TL;DR: IT compliance audits check whether security controls, policies, and evidence align with laws and frameworks such as HIPAA, PCI-DSS, SOC 2, ISO, and GDPR, according to Zluri. The governance lesson is bigger than certification: audit readiness depends on provable access control, periodic review, and remediation discipline across human, workload, and service identities.
NHIMG editorial — based on content published by Zluri: Security & Compliance IT Compliance Audit - A Comprehensive Guide in 2026
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should teams make IT compliance audits work across human and non-human identities?
A: Teams should use one governance model for all identity types, then vary the controls by subject.
Q: Why do compliance audits often expose NHI problems before they expose human IAM issues?
A: NHIs usually accumulate faster, are reviewed less often, and persist longer than human accounts.
Q: What should organisations do when audit evidence does not match actual access state?
A: They should treat the mismatch as a control failure, not a reporting problem.
Practitioner guidance
- Inventory every privileged identity and assign a named owner Build a complete register of human admin accounts, service accounts, API keys, tokens, and certificates, then attach business purpose, system scope, and review cadence to each one.
- Connect access reviews to actual entitlement changes Do not let certification end at approval.
- Track secrets outside approved vaults as audit exceptions Identify credentials stored in code, config files, CI/CD tools, and shared documents, then treat each location as a control exception until it is removed or formally justified.
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Framework-by-framework audit checklist for HIPAA, PCI-DSS, SOC 2, ISO, and GDPR so teams can map requirements to controls.
- Step-by-step access review and auto-remediation workflow detail for operational teams that need to turn governance into action.
- Examples of access directory, access privilege, and activity alert workflows that support evidence collection during an audit.
- Practical certification process guidance for organisations trying to formalise compliance reporting and remediation.
👉 Read Zluri's guide to IT compliance audit controls and frameworks →
IT compliance audits and access controls: what IAM teams miss?
Explore further
Compliance audits fail where identity governance is treated as documentation instead of control execution. The article correctly frames audits as a way to verify adherence, but the deeper lesson is that access governance only matters when entitlements, reviews, and revocation happen in the live environment. In identity terms, a clean policy without operational removal is not compliance. Practitioners should treat audit readiness as proof of control closure, not evidence collection alone.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why audit evidence often breaks at the ownership and scope layer.
A question worth separating out:
Q: Who is accountable when an audit finds unmanaged service accounts or secrets?
A: Accountability should sit with the system owner, the identity governance function, and the security team together, because unmanaged non-human identities cut across all three. The auditor will usually care less about who created the issue than whether the organisation can prove ownership, remediation, and ongoing control. That is the accountability chain to document.
👉 Read our full editorial: IT compliance audits expose access-control gaps in identity programmes