Understanding the current risk and compliance landscape is no longer the responsibility of just one team like IT or legal—it’s a strategic imperative for growth, resilience, and trust that should involve the entire organization. 

Drawing from the latest research from authorities including Navex, Thomson Reuters Institute, Gartner, A-LIGN, PwC, World Economic Forum, and IBM, this post curates the most current compliance statistics to give leaders a clear picture of how the regulatory landscape is evolving and compliance programs and professionals are adapting—and what that means for your strategy, budget, audits, third-party oversight, and AI governance moving into 2026 and beyond.

Key findings

Here are some of the most significant takeaways and compliance statistics pulled from the list below:

• Compliance is a strategic enabler: 77% of global C-suite leaders say compliance contributes significantly or moderately to company objectives.
• Noncompliance is costly: Breaches with a noncompliance factor cost $174K more on average and $4.61M overall in 2025.
• Non-financial compliance risk is real: Adverse media, reputational damage, and employee litigation were each reported as compliance issues by 14% of risk and compliance professionals. This total (42%) rivaled those that reported traditional concerns of privacy breaches and regulatory actions (45%).
• Audit cadence keeps rising: 58% of organizations conducted 4 or more audits in 2025; 35% of enterprises conducted more than 6 on average. 
• ISO 27001 momentum gaining over SOC 2: 81% of organizations report current or planned ISO 27001 certification in 2025—up from 67% in 2024—and more often ranked ISO 27001 or SOC 1 as the most important audit for their business over SOC 2.
• Most compliance programs are maturing: 57% describe their programs as “managing” or “optimizing,” the two highest maturity levels.
• AI is becoming more prevalent in compliance programs and roles: Nearly two-thirds of organizations say AI is important to their compliance program, and the same amount (65%) of compliance teams are involved in how AI is used.
• Regulatory fragmentation and third-party oversight remain challenges: 69% of organizations find regulations too complex or too numerous, or experience difficulty verifying whether third-party suppliers are complying with the requirements.

These findings make one thing clear: manual, spreadsheet-driven compliance can’t keep pace with 2026’s audit cadence, AI governance needs, and vendor oversight challenges. Download our Compliance Automation Platform Buyer’s Guide to see how automation can solve common pain points, compare vendors, and use the included evaluation form to fast-track your selection.

The current state of compliance

New priorities, risks, technologies, and regulations have emerged and affected the state of cybersecurity compliance. Find out how the industry has changed and increased in complexity in recent years. 

1. 69% of risk and compliance professionals said that keeping their organization compliant with all relevant laws, policies, and regulations was most important to their organization when making decisions. (Navex Global’s 2025 State of Risk & Compliance Report)

2. 77% of global C-suite leaders believe compliance, as an enabling function, contributes significantly or moderately to their overall objectives. (Thomson Reuters Institute 2025 C-Suite Survey)

3. 78% of CISOs agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2025. This is a noticeable increase from the 61% who agreed with the same statement in 2024 and the much lower 39% that agreed in 2022. (World Economic Forum's Global Cybersecurity Outlook 2025)

4. An even larger percentage (87%) of CEOs agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks. (World Economic Forum's Global Cybersecurity Outlook 2025)

5. On average, 24% of organizations of all sizes said that increasing revenue/winning new clients is the driving force behind their compliance program. (A-LIGN’s 2025 Compliance Benchmark Report)

6. Client acquisition (ie. “increasing revenue/winning new clients”) was cited as the top driving force behind the compliance programs of enterprise organizations with over $1 billion in revenue, reported by 35% of respondents. (A-LIGN’s 2025 Compliance Benchmark Report)

7. Small and medium companies rank board-level or C-suite mandates as the top driving force behind their organization’s compliance program, reported by 21% and 24% respectively. (A-LIGN’s 2025 Compliance Benchmark Report)

8. Small businesses rank the following reasons as direct drivers of their organization’s compliance program:

• Board-level or C-suite mandates (21%)
• To increase revenue/win new clients (17%)
• To validate effectiveness of controls (16%)
• Regulatory requirement(s) (15%)
• To establish trust with existing and new clients (14%). (A-LIGN’s 2025 Compliance Benchmark Report)

9. More than half of surveyed business and risk leaders identified cybersecurity and data protection and privacy as top compliance priorities, at 51% each. (PwC’s Global Compliance Survey 2025)

10. 60% of risk and compliance professionals indicate that Cybersecurity is a planned training topic over the next two-to-three years. This was the third commonly indicated compliance training topic, whereas it was the first in 2023 and second in 2024. (Navex Global’s 2025 State of Risk & Compliance Report)

11. 85% of executives feel that compliance requirements have become more complex in the last three years. (PwC’s Global Compliance Survey 2025)

12. As a result of the increasing complexity of compliance requirements, 3 out of 4 executives said that their company had been negatively impacted to some or a great extent in the following five areas that can drive growth:

• Implementing and maintaining IT systems (89%)
• Resource capacity (83%)
• Senior management attention and focus (82%)
• Business transformation and change (82%)
• Establishing and maintaining third-party relationships. (76%). (PwC’s Global Compliance Survey 2025)

13. 76% of CISOs report that fragmentation of regulations across jurisdictions greatly affects their organizations’ ability to maintain compliance. (World Economic Forum's Global Cybersecurity Outlook 2025)

14. 69% of organizations find regulations too complex or too numerous, or experience difficulty verifying whether third-party suppliers are complying with the requirements. (World Economic Forum's Global Cybersecurity Outlook 2025)

15. 47% of compliance professionals are focused on simply finding a better, easier way to alleviate the burden of the legal requirements of compliance, while only 16% are ready to go beyond checking a box and adopt a strategic approach to compliance. (FloQast's 2024 Exploring Strategic Compliance: The Next Frontier)

16. 80% of compliance professionals in strategic roles are focused on helping their organizations identify appropriate risks, while 79% are dedicated to providing greater visibility to senior management, highlighting the growing importance of compliance in driving strategic decision-making and risk management. (FloQast's 2024 Exploring Strategic Compliance: The Next Frontier)

17. When asked about the significance of enabling functions, such as customer success, technology, and compliance, on their overall objectives, C-Suite executives said compliance contributes:

• Significantly (31%)
• Moderately (46%)
• A little (20%)
• Not at all (1%)
• My organization does not have this function (2%). (Thomson Reuters Institute 2025 C-Suite Survey)

18. When risk and compliance professionals were asked where their organization's compliance function is housed, the top answers were:

• It is an independent function reporting to the CEO and/or board of directors (22%)
• It is split across multiple departments (17%)
• Within the legal department (15%)
• Within the risk department (12%)
• Within IT/data security/data privacy (11%)
• Within the human resources department (7%)
• Within the internal audit department (5%)
• Within the finance department (5%). (Navex Global’s 2025 State of Risk & Compliance Report)

19. 47% of risk and compliance professionals said that ensuring their organization builds and maintains an ethical culture of compliance was a very important or absolutely essential consideration in its decision-making processes—down from 76% in 2023. (Navex Global’s 2025 State of Risk & Compliance Report)

20. The three factors companies consider most important in creating a strong compliance culture are:

• Senior management sponsorship/’tone at the top’ (55%)
• Employee training and communication (48%)
• Coordination with compliance teams (37%). (PwC’s Global Compliance Survey 2025)

21. According to executives, the most important skill required to maintain effective compliance at their organization was specialist compliance/regulatory, risk, legal, audit, (or similar) experience, cited by more than half (53%) of respondents. (PwC’s Global Compliance Survey 2025)

22. Despite the belief that cyber regulations are helping the organization, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations. For example, 67% of CEOs are confident in their organization's regulation compliance with AI compared to 54% of CISO/CSOs. (PwC's 2025 Global Digital Trust Insights)

23. Two-thirds (67%) of risk and compliance professionals said they were either most concerned about “lack of visibility to risks across our organization” or “gaps in implementation of compliance controls” in respect to AI risks. (Navex Global’s 2025 State of Risk & Compliance Report)

24. 28% of organizations said the AI risk they were most concerned about in their compliance program was “changes in regulations that are missed in our program.” (Navex Global’s 2025 State of Risk & Compliance Report)

25. The top three priorities for legal and compliance leaders are:

• Strengthening their personal impact on company strategy (42%)
• Improving third party risk management (40%)
• Ensuring compliance programs can keep pace with fast-moving regulatory requirements (39%). (Gartner for Legal, Risk & Compliance Leaders July 2025 Survey)

The risk of non-compliance

Turning your compliance program into a well-oiled machine can be a daunting task. But the risk of not having such a program in place far outweighs any hesitations you may have. If you need a reminder of just how high the risks associated with poor compliance management practices can be, look no further than the data points below. 

26. A privacy/cybersecurity breach was the most common compliance issue reported in 2025 by 28% of risk and compliance professionals. (Navex Global’s 2025 State of Risk & Compliance Report)

27. Breaches cost almost $174,000 more on average when noncompliance with regulations was indicated as a factor in the event. (IBM's Cost of a Data Breach Report 2025)

28. Data breaches involving noncompliance with regulations cost $4.61 million on average in 2025. This is 4% higher than the global average cost of a data breach. (IBM's Cost of a Data Breach Report 2025)

29. When asked what compliance issues they've experienced in the past three years, 17% of risk and compliance professionals said legal or regulatory action taken against the organization by a governing body. This was the third most common compliance issue reported in 2025. It had been the #1 issue reported in 2023. (Navex Global’s 2025 State of Risk & Compliance Report)

30. Risk and compliance professionals said they experienced the following compliance issues in the past three years:

• A privacy/cybersecurity breach (28%)
• Third-party ethics or compliance failure (18%)
• Legal or regulatory action taken against the organization by a governing body (17%)
• Difficulty meeting regulatory obligations around EU regulations (16%)
• Adverse media coverage of an ethics or compliance issue (14%)
• Substantiated employee litigation against the organization (14%)
• Reputational damage due to executive misconduct (14%). (Navex Global’s 2025 State of Risk & Compliance Report)

31. While privacy breaches and regulatory actions remain leading compliance issues cited by 45% of respondents, nearly as many (42%) risk and compliance professionals reported adverse media coverage, reputational damage, or employee litigation, showing that non-financial risks now rival traditional compliance concerns. (Navex Global’s 2025 State of Risk & Compliance Report)

32. In 2025, privacy or cybersecurity breaches (28%), third-party failures (18%), and regulatory actions (17%) were reported as the most common compliance issues organizations experienced in the past three years. (Navex Global’s 2025 State of Risk & Compliance Report)

33. In 2025, 57% of government-affiliated organizations reported conducting audits specifically to meet contract requirements, up from 40% in 2024. (A-LIGN’s 2025 Compliance Benchmark Report)

34. The top three areas in which the compliance function was reported as highly or moderately engaged in 2025 were:

• Risk assessment and management (94%)
• Data breach (85%)
• Reputational harm (83%). (Navex Global’s 2025 State of Risk & Compliance Report)

35. 72% of executives said that the increasing complexity of compliance requirements over the last three years has negatively impacted their company’s profitability to some or to a great extent. (PwC’s Global Compliance Survey 2025)

36. As a result of the increasing complexity of compliance requirements over the last three years, executives reported a range of negative effects on the company’s revenue and growth, including: 

• Launching new products and services (73%)
• Conducting deals and corporate transactions (72%)
• Profitability (71%)
• Market expansion/entering new markets (68%)
• Availability of cash/funds (58%). (PwC’s Global Compliance Survey 2025)

Compliance audit frequency, costs, and trends

Audit management continues to be one of the most resource-intensive aspects of compliance. Discover how organizations are approaching audits and attestations today, including how often they’re conducting them, how much they’re spending, and which frameworks are being prioritized.

37. In 2025, 92% of organizations reported conducting at least two audits or assessments. (A-LIGN’s 2025 Compliance Benchmark Report)

38. More than half (58%) of organizations reported conducting four or more audits in 2025. (A-LIGN’s 2025 Compliance Benchmark Report)

39. 35% of enterprise organizations reported conducting six or more audits or assessments per year, compared to 15% of small, medium, and large organizations that reported the same. (A-LIGN’s 2025 Compliance Benchmark Report)

40. Enterprise organizations are more than twice as likely than smaller businesses to conduct six or more audits per year. (A-LIGN’s 2025 Compliance Benchmark Report)

41. In 2025, the modal (most common) number of audits or assessments completed per year by company size was:

• Small: 2-3
• Medium: 4-5
• Large: 4-5
• Enterprise: 6 or more (A-LIGN’s 2025 Compliance Benchmark Report)

42. 71% of enterprise companies spend over $100,000 on audits each year, compared to only 19% of small companies, 42% of medium companies, and 57% of large organizations that say the same. (A-LIGN’s 2025 Compliance Benchmark Report)

43. The average US firm spends between 1.3 and 3.3% of its total wage bill on regulatory compliance. (The Cost of Regulatory Compliance in the United States 2024)

44. When asked what the most important audit, attestation, or assessment for their business was in 2025, the top three frameworks mentioned were ISO 27001, SOC 1, and SOC 2.  (A-LIGN’s 2025 Compliance Benchmark Report)

45. In the 2025 survey, organizations more often ranked ISO 27001 and SOC 1 as the most important audit, attestation, or assessment for their business over SOC 2. (A-LIGN’s 2025 Compliance Benchmark Report)

46. ISO 27001 adoption continues to grow, with 81% of organizations reporting a current or planned ISO 27001 certifications in 2025 compared to 67% in 2024—a 14% year-over-year increase across all companies surveyed. (A-LIGN’s 2025 Compliance Benchmark Report)

47. 53% of organizations said they plan to pursue an AI audit or certification in the next 12 months, and another 23% intend to do so within the next 24 months. (A-LIGN’s 2025 Compliance Benchmark Report)

48. When asked what the most important audit, attestation, or assessment for their business was in 2025, the top three frameworks mentioned were ISO 27001, SOC 1, and SOC 2.  (A-LIGN’s 2025 Compliance Benchmark Report)

49. 70% of organizations rated report quality as “extremely important” to their compliance programs. This is consistent with 2024 results and reinforces that quality is a core benchmark in audit processes. (A-LIGN’s 2025 Compliance Benchmark Report)

50. An experienced audit team and report quality were the two most important factors organizations said when it comes to choosing an auditor.  (A-LIGN’s 2025 Compliance Benchmark Report)

51. In 2025, organizations ranked the number of controls tested and length of the report as the top indicators of a high-quality audit—replacing auditor trust, which was the leading indicator in 2024.  (A-LIGN’s 2025 Compliance Benchmark Report)

52. Reports featuring best practices or thought leadership, which were once highly valued, now rank among the lowest quality indicators. This reflects how the definition of “quality” in compliance reporting is shifting toward technical rigor and thoroughness. (A-LIGN’s 2025 Compliance Benchmark Report)

Compliance management statistics

Many organizations have begun to automate aspects of their compliance strategy. Find out what practices are becoming the norm within the risk and compliance industry below. 

53. 56% of risk and compliance professionals said their organization had experienced at least one compliance issue in the past three years, and 36% said their organization had experienced more than one. (Navex Global’s 2025 State of Risk & Compliance Report)

54. 35% of respondents said their organization has not experienced any compliance issues in the past three years. (Navex Global’s 2025 State of Risk & Compliance Report)

55. When asked what information an organization uses to review, test, and improve its risk and compliance program, the top five answers were:

• Risk assessment results (61%)
• Compliance program audits (57%)
• Guidance and frameworks (54%)
• Changing or updated regulations (51%)
• Lessons learned from misconduct (own and/or peers) (46%). (Navex Global’s 2025 State of Risk & Compliance Report)

56. More than half (57%) of risk and compliance professionals described their programs as mature—“managing” or “optimizing”—in 2025, an increase of 7% from the previous year. (Navex Global’s 2025 State of Risk & Compliance Report)

57. Less than half (44%) of risk and compliance professionals placed their programs in the bottom 3 maturity tiers in 2025. (Navex Global’s 2025 State of Risk & Compliance Report)

58. 6% of risk and compliance professionals described their program as underdeveloped, or the least mature——a figure that has remained consistent for the past three years. (Navex Global’s 2025 State of Risk & Compliance Report)

59. In light of US policy and enforcement shifts, many organizations have made, or are considering making, changes to elements of their risk and compliance program. The most common changes were to:

• Policies (58%)
• Risk assessment (56%)
• Training plan and priorities (54%). (Navex Global’s 2025 State of Risk & Compliance Report)

60. 52% of risk and compliance professionals said their organization did not plan any decreases to staffing and resources, making it the least likely change to be made in light of US policy and enforcement shifts. (Navex Global’s 2025 State of Risk & Compliance Report)

61. While 38% said they had, or were considering, increasing staffing and resources in response to US policy and enforcement shifts, a larger majority (45%) said they had not and weren’t considering any increases. (Navex Global’s 2025 State of Risk & Compliance Report)

62. In 2025, compliance and risk professionals were most likely to rate their compliance program’s performance as excellent or very good at developing policies that reflect and deal with legal and regulatory risks more than any other area in policy and procedure management. (Navex Global’s 2025 State of Risk & Compliance Report)

63. More than half (58%) of organizations are concerned about the impact of AI on compliance in their organization. (A-LIGN’s 2025 Compliance Benchmark Report)

64. Time-consuming compliance and reporting tasks was most frequently cited by C-suite leaders (68%) as “significantly” or “moderately” hindering the ability of enabling functions to contribute toward broader objectives. (Thomson Reuters Institute 2025 C-Suite Survey)

65. 55% of CFOs and 50% of audit committees and boards are asking internal audit teams to do more work around risk, yet teams are currently only able to allocate 15% of their time to advisory-related work focused on capabilities like enterprise risk management and continuous control monitoring and testing. The rest of their time is spent on traditional audit and SOX work. (AuditBoard's Internal Audit’s Expanding Role: The Foundation for Connected Risk 2024)

66. The top three opportunities identified by C-Suite leaders to improve how enabling functions contribute to the business’s overall objectives were:

• Simplified compliance and reporting
• Technology and automation
• Risk management and mitigation. (Thomson Reuters Institute 2025 C-Suite Survey)

67. 63% of executives said that the complexity and disaggregated nature of data across the organization has made compliance more difficult. (PwC’s Global Compliance Survey 2025)

Compliance tools statistics

As the industry evolves, new compliance management technologies and tools are introduced to streamline and improve processes. When companies incorporate these technologies and tools in a proactive compliance strategy, they find it saves them money and improves their overall security posture. 

68. 42% of executives said that investments in technology have helped them identify and respond to regulatory changes more quickly.  (PwC’s Global Compliance Survey 2025)

69. As a result of investing in compliance technology, executives report the top 5 benefits as:

• Better visibility of risks and risk management activities (64%)
• Faster identification and proactive response to compliance issues (53%)
• Higher quality/more insightful reporting (48%)
• Faster/more confident decision-making (46%)
• Increased productivity, efficiencies, and cost savings (43%). (PwC’s Global Compliance Survey 2025)

70. 82% of companies plan to invest more in technology to drive compliance activities.  (PwC’s Global Compliance Survey 2025)

71. 2025 is the first year in which a majority of organizations said they use purpose-built technology to administer the various aspects of their ethics and compliance programs. (Navex Global’s 2025 State of Risk & Compliance Report)

72. 66% of organizations said they use purpose-built technology to manage compliance risk in 2025. (Navex Global’s 2025 State of Risk & Compliance Report)

73. The most common ethics and compliance program aspects that organizations use purpose-built technology to administer are:

• Ethics and compliance training (78%)
• Policy and procedure management (73%)
• Hotline and incident management (71%)
• Risk assessment/management (70%). (Navex Global’s 2025 State of Risk & Compliance Report)

74. Almost two thirds (65%) of risk and compliance professionals said AI is important to their compliance program. (Navex Global’s 2025 State of Risk & Compliance Report)

75. While most legal, accounting, audit, and risk and compliance professionals (80%) believe AI will have a high or even transformational impact on their work over the next five years, only 38% expect to see those changes in their organization this year. (Thomson Reuters 2025 Future of Professionals Report)

76. 32% of organizations are not currently piloting or using AI for any compliance activities. (PwC’s Global Compliance Survey 2025)

77. Nearly one-third of C-Suite leaders believe their organization is moving “too slowly” when it comes to adopting AI. Among the 5 biggest barriers to faster adoption were:

• Regulation of AI-powered technology use (47%)
• Demonstrable data security of AI-powered technology (44%). (Thomson Reuters Institute 2025 C-Suite Survey)

78. Almost half of risk and compliance professionals expect AI to bring transformational or high levels of change within their departments this year, but less than one-in-five say their departments have an AI strategy in place. (Thomson Reuters 2025 Future of Professionals Report)

79. 42% of executives said that investments in technology have resulted in increased trust from stakeholders in compliance abilities. (PwC’s Global Compliance Survey 2025)

80. The most prominent reason for adopting new risk and compliance automation and technology solutions in 2024 was to reduce risks (41%). (Navex's 2024 State of Risk & Compliance Report)

81. The second most prominent reason for adopting new risk and compliance automation and technology solutions was to meet regulatory requirements (32%). (Navex's 2024 State of Risk & Compliance Report)

82. 19% of risk and compliance professionals indicated they are adopting new automation and technology solutions to reduce costs. (Navex's 2024 State of Risk & Compliance Report)

83. Only 7% of risk and compliance professionals said their organization does not use automation and technology solutions for their risk and compliance program. (Navex's 2024 State of Risk & Compliance Report)

84. Roughly 1 in 5 of risk and compliance professionals identified the following reasons for adopting automation and technology solutions:

• Automate practices and procedures (23%)
• Help reach organizational objectives (23%)
• Integrate program components (e.g., incident management, risk management, policy & procedure management, etc.) (21%)
• Increase reporting capabilities (21%)
• Improve program analytics (20%)
• Streamline workflows/reduce redundancy (20%)
• Reduce spent time on managing risk and compliance tasks (19%). (Navex's 2024 State of Risk & Compliance Report)

85. Almost two-thirds (65%) of compliance teams are involved in how AI is used at their organization. (Navex Global’s 2025 State of Risk & Compliance Report)

86. Respondents from mature risk and compliance programs were more likely to be “very involved” in AI decision making (40%) compared to less-mature organizations (19%). (Navex Global’s 2025 State of Risk & Compliance Report)

87. 70% of compliance and risk management leaders said they believe AI will have a transformative or major impact on their functions within the next one to five years. (Moody's 2024 Navigating the AI landscape: Insights from compliance and risk management leaders)

88. 82% of supply chain professionals indicate technology advancements, specifically in AI and machine learning, will have a significant impact on the supply chain over the next five years. However, only 24% of companies have integrated AI into their operations. (Inspectorio's State of Supply Chain Report 2024)

89. The majority of risk and compliance professionals (39%) said IT was responsible for developing AI policies at their organization. The next most common responses were Information Security (10%) and Compliance (6%). (Navex Global’s 2025 State of Risk & Compliance Report)

90. A majority of organizations (72%) employ some level of security AI and automation, with 32% reporting they use it extensively in their operations. (IBM's Cost of a Data Breach Report 2025)

91. ​​Organizations that used security AI and automation extensively reported USD 1.9 million lower data breach costs and time savings of 80 days identifying and containing breaches compared to organizations that didn’t use AI and automation. (IBM's Cost of a Data Breach Report 2025)

The importance of vendor compliance and risk management 

As organizations rely more on third parties, managing vendor compliance has become essential for reducing legal, financial, and reputational risk. With third-party breaches increasing, 

compliance leaders are increasingly focused on vendor oversight and prioritizing stronger due diligence, ongoing monitoring, and governance measures.

Look at how organizations are handling their vendor risk management and compliance with the statistics below. 

92. 48% of participating CISOs indicated that ensuring third-party compliance with their security requirements is the main challenge to effectively implementing cyber regulations. (World Economic Forum's Global Cybersecurity Outlook 2025)

93. 49% of organizations have made, or are considering making, changes to their third-party oversight in light of US policy and enforcement shifts. (Navex Global’s 2025 State of Risk & Compliance Report)

94. When asked what compliance issues they've experienced in the past three years, 18% of risk and compliance professionals said third party ethics or compliance failure. (Navex Global’s 2025 State of Risk & Compliance Report)

95. 76% of executives said that the increasing complexity of compliance requirements over the last three years has negatively impacted their company’s ability to establish and maintain third-party relationships. (PwC’s Global Compliance Survey 2025)

96. Maintaining an ethical and compliant supply chain was cited as an important consideration when making decisions by 24% of organizations. (Navex Global’s 2025 State of Risk & Compliance Report)

97. In 2025, the majority of respondents who are knowledgeable about ethics and compliance (84%) “strongly” or “somewhat” agreed their third-party due diligence program significantly reduces their legal, financial and reputational risks. (Navex Global’s 2025 State of Risk & Compliance Report)

98. Only one-third of risk and compliance professionals who are knowledgeable “strongly” agreed their third-party due diligence program significantly reduces their legal, financial and reputational risks. More than half “somewhat” agreed. (Navex Global’s 2025 State of Risk & Compliance Report)

99. Respondents who placed their organization in one of the top two rankings of the ECI maturity scale were most likely (42%) to strongly agree their third-party screening significantly reduces risks. At the lower end of the scale, only 19% said the same. (Navex Global’s 2025 State of Risk & Compliance Report)

100. Only 58% of risk and compliance professionals said their organization screens third parties for regulatory risk and only 33% use a riskweighted approach in that screening. (Navex Global’s 2025 State of Risk & Compliance Report)

101. 41% of CISOs said that enhancing visibility of third-party dependencies is the top priority for improving supply chain cyber resilience. (World Economic Forum's Global Cybersecurity Outlook 2025)

102. More than half (56%) of organizations said they use purpose-built technology to manage third-party risk in 2025. (Navex Global’s 2025 State of Risk & Compliance Report)

103. 40% of legal, compliance, and privacy leaders selected "strengthening third-party risk management processes and/or technology" as one of their top five priorities. 6% selected it as their #1 priority. (Gartner for Legal, Risk & Compliance Leaders July 2025 Survey)

104. Only 69% of risk and compliance professionals said their organization was at least “good” at engaging in ongoing monitoring and risk management throughout the course of a relationship with a third-party. (Navex's 2024 State of Risk & Compliance Report)

105. 11% of risk and compliance professionals went as far as to say their program was “poor” with respect to ongoing monitoring of third parties. (Navex's 2024 State of Risk & Compliance Report)

106. 40% of supply chain professionals consider risk management and supply chain resilience as their primary concern, followed by 37% focusing on regulatory and compliance pressures. (Inspectorio's State of Supply Chain Report 2024)

107. 35% of business and tech executives find third-party breaches to be one of the most concerning cyber threats, and 28% feel least prepared to address this threat. (PwC's 2025 Global Digital Trust Insights)

Compliance trends for 2026

When it comes to the future of the compliance industry, businesses have been forced to rethink their operational resilience. With the disruption organizations continue to face due to AI, cyber threats, and increasing regulatory scrutiny, companies have seen first-hand the need for — and benefits of — a well run compliance management program.

We’ve rounded up a few of the compliance trends industry experts predict for the coming year.

108. 8 of 10 legal, accounting, audit, and risk and compliance professionals believe AI will have a high or even transformational impact on their work over the next five years. (Thomson Reuters 2025 Future of Professionals Report)

109. 76% of organizations plan to pursue an AI audit or certification within the next two years. (A-LIGN’s 2025 Compliance Benchmark Report)

110. In 2025, 53% of organizations said they intend to pursue an AI audit or certification within the next year. Among software firms, that number climbs to 61%, highlighting growing momentum around AI compliance. (A-LIGN’s 2025 Compliance Benchmark Report)

111. 21% of C-Suite executives reported that their top strategic priority over the next 18 months was regulatory compliance—this is a huge jump from 2% in 2024. (Thomson Reuters Institute 2025 C-Suite Survey)

112. When surveyed, nearly one thousand compliance and risk professionals ranked their most important compliance issues as data privacy, protection, and security (56%) and regulatory compliance (55%). (Navex Global’s 2025 State of Risk & Compliance Report)

113. More than half of professionals (59%) believe the rapid pace of regulatory change will have a high or transformational impact on their work over the next five years. (Thomson Reuters 2025 Future of Professionals Report)

114. 71% of executives expect to undertake digital transformation initiatives over the next three years that require the support of Compliance. (PwC’s Global Compliance Survey 2025)

115. Executives believe their company will have a skills gap or shortage in the following areas which they deemed critical to maintaining effective compliance at their organization in the next 12 months:

• AI skills (73%)
• Data management and analytic skills (57%)
• Technology capabilities (55%)
• Sustainability/ESG/climate experience (54%)
• Transformation and business change experience (53%)
• Specialist knowledge (51%). (PwC’s Global Compliance Survey 2025)

116. Only 7% of executives currently consider their organizations to be leading transformation in compliance maturity, yet 38% aim to be leading within three years.  (PwC’s Global Compliance Survey 2025)

117. When asked about compliance topics their organization planned to provide training for in the next two-to-three years, the top 5 answers were:

• Ethics & code of conduct (63%)
• Data privacy (62%)
• Cybersecurity (60%)
• Harassment & discrimination (52%)
• Artificial intelligence (48%). (Navex Global’s 2025 State of Risk & Compliance Report)

118. Nearly one third of professionals (32%) believe the focus on sustainability and ESG will have a high or transformational impact on their work over the next five years. (Thomson Reuters 2025 Future of Professionals Report)

119. 22% of C-Suite executives reported that their top strategic priority over the next 18 months was developing or demonstrating ESG practices and standards—a slight dip from 25% in 2024. (Thomson Reuters Institute 2025 C-Suite Survey)

120. 67% of global executives believe that ESG regulation is too complex, while 70% want more guidance from regulators. (Beazley's Spotlight on Boardroom Risk 2024)

History of compliance: Landmark statistics that shaped today’s trends

While some of the following statistics come from earlier benchmark reports, they remain valuable for understanding how the compliance landscape has evolved over time. These foundational insights—from 2023 reports by Thomson Reuters, Coalfire, and others—capture key shifts in how organizations have approached compliance, regulatory change, and technology in recent years.

121. 70% of corporate risk and compliance professionals said they have noticed a shift from check-the-box compliance to a more strategic approach over the past two to three years. (2023 Thomson Reuters Risk & Compliance Survey Report)

122. Three in five corporate risk and compliance professionals said they feel confident in their ability to address compliance risks, though the top obstacles were a lack of skilled personnel, limited resources, and poor company culture. (2023 Thomson Reuters Risk & Compliance Survey Report)

123. Compliance officers said their top areas of involvement were implementation of a demonstrably compliant culture (58%), the setting of risk appetite (51%), and assessing the effectiveness of corporate governance arrangements (48%). (Thomson Reuter's Cost of Compliance Report 2023)

124. 77% of security and IT leaders said they plan to transition to updated frameworks, like PCI DSS 4.0, in the next 18 months. (Coalfire Compliance Report 2023)

125. While over 3 in 4 organizations have plans to transition to the next revision of applicable frameworks within the allowable periods, 21% of organizations plan to do nothing until a required audit or wait for external party findings. (Coalfire Compliance Report 2023)

126. 23% of security and IT professionals said staying aware and interpreting new requirements and regulations affecting the organization was the top compliance program challenge. (Coalfire Compliance Report 2023)

127. Almost two-thirds (62%) of compliance officers reported that in an average week they spend between 1 and 7 hours tracking and analyzing regulatory developments. This amount of time makes sense given that 76% of compliance managers in 2021 said they manually scanned regulatory websites to track changes and assess the impact on their organization. (Thomson Reuter's Cost of Compliance Report 2023)

128. Risk and compliance professionals spent the most time identifying and assessing risk (56%) and monitoring compliance (52%) in 2023. (2023 Thomson Reuters Risk & Compliance Survey Report)

129. 60% of GRC users still manage compliance manually with spreadsheets. (Coalfire Compliance Report 2023)

130. Nearly two-thirds (65%) of corporate risk and compliance professionals said using technology to streamline and automate manual processes would help reduce the complexity and cost of risk and compliance. (2023 Thomson Reuters Risk & Compliance Survey Report)

131. When asked what would help reduce the complexity and cost of the risk and compliance process, almost half (49%) of respondents said standardizing risk and compliance frameworks across their organization. (2023 Thomson Reuters Risk & Compliance Survey Report)

132. 62% of security and IT leaders cited mapping controls and systems across frameworks as their preferred method to manage overlapping compliance requirements, and 64% of large enterprises named enhanced evidence mapping as the top way to prove compliance. (Coalfire Compliance Report 2023)

133. In 2023, 58% of security and IT professionals said they need larger compliance budgets, while 61% of organizations expect senior compliance officer costs to rise—driven by higher demand for expertise and growing regulatory volume. (Coalfire Compliance Report 2023)

134. Two-thirds of corporate risk and compliance professionals agreed that their organization has a duty to address ESG-related issues. (2023 Thomson Reuters Risk & Compliance Survey Report)

135. 21% of risk and compliance professionals said regulatory or stakeholder demand for ESG transparency and reporting was a compliance issue they’ve experienced in the past three years. This was the second most common compliance issue reported after a breach. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

136. Only 22% of organizations perform regular compliance audits on third parties, with only 11% reporting annually and 11% reporting less frequently. 40% of organizations report auditing third parties only based on triggering events. (2023 Global Compliance Risk Benchmarking Survey)

137. 45% of companies expect more compliance involvement in cyber resilience in the coming years. (Thomson Reuter's Cost of Compliance Report 2023)

138. 57% of corporate risk and compliance professionals said compliance roles in their companies had become more specialized, and 53% said they were addressing increased regulatory scrutiny with more sophisticated technologies. (2023 Thomson Reuters Risk & Compliance Survey Report)

Top 5 takeaways for organizations to improve compliance management in 2026

1. Make compliance a strategic growth lever

Compliance isn’t only about avoiding penalties—it’s about enabling revenue, market access, and trust. With 77% of C-suites crediting compliance for advancing objectives, elevate the function with executive-level KPIs, board reporting, and clear ties to pipeline, customer requirements, and procurement wins.

What to do now:

• Get executive buy-in and sponsorship for compliance
• Track sales deals that are blocked by security concerns and unblocked by compliance reports and attestations
• Share real-time compliance statuses and data using dashboards and trust centers with the board, customers, prospects, and other stakeholders

2. Plan ahead for rising audit cadence

A majority of organizations now conduct 4 or more audits per year, with enterprises commonly conducting more than 6 to meet regulatory and customer requirements. Despite this number rising, most organizations (45%) said they had not and weren’t considering increasing staffing or resources. 

That means most organizations need to use their existing headcount wisely to avoid audit fatigue and escalating costs. Having a clear roadmap, processes for reusing work where possible, and technologies to provide visibility and reduce manual work are essential. 

What to do now:

• Plan ways to future-proof your audit and compliance program that meet your budget and resource constraints
• Consolidate audits where possible, like a SOC 2 + HIPAA package
• Ensure your compliance roadmap aligns with customer expectations (ex: ISO 27001 vs SOC 2)

3. Automate tedious and error-prone compliance workflows

Manual processes involving spreadsheets still slowed down teams and inflated audit costs as recently as 2023, but most organizations in 2025 are using purpose-built tech for different aspects of a compliance program—and 65% say automation is the most effective way to cut the complexity and cost of compliance.

Using automation for particularly laborious parts of audit management—like standardizing and mapping controls across frameworks, centralizing evidence, and monitoring controls continuously—can significantly reduce duplicate work as your compliance program scales and audit fatigue kicks in. 

What to do now:

• Automate evidence collection and document management
• Map controls and tests across frameworks
• Adopt automated continuous monitoring

4. Build AI governance with compliance in the room

AI is already reshaping compliance programs and its influence is only expected to grow. 65% of risk and compliance professionals already say AI is important to their compliance programs, and 80% believe AI will have a high or even transformational impact on their work over the next five years.

But already these professionals are worried about the downsides of this technology, with 67% most concerned about a lack of visibility to risks across our organization or gaps in implementation of compliance controls in respect to AI risks.

Having a formal AI policy and risk assessment process in place can help mitigate these risks and stay ahead of evolving AI regulations.

What to do now:

• Create or refine your AI and acceptable use policy
• Add AI-specific risk assessments to your risk management program
• Align with leading AI frameworks like NIST AI RMF and ISO 42001

5. Close vendor compliance and risk management gaps

Vendors remain a major exposure in 2025. Half of organizations are changing their third-party oversight due to U.S. enforcement shifts, and 56% now use TPRM tech—but only 58% screen for regulatory risk and just 33% use risk-weighted methods. That mismatch leaves a gap for third-party breaches and other compliance failures that come with adverse media and reputational harm. 

What to do now:

• Require risk-weighted screening for third pirates
• Include compliance audit and attestation requirements in vendor contracts
• Automate ongoing monitoring for your third-party ecosystem

How Secureframe automation and AI can future-proof your compliance program in 2026

Regardless of industry, managing compliance and risk is crucial to running a company in today’s regulatory and threat landscape. 

A compliance automation platform can help your organization reap the benefits of compliance and risk management while reducing the costs and complexity associated with it. 

Here’s how Secureframe can help you improve your overall security posture while completing audits and assessments at speed and scale:

• Continuously monitor controls, flag misconfigurations, and guide remediation so your posture keeps pace with change.
• Automate evidence and control mapping across 40+ frameworks to cut duplicate work and audit fatigue.
• Operationalize AI & policy governance with policy management workflows that automate development, updates, distribution, and employee acceptance. 
• Simplify vendor risk with automated questionnaires, screening, and ongoing monitoring to strengthen your supply chain.
• Accelerate audits with centralized documentation, real-time readiness, and dedicated auditor modules.

Want to see how risk and compliance leaders are reducing complexity and cost while improving time-to-audit? Schedule a demo.

This post was originally published in December 2021 and has been updated for comprehensiveness.