluri: IT Teams Key Compliance Statistics & Insights For 2026
By the numbers:
- 70% of corporate risk and compliance professionals have noticed a significant shift from basic check-the-box compliance to a more strategic approach.
- Nearly 70% of service organizations reported the necessity to demonstrate compliance or conformity to at least six different frameworks covering information security and data privacy.
- 48% of organizations do not have a comprehensive list of all third parties with access to their network.
Questions worth separating out
Q: How should security teams manage access reviews across multiple compliance frameworks?
A: They should standardise the review workflow, the evidence captured, and the ownership model before trying to satisfy each framework separately.
Q: Why do third-party identities create so much compliance risk?
A: Because third-party access extends your control boundary beyond employees and into relationships you do not fully operate day to day.
Q: What breaks when compliance evidence is spread across too many systems?
A: Auditability breaks first, followed by accountability.
Practitioner guidance
- Unify access evidence collection: Map approvals, access reviews, removals, and exception handling into one evidence model so auditors can trace a control from request to revocation without manual reconstruction.
- Inventory all third-party identities: Create and reconcile a complete list of vendors, contractors, and partners with access, including the applications and privileges each one holds, then assign a named owner for every entry.
- Automate recurring compliance workflows: Use workflow automation for recurring access reviews, attestation reminders, and reporting so control execution is repeatable across systems rather than dependent on manual follow-up.
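The reconciliation step in the third-party inventory guidance can be run as a repeatable check. The sketch below is an added example, not code from Zluri or from this editorial; the party names, field names and the grant export format are constructed assumptions.

```python
# Added example: all data is constructed and all field names are hypothetical.
from collections import defaultdict

# Constructed inventory: third party -> named owner and the access it is recorded as holding.
INVENTORY = {
    "acme-payroll": {"owner": "j.ortiz", "access": {("hr-suite", "read")}},
    "northwind-msp": {"owner": None, "access": {("vpn", "user"), ("ticketing", "admin")}},
    "old-auditor": {"owner": "p.shah", "access": {("finance-erp", "read")}},
}

# Constructed export of live grants: (third_party, application, privilege).
GRANTS = [
    ("acme-payroll", "hr-suite", "read"),
    ("acme-payroll", "hr-suite", "admin"),       # privilege not recorded in the inventory
    ("northwind-msp", "vpn", "user"),
    ("northwind-msp", "ticketing", "admin"),
    ("contoso-dev", "source-control", "write"),  # party missing from the inventory
]

def reconcile(inventory, grants):
    """Compare live grants with the inventory and return findings grouped by type."""
    live = defaultdict(set)
    for party, app, priv in grants:
        live[party].add((app, priv))
    findings = {"unlisted_party": [], "no_owner": [],
                "unrecorded_access": [], "no_live_access": []}
    # Parties that hold access but were never inventoried.
    for party in sorted(live):
        if party not in inventory:
            findings["unlisted_party"].append(party)
    for party in sorted(inventory):
        entry = inventory[party]
        # Every entry needs a named owner who answers for the review.
        if not entry.get("owner"):
            findings["no_owner"].append(party)
        # Live privileges that the inventory does not record.
        for app, priv in sorted(live.get(party, set()) - entry["access"]):
            findings["unrecorded_access"].append((party, app, priv))
        # Inventory entries with nothing live: candidates for closing out the record.
        if party not in live:
            findings["no_live_access"].append(party)
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, GRANTS).items():
        print(kind, items)
```

Each finding type maps to a different follow-up: unlisted parties and unrecorded access are inventory gaps, while missing owners are an accountability gap.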
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of compliance statistics across multiple industry surveys and benchmarks.
- The specific percentages behind risk, regulatory action, outsourcing, and automation adoption trends.
- The broader compliance and ESG context that sits outside identity governance strategy.
- The article's vendor commentary on access review tooling and compliance operations.