Thoropass’ recent report, 2026 State of Audit and Compliance Report, reveals that AI adoption has rapidly become the most significant new source of IT security compliance risk. Almost 7 in 10 security and compliance leaders say AI adoption is outpacing their security and compliance controls, signaling a growing governance gap.
Most organizations are losing the race to control the use of corporate and personal AI solutions in the workplace, increasing the “governance gap”. AI-related concerns now eclipse traditional security threats in both perceived likelihood and impact
The report, based on a survey of more than 500 security, IT, and compliance professionals, shows that while compliance programs are more mature than ever, they are under increasing strain from multi-framework audits, evidence management overhead, and the fast rise of AI-related risk.
“AI has moved faster than governance,” said Sam Li, CEO of Thoropass. “Most organizations didn’t plan for how quickly employees and teams would adopt AI tools, and compliance programs are now racing to catch up. What we’re seeing is a widening gap between innovation and oversight.”
AI is becoming integral not just to organizations’ technology stacks, but to how companies operate. That same technology can and should be used to help organizations run smoother, more efficient audits, empowering them to eliminate manual effort, improve evidence quality, and give teams confidence as audit expectations evolve.”
Key findings from the research include:
AI Has Become the Leading Compliance Risk
AI-related concerns now eclipse traditional security threats in both perceived likelihood and potential regulatory impact:
- 69% of respondents stated that adoption of AI tools in the organization is outpacing their ability the security and compliance controls
- 55% say that AI-related data exposure or misuse as their top breach concern – a higher rate than ransomware, IAM failures, or cloud misconfigurations
- 57% believe AI-related incidents are the most likely to trigger regulatory action or customer fallout in 2026
- Only 18% say they are not concerned about AI-related compliance risk
Compliance Maturity Is High, but Audit Friction Persists
Even as organizations report mature compliance programs, operational inefficiencies remain widespread:
- Challenges related to collecting evidence across multiple tools is the most common bottleneck in the audit process, cited by 53% of respondents
- 91% say they must resubmit audit evidence at least sometimes due to miscommunication or shifting auditor expectations
- The top compliance challenges are managing multiple frameworks and keeping evidence continuously audit-ready
The report finds that compliance is increasingly viewed as an ongoing risk management function – driven by security posture, insurance requirements, and customer trust – rather than a once-a-year certification exercise.
“The audit model itself is changing. Organizations don’t just need more controls — they need audits that operate continuously and keep pace with how modern systems actually work. The future of audit is less manual collection and more real-time assurance,” continued Li.
What This Means for IT Audit in 2026
The definition of “audit-ready” is changing. Organizations that can consolidate compliance workflows, maintain up-to-date evidence, and integrate AI governance into existing frameworks will be better positioned for both upcoming audits and regulatory scrutiny.
Leave a comment