People, Process, Technology: What Audits Look Like When All Three Work Together
A difficult audit experience usually has more than one cause. The auditors involved in the engagement may be experienced, but without a consistent and rigorous process, engagements can look different every time. The process may be well-documented, but without the right audit technology, it still requires significant manual work on the client side. The technology may be useful for preparing for the audit, but stops short of the actual audit.
Most audit firms bring either experienced people, an efficient process, or modern technology. Few bring all three. That combination is what determines whether an audit runs smoothly or puts the burden back on the compliance team.
What it looks like when each element works alone
A compliance program that relies primarily on skilled people can produce good audits, but the work tends to concentrate. Institutional knowledge stays with whoever manages the engagement. Evidence gathering, auditor communication, and status tracking happen manually because there’s no system carrying that load. The work gets done, but not because the program is designed well — because one person is absorbing the inefficiency.
Process-heavy programs run into a different version of the same problem. Good documentation and standardized procedures create consistency and reduce dependence on any one person. But without the right tools, a well-documented process still requires significant manual execution. Teams following a defined audit checklist while tracking status in spreadsheets and managing evidence through email have a process. They don’t have efficiency.
Technology-first programs can stall in a different way. Compliance platforms built for readiness and evidence collection are useful during audit prep, but they often stop at the point where the audit firm enters the picture. When the formal engagement begins, clients are moving evidence into a separate system, managing communication across different channels, and bridging a gap between their GRC tool and the auditor’s workflow. The technology solved part of the problem and introduced a new handoff point.
Where the gaps show up in practice
Two-thirds of organizations spend more than three months preparing for audits. Evidence submitted last cycle gets requested again because nothing rolls it forward automatically. Organizations running SOC 2 and ISO 27001 simultaneously manage them as separate workstreams despite significant control overlap. Gaps in evidence coverage surface during fieldwork rather than before it, when they’re harder to address without disrupting the timeline. Auditor communication runs parallel to the platform in email threads, so the compliance manager is piecing together status from multiple places rather than seeing it in one.
These patterns are consistent enough that most compliance teams treat them as the cost of doing audits. But they don’t always have to be. They’re what happens when people, process, and technology aren’t working together, and when the audit firm isn’t set up to close that gap.
What changes when all three are aligned
When people, process, and technology function as a single system, the burden on the client drops significantly and the audit experience improves. An experienced compliance team spends less time chasing files. They’re reviewing what’s already been surfaced and addressing issues with context in hand. Process doesn’t just describe what should happen; it’s built into the workflow so that historical evidence rolls forward automatically, framework overlap is handled once rather than separately, and progress is visible without someone manually tracking it.
Technology in this context isn’t a standalone platform or a tool bolted onto an existing process. It’s the environment where the audit is actually conducted — where auditors and clients work in the same space, where AI surfaces evidence matches and readiness gaps early enough to act on them, and where the output is an audit cycle that gets more efficient over time rather than repeating the same work each year.
Most audit firms aren’t set up to deliver all three. The people, process, and technology exist separately, with different vendors, different systems, and different incentives. That’s what A-SCEND is built for. Because A-SCEND is a proprietary platform, it has ingested over 4 million pieces of evidence, and every new feature undergoes rigorous auditor testing before clients use it. Features are released only after they have been pressure-tested and designed to make the process more efficient. People, process, and technology aren’t three separate investments to manage; they’re designed to function as one.
Learn more about A-SCEND here.
Your FedRAMP Certification Profile: A Practical Guide for CSPs
If you’re a cloud service provider (CSP) trying to figure out where you fit in the new FedRAMP world, you’ve probably noticed the program has introduced new types, classes, paths, and profiles all at once.
Let’s break these down so you can better understand the possible paths forward with the future of FedRAMP.
The FedRAMP Consolidated Rules for 2026 are still in public preview. Details will likely adjust with the final publishing, but the framework is clear enough to start planning around now.
The new building blocks
Your FedRAMP certification is now defined by three dimensions:
- Type: The methodology (FedRAMP Rev5 or FedRAMP 20x)
- Class: The level of disclosure and reporting required (A, B, C, or D)
- Path: How you get certified (Program Certification or Agency Certification)
The combination of all three is called your certification profile. Not every combination is valid, so let’s break down the options.
Type: Rev5 or 20x?
FedRAMP Rev5 is the modernized version of the traditional process. It’s still fundamentally the regulatory-driven, documentation-heavy approach that has defined FedRAMP for years. In practice, this has meant building a government cloud, standing up public-sector compliance teams, and navigating extensive assessment requirements. The 2026 rules have updated Rev5 considerably, but it hasn’t become something radically different.
Rev5 is the right choice if you run your own data centers and physical infrastructure, if your sponsor’s or customers’ contracts still require Rev5, or if you need Class D certification (Rev5 is the only path to Class D). By the end of 2027, new Rev5 certifications will be limited to these use cases. If you’re cloud-native and not pursuing Class D, the program is actively nudging you toward 20x.
FedRAMP 20x is genuinely new. It’s a cloud-native process for commercial services built on FedRAMP-certified infrastructure. Instead of documenting compliance against a sprawling control list, 20x focuses on Key Security Indicators (KSIs), which are machine-readable data points demonstrating security capabilities in practice, validated through automation rather than static documentation snapshots.
The intent: a well-run cloud-native product should be able to certify its existing commercial service without building a parallel government cloud.
Class: A, B, C, or D
Certification Class is about how much information you share and how intensive your ongoing reporting obligations are, not about how secure your service is. One of the biggest factors that differentiates each class is continuous monitoring. As class level increases, so does the scope of what you’re required to monitor and report on an ongoing basis. For many CSPs, standing up and maintaining a continuous monitoring program is one of the most significant operational investments in the certification process.
Class A: The Entry Point. This is for CSPs with mature security programs looking to break into the federal market for the first time. There are limited disclosure and reporting requirements. Think of it as a provisional credential. You’re expected to transition to Class B, C, or D once agencies start adopting your service.
Class B: Light Use. Designed for smaller-scale or niche services where an entire agency is unlikely to stake critical operations on your product. Reporting requirements are more than Class A, but less than C or D.
Class C: The Workhorse. This is where most CSPs land — common enterprise services used broadly across agencies. The rules call it the “most commonly used class,” which tracks with Moderate being the most common authorization under the old model. If you’re selling SaaS to the federal government at scale, this is probably your destination.
Class D: Mission Critical. Reserved for services where failure could cripple agency operations, cause major financial damage, or result in catastrophic harm to individuals. The investment required, according to the rules, is “immense”. Class D is exclusively Rev5 and requires an agency sponsor.
Path: Program or Agency Certification?
Program Certification is brand new in 2026. It lets CSPs submit directly to FedRAMP for initial certification without needing an agency sponsor. This is a meaningful change, as the sponsor requirement has historically been one of the biggest barriers to market entry. Program Certification is available for 20x at Class A, B, or C; Rev5 at Class A; and Rev5 at Class B or C in “extremely limited cases”.
Agency Certification is the traditional path: an agency conducts the initial review, grants an agency-specific ATO, and submits to FedRAMP for official certification. It’s required for Rev5 Class B, C, and D. For Class D, it’s the only option — no sponsorless path exists.
Profiles at a glance
Putting the three dimensions together, the valid profiles described above are: Program Certification for 20x at Class A, B, or C and for Rev5 at Class A (Rev5 at Class B or C only in extremely limited cases); Agency Certification for Rev5 at Class B, C, or D. Class D exists only as Rev5 via Agency Certification.
The three questions that actually matter
Strip away the framework language and most CSPs are making three decisions:
1. Am I 20x-eligible? If you’re running a cloud-native service on FedRAMP-certified infrastructure with the automation capabilities to support KSI reporting, you’re almost certainly 20x. Run your own infrastructure, or need Class D? You’re on Rev5.
2. What class fits my actual use case? Be honest about this one. Class D sounds more impressive than Class C, but it comes with obligations that aren’t right for most products. Start with Class A if you’re new and build from there.
3. Do I need an agency sponsor? Going 20x at Class A, B, or C — no. Going Rev5 at Class B, C, or D — yes, apart from the extremely limited cases where Program Certification is available for Rev5 at Class B or C. That dependency is still very real for the traditional pathway.
As a top three FedRAMP assessor with a 100% PMO acceptance rate, we’re committed to supporting you at every stage, from selecting the right certification path to managing the full scope of certifications your organization may need over time. Contact us today to get started.
What Enterprises Get Wrong About Multi-Framework Compliance
For enterprise compliance teams, compliance does not grow gradually — it compounds. A new market triggers a new framework. A new product line adds another. A valuable customer in a regulated vertical requires two more. Before long, the team is running four, five, or six audits per year.
According to the 2026 Compliance Benchmark Report, 1 in 4 organizations say the greatest challenge to their compliance strategy is conducting multiple audits. Plus, 74% of enterprise organizations (companies with 1,001 or more employees) conduct four or more audits per year.
The heavy burden of multi-framework compliance is often exacerbated by a lack of time to think critically about the way things are operating. It doesn’t have to be a constant challenge. Read on as we debunk common myths about multi-framework compliance and share best practices for effective, efficient compliance.
Myth one: Each framework requires a separate schedule of meetings
During audit season, compliance teams at enterprise organizations hardly have a minute to spare. Their calendars are booked with calls to kick off one certification, review evidence for another, and get updates for a third. They’re juggling the status of each audit, answering the same questions in today’s call that they did in last week’s meeting with another auditor. Plus, just when one audit nears completion, the next one is kicked off.
The misconception
Most audit firms treat each engagement separately, resulting in separate meeting schedules. There are repetitive and disjointed processes for each framework, despite the evidence and control overlap that some of the most common assessments share.
Compliance teams accept the stacked meeting sequences because that is how it has always been done. They don’t know that there is a better way.
The reality
Meeting sprawl is a symptom of a missing strategy, not a given element of multi-framework compliance. A high-quality partner will harmonize your audit cycles by mapping requirements, developing a customized plan that reduces duplicative work, and building the right audit team that can tackle multiple frameworks at once. The result of this strategic plan is fewer meetings and a more efficient audit process.
Key takeaway
Multi-framework compliance is complex, but the right partner sorts through the chaos to get your team out of meetings and into their jobs. Seek out a partner that is experienced in audit harmonization and can identify overlapping requirements and develop a custom strategy to simplify your meeting schedule and evidence collection process. Additionally, setting clear expectations upfront to ensure a transparent and well-executed process is critical for a smoother experience across the board.
Myth two: Adding another framework means adding cost
At the enterprise level, adding another framework to your compliance strategy can feel less like a strategic move and more like a tax. Additional audit services required, new teammates to oversee those audits, more evidence to collect, and another invoice. It’s a reasonable assumption: more frameworks equal more overhead. Most compliance teams operate from this belief by default, treating every new framework as a cost rather than an opportunity.
The misconception
Compliance teams run under the assumption that each new framework inherits its own set of recurring costs. Another line item on the budget, more internal bandwidth put to use, which means fewer resources available to drive the organization forward.
Under this assumption, compliance scales linearly: each SOC 2 report, ISO 27001 certification, or HIPAA attestation is treated like a standalone program with its own schedule and its own price tag. As a result, teams are often stretched thin and the business views compliance as a cost center rather than an opportunity to unlock revenue.
The reality
When compliance is harmonized with one provider in a unified program, rather than a jumble of isolated audits, the logic shifts.
Many of the most common frameworks – ISO 27001, SOC 2, HIPAA, and more – overlap in their requirements. When your program is designed to address that overlap strategically rather than piecemeal, adding a new framework is more about mapping than rebuilding.
If you harmonize your compliance program with one provider, there may be cost savings to reinvest in your program. By streamlining your program, you’re unlocking additional budget to execute more audits for the same cost.
Myth three: Expanding your compliance portfolio leads to more manual work
Teams everywhere will recognize the belief that expanding your portfolio leads to more manual work. Product and engineering teams are pulled out of their work for evidence collection, compliance teams spend hours each week chasing documentation, and leaders are hunting for the right email chain. Many enterprises have accepted the reality of a manual compliance model.
The misconception
This misconception is logical: more frameworks mean more controls to document, more evidence to collect, more requests to internal stakeholders. Even efficient teams understand that the process built for one framework doesn’t translate perfectly to implementing two or three.
Engineering teams bear the brunt of requests from compliance, often during the worst times. They’re providing screenshots, sharing access logs, and more, often without context about why it’s needed. Compliance teams feel it too as they coordinate with multiple auditors, complete more manual mapping, and try to stay on schedule.
The reality
Technology isn’t a nice-to-have in modern compliance; it’s a requirement.
Working with an audit partner that uses audit management technology ensures that your compliance program is run efficiently, reducing the amount of manual labor required on your part. According to the 2026 Compliance Benchmark Report, the #1 reason organizations would switch auditors is available audit/GRC technology. It provides a streamlined experience, reducing the time you spend looking for the right email thread and consolidating communication in one central location. Managing your audit cycle in one platform means you’re saving meaningful time to reinvest elsewhere in your week.
Myth four: Every auditor delivers the same outcome
With SOC 2, ISO 27001, and other certifications under your belt, your environment must truly be secure, no matter the provider you’ve selected. The framework is the same, the criteria are the same, the format of the final report is the same. It is easy to assume the auditor is interchangeable — a procurement decision rather than a strategic one.
The misconception
Your auditor issues you reports for multiple frameworks or assessments. Your compliance program must be in great standing.
The reality
Reports are not created equal. According to a market survey of more than 500 compliance professionals, 24% of enterprises (1,000 to 5,000 FTEs) and 48% of strategic organizations (5,000+ FTEs) have rejected a report.
Choosing a low-quality provider that saves $5,000 upon signature won’t necessarily guarantee you long-term savings, as the cost of a rejected report can total up to $100,000 for remediation.
Working with an experienced, reliable audit partner that can help your compliance program mature is critical to avoiding an expensive mistake down the line.
Key takeaway
Be sure to vet any potential auditor. Requesting case studies from happy customers, their accreditations, and relevant experience with similar companies is always a good idea to ensure you’re getting a high-quality partner. We recommend assessing for:
- Experience
- Breadth of services
- Report quality
- Tech enablement
- Audit process
Why A-LIGN
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs.
Our more than 400 global auditors have completed more than 36,000 audits and bring more than 20 years of experience delivering the best-quality audit experience and final reports, exemplified by A-LIGN’s 96% customer satisfaction rating.
A-LIGN’s white glove audit harmonization process ensures that your organization can get back to work instead of completing duplicative work. Our industry-leading audit management software, A-SCEND, powers our best-in-class audit experience.
With A-LIGN, you can achieve your compliance goals with confidence and earn a report that your buyers can trust, with support from technology that streamlines the process. Ready to learn more? Contact us today.
The Business Case for Compliance: Growth, Market Access, and Risk Reduction
Most organizations think about compliance as something to get through, not something to build on. That mindset leaves significant value on the table, and the data makes that clear.
To better understand how certifications shape business outcomes, A-LIGN surveyed 500 senior information security, governance, and compliance leaders across the US and Europe.
The results showed that the certifications companies pursue to meet customer requirements and pass vendor reviews do more than check a box. They can also help unlock new revenue, open doors to new markets, reduce the likelihood of a costly breach, and in many cases, make entire customer segments accessible that would otherwise be out of reach.
Compliance drives revenue growth
On average, organizations unlock between $250M and $770M in new revenue streams through compliance initiatives. That’s because many customers, especially in enterprise and regulated industries, won’t sign a contract until they see the right certifications in place.
SOC 2 and ISO 27001 are the certifications most commonly tied to this growth, consistently ranking as the top frameworks for expanding into new regions, industries, and customer segments. Among organizations with ISO 27001, roughly half say it would have been more difficult to expand into new geographies without it.
Here’s a breakdown of the ROI associated with each certification:
- ISO 27001: $2.2M in average customer revenue unlocked, with a net upside of +$2.18M after certification costs
- SOC 2: $1.5M in average customer revenue unlocked, with a net upside of +$1.48M
- HITRUST: $1.5M in average customer revenue unlocked, with a net upside of +$1.46M
- ISO 42001: $1.4M in average customer revenue unlocked, with a net upside of +$1.36M
- FedRAMP: $1.4M in average customer revenue unlocked, with a net upside of +$1.3M
Across every major framework, the value returned exceeds the cost of certification.
ISO 27001 and SOC 2 unlock market access
For companies pursuing international growth, ISO 27001 and SOC 2 aren’t just certifications — they’re what’s going to get a buyer to consider you. According to our survey, ISO 27001 leads all frameworks in enabling geographic expansion, with strong adoption across North America, Europe, and Latin America. In many European markets, ISO 27001 is expected before a buyer will engage, with SOC 2 playing a similar role in North America.
Both certifications communicate the same thing to a prospective customer: an independent third party has assessed your security controls and found them to hold up. For companies evaluating vendors, that matters. Without that validation, many deals never move forward.
Compliance lowers breach risk and cost
Organizations with major compliance certifications report approximately 50% fewer security breaches than those without them. That finding holds across every major framework: SOC 1, SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. Given that the average breach costs $4.4 million, the reduction in financial exposure is significant.
Another often-overlooked benefit is cyber insurance leverage. Insurers are increasingly tying premiums and coverage terms to proven security practices, and holding a current certification gives organizations concrete evidence to strengthen their position in those conversations.
Why audit quality determines your ROI
The revenue, market access, and risk reduction benefits of compliance only materialize if the report is accepted. Low-cost audit providers may look appealing, but the savings disappear quickly if a customer rejects the final report. About 12% of organizations surveyed said they have had a compliance report rejected, and each rejection costs roughly $70,000 and three months of remediation time. Once remediation labor is factored in, the total cost is closer to $100,000.
Most rejections aren’t caused by technical complexity. They stem from incomplete scoping, inconsistent findings, and documentation gaps. These are execution issues, and all of them point back to audit quality. A high-quality audit produces a report that stands up to customer scrutiny and supports the business outcomes compliance is supposed to unlock. A low-quality audit can delay deals, stall expansion, and weaken the return on the investment.
How to get more from your compliance program
The data makes the case clear: organizations that treat compliance as a strategic priority are seeing returns that far outweigh the investment. In many cases, the difference between compliance that delivers business value and compliance that doesn’t is the quality of the audit behind it.
A-LIGN has completed more than 31,000 audits for over 6,400 customers globally, with zero report rejections. Our audit process combines experienced audit teams with technology that enforces consistency, strengthens audit quality, and drives efficiency.
If you’re looking to get more out of your compliance program, reach out to the A-LIGN team.
Why Most Buyers Can’t Tell a Good Audit from a Bad One — And That’s a Problem
Compliance reports might look the same from the outside. Same cover page, same certification logos, same general structure. That uniformity creates a false sense of equivalence — and it’s costing organizations more than they realize.
To better understand how buyers evaluate audit quality, A-LIGN surveyed more than 500 senior information security, governance, and compliance leaders across the U.S. and Europe. What we found reveals a significant gap between perception and reality: most buyers believe audit quality is largely the same across providers, yet the consequences of a poor-quality audit can reach six figures and derail the deals that matter most.
The quality perception problem
According to the survey, 93% of buyers see little to no meaningful difference in audit quality across providers. Most assume that if a firm is accredited and a report is issued, the quality is roughly equivalent.
That assumption is wrong, and expensive.
As we covered in a previous blog in this series, the cost of a rejected report can total an average of $70,000 in direct expenses, plus an additional $30,000 in remediation labor, for a total exposure of approximately $100,000 per rejection. And the organizations most likely to reject a report, enterprises (1,000 to 5,000 full-time employees) and strategic organizations (more than 5,000 full-time employees), are exactly the ones most companies are trying to sell to.
The disconnect is clear: buyers can’t distinguish quality, but quality determines outcomes. That’s a market maturity problem with real business consequences.
What quality actually looks like
If most buyers can’t differentiate audit quality, what signals should they be looking for?
The survey data is direct on this. Technology is the single most important auditor selection criterion, ranking above cost, brand, and even years of experience. According to respondents, 88% of buyers agree that tools and technology improve audit quality. This is reinforced by the top indicators of a high-quality audit experience: use of modern tools and automation, timeliness of delivery, and thoroughness of testing.
On the flip side, the top red flags buyers associate with low-quality firms are equally telling: lack of technology investment, high error and rework rates, and inconsistent quality across engagements.
This isn’t about bells and whistles. A tech-enabled audit produces more consistent evidence collection, reduces the risk of documentation gaps, and creates a more defensible final report — the kind that holds up when a sophisticated buyer reviews it.
The criteria buyers use — and the ones they should
There’s a gap between how buyers say they evaluate auditors and what they’re actually measuring. Technology, client satisfaction, and industry experience rank as the top three auditor selection criteria in the survey data. In practice, however, many buyers default to cost and brand recognition when making their decision. These factors don’t reliably predict whether a report will be accepted by a demanding customer.
The buyers who can evaluate quality have a framework for it. They cross-check evidence, review auditor methodology, and confirm accreditation. But that’s a small portion of the market. Most organizations are selecting audit providers without the knowledge to judge the quality of the audit partner’s work or of the report it produces.
That gap creates the conditions for report rejection. Buyers who can’t evaluate quality make decisions based on price. They receive a report that looks complete. And then they find out, often at the worst possible moment, that it doesn’t hold up.
What a quality audit produces
A high-quality audit isn’t just a cleaner PDF. The difference shows up in specifics:
Depth and specificity of control testing. A quality auditor doesn’t just confirm that controls exist; it tests them rigorously and documents the results thoroughly. Shallow testing is one of the most common reasons reports get rejected.
A report tailored to your organization. Cookie-cutter reports are a signal, not just an aesthetic problem. A report that reads like it could belong to any company in any industry is one that sophisticated buyers will scrutinize and often reject.
Findings that strengthen your posture. A quality audit surfaces recommendations specific to your environment. If your report has no findings and no meaningful observations, that’s not a clean bill of health; it’s a sign of insufficient rigor.
Technology isn’t optional anymore
The survey finding that technology is the number one auditor selection criterion isn’t a preference; it’s a forecast. As AI and automation raise the baseline for what an efficient, consistent audit looks like, providers that can’t demonstrate a modern process will find themselves disqualified earlier in the conversation.
Buyers already associate technology use with quality. According to our survey, 83% of respondents have a positive perception of AI use in audits overall. What they want isn’t AI replacing judgment — it’s AI augmenting it. The top cited benefits are greater efficiency and speed, enhanced data coverage and analysis, and improved anomaly detection. The concerns are about oversight: security and data privacy, transparency, and the risk of algorithmic bias.
The providers that win in this environment are those that can show how their technology works, why it improves quality, and where experienced human judgment remains in the loop.
The bottom line for buyers
If you’re choosing an auditor based primarily on price, you may be selecting the most expensive option in disguise. A rejected report costs roughly five times the savings that a discounted audit fee represents. And that’s before accounting for the reputational cost of a deal that stalls because a customer won’t accept your report.
The organizations that get the most from their compliance investment are those that evaluate audit quality as rigorously as they evaluate anything else with a six-figure risk profile. That means asking about methodology, technology, industry experience, and what the firm’s track record looks like with companies similar to yours.
Quality isn’t obvious from the outside. But the signals are there if you know what to look for. For more on how to ask the right questions to evaluate quality, download our checklist, How to Choose a Quality Auditor.
Why A-LIGN
A-LIGN is the #1 SOC 2 auditor in the world and the only global provider to offer tech-enabled compliance services that reduce control overlap across frameworks. With more than 31,000 audits completed, 96% customer satisfaction, and zero report rejections, we’ve built our reputation on the quality that sophisticated buyers demand.
Reach out today to learn what a high-quality audit experience looks like — and what it means for your compliance outcomes.
From Audit Prep to Final Report: A Closer Look at A-SCEND
The inefficiencies that make audits slow and resource-intensive are familiar to most compliance teams. Evidence submitted last year gets requested again. Context from prior audit cycles doesn’t carry forward. Teams running multiple frameworks simultaneously end up managing separate processes despite control overlap between them. And by the time gaps surface, fieldwork has already started.
These problems tend to be structural, and they’re consistent enough that most compliance teams have come to treat them as the cost of doing audits.
A-SCEND was built to change that.
Why most audit tools don’t solve the underlying problem
Most compliance technology is built around evidence collection and readiness monitoring, helping organizations prepare before an audit begins. That’s useful, but it often covers only the preparation phase before the audit firm enters the picture.
What happens next — the actual audit execution, the evidence review, the back-and-forth between clients and auditors, the management of requests across frameworks, the translation of audit work into a final report — typically happens outside those tools. Auditors use their own systems. Clients use email threads and spreadsheets to track status. Evidence submitted in one tool may need to be resubmitted in another. The audit itself introduces a new layer of fragmentation on top of whatever prep process was already in place.
A-SCEND is built for the other side of that divide. It is the audit management environment: the platform where evidence gets reviewed, requests get managed, and the audit runs from preparation through report delivery. Because A-LIGN both builds and operates the platform, the same tool serves auditors and clients in the same engagement. There’s no translation layer, no handoff between systems, and no context that disappears when the audit begins.
How A-SCEND is structured
The platform organizes the audit process into three phases, each addressing a distinct point of friction.
Audit Intelligence: Know where you stand before fieldwork starts
The first phase covers everything that happens before an audit formally begins. For most organizations, this is where the most avoidable work piles up. Evidence needs to be gathered, organized, and mapped to audit requirements — typically with no reliable way to evaluate completeness before the auditor does.
A-SCEND addresses this with two tools. The first is AI Evidence Matching, which analyzes a file name and its contents, matching it to a request from the Information Request List (IRL) based on the request description and A-LIGN guidance. It returns a confidence score (High, Medium, or Low) and a technical summary explaining the match. This saves a compliance professional a lot of manual work early in the process.
The second is EvidenceIQ, which evaluates how well submitted evidence meets audit criteria across the engagement as a whole. The output is a pre-audit readiness score that gives compliance teams a clear view of where gaps exist before the formal audit begins.
Both tools are designed to surface issues earlier in the process, when addressing them is straightforward rather than disruptive.
Audit Execution: Manage the audit without rebuilding it each cycle
The second phase covers the engagement itself — the period when auditors are actively reviewing evidence, requesting clarification, and working toward report delivery.
Historical reuse. Evidence, decisions, and auditor notes from prior audit cycles roll forward automatically. Teams aren’t rebuilding submissions from scratch each year. Prior context is available at the start of each new engagement.
Deduplication. Multiple audits don’t have to mean multiple disparate workstreams. A-SCEND consolidates audits — within a single framework or across several — into one engagement. Where scopes overlap, evidence carries across without being resubmitted. For example, SOC 2 and ISO 27001 share significant control overlap, as do other common framework combinations. The deduplication logic can meaningfully reduce the overall effort involved for compliance teams.
Embedded auditor collaboration. Clients and auditors communicate directly within the platform through comment fields. There’s no separate communication channel to manage. Status is visible in real time for both sides of the engagement.
The combination of these three capabilities addresses the most consistent complaints compliance teams have about the audit process: starting over every year, duplicating work across frameworks, and losing visibility into where things stand.
Audit Expansion: Understand what your existing work covers
The third phase applies after an audit is complete. As compliance programs grow, organizations frequently need to add frameworks. The question is always: how much of what we already have applies?
A-SCEND’s engagement crosswalk shows how evidence from a completed engagement maps to other frameworks. If a team just completed SOC 2 and is evaluating ISO 27001 or HITRUST, the crosswalk shows how close their current evidence base gets them before they start a new engagement. This can give compliance leaders a more accurate picture of the incremental effort required to expand their program.
What makes this approach different
A-SCEND has processed over 4 million pieces of evidence across more than 31,000 completed audits. That foundation is what makes its AI features credible and confidence scores meaningful. These AI features are designed with auditor oversight at every step, and clients can toggle AI functionality off entirely if they prefer to operate without it.
As a proprietary platform, A-LIGN owns the full roadmap and tests every enhancement internally with its own audit teams before releasing it to clients. Changes are driven by what auditors and clients actually encounter in real engagements — not by theory.
A-SCEND is built by people who run audits for a living, validated through real-world practice, and designed to reduce the friction that makes audits slower and more resource-intensive than they need to be.
Learn more about A-SCEND here.
How AI Gives Offensive Security Teams the Upper Hand
For years, attackers had the advantage: they only needed to find one vulnerability to break into a network. AI has made that easier, enabling adversaries to move faster, adapt mid-attack, and probe defenses at a scale that outpaces a manual response. But that same technology is now in the hands of offensive security professionals.
AI doesn’t just level the playing field. It changes the game entirely. Offensive security professionals can now pre-run the attacker’s playbook thousands of times before an adversary ever shows up.
Why annual testing doesn’t match the threat
Traditional penetration testing operates on a schedule. You engage a team, they test, they report, and you remediate. Most teams only run penetration tests once a year. The problem is that attackers don’t operate on a schedule. They probe continuously, adapting their techniques in real time as they learn more about your environment.
AI-assisted offensive security changes this dynamic. Instead of waiting for an engagement window, security teams can simulate adversarial behavior at scale and on demand, running thousands of attack scenarios against your environment before any real threat actor gets the chance. The result isn’t a point-in-time snapshot. It’s a living, continuously updated picture of your actual exposure.
What AI enables for offensive security
This isn’t about replacing skilled testers with automation. The value of AI in offensive security is in amplification — giving offensive security professionals the ability to do more, faster, with greater accuracy. AI can model attacker behavior based on real-world threat intelligence, chain together complex attack paths that manual testing might miss, and adapt dynamically as defensive controls respond.
For environments like OT, IoT, CMMC-scoped systems, or traditional enterprise infrastructure, this means exposure isn’t just identified. It’s validated against how a real adversary would actually move through your environment.
Why human expertise still drives the outcome
The most effective AI-augmented penetration tests combine automated simulation with human judgment. AI can run attack scenarios at scale, surface exposure paths, and adapt to defensive controls in real time. It takes an experienced tester to understand what the findings actually mean for your environment, prioritize what matters most, and identify the nuanced, context-dependent risks that automated tools aren’t built to catch.
An AI model can assume — but doesn’t know — that your legacy OT system can’t be patched, that a particular network segment is implicitly trusted for operational reasons, or that a misconfiguration your team considers low-risk sits one step away from your most sensitive data. That context comes from skilled testers who understand your environment, not from the tool they’re using.
Four ways AI changes what’s possible for defenders
AI fundamentally expands what offensive security professionals can do:
- Simulate attackers at scale: Run thousands of adversarial scenarios continuously, not just during an engagement window.
- Find vulnerabilities before exploitation: Identify exposure paths before a threat actor does.
- Continuously pressure-test systems: Move from annual snapshots to ongoing validation of your defensive controls.
- Neutralize AI-driven attacks: The best way to defend against AI-powered adversaries is to understand exactly how they’d attack you.
This is what it looks like when offensive security operates at the same speed as the threats it’s defending against.
Why this works across every environment
One of the most important things about AI-augmented offensive security: it’s not environment-specific. Whether your concern is a CMMC-scoped defense contractor environment, an OT network running legacy industrial systems, IoT deployments with limited patching options, or a traditional enterprise infrastructure, the core approach is the same. Simulate attacker behavior. Identify exploitable exposure. Validate your controls. Repeat.
The specific techniques adapt to the environment. The methodology doesn’t. This is what makes it scalable, and why organizations with diverse, complex environments benefit most.
Get ahead of the threat
AI changes what’s possible. Offensive security teams can now simulate the adversaries targeting your environment before they ever arrive, continuously validating your defenses against the techniques being used against organizations like yours.
Reach out to the A-LIGN team to learn how AI-augmented penetration testing can help you get ahead of the threats targeting your environment.
Why Your Chief Revenue Officer Is Your Most Important Compliance Stakeholder
Rick Orloff is a Fortune 1000 CISO and Strategic Advisor at A-LIGN, with over 20 years of experience at companies including Apple and eBay.
For most of my career, the assumption has been that compliance lives inside the security organization, gets owned by the GRC team, and gets funded out of the security budget. The rest of the business consumes the outcome.
But I believe every compliance certification is a revenue decision. So, that means your most important compliance stakeholder isn’t your CFO, your board, your engineering team, or your auditor. It’s your Chief Revenue Officer.
If Sales can’t convert a certification to market share, it’s not worth pursuing
When I’m deciding whether to pursue a new certification, the first conversation I have is with the head of sales. Why? Because if I got alignment from every executive in the company and sales said there was no value, we wouldn’t waste our resources.
That isn’t a slight to anyone else’s role. Privacy, legal, engineering, and finance all have a stake. But they are recommenders. The certification either does or doesn’t help convert pipeline, and the only person who can answer that question is the person who owns the revenue number.
The conversation I want to have is two questions long:
- If we got this certification, would it help you close more deals or protect our market share?
- If yes, can you put a number on it?
If sales tells me a new certification is worth $10M in ARR, the rest of the budget conversation becomes simple math.
Two metrics nobody tracks well
The hard part of that conversation is that most sales organizations don’t have great data on the impact of compliance certifications. Two metrics matter, and almost no one tracks both.
The first is deals you lost because you didn’t have a specific certification. That one is at least within reach. Your account executives know which deals fell apart and why. Tracking this helps drive a Return on Investment (ROI) justification to support sales with additional certifications. This should be a ‘required’ field in CRMs.
The second is harder. It’s the deals that never came to the table because you didn’t have the certification. Your AE never saw the opportunity. The prospect’s procurement filter screened you out before anyone made a call. You will never see those names in your pipeline, but they are real, and over time they add up to more lost revenue than the deals you watched die.
The leaders I’ve worked with who handle this best build a lightweight discipline into their RevOps practice. They tag lost deals with the missing certification. They survey their AEs quarterly about which certifications prospects are asking for. They look at win rates against competitors who have certifications they don’t. Imperfect data beats no data, and any actionable data you can put in front of your CRO beats a hypothetical guess.
The budget math gets easier when sales is your advocate
Once your CRO has a number, the rest of the path is straightforward.
If a new certification costs $100K and sales says it will generate $10M in ARR, that’s the end of the conversation as far as I’m concerned. I’m putting it in my budget.
If I don’t have the budget, I’m going to finance and the CFO and bringing my CRO into that conversation. The justification isn’t “the security team wants this.” The justification is “your sales organization thinks this is worth $10M, and the cost of getting there is $100K.” That conversation lands differently than a typical security budget ask, because it has been reframed as a revenue investment with a security team executing it.
And here’s the part that surprises people: in a healthy organization, you may not need a new budget ask at all. If you’ve already rationalized your audit portfolio, consolidated frameworks under one provider, freed up engineering hours, and cut redundant evidence collection, you’ve probably freed up the dollars to self-fund the new certification. That’s what we did in my prior role. The savings from consolidation paid for the next two certifications. No incremental budget required.
Handling the “Compliance is theater” objection
If you spend any time around founders or senior engineers, you’ll hear some version of this take: compliance certifications aren’t real security; they’re theater.
A SOC 2 report isn’t a substitute for an actual security program. A certification doesn’t make you fully secure. The people who think it does are kidding themselves.
But here’s the part the theater argument misses: the certification isn’t for your security program. It’s for your customer. It exists so the buyer on the other side of the deal can perform their due diligence efficiently and your AE can advance the pipeline. The certification is a procurement artifact that pays for itself in cycle time and deal velocity.
When an engineer tells me compliance is theater, I don’t argue. I explain that without certifications, every customer would be asking to effectively perform their own audits, speak with stakeholders, and impact a large number of people. Having a trusted third-party auditor certify us using a common control framework is incredibly efficient for all of us. That framing puts compliance in its right context: necessary, valuable, and not the same thing as security.
Five questions to bring to your next CRO conversation
The right place to start is with your CRO. Here are five questions I’d recommend before kicking off a new audit:
- Which certifications are prospects asking for that we don’t have today?
- Of the deals we’ve lost in the last twelve months, how many cited a missing certification?
- Among the certifications on our roadmap, which would move the most pipeline?
- Do you have regulatory blockers to your market?
- Are there geographic or vertical-specific certifications that would open markets we aren’t competing in today?
Those five questions reframe the audit conversation from a compliance exercise into a growth conversation. They also give your CRO a reason to be in the room when the project is being approved. Security should help drive top-line revenue, not just protect bottom-line costs.
The takeaway
The security leaders who operate most effectively treat compliance as a revenue function. When you treat it that way, things change. The conversation with the C-suite becomes substantive, and you’re seen as a stakeholder to the entire business. The conversation with your CFO becomes a revenue conversation, not a cost conversation. The conversation with engineering becomes a “we’re doing this to help close deals” conversation, which is a much more durable motivator than “we’re doing this because the auditor asked.” And your own work as a security leader becomes more strategic, because you’re now operating at the intersection of risk and revenue rather than as a cost center.
The test is simple: are you a transactional security leader or strategically aligned with what’s around the corner? A transactional CISO produces audit reports. A strategically aligned CISO produces revenue. Both jobs are real. One is more interesting, and a lot more valuable.
Ready to align your compliance program with revenue?
Talk to A-LIGN about how a consolidated, multi-framework audit program can drive both pipeline and ROI for your organization.
CMMC’s Real Stress Test: Your Weakest Supplier Isn’t Ready and That’s Everyone’s Problem
Every prime contractor tells us the same thing: “We’re ready for CMMC. Our suppliers, not so much.”
We hear it in readiness reviews, right before solicitations drop, and when programs are already at risk.
That statement is where CMMC reveals its real purpose. Not as a compliance framework or an assessment event, but as a stress test of supply chain leadership, risk visibility, and accountability across the defense industrial base (DIB).
CMMC does not pass or fail at the prime. It passes or fails at the weakest supplier that touches Controlled Unclassified Information (CUI).
When a small supplier becomes a big problem
The most common misconception we encounter is that supplier size equals supplier risk. Under CMMC, that assumption breaks quickly.
Today, CMMC requirements are embedded directly in the Department of Defense (DoD) acquisition lifecycle before contract award, option exercise, or extension. When a subcontractor handling CUI cannot demonstrate the required certification level, the consequence is immediate and operational:
- A task order cannot be released
- An option year cannot be exercised
- A delivery milestone slips
- A mid‑program supplier replacement becomes unavoidable
We routinely see single unready suppliers delay or disrupt multibillion dollar programs. Not because they represent large spend, but because they represent an irreplaceable flow of data, engineering, or sustainment capacity.
Under CMMC, supplier readiness is no longer a downstream compliance concern.
It is program execution risk.
Why the DoD is uncompromising: Cyber gaps become adversarial advantage
CMMC exists because adversaries adapted faster than the defense supply chain did. They learned they did not need to breach primes. They only needed access to the supply chain layers where defenses were weaker and visibility was limited.
In assessments and investigations, the pattern is consistent: poorly scoped environments, undefined CUI boundaries, and inherited controls assumed but never validated.
These gaps expose capability development timelines, production constraints, sustainment vulnerabilities, and sensitive technical context years before deployment.
That’s why the DoD tied CMMC directly to eligibility and not remediation promises. Cyber readiness, contract performance, and mission readiness are now inseparable.
The readiness gap is real, even as certifications increase
Certification momentum is building, but the scale of what remains is where the real challenge comes into focus. With an estimated 80,000 organizations ultimately requiring Level 2, and roughly 1,100–1,200 certified as of early 2026, tens of thousands of suppliers still have a long road ahead.
What we see consistently as a C3PAO is that the central challenge is not willingness. Most organizations understand the stakes and are making genuine efforts. The challenge is assessment readiness. Suppliers arrive at formal assessments with gaps they did not know they had: CUI boundaries that were never fully defined, controls that were assumed inherited rather than validated, and remediation plans built around theoretical best practices rather than how their environment actually operates.
The result is predictable. There is misalignment between how a supplier believes they are running their program and what an assessor finds when they look closely. That gap between operating reality and the chosen path to certification is what stalls organizations, not lack of intent.
What assessment reality has taught us
Having worked across hundreds of readiness efforts and formal assessments, we can state several truths clearly.
There is no single path to CMMC Level 2. Suppliers differ materially in how and where CUI is handled, how their architecture and boundaries are designed, how cloud usage and shared responsibility are structured, and how mature their governance and leadership are.
Attempts to apply generic, one-size-fits-all remediation plans consistently lead to over-engineering, missed scope, inflated POA&Ms, and delayed or failed assessments.
The good news is that there are multiple proven pathways to certification. We know because we have seen it firsthand as a leading CMMC C3PAO. The organizations that progress faster choose pathways grounded in assessment‑validated patterns, not theoretical best practices.
Why the Affirming Official is the most underutilized control in CMMC
CMMC intentionally introduced a leadership accountability mechanism that did not exist before: the Affirming Official. This role is not symbolic. It is structural.
In successful assessments, the Affirming Official is clearly designated early, actively engaged throughout readiness, empowered to make scope, funding, and risk decisions, and accountable for accuracy, not optimism.
When this role is weak or undefined, we consistently see delayed readiness, unresolved scope disputes, documentation that does not reflect reality, and last-minute surprises during assessment.
The Affirming Official is the control that aligns cybersecurity, operations, legal, and leadership into a single accountable outcome.
CMMC was designed this way for a reason. When that role functions as intended, readiness accelerates not because controls are easier, but because decisions are clearer.
How suppliers get unstuck
Suppliers that move from stalled to assessment-ready do three things consistently:
- They stop pursuing “perfect” and commit to “defensible.” Assessments reward clarity, evidence, and repeatability. Not idealized architectures.
- They align to a proven pathway matched to their environment. Control inheritance, boundary decisions, and evidence strategies are selected intentionally. They are not assumed.
- They engage primes and advisors as partners in risk, not enforcers of checklists. Transparency improves, remediation focuses, and timelines compress.
Readiness improves when suppliers are enabled to follow the right path for them, not forced down the wrong one.
The leadership question CMMC forces forward
CMMC ultimately asks leadership across primes, suppliers, and program offices one defining question:
Will weak supplier readiness be allowed to delay programs and erode advantage, or will accountability be applied early enough to prevent it?
The organizations succeeding are decisive. They empower Affirming Officials, segment supplier risk intelligently, and guide readiness using pathways proven through real assessments.
They understand a hard truth: under CMMC, you don’t rise to the level of your policy, you fall to the level of your weakest supplier.
Final word
CMMC is not where cybersecurity becomes bureaucratic. It is where it becomes real: where trust becomes operationalized, supplier readiness determines program readiness, accountability replaces self-attestation, and leadership — not documentation — decides outcomes.
The pathways to certification exist. We know them because we assess them, and we openly share what works because strengthening the defense supply chain cannot be done in isolation. CMMC’s real stress test is not the assessment. It’s whether leaders act before the chain breaks.
Most organizations don’t fail on intent. They fail on preparation. Reach out today to find out where you stand.