The Business Case for Compliance: Growth, Market Access, and Risk Reduction

by: A-LIGN | 02 Jun 2026 | 3 mins

Tags: Audit Quality, Business Continuity, ISO 27001, SOC 2

Most organizations think about compliance as something to get through, not something to build on. That mindset leaves significant value on the table, and the data makes that clear.

To better understand how certifications shape business outcomes, A-LIGN surveyed 500 senior information security, governance, and compliance leaders across the US and Europe.

The results showed that the certifications companies pursue to meet customer requirements and pass vendor reviews do more than check a box. They can also help unlock new revenue, open doors to new markets, reduce the likelihood of a costly breach, and in many cases, make entire customer segments accessible that would otherwise be out of reach.

Compliance drives revenue growth

On average, organizations unlock between $250M and $770M in new revenue streams through compliance initiatives. That’s because many customers, especially in enterprise and regulated industries, won’t sign a contract until they see the right certifications in place.

SOC 2 and ISO 27001 are the certifications most commonly tied to this growth, consistently ranking as the top frameworks for expanding into new regions, industries, and customer segments. Among organizations with ISO 27001, roughly half say it would have been more difficult to expand into new geographies without it.

Here’s a breakdown of the ROI associated with each certification:

  • ISO 27001: $2.2M in average customer revenue unlocked, with a net upside of +$2.18M after certification costs
  • SOC 2: $1.5M in average customer revenue unlocked, with a net upside of +$1.48M
  • HITRUST: $1.5M in average customer revenue unlocked, with a net upside of +$1.46M
  • ISO 42001: $1.4M in average customer revenue unlocked, with a net upside of +$1.36M
  • FedRAMP: $1.4M in average customer revenue unlocked, with a net upside of +$1.3M

Across every major framework, the value returned exceeds the cost of certification.

ISO 27001 and SOC 2 unlock market access

For companies pursuing international growth, ISO 27001 and SOC 2 aren’t just certifications — they’re what’s going to get a buyer to consider you. According to our survey, ISO 27001 leads all frameworks in enabling geographic expansion, with strong adoption across North America, Europe, and Latin America. In many European markets, ISO 27001 is expected before a buyer will engage, with SOC 2 playing a similar role in North America.

Both certifications communicate the same thing to a prospective customer: an independent third party has assessed your security controls and found them to hold up. For companies evaluating vendors, that matters. Without that validation, many deals never move forward.

Compliance lowers breach risk and cost

Organizations with major compliance certifications report approximately 50% fewer security breaches than those without them. That finding holds across every major framework: SOC 1, SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. Given that the average breach costs $4.4 million, the reduction in financial exposure is significant.

Another often-overlooked benefit is cyber insurance leverage. Insurers are increasingly tying premiums and coverage terms to proven security practices, and holding a current certification gives organizations concrete evidence to strengthen their position in those conversations.

Why audit quality determines your ROI

The revenue, market access, and risk reduction benefits of compliance only materialize if the report is accepted. Low-cost audit providers may look appealing, but the savings disappear quickly if a customer rejects the final report. About 12% of organizations surveyed said they have had a compliance report rejected, and each rejection costs roughly $70,000 and three months of remediation time. Once remediation labor is factored in, the total cost is closer to $100,000.

Most rejections aren’t caused by technical complexity. They stem from incomplete scoping, inconsistent findings, and documentation gaps. These are execution issues, and all of them point back to audit quality. A high-quality audit produces a report that stands up to customer scrutiny and supports the business outcomes compliance is supposed to unlock. A low-quality audit can delay deals, stall expansion, and weaken the return on the investment.

How to get more from your compliance program

The data makes the case clear: organizations that treat compliance as a strategic priority are seeing returns that far outweigh the investment. In many cases, the difference between compliance that delivers business value and compliance that doesn’t is the quality of the audit behind it.

A-LIGN has completed more than 31,000 audits for over 6,400 customers globally, with zero report rejections. Our audit process combines experienced audit teams with technology that enforces consistency, strengthens audit quality, and drives efficiency.

If you’re looking to get more out of your compliance program, reach out to the A-LIGN team.

Why Most Buyers Can’t Tell a Good Audit from a Bad One — And That’s a Problem 

by: A-LIGN 5 mins

Audit Quality

Compliance reports might look the same from the outside. Same cover page, same certification logos, same general structure. That uniformity creates a false sense of equivalence — and it’s costing organizations more than they realize. 

To better understand how buyers evaluate audit quality, A-LIGN surveyed more than 500 senior information security, governance, and compliance leaders across the U.S. and Europe. What we found reveals a significant gap between perception and reality: most buyers believe audit quality is largely the same across providers, yet the consequences of a poor-quality audit can reach six figures and derail the deals that matter most. 

The quality perception problem 

According to the survey, 93% of buyers see little to no meaningful difference in audit quality across providers. Most assume that if a firm is accredited and a report is issued, the quality is roughly equivalent. 

That assumption is wrong, and expensive. 

As we covered in a previous blog in this series, the cost of a rejected report can total an average of $70,000 in direct expenses, plus an additional $30,000 in remediation labor, for a total exposure of approximately $100,000 per rejection. And the organizations most likely to reject a report, enterprises (1,000 to 5,000 full-time employees) and strategic organizations (more than 5,000 full-time employees), are exactly the ones most companies are trying to sell to. 

The disconnect is clear: buyers can’t distinguish quality, but quality determines outcomes. That’s a market maturity problem with real business consequences. 

What quality actually looks like 

If most buyers can’t differentiate audit quality, what signals should they be looking for? 

The survey data is direct on this. Technology is the single most important auditor selection criterion, ranking above cost, brand, and even years of experience. According to respondents, 88% of buyers agree that tools and technology improve audit quality. This is reinforced by the top indicators of a high-quality audit experience: use of modern tools and automation, timeliness of delivery, and thoroughness of testing. 

On the flip side, the top red flags buyers associate with low-quality firms are equally telling: lack of technology investment, high error and rework rates, and inconsistent quality across engagements. 

This isn’t about bells and whistles. A tech-enabled audit produces more consistent evidence collection, reduces the risk of documentation gaps, and creates a more defensible final report — the kind that holds up when a sophisticated buyer reviews it. 

The criteria buyers use — and the ones they should 

There’s a gap between how buyers say they evaluate auditors and what they’re actually measuring. Technology, client satisfaction, and industry experience rank as the top three auditor selection criteria in the survey data. In practice, however, many buyers default to cost and brand recognition when making their decision. These factors don’t reliably predict whether a report will be accepted by a demanding customer. 

The buyers who can evaluate quality have a framework for it. They cross-check evidence, review auditor methodology, and confirm accreditation. But that’s a small portion of the market. Most organizations are selecting audit providers without the education to discern the quality of their audit partner’s experience and report. 

That gap creates the conditions for report rejection. Buyers who can’t evaluate quality make decisions based on price. They receive a report that looks complete. And then they find out, often at the worst possible moment, that it doesn’t hold up. 

What a quality audit produces 

A high-quality audit isn’t just a cleaner PDF. The difference shows up in specifics: 

Depth and specificity of control testing. A quality auditor doesn’t just confirm controls exist, they test rigorously and document thoroughly. Shallow testing is one of the most common reasons reports get rejected. 

A report tailored to your organization. Cookie-cutter reports are a signal, not just an aesthetic problem. A report that reads like it could belong to any company in any industry is one that sophisticated buyers will scrutinize and often reject. 

Findings that strengthen your posture. A quality audit surfaces recommendations specific to your environment. If your report has no findings or no meaningful observations, that’s not a clean bill of health, it’s a sign of insufficient rigor. 

Technology isn’t optional anymore 

The survey finding that technology is the number one auditor selection criterion isn’t a preference; it’s a forecast. As AI and automation raise the baseline for what an efficient, consistent audit looks like, providers that can’t demonstrate a modern process will find themselves disqualified earlier in the conversation. 

Buyers already associate technology use with quality. According to our survey, 83% of respondents have a positive perception of AI use in audits overall. What they want isn’t AI replacing judgment — it’s AI augmenting it. The top cited benefits are greater efficiency and speed, enhanced data coverage and analysis, and improved anomaly detection. The concerns are about oversight: security and data privacy, transparency, and the risk of algorithmic bias. 

The providers that win in this environment are those that can show how their technology works, why it improves quality, and where experienced human judgment remains in the loop. 

The bottom line for buyers 

If you’re choosing an auditor based primarily on price, you may be selecting the most expensive option in disguise. A rejected report costs roughly five times the savings that a discounted audit fee represents. And that’s before accounting for the reputational cost of a deal that stalls because a customer won’t accept your report. 

The organizations that get the most from their compliance investment are those that evaluate audit quality as rigorously as they evaluate anything else with a six-figure risk profile. That means asking about methodology, technology, industry experience, and what the firm’s track record looks like with companies similar to yours.  

Quality isn’t obvious from the outside. But the signals are there if you know what to look for. For more on how to ask the right questions to evaluate quality, download our checklist, How to Choose a Quality Auditor. 

Why A-LIGN

A-LIGN is the #1 SOC 2 auditor in the world and the only global provider to offer tech-enabled compliance services that reduce control overlap across frameworks. With more than 31,000 audits completed, 96% customer satisfaction, and zero report rejections, we’ve built our reputation on the quality that sophisticated buyers demand. 

Reach out today to learn what a high-quality audit experience looks like — and what it means for your compliance outcomes.

From Audit Prep to Final Report: A Closer Look at A-SCEND

by: A-LIGN | 01 Jun 2026 | 4 mins

Tags: A-SCEND, Efficient Audits

The inefficiencies that make audits slow and resource-intensive are familiar to most compliance teams. Evidence submitted last year gets requested again. Context from prior audit cycles doesn’t carry forward. Teams running multiple frameworks simultaneously end up managing separate processes despite control overlap between them. And by the time gaps surface, fieldwork has already started.

These problems tend to be structural, and they’re consistent enough that most compliance teams have come to treat them as the cost of doing audits.

A-SCEND was built to change that.

Why most audit tools don’t solve the underlying problem

Most compliance technology is built around evidence collection and readiness monitoring, helping organizations prepare before an audit begins. That’s useful, but it often covers only the preparation phase before the audit firm enters the picture.

What happens next — the actual audit execution, the evidence review, the back-and-forth between clients and auditors, the management of requests across frameworks, the translation of audit work into a final report — typically happens outside those tools. Auditors use their own systems. Clients use email threads and spreadsheets to track status. Evidence submitted in one tool may need to be resubmitted in another. The audit itself introduces a new layer of fragmentation on top of whatever prep process was already in place.

A-SCEND is built for the other side of that divide. It’s the audit management environment: the platform where evidence gets reviewed, requests get managed, and the audit runs from preparation through report delivery. Because A-LIGN both builds and operates the platform, the same tool serves auditors and clients in the same engagement. There’s no translation layer, no handoff between systems, and no context that disappears when the audit begins.

How A-SCEND is structured

The platform organizes the audit process into three phases, each addressing a distinct point of friction.

Audit Intelligence: Know where you stand before fieldwork starts

The first phase covers everything that happens before an audit formally begins. For most organizations, this is where the most avoidable work piles up. Evidence needs to be gathered, organized, and mapped to audit requirements — typically with no reliable way to evaluate completeness before the auditor does.

A-SCEND addresses this with two tools. The first is AI Evidence Matching, which analyzes a file name and its contents, matching it to a request from the Information Request List (IRL) based on the request description and A-LIGN guidance. It returns a confidence score (High, Medium, or Low) and a technical summary explaining the match. This saves a compliance professional a lot of manual work early in the process.

The second is EvidenceIQ, which evaluates how well submitted evidence meets audit criteria across the engagement as a whole. The output is a pre-audit readiness score that gives compliance teams a clear view of where gaps exist before the formal audit begins.

Both tools are designed to increase efficiency earlier in the process, so that addressing issues is straightforward rather than disruptive.

Audit Execution: Manage the audit without rebuilding it each cycle

The second phase covers the engagement itself — the period when auditors are actively reviewing evidence, requesting clarification, and working toward report delivery.

Historical reuse. Evidence, decisions, and auditor notes from prior audit cycles roll forward automatically. Teams aren’t rebuilding submissions from scratch each year. Prior context is available at the start of each new engagement.

Deduplication. Multiple audits don’t have to mean multiple disparate workstreams. A-SCEND consolidates audits — within a single framework or across several — into one engagement. Where scopes overlap, evidence carries across without being resubmitted. For example, SOC 2 and ISO 27001 share significant control overlap, as do other common framework combinations. The deduplication logic can meaningfully reduce the overall effort involved for compliance teams.

Embedded auditor collaboration. Clients and auditors communicate directly within the platform through comment fields. There’s no separate communication channel to manage. Status is visible in real time for both sides of the engagement.

The combination of these three capabilities addresses the most consistent complaints compliance teams have about the audit process: starting over every year, duplicating work across frameworks, and losing visibility into where things stand.

Audit Expansion: Understand what your existing work covers

The third phase applies after an audit is complete. As compliance programs grow, organizations frequently need to add frameworks. The question is always: how much of what we already have applies?

A-SCEND’s engagement crosswalk shows how evidence from a completed engagement maps to other frameworks. If a team just completed SOC 2 and is evaluating ISO 27001 or HITRUST, the crosswalk shows how close their current evidence base gets them before they start a new engagement. This can give compliance leaders a more accurate picture of the incremental effort required to expand their program.

What makes this approach different

A-SCEND has processed over 4 million pieces of evidence across more than 31,000 completed audits. That foundation is what makes its AI features credible and confidence scores meaningful. These AI features are designed with auditor oversight at every step, and clients can toggle AI functionality off entirely if they prefer to operate without it.

As a proprietary platform, A-LIGN owns the full roadmap and tests every enhancement internally with its own audit teams before releasing it to clients. Changes are driven by what auditors and clients actually encounter in real engagements — not by theory.

A-SCEND is built by people who run audits for a living, validated through real-world practice, and designed to reduce the friction that makes audits slower and more resource-intensive than they need to be.

Learn more about A-SCEND here.

How AI Gives Offensive Security Teams the Upper Hand

by: Joseph Cortese | 29 May 2026 | 3 mins

Tags: AI Governance, Pen Test

For years, attackers had the advantage: they only needed to find one vulnerability to break into a network. AI has made that easier, enabling adversaries to move faster, adapt mid-attack, and probe defenses at a scale that outpaces a manual response. But that same technology is now in the hands of offensive security professionals.

AI doesn’t just level the playing field. It changes the game entirely. Offensive security professionals can now pre-run the attacker’s playbook thousands of times before an adversary ever shows up.

Why annual testing doesn’t match the threat

Traditional penetration testing operates on a schedule. You engage a team, they test, they report, and you remediate. Most teams only run penetration tests once a year. The problem is that attackers don’t operate on a schedule. They probe continuously, adapting their techniques in real time as they learn more about your environment.

AI-assisted offensive security changes this dynamic. Instead of waiting for an engagement window, security teams can simulate adversarial behavior at scale and on demand, running thousands of attack scenarios against your environment before any real threat actor gets the chance. The result isn’t a point-in-time snapshot. It’s a living, continuously updated picture of your actual exposure.

What AI enables for offensive security

This isn’t about replacing skilled testers with automation. The value of AI in offensive security is in amplification — giving offensive security professionals the ability to do more, faster, with greater accuracy. AI can model attacker behavior based on real-world threat intelligence, chain together complex attack paths that manual testing might miss, and adapt dynamically as defensive controls respond.

For environments like OT, IoT, CMMC-scoped systems, or traditional enterprise infrastructure, this means exposure isn’t just identified. It’s validated against how a real adversary would actually move through your environment.

Why human expertise still drives the outcome

The most effective AI-augmented penetration tests combine automated simulation with human judgment. AI can run attack scenarios at scale, surface exposure paths, and adapt to defensive controls in real time. It takes an experienced tester to understand what the findings actually mean for your environment, prioritize what matters most, and identify the nuanced, context-dependent risks that automated tools aren’t built to catch.

An AI model can assume — but doesn’t know — that your legacy OT system can’t be patched, that a particular network segment is implicitly trusted for operational reasons, or that a misconfiguration your team considers low-risk sits one step away from your most sensitive data. That context comes from skilled testers who understand your environment, not from the tool they’re using.

Four ways AI changes what’s possible for defenders

AI fundamentally expands what offensive security professionals can do:

  • Simulate attackers at scale: Run thousands of adversarial scenarios continuously, not just during an engagement window.
  • Find vulnerabilities before exploitation: Identify exposure paths before a threat actor does.
  • Continuously pressure-test systems: Move from annual snapshots to ongoing validation of your defensive controls.
  • Neutralize AI-driven attacks: The best way to defend against AI-powered adversaries is to understand exactly how they’d attack you.

This is what it looks like when offensive security operates at the same speed as the threats it’s defending against.

Why this works across every environment

One of the most important things about AI-augmented offensive security: it’s not environment-specific. Whether your concern is a CMMC-scoped defense contractor environment, an OT network running legacy industrial systems, IoT deployments with limited patching options, or a traditional enterprise infrastructure, the core approach is the same. Simulate attacker behavior. Identify exploitable exposure. Validate your controls. Repeat.

The specific techniques adapt to the environment. The methodology doesn’t. This is what makes it scalable, and why organizations with diverse, complex environments benefit most.

Get ahead of the threat

AI changes what’s possible. Offensive security teams can now simulate the adversaries targeting your environment before they ever arrive, continuously validating your defenses against the techniques being used against organizations like yours.

Reach out to the A-LIGN team to learn how AI-augmented penetration testing can help you get ahead of the threats targeting your environment.

Why Your Chief Revenue Officer Is Your Most Important Compliance Stakeholder

by: Rick Orloff | 28 May 2026 | 5 mins

Tags: Audit Quality, Compliance

Rick Orloff is a Fortune 1000 CISO and Strategic Advisor at A-LIGN, with over 20 years of experience at companies including Apple and eBay. 

For most of my career, the assumption has been that compliance lives inside the security organization, gets owned by the GRC team, and gets funded out of the security budget. The rest of the business consumes the outcome.  

But I believe every compliance certification is a revenue decision. So, that means your most important compliance stakeholder isn’t your CFO, your board, your engineering team, or your auditor. It’s your Chief Revenue Officer. 

If Sales can’t convert a certification to market share, it’s not worth pursuing

When I’m deciding whether to pursue a new certification, the first conversation I have is with the head of sales. Why? Because if I got alignment from every executive in the company and sales said there was no value, we wouldn’t waste our resources. 

That isn’t a slight to anyone else’s role. Privacy, legal, engineering, and finance all have a stake. But they are recommenders. The certification either does or doesn’t help convert pipeline, and the only person who can answer that question is the person who owns the revenue number. 

The conversation I want to have is two questions long: 

  • If we got this certification, would it help you close more deals or protect our market share? 
  • If yes, can you put a number on it? 

If sales tells me a new certification is worth $10M in ARR, the rest of the budget conversation becomes simple math.

Two metrics nobody tracks well 

The hard part of that conversation is that most sales organizations don’t have great data on the impact of compliance certifications. Two metrics matter, and almost no one tracks both. 

The first is deals that you lost because you didn’t have a specific certification. That one is at least within reach. Your account executives know which deals fell apart and why. Tracking this helps drive a Return on Investment (ROI) justification to support sales with additional certifications. This should be a ‘required’ field in CRMs.

The second is harder. It’s the deals that never came to the table because you didn’t have the certification. Your AE never saw the opportunity. The prospect’s procurement filter screened you out before anyone made a call. You will never see those names in your pipeline, but they are real, and over time they add up to more lost revenue than the deals you watched die. 

The leaders I’ve worked with who handle this best build a lightweight discipline into their RevOps practice. They tag lost deals with the missing certification. They survey their AEs quarterly about which certifications prospects are asking for. They look at win rates against competitors who have certifications they don’t. Imperfect data beats no data, and any actionable data you can put in front of your CRO beats a hypothetical guess.

The budget math gets easier when sales is your advocate 

Once your CRO has a number, the rest of the path is straightforward. 

If a new certification costs $100K and sales says it will generate $10M in ARR, that’s the end of the conversation as far as I’m concerned. I’m putting it in my budget. 

If I don’t have the budget, I’m going to finance and the CFO and bringing my CRO into that conversation. The justification isn’t “the security team wants this.” The justification is “your sales organization thinks this is worth $10M, and the cost of getting there is $100K.” That conversation lands differently than a typical security budget ask, because it has been reframed as a revenue investment with a security team executing it. 

And here’s the part that surprises people: in a healthy organization, you may not need a new budget ask at all. If you’ve already rationalized your audit portfolio, consolidated frameworks under one provider, freed up engineering hours, and cut redundant evidence collection, you’ve probably freed up the dollars to self-fund the new certification. That’s what we did in my prior role. The savings from consolidation paid for the next two certifications. No incremental budget required.

Handling the “Compliance is theater” objection 

If you spend any time around founders or senior engineers, you’ll hear some version of this take: compliance certifications aren’t real security; they’re theater. 

A SOC 2 report isn’t a substitute for an actual security program. A certification doesn’t make you fully secure. The people who think it does are kidding themselves. 

But here’s the part the theater argument misses: the certification isn’t for your security program. It’s for your customer. It exists so the buyer on the other side of the deal can perform their due diligence efficiently and your AE can advance the pipeline. The certification is a procurement artifact that pays for itself in cycle time and deal velocity. 

When an engineer tells me compliance is theater, I don’t argue. I explain that without certifications, every customer would be asking to effectively perform their own audits, speak with stakeholders, and impact a large number of people. Having a trusted third-party auditor certify us using a common control framework is incredibly efficient for all of us. That framing puts compliance in its right context: necessary, valuable, and not the same thing as security.

Five questions to bring to your next CRO conversation 

The right place to start is with your CRO. Here are five questions I’d recommend before kicking off a new audit: 

  • Which certifications are prospects asking for that we don’t have today? 
  • Of the deals we’ve lost in the last twelve months, how many cited a missing certification? 
  • Among the certifications on our roadmap, which would move the most pipeline? 
  • Do you have regulatory blockers to your market? 
  • Are there geographic or vertical-specific certifications that would open markets we aren’t competing in today? 

Those five questions reframe the audit conversation from a compliance exercise into a growth conversation. They also give your CRO a reason to be in the room when the project is being approved. Security should help drive top-line revenue, not just protect bottom-line costs.

The takeaway 

The security leaders who operate most effectively treat compliance as a revenue function. When you treat it that way, things change. The conversation with the C-suite becomes substantive, and you’re seen as a stakeholder to the entire business. The conversation with your CFO becomes a revenue conversation, not a cost conversation. The conversation with engineering becomes a “we’re doing this to help close deals” conversation, which is a much more durable motivator than “we’re doing this because the auditor asked.” And your own work as a security leader becomes more strategic, because you’re now operating at the intersection of risk and revenue rather than as a cost center. 

The test is simple: are you a transactional security leader or strategically aligned with what’s around the corner? A transactional CISO produces audit reports. A strategically aligned CISO produces revenue. Both jobs are real. One is more interesting, and a lot more valuable. 

Ready to align your compliance program with revenue? 

Talk to A-LIGN about how a consolidated, multi-framework audit program can drive both pipeline and ROI for your organization. 

CMMC’s Real Stress Test: Your Weakest Supplier Isn’t Ready and That’s Everyone’s Problem

by: Michael Brooks 22 May,2026 5 mins

CMMC

Every prime contractor tells us the same thing: “We’re ready for CMMC. Our suppliers, not so much.” 

We hear it in readiness reviews, right before solicitations drop, and when programs are already at risk. 

That statement is where CMMC reveals its real purpose. Not as a compliance framework or an assessment event, but as a stress test of supply chain leadership, risk visibility, and accountability across the defense industrial base (DIB). 

CMMC does not pass or fail at the prime. It passes or fails at the weakest supplier that touches Controlled Unclassified Information (CUI). 

When a small supplier becomes a big problem

The most common misconception we encounter is that supplier size equals supplier risk. Under CMMC, that assumption breaks quickly. 

Today, CMMC requirements are embedded directly in the Department of Defense (DoD) acquisition lifecycle before contract award, option exercise, or extension. When a subcontractor handling CUI cannot demonstrate the required certification level, the consequence is immediate and operational: 

  • A task order cannot be released 
  • An option year cannot be exercised 
  • A delivery milestone slips 
  • A mid‑program supplier replacement becomes unavoidable 

We routinely see a single unready supplier delay or disrupt a multibillion-dollar program. Not because it represents large spend, but because it represents an irreplaceable flow of data, engineering, or sustainment capacity. 

Under CMMC, supplier readiness is no longer a downstream compliance concern. 
It is program execution risk. 

Why the DoD is uncompromising: Cyber gaps become adversarial advantage

CMMC exists because adversaries adapted faster than the defense supply chain did. They learned they did not need to breach primes. They only needed access to the supply chain layers where defenses were weaker and visibility was limited. 

In assessments and investigations, the pattern is consistent: poorly scoped environments, undefined CUI boundaries, and inherited controls assumed but never validated. 

These gaps expose capability development timelines, production constraints, sustainment vulnerabilities, and sensitive technical context years before deployment. 

That’s why the DoD tied CMMC directly to eligibility and not remediation promises. Cyber readiness, contract performance, and mission readiness are now inseparable. 

The readiness gap is real, even as certifications increase

Certification momentum is building, but the scale of what remains is where the real challenge comes into focus. With an estimated 80,000 organizations ultimately requiring Level 2, and roughly 1,100–1,200 certified as of early 2026, tens of thousands of suppliers still have a long road ahead. 

What we see consistently as a C3PAO is that the central challenge is not willingness. Most organizations understand the stakes and are making genuine efforts. The challenge is assessment readiness. Suppliers arrive at formal assessments with gaps they did not know they had: CUI boundaries that were never fully defined, controls that were assumed inherited rather than validated, and remediation plans built around theoretical best practices rather than how their environment actually operates. 

The result is predictable. There is misalignment between how a supplier believes they are running their program and what an assessor finds when they look closely. That gap between operating reality and the chosen path to certification is what stalls organizations, not lack of intent. 

What assessment reality has taught us 

Having worked across hundreds of readiness efforts and formal assessments, we can state several truths clearly. 

There is no single path to CMMC Level 2. Suppliers differ materially in how and where CUI is handled, how their architecture and boundaries are designed, how cloud usage and shared responsibility are structured, and how mature their governance and leadership are. 

Attempts to apply generic, one-size-fits-all remediation plans consistently lead to over-engineering, missed scope, inflated Plans of Action and Milestones (POA&Ms), and delayed or failed assessments.  

The good news is that there are multiple proven pathways to certification. We know because we have seen it firsthand as a leading CMMC C3PAO. The organizations that progress faster choose pathways grounded in assessment‑validated patterns, not theoretical best practices. 

Why the Affirming Official is the most underutilized control in CMMC

CMMC intentionally introduced a leadership accountability mechanism that did not exist before: the Affirming Official. This role is not symbolic. It is structural. 

In successful assessments, the Affirming Official is clearly designated early, actively engaged throughout readiness, empowered to make scope, funding, and risk decisions, and accountable for accuracy, not optimism. 

When this role is weak or undefined, we consistently see delayed readiness, unresolved scope disputes, documentation that does not reflect reality, and last-minute surprises during assessment. 

The Affirming Official is the control that aligns cybersecurity, operations, legal, and leadership into a single accountable outcome. 

CMMC was designed this way for a reason. When that role functions as intended, readiness accelerates not because controls are easier, but because decisions are clearer. 

How suppliers get unstuck

Suppliers that move from stalled to assessment-ready do three things consistently: 

  1. They stop pursuing “perfect” and commit to “defensible.” 
    Assessments reward clarity, evidence, and repeatability. Not idealized architectures. 
  2. They align to a proven pathway matched to their environment. 
    Control inheritance, boundary decisions, and evidence strategies are selected intentionally. They are not assumed. 
  3. They engage primes and advisors as partners in risk, not enforcers of checklists. 
    Transparency improves, remediation focuses, and timelines compress. 

Readiness improves when suppliers are enabled to follow the right path for them, not forced down the wrong one. 

The leadership question CMMC forces forward

CMMC ultimately asks leadership across primes, suppliers, and program offices one defining question: 

Will weak supplier readiness be allowed to delay programs and erode advantage, or will accountability be applied early enough to prevent it? 

The organizations succeeding are decisive. They empower Affirming Officials, segment supplier risk intelligently, and guide readiness using pathways proven through real assessments. 

They understand a hard truth: under CMMC, you don’t rise to the level of your policy, you fall to the level of your weakest supplier. 

Final word

CMMC is not where cybersecurity becomes bureaucratic. It is where it becomes real: where trust becomes operationalized, supplier readiness determines program readiness, accountability replaces self-attestation, and leadership — not documentation — decides outcomes. 

The pathways to certification exist. We know them because we assess them, and we openly share what works because strengthening the defense supply chain cannot be done in isolation. CMMC’s real stress test is not the assessment. It’s whether leaders act before the chain breaks.  

Most organizations don’t fail on intent. They fail on preparation. Reach out today to find out where you stand.  

Why Technology is Now a Top Factor When Choosing an Audit Firm

by: A-LIGN 4 mins

A-SCEND, Efficient Audits

Selecting an audit firm has traditionally come down to cost, reputation, industry experience, and a track record with the relevant frameworks. Those criteria still matter, but buyer research shows that compliance teams are now weighing a new factor more heavily than before.  

According to A-LIGN’s market survey of 500 senior compliance, security, and governance leaders, audit technology is now the top factor among organizations evaluating audit firms, ranking above cost, brand, and auditor experience. 88% of organizations say technology improves audit quality, and 63% expect greater efficiency and speed from a tech-enabled audit. 

Understanding what’s driving that shift, and what technology-enabled actually means, gives compliance teams a more complete framework for evaluating their current or prospective audit partners. 

Why technology has moved to the top of the list 

Compliance programs have grown significantly in scope. Most organizations are no longer managing a single framework. Running SOC 2, ISO 27001, HITRUST, and FedRAMP simultaneously has become common, often with the same internal team responsible for all of them. Two-thirds of organizations now spend more than three months preparing for a single audit. 

The result is that the audit process itself has become a substantial operational burden. Teams resubmit the same evidence year after year for frameworks that share significant control overlap. Context and decisions from prior audit cycles don’t carry forward, so each new cycle starts from scratch. Gaps in evidence aren’t identified until fieldwork is already underway, creating delays and rework at the worst possible time. 

These inefficiencies aren’t inevitable. They’re largely a function of how audit firms are set up to operate, and buyers have started factoring that into their selection process. 

What technology-enabled actually means 

For buyers, the relevant question isn’t whether a firm uses technology. It’s whether that technology addresses the specific problems that make audits slow and resource-intensive. 

There are four areas where audit technology makes the most measurable difference: 

Evidence reuse across cycles and frameworks. 

Audit technology that preserves prior-year evidence and maps it forward means teams aren’t rebuilding the same submissions from scratch every year. The same logic applies across frameworks — SOC 2 and ISO 27001 share a substantial number of controls, and technology that can recognize that overlap and harmonize frameworks eliminates the duplicate work that would otherwise fall entirely on the client. 

Gap identification before fieldwork begins. 

When evidence gaps surface after fieldwork has started, the options for addressing them without disrupting the timeline are limited. Audit technology that evaluates evidence completeness before the engagement formally begins gives teams time to close those gaps while it’s still straightforward to do so. 

Real-time engagement visibility. 

Tracking audit progress through email threads and status meetings is a coordination tax that adds up quickly. A well-built platform should handle that automatically, giving both the client and auditor a live view of where every request stands without anyone having to ask.  

Auditor judgment stays in the process. 

Technology reduces manual burden on repetitive, rule-based work. It doesn’t replace the judgment required to scope an audit accurately, interpret ambiguous evidence, or identify issues that don’t surface through automated checks. The firms applying technology effectively are using it to reduce the manual burden on both sides, not to substitute for the auditors responsible for the quality of the final report.  

That distinction matters more than it might seem. 53% of compliance professionals have concerns about AI in audits, with accountability and transparency ranking highest. A firm that can clearly explain what its AI does, what auditors review before anything is acted on, and how clients retain control over the process is operating at a different standard than one that simply claims to use AI. 

Four questions to ask when evaluating an audit firm’s technology 

These questions uncover whether a firm’s technology actually solves the problems compliance teams often deal with. 

Does evidence carry forward between audit cycles? 

If your team re-uploads the same documentation every year, the platform isn’t addressing one of the most common sources of audit inefficiency. Ask directly: does prior-year evidence roll forward automatically, or does your team rebuild from scratch each cycle? 

Can the firm assess evidence readiness before fieldwork starts? 

A firm with mature audit technology should be able to evaluate how well your current evidence maps to audit requirements before the engagement formally begins. If they can’t surface gaps proactively, there’s no intelligence in the process — just a request list sent after kickoff. 

How does the platform handle multiple frameworks? 

For organizations running more than one framework, ask specifically how shared controls are managed. Evidence submitted for one framework should apply to another without manual mapping on the client’s side. If it doesn’t, the overlap savings that should flow to the client end up as manual work instead. 

How is AI used, and what oversight exists? 

Ask the firm to explain specifically what its AI does, what auditors review before anything is acted on, and whether clients can adjust or disable AI features. A clear, detailed answer indicates the firm has thought carefully about responsible implementation. A vague one suggests they haven’t. 

Applying sharper evaluation criteria 

The data from A-LIGN’s survey reflects a shift that’s already underway among the most sophisticated compliance buyers. Technology has moved up the list in large part because buyers have experienced firsthand what a manual, fragmented audit process costs them in time and resources. 

Cost and experience remain relevant. But an audit firm that can’t demonstrate how its technology reduces the burden on your team, year over year, is leaving a meaningful gap in what it offers. 

A-LIGN built A-SCEND to address each of these areas directly. To see how it works, visit our A-SCEND page. 

AI Agents Are Running in Your Business. Here Is What Governing Them Actually Looks Like.

by: Patrick Sullivan 15 May,2026 7 mins

AI Governance, ISO 42001

Most organizations deploying AI agents have thought carefully about what those agents are supposed to do. Fewer have thought carefully about what those agents are capable of doing. That gap is where governance risk lives.

A working paper released in April 2026 by researchers affiliated with CEN/CENELEC JTC 21 put a specific conclusion on record: your regulatory obligations are determined not by what is inside an agent, but by what it does in deployment. An AI agent that summarizes internal meeting notes triggers a narrow set of transparency obligations. The same agent, given access to a hiring system, activates a completely different tier of EU AI Act requirements. The difference is not the agent’s architecture. It is the agent’s footprint.

ISO 42001, the international standard for AI management systems, provides the right organizational framework for governing that footprint. The six disciplines below are where that framework meets practical business operation.

Six governance disciplines for agentic AI

These six disciplines are not aspirational. They are the minimum operational posture for an organization that is deploying AI agents and intends to govern them responsibly. ISO 42001 provides the management system framework that holds them together in an auditable, certifiable structure.

Discipline 1: Know your agent’s footprint, not just its function

Every AI agent has two profiles. The first is what it was designed to do. The second is what it can actually do: every system it can access, every action it can take, every person affected by those actions. Governing an agent means knowing both profiles and confirming they match.

This is not a technical exercise. It is an accountability exercise. The same discipline you apply to documenting a vendor relationship or a new employee’s system access rights applies here. Before an agent is deployed, your organization should be able to produce a clear inventory: what external systems does it connect to, what can it read, what can it write, what can it send, and who does that affect?

Business analogy: You would not onboard a new employee and give them a master key to every system in the building because their job description did not explicitly forbid it. An AI agent’s access should be documented with the same deliberateness you apply to employee onboarding.

Governance question: Can your organization produce a complete access inventory for every deployed agent today? If not, that is your starting point.

Discipline 2: Build fences, not rules

There is a critical difference between telling an AI agent not to do something and technically preventing it from doing that thing. Instructions can be overridden, misinterpreted, or circumvented by an unusual input. A technical constraint holds regardless of what the model is told or what input it receives.

For any action your agent is not authorized to take, it should lack the technical ability to take it, not merely the instruction. A customer service agent that is not authorized to issue refunds above a certain threshold should have that limit enforced by the system it connects to. A recruiting agent that is not authorized to reject applications should not have access to the rejection function at all.

Business analogy: A rule telling an employee not to access the payroll system means very little if their computer has the login credentials. Removing the credentials is a different category of control entirely.

Governance question: For every action your agents are not authorized to take, is that enforced by a technical constraint or an instruction? The answer determines your actual risk exposure.
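The fence in Discipline 2 can be made concrete. The Python below is an added example, not A-LIGN's code or any product's API: a tool gateway that holds the backend functions itself and gives the agent nothing but a capability manifest. The agent name, the tool names, the 100.00 refund ceiling and the stub backends are assumptions. Whatever the model is instructed, confused or tricked into requesting, a tool absent from the manifest or an argument outside its limit is refused and logged before any backend runs.

```python
"""Agent tool gateway: enforce what an agent may do in code, not in its prompt.

Added example, not A-LIGN's code or any product's API. The agent name, the
tool names, the 100.00 refund ceiling and the stub backends are assumptions
chosen to illustrate Discipline 2.
"""
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass(frozen=True)
class Capability:
    """One tool the agent may call, with optional numeric ceilings per argument."""
    tool: str
    limits: dict[str, float] = field(default_factory=dict)  # e.g. {"amount": 100.0}


@dataclass
class Decision:
    allowed: bool
    reason: str
    result: Any = None


# Stub backends standing in for "the system the agent connects to" (constructed).
def lookup_order(order_id: str) -> dict:
    return {"order_id": order_id, "status": "shipped"}


def issue_refund(order_id: str, amount: float) -> dict:
    return {"order_id": order_id, "refunded": amount}


def reject_application(applicant_id: str) -> dict:
    return {"applicant_id": applicant_id, "rejected": True}


BACKENDS: dict[str, Callable[..., Any]] = {
    "lookup_order": lookup_order,
    "issue_refund": issue_refund,
    "reject_application": reject_application,
}


class ToolGateway:
    """Mediates every tool call. The agent never holds a backend function
    directly, so a tool absent from its manifest is unreachable no matter
    what the model was told, asked, or tricked into requesting."""

    def __init__(self, agent_id: str, capabilities: list[Capability]):
        self.agent_id = agent_id
        self._caps = {c.tool: c for c in capabilities}
        self.audit_log: list[dict] = []  # every attempt, allowed or denied

    def call(self, tool: str, **args: Any) -> Decision:
        cap = self._caps.get(tool)
        if cap is None:
            return self._record(tool, args, Decision(False, f"{tool} not in capability manifest"))
        for arg, ceiling in cap.limits.items():
            value = args.get(arg)
            if not isinstance(value, (int, float)) or value < 0 or value > ceiling:
                return self._record(tool, args, Decision(False, f"{arg}={value!r} outside 0..{ceiling}"))
        return self._record(tool, args, Decision(True, "allowed", BACKENDS[tool](**args)))

    def _record(self, tool: str, args: dict, decision: Decision) -> Decision:
        self.audit_log.append({"agent": self.agent_id, "tool": tool, "args": dict(args),
                               "allowed": decision.allowed, "reason": decision.reason})
        return decision


# Assumed manifest: the support agent may look up orders and refund up to 100.00.
# It has no path to the hiring system at all; that absence is the fence.
SUPPORT_AGENT = ToolGateway("support-bot", [
    Capability("lookup_order"),
    Capability("issue_refund", limits={"amount": 100.0}),
])


def demo() -> tuple[Decision, Decision, Decision]:
    """Three requests a model might emit; returns the gateway's decisions."""
    within = SUPPORT_AGENT.call("issue_refund", order_id="A-1", amount=40.0)
    over = SUPPORT_AGENT.call("issue_refund", order_id="A-2", amount=500.0)
    # A prompt-injected or confused model "decides" to reject a job applicant.
    out_of_scope = SUPPORT_AGENT.call("reject_application", applicant_id="C-9")
    return within, over, out_of_scope


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason, d.result or "")
```

The structure is the point: the model's output is a request, and the gateway, not the prompt, decides. Recording every attempt, denied ones included, also produces the raw material a behavioral baseline needs.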

Discipline 3: Treat agent updates like product launches, not software patches

AI agents change: new tools get added, new data sources get connected, and the underlying model gets updated. Each of these changes can alter the agent’s regulatory profile, its risk tier, and the controls required to manage it responsibly. Without a deliberate process for classifying those changes, capability growth accumulates without oversight.

The governance discipline here is a pre-agreed classification system. Some changes are minor, like a wording update that does not affect what the agent can do. Some changes are material, like adding a new external system the agent can act on, or connecting to a new data source it did not previously access. Material changes require fresh review before deployment. The business value is the ability to demonstrate, at any audit or enforcement inquiry, that governance kept pace with deployment.

Business analogy: When a software team updates a customer-facing application, it goes through testing and sign-off before it is released. An agent update that expands what that agent can do deserves the same discipline as any other change that affects customers or business processes.

Governance question: Who in your organization decides whether an agent update requires a governance review? If there is no clear answer, that is a gap.

Discipline 4: Give your agents a performance review

Every employee is measured against expected performance. An AI agent should be no different. The question is not whether to monitor agents. It is whether your organization has defined what normal looks like, so departures from it are visible.

This starts with a baseline. How often does the agent act? What kinds of actions does it typically take? What proportions involve external communications, data reads, or consequential outputs? When does a pattern shift enough that a human should review it? Organizations that operate agents without baselines have no mechanism for detecting behavioral drift, which is the condition the EU AI Act’s essential requirements are designed to prevent. You do not need sophisticated tooling to start. You need a decision about what you are going to measure and what threshold warrants human attention.

Business analogy: A financial controller reviewing monthly expenditures is not looking for fraud on every line. They are looking for patterns that deviate from the expected range. Agent monitoring works on the same principle. Normal must be defined before abnormal can be recognized.

Governance question: If one of your agents started behaving differently today, who would notice, and how quickly?
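What a baseline and a threshold look like in practice, as an added example that is not part of A-LIGN's post or any product: a short Python script that parses a constructed agent action log, computes each day's action count and external-send share, takes days 1 to 3 as the agreed baseline, and flags any later day that exceeds twice the baseline on either measure. The agent name, the action vocabulary (read, write, send), the baseline window and the multipliers are all assumptions.

```python
"""Agent behavioral baseline and drift alerting over a constructed action log.

Added example, not A-LIGN's code or any product's feature. The log lines, the
three-day baseline window and the thresholds (2x baseline daily action count,
or a send share above 2x baseline) are assumptions chosen to illustrate
Discipline 4: define normal first, then route departures to a human.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean

# Constructed sample log, one "<timestamp> <agent> <action>" per line. Days 1-3
# are the agreed baseline; on day 4 the agent starts sending externally in
# volume; day 5 is back to normal and must not alert.
LOG = """\
2026-05-01T09:00Z support-bot read
2026-05-01T09:05Z support-bot read
2026-05-01T10:00Z support-bot write
2026-05-01T14:00Z support-bot send
2026-05-02T09:10Z support-bot read
2026-05-02T11:00Z support-bot read
2026-05-02T13:00Z support-bot write
2026-05-02T16:00Z support-bot send
2026-05-03T09:00Z support-bot read
2026-05-03T10:30Z support-bot write
2026-05-03T12:00Z support-bot read
2026-05-03T15:00Z support-bot send
2026-05-04T09:00Z support-bot read
2026-05-04T09:01Z support-bot send
2026-05-04T09:02Z support-bot send
2026-05-04T09:03Z support-bot send
2026-05-04T09:04Z support-bot send
2026-05-04T09:05Z support-bot send
2026-05-04T09:06Z support-bot send
2026-05-04T09:07Z support-bot send
2026-05-04T09:08Z support-bot send
2026-05-05T09:00Z support-bot read
2026-05-05T10:00Z support-bot read
2026-05-05T11:00Z support-bot write
2026-05-05T15:00Z support-bot send
"""
BASELINE_DAYS = {date(2026, 5, 1), date(2026, 5, 2), date(2026, 5, 3)}

@dataclass(frozen=True)
class Event:
    ts: datetime
    agent: str
    action: str  # read | write | send ("send" = external communication)

def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, agent, action = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"), agent, action))
    return events

def daily_profile(events: list[Event]) -> dict[tuple[str, date], tuple[int, float]]:
    """Per (agent, day): total actions and the share of them that were sends."""
    totals: Counter = Counter()
    sends: Counter = Counter()
    for e in events:
        key = (e.agent, e.ts.date())
        totals[key] += 1
        if e.action == "send":
            sends[key] += 1
    return {k: (totals[k], sends[k] / totals[k]) for k in totals}

def baseline(profile, agent: str, days: set[date]) -> tuple[float, float]:
    """Mean daily count and mean send share over the agreed baseline window."""
    rows = [v for (a, d), v in profile.items() if a == agent and d in days]
    return mean(r[0] for r in rows), mean(r[1] for r in rows)

def detect_drift(profile, agent: str, days: set[date], base_count: float,
                 base_share: float, rate_factor=2.0, share_factor=2.0):
    """Non-baseline days whose volume or send share exceeds the agreed multiple
    of baseline. Each alert lists every rule it tripped, for the reviewer."""
    alerts = []
    for (a, d), (count, share) in sorted(profile.items()):
        if a != agent or d in days:
            continue
        reasons = []
        if count > rate_factor * base_count:
            reasons.append(f"volume {count} > {rate_factor}x baseline {base_count:.1f}")
        if share > share_factor * base_share:
            reasons.append(f"send share {share:.2f} > {share_factor}x baseline {base_share:.2f}")
        if reasons:
            alerts.append((d.isoformat(), reasons))
    return alerts

def run(agent: str = "support-bot"):
    profile = daily_profile(parse_log(LOG))
    base_count, base_share = baseline(profile, agent, BASELINE_DAYS)
    return detect_drift(profile, agent, BASELINE_DAYS, base_count, base_share)

if __name__ == "__main__":
    for day, reasons in run():
        print(day, "-> route to human review:", "; ".join(reasons))
```

The multipliers are deliberately arbitrary. The decision that matters is choosing them and writing them down, so that a day like 2026-05-04, where the agent's send share jumps from a quarter of its actions to nearly all of them, reaches a named reviewer instead of being noticed after the fact.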

Discipline 5: Have a response plan before you need one

When an agent’s behavior crosses a defined threshold, what happens? Who has authority to suspend it? Who reviews what it did? What is the process for determining whether the behavior was a one-time event or a systemic change? What does re-approval look like before the agent returns to operation?

Organizations that work through these questions in advance are applying the same operational discipline that exists for every other business continuity scenario. The response plan exists for the same reason a financial escalation policy exists. Not because the scenario is expected, but because the moment you need it is not the moment you want to be designing it. The EU AI Act requires corrective action procedures for high-risk AI systems. The more important outcome, though, is organizational readiness.

Business analogy: A fire evacuation plan is not evidence of pessimism about fire risk. It is evidence of operational maturity. An AI agent response plan sits in the same category of governance infrastructure.

Governance question: If an agent produced an output tomorrow that caused customer harm, could your organization reconstruct what it did and why? If not, your response capability is not yet ready.

Discipline 6: Know what version of your agent is running

At any given moment, can your organization say with confidence what capabilities your deployed agents have, what data they can access, and what guardrails are in place? Most organizations can answer this for their core software systems. Fewer can answer it for their agents, particularly as those agents evolve through updates and capability additions.

The governance discipline here is version accountability. When the agent changes, the change is recorded and the current version is traceable. This is not a technical formality. It is the foundation of any audit response. If a regulator, a customer, or a board member asks what a specific agent was capable of doing on a specific date, the answer needs to be retrievable. Organizations that cannot produce that answer are carrying exposure that documentation would close at low cost.

Business analogy: A manufacturing company can tell you exactly what specifications any product on the floor was built to. A financial firm can tell you what trading rules were active on any given date. AI governance requires the same baseline accountability for your agents.

Governance question: Can your organization demonstrate, for any deployed agent, what it was capable of at any point in the past six months?

What good looks like at each stage

Governance maturity in this area develops in stages. Few organizations arrive at all six disciplines simultaneously. The practical question is where you are starting from and what the next step looks like.

Stage 1: Aware. You can name your deployed agents and describe their general function. The next step is to document the footprint inventory for each agent: external systems, data access, and affected persons.

Stage 2: Documented. Access inventories and a change classification policy are in place. The next step is to define behavioral baselines and thresholds that trigger human review when crossed.

Stage 3: Monitored. Baselines are active and threshold breaches are routed to a human reviewer. The next step is to build and test the response plan and establish version accountability for every deployed agent.

Stage 4: Certifiable. All six disciplines are operating and documented within an ISO 42001 AIMS. The organization can demonstrate governance posture to a regulator, auditor, or customer at any point.

The case against waiting

The most common reason organizations delay agentic AI governance work is that the formal standards are not yet finalized. The EU AI Act harmonized standards are still in development. That fact is accurate, but the conclusion drawn from it is wrong.

The EU AI Act’s requirements for high-risk AI systems will be enforceable by December 2027. Standards provide a path to demonstrating compliance. They do not create obligations. Every month of delay is a month of compliance debt accumulating on a timeline that has already started.

The governance disciplines described here do not require finalized standards. They require decisions, documentation, and organizational commitment. All three are available today.

The ISO 42001 connection

Each of the six disciplines above maps to a specific clause in ISO 42001. The footprint inventory lives in the scope statement under Clause 4. Change classification lives in the operational controls under Clause 8. Behavioral monitoring lives in performance evaluation under Clause 9. The response plan lives in corrective action under Clause 10.

ISO 42001 is not a constraint on agentic AI deployment. It is the management system that makes deployment defensible. Organizations already certified against ISO 42001 have the structural foundation in place. What most need is a deliberate extension of that foundation to cover the specific characteristics of agentic systems: their runtime behavior, their dynamic capability footprints, and their multi-system action chains.

Organizations that have not yet begun ISO 42001 implementation have an opportunity to build that foundation with agentic AI governance built in from the start, rather than retrofitted after the fact.

Where does your organization stand?

Agentic AI governance is not a future problem. It is a current one. The organizations building that foundation now will be the ones that can demonstrate it when asked by a regulator, an auditor, or a customer. A-LIGN works with organizations at every governance maturity stage, from initial readiness to full ISO 42001 certification assessment. Reach out today to find out where your organization stands.

Breaking Down Audit Inefficiencies: Lessons from 36,000 Audits

by: A-LIGN 11 May,2026 4 mins

A-SCEND, Efficient Audits

For most compliance managers and IT security leaders, audit season follows a familiar pattern: repeated evidence requests, gathering documentation from scratch, and losing critical context with each new cycle. Most teams spend a disproportionate amount of time managing audit logistics, taking them away from other critical components of compliance. In fact, two-thirds of organizations spend more than three months preparing for audits — putting a heavy strain on both teams and productivity. These challenges aren’t a sign of a poorly run program. They’re a reflection of how most audit processes were designed before modern compliance demands existed. 

After completing over 36,000 audits, A-LIGN has identified the recurring patterns that cause even the strongest compliance programs to stall. One of the biggest sources of audit pain isn’t gaps in security controls — it’s a broken process. Inefficient tools, scattered communication, and time-consuming manual work slow progress for both auditors and clients. 

Below we break down the key reasons compliance programs routinely falter and how to address them.  

The most common ways compliance programs break down 

Even the most mature organizations struggle with the operational side of compliance. These are five common patterns that frequently contribute to audit inefficiency. 

The evidence management trap 

Evidence management often starts with a well-organized folder or master spreadsheet. But as the audit progresses, these tools quickly become cluttered with colored cells, conflicting versions, and broken links. Without a centralized, integrated system, evidence becomes scattered and difficult to manage. This leads to submitting the same files multiple times when auditors can’t locate them, or wasting hours manually matching documents to requirements. These manual processes not only increase the risk of errors but also force skilled security professionals to spend audit season chasing files and formatting spreadsheets instead of identifying and closing actual security gaps. 

The “starting from scratch” cycle 

The annual audit cycle often brings a loss of important context from previous reviews. Months are spent providing information and guiding auditors through complex environments. Once the report is delivered, attention shifts to new priorities, and the background that informed key decisions is often forgotten. 

A year later, the entire process begins again. Notes explaining decisions around specific controls are lost, the same questions are asked, and identical baseline evidence is gathered. Without the ability to reuse past data, every audit cycle feels like starting from scratch. 

Multi-framework redundancy 

As organizations grow, so do their compliance obligations. Many start with SOC 2, then add ISO 27001, and later take on frameworks like HITRUST or HIPAA. Despite significant overlap between these frameworks, audits are often treated as completely separate projects and on different cycles. The same policy documents are collected and presented multiple times for different auditors or standards. Without tools to map and reuse evidence across requirements, teams duplicate work, strain subject matter experts, and drive up the overall cost and complexity of compliance. 

Late gap discovery 

Few things stall an audit faster than a critical gap discovered right before or during fieldwork. Often, materials appear complete until auditors review evidence and find missing details or documentation that doesn’t fully meet requirements. This triggers a last-minute scramble, pulling resources away from planned work and interrupting timelines when accuracy matters most. Identifying these gaps only after fieldwork begins not only delays the process but also increases stress and operational risk. 

Stakeholder coordination breakdown 

Compliance doesn’t happen in isolation. Engineering, HR, legal, and operations teams all play critical roles in providing required data and documentation. 

Audits managed through scattered email threads and chat messages often suffer from a breakdown in stakeholder coordination. Internal teams experience audit fatigue from repeatedly supplying the same data. Missed messages and forgotten follow-ups slow project progress. Without a centralized platform to track requests and communications, achieving consistent alignment among all parties becomes extremely difficult. 

A smarter approach to audit management 

Thorough inspection and validation are critical to ensuring audit quality. The real challenge lies in eliminating the avoidable friction that slows teams down. 

Expecting compliance professionals to manage complex, multi-framework audits with spreadsheets only adds to their frustrations. Software alone cannot resolve process issues, and expertise alone cannot scale without the right tools. Audit expertise and technology must work together within a unified system. 

This realization shaped the development of A-SCEND, A-LIGN’s proprietary audit management platform built from the ground up. A-SCEND centralizes evidence, connects stakeholders, and enables historical data to be reused year after year. By unifying people, processes, and technology in one platform, it reduces redundant requests and maintains alignment from preparation through to the final report.  

Audit season no longer needs to be a taxing cycle of starting over. By addressing these recurring challenges and adopting a more integrated, tech-enabled approach, organizations can streamline the process and focus on strengthening their compliance programs. 
