TL;DR: Compliance programmes are becoming more strategic, but 70% of corporate risk and compliance professionals say the shift from check-the-box compliance is only recent, while 69% of service organisations must prove alignment to at least six frameworks, according to Zluri’s roundup of compliance statistics. The practical lesson is that identity governance, audit evidence, and third-party oversight now need to be managed as one operating problem, not separate tasks.
NHIMG editorial — based on content published by Zluri: IT Teams Key Compliance Statistics & Insights For 2026
By the numbers:
- 70% of corporate risk and compliance professionals have noticed a significant shift from basic check-the-box compliance to a more strategic approach.
- Nearly 70% of service organizations reported the necessity to demonstrate compliance or conformity to at least six different frameworks covering information security and data privacy.
- 48% of organizations do not have a comprehensive list of all third parties with access to their network.
Questions worth separating out
Q: How should security teams manage access reviews across multiple compliance frameworks?
A: They should standardise the review workflow, the evidence captured, and the ownership model before trying to satisfy each framework separately.
Q: Why do third-party identities create so much compliance risk?
A: Because third-party access extends your control boundary beyond employees and into relationships you do not fully operate day to day.
Q: What breaks when compliance evidence is spread across too many systems?
A: Auditability breaks first, followed by accountability.
Practitioner guidance
- Unify access evidence collection: map approvals, access reviews, removals, and exception handling into one evidence model so auditors can trace a control from request to revocation without manual reconstruction.
- Inventory all third-party identities: create and reconcile a complete list of vendors, contractors, and partners with access, including the applications and privileges each one holds, then assign a named owner for every entry.
- Automate recurring compliance workflows: use workflow automation for recurring access reviews, attestation reminders, and reporting so control execution is repeatable across systems rather than dependent on manual follow-up.
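The two checks the first two guidance items describe, reconciling a third-party inventory against what the applications actually grant and verifying that every access record has a complete request-to-revocation evidence chain, can be expressed as a small script. This is an added example, not code from Zluri or from the NHIMG editorial; the inventory, grants and evidence records are constructed for illustration, and the field names (owner, apps, request, approval, review, revocation) are assumptions about how such data would be stored.

```python
"""Added example, not from the article: reconcile a third-party identity
inventory against observed application grants, and check that each access
record carries a complete evidence chain. All data here is constructed."""

# Constructed inventory: what the organisation *believes* about its third parties.
INVENTORY = {
    "vendor-acme": {"owner": "j.doe", "apps": {"crm", "ticketing"}},
    "contractor-bob": {"owner": None, "apps": {"git"}},   # no named owner
    "partner-zeta": {"owner": "m.lee", "apps": {"billing"}},
}

# Constructed grants pulled from the applications themselves (the ground truth).
OBSERVED_GRANTS = [
    ("vendor-acme", "crm", "read"),
    ("vendor-acme", "ticketing", "admin"),
    ("contractor-bob", "git", "write"),
    ("contractor-bob", "ci", "admin"),        # app not listed in the inventory
    ("vendor-ghost", "hr-portal", "read"),    # identity not in the inventory at all
]

# Constructed evidence records: one row per (identity, app) access decision.
EVIDENCE = [
    {"identity": "vendor-acme", "app": "crm", "request": "REQ-1",
     "approval": "APR-1", "review": "REV-1", "revocation": "RVK-1"},
    {"identity": "contractor-bob", "app": "git", "request": "REQ-2",
     "approval": "APR-2", "review": None, "revocation": None},
]


def reconcile_inventory(inventory, grants):
    """Return (finding_type, identity, app) tuples for every mismatch between
    the inventory and observed grants, plus ownership and privilege flags."""
    findings = []
    observed = {}
    for identity, app, _priv in grants:
        observed.setdefault(identity, set()).add(app)

    # Inventory-side checks: missing owner, and entries the apps no longer back.
    for name, entry in inventory.items():
        if not entry["owner"]:
            findings.append(("unowned", name, None))
        for app in sorted(entry["apps"]):
            if app not in observed.get(name, set()):
                findings.append(("stale_entry", name, app))

    # Grant-side checks: identities or apps the inventory does not know about,
    # and elevated privileges that should be explicitly reviewed.
    for identity, app, priv in grants:
        entry = inventory.get(identity)
        if entry is None:
            findings.append(("unknown_identity", identity, app))
        elif app not in entry["apps"]:
            findings.append(("untracked_app", identity, app))
        if priv == "admin":
            findings.append(("privileged", identity, app))
    return findings


def evidence_gaps(records, required=("request", "approval", "review")):
    """Map (identity, app) to the evidence steps that are missing. Revocation is
    only required once access has ended, so it is not in the default set."""
    gaps = {}
    for rec in records:
        missing = [step for step in required if not rec.get(step)]
        if missing:
            gaps[(rec["identity"], rec["app"])] = missing
    return gaps


if __name__ == "__main__":
    for finding in reconcile_inventory(INVENTORY, OBSERVED_GRANTS):
        print("inventory:", finding)
    for key, missing in evidence_gaps(EVIDENCE).items():
        print("evidence gap:", key, "missing", missing)
```

Running the script lists the unowned contractor, the partner entry no application backs, the CI access and the unknown vendor the inventory never recorded, the two admin grants, and the one access record that was approved but never reviewed. In practice the inventory and grants would be exported from the IGA platform and each application's admin API rather than embedded as constants.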
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of compliance statistics across multiple industry surveys and benchmarks.
- The specific percentages behind risk, regulatory action, outsourcing, and automation adoption trends.
- The broader compliance and ESG context that sits outside identity governance strategy.
- The article's vendor commentary on access review tooling and compliance operations.
👉 Read Zluri’s compliance statistics roundup for 2026 planning →
Compliance statistics and the identity governance gap for IAM teams
Explore further
Compliance has become an identity surface problem, not just a policy problem. Once organisations must prove access control across multiple frameworks, the quality of identity data determines the quality of compliance evidence. If entitlements, owners, and review outcomes are fragmented, the organisation may still have controls on paper but cannot demonstrate them in practice. The implication is that identity governance now functions as a control plane for compliance evidence, not a downstream admin task.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still operating with incomplete identity inventory.
A question worth separating out:
Q: Who should own identity-related compliance controls in practice?
A: Ownership should sit with the teams that can actually execute and prove the control, usually IAM, IGA, PAM, and application owners working with compliance. Legal and audit can set requirements, but identity teams must maintain the evidence path, the lifecycle process, and the operational follow-through that make those requirements defensible.
👉 Read our full editorial: Compliance statistics for 2026 show identity governance pressure