Page 2 | A-LIGN

Third-Party Risk Management Under ISO 42001 and the EU AI Act

by: Patrick Sullivan | 27 Feb 2026 | 5 mins

AI Governance

A consistent blind spot in AI governance programs is the tendency of executives to focus on models, documentation, and regulatory classification instead of starting with vendors. Most AI systems today are composites, relying on foundation models, external datasets, annotation providers, cloud infrastructure, monitoring platforms, and API integrations. In many cases, the most consequential component of the system does not originate inside the organization.

Under both ISO 42001 and the EU AI Act’s high-risk Quality Management System (QMS) requirements, the position is clear: if a third party can influence system behavior, you remain accountable for the outcome.

The core principle: Accountability does not transfer

Management systems and product safety regulation share a common logic — responsibility follows the system, not the contract. Under ISO 42001, the organization must control externally provided processes, products, and services that affect the AI Management System (AIMS). That requirement flows from basic management system architecture. If something affects the system, it must be governed within the system. 

The EU AI Act applies similar reasoning at a regulatory level. High-risk providers must operate a QMS under Article 17, and that QMS must address resource and supplier management. prEN 18286 translates that legal obligation into auditable lifecycle controls.

The effect is straightforward. If your supplier changes a dataset, updates a model, modifies evaluation parameters, or alters hosting conditions, and that change affects safety, robustness, or compliance, you are responsible for demonstrating control. 

The regulator does not audit your vendor — the regulator audits you. 

What ISO 42001 actually requires

ISO 42001 is often described as a governance standard, which is accurate but incomplete. It is a management system standard built on the same high-level structure as ISO 27001 and ISO 9001. That means it expects defined processes, assigned responsibilities, operational controls, monitoring, corrective action, and evidence. 

Third-party governance fits squarely within Clause 8’s operational controls and Annex A’s supplier controls. The intent is not to force micromanagement of vendors; it is to ensure that any externally provided input that affects AI lifecycle outcomes is identified, risk-assessed, and controlled.

In practice, that means an organization must be able to answer several hard questions: 

  • Do we know which suppliers influence model behavior or training data integrity? 
  • Have we defined requirements those suppliers must meet? 
  • Can we detect if they change something material? 
  • Do we have contractual mechanisms to enforce notification and traceability? 
  • Can we show evidence that we monitor their performance? 

If those answers are unclear, the AIMS is incomplete.  

Annex A reinforces this by requiring allocation of responsibilities across the AI lifecycle. That allocation does not stop at organizational boundaries — it must include partners and suppliers. 

ISO 42001 treats supplier inputs as lifecycle components, a framing that carries significant weight.

What changes under the EU AI Act and prEN 18286 

The EU AI Act raises the stakes for high-risk systems. Article 17 requires a QMS that covers design control, testing, validation, monitoring, corrective action, and supplier oversight. prEN 18286 interprets those requirements into auditable QMS elements aligned with product conformity assessment. 

The regulatory logic differs from ISO certification logic: ISO certification demonstrates conformance to a management system standard, whereas the EU AI Act requires conformity to essential requirements under a product safety framework.

For high-risk providers, supplier governance becomes part of conformity. 

  • If you rely on third-party training data, you must ensure its relevance and quality  
  • If you rely on a foundation model provider, you must understand version control and update processes  
  • If you rely on external evaluation services, you must validate methodological rigor  

The QMS must demonstrate that these external elements are integrated into your conformity controls. During conformity assessment, auditors or notified bodies will expect evidence that supplier-related risks are identified, evaluated, controlled, and monitored. Change control and version traceability become critical, and corrective action must extend beyond internal teams.

The provider remains the legally accountable actor. 

Where the two frameworks converge 

Although ISO 42001 and prEN 18286 arise from different legal and voluntary regimes, they converge on the same management truth: 

  1. Third parties can alter system behavior 
  2. Altered system behavior can alter risk exposure  
  3. Risk exposure must be governed  

Both frameworks therefore require: 

  • Identification of AI-relevant suppliers  
  • Risk-based classification of those suppliers  
  • Defined expectations and controls  
  • Documented oversight  
  • Evidence of monitoring and improvement  

The difference lies in consequence. Under ISO 42001, failure may result in certification findings. Under the EU AI Act, failure may result in regulatory enforcement. 

Regardless, the control logic is the same. 

Why traditional vendor risk programs fall short 

Many organizations assume their existing third-party risk management program covers this territory, but most do not. Traditional TPRM programs focus on information security, privacy compliance, and financial stability. They are structured around data protection and service availability. 

AI supplier governance introduces new dimensions: 

  • Model update transparency  
  • Dataset provenance integrity  
  • Evaluation reproducibility  
  • Bias and performance monitoring  
  • Algorithmic change notification  

If these are not embedded into supplier contracts and oversight procedures, there is a governance gap.  

The market is only beginning to recognize this distinction. Regulators will not be forgiving if that recognition comes too late. 

What leaders should do now 

If your organization is pursuing ISO 42001 certification or assessing exposure under the EU AI Act, supplier governance should be treated as a design control exercise, not a procurement checklist.  

Start by mapping your AI lifecycle end to end. Identify every external input that could influence system performance or regulatory conformity. 

Then ask: 

  1. Are these suppliers tiered by AI-specific risk? 
  2. Do our contracts include AI-relevant obligations? 
  3. Do we receive structured change notifications? 
  4. Can we demonstrate monitoring and corrective action that includes suppliers? 

If the answers require improvisation, that is a sign. Governance gaps rarely announce themselves loudly — they surface during audit, incident response, or enforcement.  

The strategic view 

AI governance is often framed as policy writing or ethical commitment. In reality, it is systems engineering, and systems extend beyond organizational walls. 

If your AI system depends on vendor-supplied AI components, then your governance perimeter must extend to those relationships. That is true under ISO 42001 and it is non-negotiable under the EU AI Act. 

The organizations that mature fastest in this space are not those with the most detailed policies. They are those that design supplier governance into their lifecycle architecture from the beginning. 

How A-LIGN can support your AI supplier governance strategy 

At A-LIGN, we help organizations operationalize AI governance in a way that aligns management system rigor with regulatory expectation. 

We assist with: 

  • ISO 42001 readiness assessment 
  • ISO 42001 third party audit and certification 

Supplier governance is no longer a back-office function in AI programs. It is a control domain that influences certification outcomes and regulatory exposure. 

If you rely on third parties to build, train, host, or monitor your AI systems, your governance model must reflect that reality. Now is the time to test whether it does. 

Connect with our team to evaluate your AI supplier governance posture before your auditors, customers, or regulators ask the same questions. 

Why CMMC Feels Chaotic — and Why Assessment Quality Is the Fix

by: Michael Brooks | 23 Feb 2026 | 5 mins

CMMC

How disciplined assessment procedures, not opinions, create clarity, confidence, and trust across the defense supply chain 

Most business leaders preparing for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Level 2 aren’t confused about the mission. They understand why CMMC exists, why Controlled Unclassified Information (CUI) protection matters, and the stakes for contracts, customers, and national security.  

What they struggle with is the experience. CMMC can often feel chaotic, subjective, and exhausting. Even after a months‑long readiness journey and an assessment that ends in a “pass,” many leaders quietly say the same thing: 

“We passed, but I’m not confident we could do this again without starting over.” 

That feeling isn’t caused by CMMC. It’s caused by assessment quality. 

Leaders are clear: quality is the problem

Across regulated industries, A-LIGN’s Compliance Benchmark Report highlights a consistent message: quality matters more than ever. Poor-quality assessments waste time and energy, cause rework and confusion, undermine executive confidence, and make ongoing compliance harder, not easier.

Many leaders say they would switch providers based on quality alone. Not on personality, friendliness, or formatting. 

Quality is what matters.  

When assessment quality is low, the entire process starts to feel subjective, even when the standard itself is not. 

Why poor-quality CMMC assessments create chaos  

Low-quality assessments almost always share the same root cause: They are not anchored to a disciplined assessment procedure. 

Without that anchor, everything drifts.

  • Evidence requests appear without a clear purpose  
  • Interviews become substitutes for validation  
  • Artifacts are collected “just in case”  
  • Scope expands quietly  
  • Rabbit holes never close  

From the outside, it feels unpredictable. From the inside, it’s simpler: The assessor has lost the frame that governs how assessments are supposed to work. 

The assessment frame most organizations never see 

CMMC assessments are not improvised. They are grounded in decades of federal assurance practice, formalized in NIST SP 800‑53A and NIST SP 800‑171A. Every legitimate assessment is built from the same components:  

1. The determination statement 

The determination statement defines what must be true. It is: 

  • Defined by NIST 
  • Fixed 
  • Not invented by the assessor 

Examples:

  • Access is limited to authorized users  
  • Audit records contain required information  
  • An incident response capability exists and is followed  

The assessor does not decide what “good” looks like. They simply verify whether the condition is satisfied. 

2. The assessment method 

Methods define how evidence is gathered. There are only three methods: 

  • Examine 
  • Interview 
  • Test 

Methods do not determine outcomes. They are simply tools used to collect information necessary to evaluate the determination statement. 

3. The assessment object 

Objects define what the method is applied to. They include: 

  • Policies, procedures, and plans 
  • System configurations and logs 
  • Operational activities 
  • Individuals responsible for control execution 

High-quality assessments tightly control these inputs through structured information requests, not ad hoc evidence chasing.

4. The determination 

After reviewing evidence gathered through the defined methods and objects, the assessor answers one question: Is the determination statement satisfied or not satisfied? 

There is no: 

  • “Mostly” 
  • “Close enough” 
  • “Intent” 
  • “We’ve started working on it” 

Only evidence‑based conclusions. 

What happens when this frame is ignored

When assessors lose discipline, quality collapses. Evidence loses purpose, scope creeps, interviews run endlessly, and findings feel arbitrary. This causes organizations to experience endless evidence requests, confusion about what matters, and assessments that feel personal, not procedural.  

This is not because CMMC is vague, but because the assessment procedure is being executed poorly. 

What high-quality assessments feel like instead

When the assessment frame is applied correctly, everything changes. The assessment feels calmer: every request has a reason, every interview has a purpose, and every artifact maps back to a determination.  

When the condition is satisfied, the work stops. 

That predictability is what CMMC quality feels like and why user experience matters. It’s also what helps organizations sustain compliance, not just pass once. 

What the assessor is — and is not — evaluating 

High-quality assessors do not evaluate effort, maturity, intent, how hard the team tried, or future plans. 

They evaluate what exists and operates today against predefined determination statements. This objectivity is what allows trust to scale across the defense supply chain. 

Explainability: The missing discipline in most assessments

High‑quality assessments do one more thing exceptionally well: They explain the why. Not opinions or preferences, but clearly: 

  • How the requirement was interpreted 
  • Which methods were used 
  • Which objects were examined 
  • What evidence was relied on 
  • Why that evidence satisfied, or did not satisfy, the determination 

Without this discipline, findings feel arbitrary even when technically correct. 

Explainability: 

  • Reduces disputes 
  • Increases executive confidence 
  • Enables teams to sustain compliance 
  • Turns findings into learning instead of frustration 

Internal readiness efforts should follow this same model so that certification feels like confirmation, not a cliff. 

The question every CMMC client should know to ask 

If an assessment ever starts to drift, pause and ask: 

“What determination statement are we evaluating, which method(s) are you using, what object(s) do you need to see, and how does that evidence satisfy the determination?” 

A disciplined assessor will answer clearly. If they can’t, the problem isn’t your compliance posture — it’s assessment quality. 

What the A-LIGN standard looks like in practice

High-quality assessments don’t happen by accident. They happen when an assessment organization takes its role seriously. At A‑LIGN, we are laser-focused on delivering high-quality CMMC assessments because we respect the mission, the responsibility leaders carry, and the work organizations have already done.  

Our role is not to surprise, trap, or exhaust teams. Our role is to apply disciplined, explainable assessment procedures with consistency and independence so results can be trusted and sustained at scale. 

This allows us to: 

  • Conduct assessments calmly and predictably 
  • Reduce unnecessary operational disruption 
  • Produce determinations that are defensible and clear 
  • Support continuous compliance, not one-time certification 

This is not about being easy — it’s about being precise. That precision is the A‑LIGN standard. 

The bottom line 

If CMMC feels chaotic, that’s a signal that quality is missing. High-quality assessments are not dramatic. They’re structured, calm, and explainable. 

When they’re done right, leaders don’t say: “I hope this holds.”  

They say: “Yes, we meet the standard, and we know exactly why.” 

Breaking Down Barriers: How to Get Started with Audit Harmonization

by: A-LIGN | 19 Feb 2026 | 5 mins

Audit Consolidation

Compliance teams in every industry and company size are facing a great challenge: managing their growing portfolio of audits. The 2026 Compliance Benchmark Report found that 1 in 4 organizations say the greatest challenge to their compliance strategy is conducting multiple audits. 

The challenge of audit complexity applies to virtually every compliance program, with 97% of companies conducting at least two audits per year. The report also found that enterprise organizations are even more affected by audit complexity, with 74% conducting four or more audits per year. Managing multiple auditors only adds to the complexity organizations are facing today, and 90% of organizations surveyed are approaching their strategy with multiple auditors. 

There’s a better way to manage this complexity: audit harmonization. This solution empowers compliance teams to work more efficiently with reduced duplicative work, streamlined communication, and a more methodical compliance strategy. So why aren’t more organizations doing it? Let’s explore. 

Defining audit harmonization 

Audit harmonization’s ultimate goal is simple: streamline audit cycles. But how does it work? 

This approach to compliance, which is designed for enterprise organizations that conduct more than three audits per year, involves working closely with an experienced audit partner. We will work directly with compliance teams to understand business and compliance goals so we can identify overlaps where the scopes are the same and streamline complex compliance strategies.

Consolidating audits with one provider can help drive audit harmonization results. Moving all your audits to one provider saves time by streamlining meeting times, reducing duplicative work and evidence, and ensuring consistency across your compliance program. 

Who is audit harmonization for?  

A-LIGN designed the audit harmonization program with enterprise companies in mind. This service is best suited for large companies with three or more frameworks to adhere to.   

Who will execute my audit harmonization process?  

Your audit harmonization process will be led by a dedicated team who will offer tailored guidance to help you feel prepared and confident. This team will create a strong partnership focused on ongoing success and features A-LIGN’s expert team of auditors, including our leadership, to ensure you continuously receive the highest quality, white-glove service. 

How does audit harmonization work?  

First is the preparation phase, where our team aims to understand the way your business operates, your organization’s objectives, and the role of compliance in those objectives. A-LIGN identifies areas that may impact the audit scope, such as changes to the business, locations, headcount, processes, IT, software, and infrastructure. We’ll also work with you to seamlessly transition existing audits over to A-LIGN.

Next, we will enter the planning phase, where we’ll create and deliver a detailed master audit plan that outlines audit timelines. This is where you’ll begin uploading evidence in your preferred platform, and our audit management technology creates a more efficient experience by applying overlapping evidence to multiple frameworks where appropriate and scopes are the same.  

Our team also works throughout the process to consolidate auditor meetings where applicable. Consolidating auditor meetings across SOC 2, ISO 27001 and PCI, for example, can save 40 hours in meeting time alone.  

We’ll then kick off fieldwork, and host recurring regular touchpoints to ensure progression and achievement of deadlines.  

Finally, our team will deliver a high-quality report for each of the applicable service lines. From there, we’ll schedule a post-audit touchpoint to regroup and discuss.  

Benefits of audit harmonization 

For companies with growing audit complexity, audit harmonization offers a tailored, integrated compliance framework that aligns business and compliance goals, mitigates risk, and refines audit efficiencies to save you time and deliver a seamless, white-glove audit experience. Benefits of audit harmonization include: 

Align business and compliance objectives 
We create a compliance strategy with a custom solution to your compliance hurdles that drives efficiency and business outcomes. We have interim strategic workshops for continual improvement and evolution of your compliance program.  

Simplified transition and consolidation  
Our customized transition process ensures a frictionless migration. We identify and eliminate overlapping requirements, requests, and subject‑matter interviews.  

Seamless, white‑glove audit experience  
A dedicated team with a central point of contact provides tailored guidance and consistent resourcing to build a deep understanding of your business. 

Barriers to audit harmonization 

Compliance professionals understand the benefits of audit harmonization: 99% of those surveyed in the 2026 Compliance Benchmark Report say they know audit harmonization would help them save time or money. So why aren’t they doing it? 

Between a full schedule of meetings, evidence collection, conducting audits, and administrative work, it’s tough to find the time to understand the process and how to get started. Our report found that 20% of organizations say that their biggest challenge during the audit process is limited staff resources. Without a developed team and an experienced partner in your corner, the process can be intimidating. The biggest barrier to audit harmonization for 27% of organizations is that they don’t know how to get started and need more information.  

How to get started with audit harmonization 

Selecting the right partner is key to a successful audit harmonization engagement. This choice will set the stage for your compliance strategy, so be sure to take the time needed to vet potential partners and choose one that will educate and empower your team. 

Qualities to look for in a partner 

Not just any auditor can set your organization up for success with audit harmonization. It requires a dedicated, experienced partner. Here’s what you should look for in a potential partner: 

  • Breadth and depth of services: From their certifications and accreditations to their experience with similar companies, the breadth and depth of services is crucial to successfully harmonizing your audits. This also demonstrates that the auditor can grow with your compliance program. Choosing a partner that can already execute audits on your roadmap means you can achieve your goals sooner and with less effort. 
  • Tech-enabled: Technology isn’t the future anymore, it’s the standard. The right audit partner will be tech-enabled, whether through their own in-house audit management software or by integrating with GRC and audit readiness tools.  
  • Aligned audit process: An experienced auditor will have a clear process laid out for your audit process and harmonization engagement. This demonstrates their level of experience and ability to provide your organization with a high-caliber audit. 

Remember: choosing the right audit partner will set the tone for your compliance strategy as a whole, so choose wisely. 

Why A-LIGN 

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs.  

Our more than 400 global auditors have completed more than 36,00 audits and have more than 20 years of experience providing the best quality audit experience and final reports, exemplified through A-LIGN’s 96% customer satisfaction rating. 

A-LIGN’s white-glove audit harmonization process ensures that your organization can get back to work instead of completing duplicative work. Our industry-leading audit management software, A-SCEND, powers our best-in-class audit experience.

With A-LIGN, you can achieve your compliance goals with confidence and earn a report that your buyers can trust, with support from technology that streamlines the process. Ready to learn more? Contact us today. 

What is OT Penetration Testing? 

by: Joseph Cortese | 13 Feb 2026 | 3 mins

CMMC, Pen Test

What happens when a cyber-attack doesn’t just compromise data, but disrupts real-world operations or critical infrastructure? This is the high-stakes reality of Operational Technology (OT). Unlike traditional IT environments where the primary focus may be data confidentiality, OT systems interact directly with physical processes and hardware. 

Let’s explore what makes OT environments unique, why traditional IT security controls often fall short, and how specialized penetration testing can help protect critical operations. 

What is Operational Technology? 

Operational Technology (OT) refers to systems that monitor, control, or directly affect physical hardware in the real world. These are environments where digital commands translate into physical actions — starting or stopping motors, opening valves, tripping breakers, or adjusting temperature and pressure. Because these actions affect real equipment and people, OT systems have historically been designed around safety, availability, and deterministic behavior — often lacking basic security protections. 

Where you’ll find OT 

Common OT systems include a range of Industrial Control Systems (ICS): Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Distributed Control Systems (DCS), and Safety Instrumented Systems (SIS). OT shows up across manufacturing, energy, water and wastewater, oil and gas, transportation, building automation, and even healthcare facilities.

The basics of OT penetration testing

OT penetration testing is the practice of assessing whether an attacker could manipulate physical processes, disrupt operations, or bypass safety controls that keep everything in check. Unlike traditional IT penetration testing, OT testing must account for the fact that aggressive scanning, exploitation, or system instability can cause real-world safety incidents or production outages. As a result, OT assessments prioritize safety and uptime, rely heavily on passive techniques, and focus more on understanding how systems can be misused and less on exploiting vulnerabilities. 

Many OT attacks do not depend on zero-day exploits. Instead, they exploit protocols and commands that the systems were designed to accept under normal operations in trusted environments. In these cases, malicious activity can look indistinguishable from legitimate control traffic, making detection particularly challenging.  
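The detection difficulty described above is worth seeing concretely: a write command that abuses a control protocol is byte-for-byte a valid request, so a monitor has to judge it by context (who sent it, to which register, at what time, with what value) rather than by signature. The script below is an added defender-side illustration and is not code from the original post or from A-LIGN. It parses constructed Modbus/TCP-style log lines (the log format, IP addresses, register map, expected value ranges and maintenance window are all assumptions made for the example; the function codes 3, 6 and 16 are the standard Modbus read-holding-registers, write-single-register and write-multiple-registers codes) and reports writes that are valid on the wire but fall outside the site's baseline.

```python
"""Context-based detection of valid-but-unexpected control writes.

Constructed example. Each log line has the form
  <iso timestamp> <src_ip> -> <dst_ip> unit=<id> fc=<code> addr=<register> [val=<n>]
Function codes follow the Modbus spec: 3 = read holding registers,
6 = write single register, 16 = write multiple registers.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) unit=(?P<unit>\d+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>\d+)(?: val=(?P<val>-?\d+))?"
)
WRITE_CODES = {5, 6, 15, 16}  # Modbus write function codes


@dataclass
class Record:
    ts: datetime
    src: str
    dst: str
    unit: int
    fc: int
    addr: int
    val: Optional[int]


def parse(line: str) -> Record:
    """Parse one constructed log line into a Record."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Record(
        ts=datetime.fromisoformat(m["ts"]), src=m["src"], dst=m["dst"],
        unit=int(m["unit"]), fc=int(m["fc"]), addr=int(m["addr"]),
        val=int(m["val"]) if m["val"] is not None else None,
    )


# Baseline (constructed): which sources may write which registers on which
# PLC, and the plausible value range for each. Writes that match the
# protocol but not this table are reportable.
BASELINE = {
    # (dst PLC, unit id): {register: (allowed sources, (min, max))}
    ("10.10.20.5", 1): {
        40001: ({"10.10.10.2"}, (0, 100)),  # pump speed setpoint, HMI only
        40010: ({"10.10.10.7"}, (0, 1)),    # interlock override flag, engineering ws only
    },
}
ENGINEERING_WS = {"10.10.10.7"}
MAINT_WINDOW = (time(22, 0), time(6, 0))  # engineering writes expected 22:00-06:00


def in_maint_window(ts: datetime) -> bool:
    """True if ts falls in the maintenance window (which wraps midnight)."""
    start, end = MAINT_WINDOW
    t = ts.time()
    return t >= start or t < end


def check(rec: Record) -> list:
    """Return the list of baseline deviations for one record (empty if none)."""
    alerts = []
    if rec.fc not in WRITE_CODES:
        return alerts  # reads are not policed here
    table = BASELINE.get((rec.dst, rec.unit), {})
    entry = table.get(rec.addr)
    if entry is None:
        alerts.append(f"write to unbaselined register {rec.addr} on "
                      f"{rec.dst} unit {rec.unit} from {rec.src}")
        return alerts
    sources, (lo, hi) = entry
    if rec.src not in sources:
        alerts.append(f"write to register {rec.addr} from unexpected source {rec.src}")
    if rec.val is not None and not (lo <= rec.val <= hi):
        alerts.append(f"value {rec.val} outside expected range {lo}-{hi} for register {rec.addr}")
    if rec.src in ENGINEERING_WS and not in_maint_window(rec.ts):
        alerts.append(f"engineering write at {rec.ts.isoformat()} outside maintenance window")
    return alerts


def analyse(lines) -> list:
    """Run check() over every line; returns (timestamp, alert) pairs."""
    results = []
    for line in lines:
        rec = parse(line)
        for alert in check(rec):
            results.append((rec.ts.isoformat(), alert))
    return results


# Constructed sample traffic: every frame below is a well-formed request.
SAMPLE_LOG = [
    "2026-02-13T14:02:11 10.10.10.2 -> 10.10.20.5 unit=1 fc=3 addr=40001",          # routine read
    "2026-02-13T14:02:12 10.10.10.2 -> 10.10.20.5 unit=1 fc=6 addr=40001 val=60",   # normal HMI setpoint
    "2026-02-13T14:05:40 10.10.10.9 -> 10.10.20.5 unit=1 fc=6 addr=40001 val=95",   # valid frame, wrong source
    "2026-02-13T14:06:02 10.10.10.7 -> 10.10.20.5 unit=1 fc=6 addr=40010 val=1",    # override set during the day
    "2026-02-13T23:15:00 10.10.10.7 -> 10.10.20.5 unit=1 fc=16 addr=40200 val=0",   # register nobody baselined
]

if __name__ == "__main__":
    for ts, alert in analyse(SAMPLE_LOG):
        print(ts, alert)
```

The first two lines pass silently; the remaining three each raise one alert even though none of them would trip a protocol-level signature. The useful lesson for an OT monitoring program is that the baseline table, not the detector, is where the real work lies: it has to be built from a verified asset inventory and engineering documentation, and kept current through the same change control the post describes.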

How OT pen testing works in practice 

A mature OT pen test examines how an adversary could: 

  • Move from IT networks into OT environments 
  • Abuse engineering software or operator access 
  • Send valid commands with malicious intent 
  • Alter hardware values to degrade operations 
  • Interfere with or ultimately disable safety systems 

The goal is not simply to find vulnerabilities, but to understand how real attackers could leverage normal system behavior to create physical, operational, or safety impacts. This is where experience and deep knowledge of OT environments become critical — because in OT, the most dangerous attacks often use the system exactly as it was designed to be used. 

The CMMC impact on OT 

As CMMC pushes defense contractors and suppliers to demonstrate stronger asset visibility, risk management, monitoring, and incident response, OT environments can no longer sit outside the scope of cybersecurity programs. Many organizations supporting the defense industrial base operate manufacturing lines, test equipment, building automation, or other control systems that directly or indirectly impact Controlled Unclassified Information (CUI). The problem is that these systems are often implicitly trusted, poorly segmented, and sparsely monitored — creating blind spots that conflict with CMMC expectations around access control, system security plans, and continuous monitoring. 

Final thoughts 

The challenge is that traditional IT security controls and testing methods do not translate cleanly into OT environments. While CMMC emphasizes demonstrable risk reduction, OT systems often cannot be patched, aggressively scanned, or equipped with standard endpoint tools.  

This is why OT penetration testing needs specific expertise — to validate trust boundaries, identify unsafe exposure paths, and assess how legitimate control functionality could be abused. 

The CMMC Journey: Avoiding Mistakes and Building a Winning Team

by: A-LIGN | 12 Feb 2026 | 3 mins

CMMC

Preparing for a CMMC assessment can feel like a high-stakes race. But in the rush to the finish line, many organizations stumble over preventable hurdles. These missteps not only delay certification but also introduce significant operational and financial risk. Understanding the most common mistakes is the first step toward building a successful and sustainable compliance strategy. 

Read on to learn about the critical errors companies make during their CMMC journey and how the right team of partners can set you up for success. 

Mistake 1: Internal teams working in silos 

One of the most frequent yet damaging mistakes happens before an external partner is ever engaged. When IT, compliance, and business leadership teams don’t communicate, they create significant internal friction. This lack of alignment often leads to assessments being scheduled before the organization is truly prepared. 

The risk is substantial. Imposing an assessment with an unrealistic timeline leaves no room to discover and fix unexpected issues. In large, complex environments, this almost guarantees that critical, show-stopping problems will surface too late in the process, leading to a failed assessment and wasted resources. 

Mistake 2: Choosing the wrong C3PAO 

In an attempt to manage costs, some organizations opt for the cheapest or most readily available C3PAO. This decision can backfire spectacularly. An inexperienced or unproven C3PAO introduces “interpretive risk,” the danger that an assessor will assess controls incorrectly or inconsistently due to a lack of relevant experience.

This risk is amplified when the C3PAO isn’t familiar with your specific industry. For example, applying controls in a manufacturing setting is very different from an office environment; it depends heavily on context, operational processes, and unique documentation. If you have to spend your assessment time educating your assessor on the basics of your business, you’re already behind. 

Mistake 3: Neglecting your technology and service providers 

Your compliance posture is only as strong as its weakest link, and that includes your partners. Many organizations fail to properly evaluate their technology stack and service providers. Do you know if your tools are FedRAMP authorized or CMMC compliant? Is your Managed Service Provider itself CMMC Level 2 certified? 

Relying on an MSP that hasn’t achieved certification creates unnecessary friction and can be a roadblock to your own success. Similarly, if business owners can’t clearly explain technical workflows without leaning entirely on IT, it signals a gap in organizational readiness. You must have full visibility into how Controlled Unclassified Information (CUI) flows through your environment and a team that can articulate it. 

The solution: Building a “battle-tested” partner team 

Mitigating these risks comes down to one core strategy: choosing the right partners. Your CMMC journey should be a team sport, and your roster should include experienced, “battle-tested” providers who understand your business. 

A strong partner ecosystem, combining knowledgeable MSPs, Registered Provider Organizations, and C3PAOs like CyberSheath and A-LIGN, sets you up for success. These experts bring proven, real-world knowledge, which saves time and reduces risk. They have seen the challenges of your industry before and won’t be learning on your dime. 

An experienced C3PAO will identify readiness gaps early and advise you to pause if you aren’t prepared, prioritizing your long-term success over a quick assessment. A CMMC-certified MSP has already done the hard work and can implement compliant solutions efficiently. 

By assembling a team that understands your industry and aligns with your business goals, you can avoid common pitfalls and turn the CMMC gauntlet into a clear path toward certification and long-term security. 

You’re CMMC Certified – What’s Next? 

by: Matt Bruggeman 06 Feb,2026 5 mins

CMMC

Most of the conversation around CMMC has been about getting certified: 

  • “What are the requirements?” 
  • “How do I meet the controls?” 
  • “Why do I have to do this?”

That focus makes total sense. CMMC is new, can be confusing, and is directly tied to whether you get to keep doing business in the DoD supply chain. So naturally, everyone has been obsessed with clearing that first hurdle and getting the golden piece of paper known as a Level 2 CMMC Certification. 

But did you know there are other requirements as part of the three-year certification? That’s right — CMMC certification is not a one-time event. Instead, it’s a three-year cycle. Now that more organizations are getting certified, Years 2 and 3 are where they’re starting to quietly take on risk. But what are the requirements? 

What are the Year 2 and Year 3 requirements?

Once you pass a Level 2 C3PAO assessment and receive a Final Status Date, your three-year certification clock begins.  

Congrats! You did it! You can now retire and run off into the sunset! Right?!?… right? 

While Year 1 brings the third-party assessment, Years 2 and 3 look different. There is no required third-party assessment in those years. Instead, the organization must submit an annual affirmation, signed by a senior official, that states that the organization has implemented and continues to maintain all applicable CMMC requirements for the environment in scope. This affirmation is submitted into SPRS and is used to determine whether your CMMC status remains current and eligible for contract use. 

I know what you’re saying out loud to yourself right now:  

“This sounds familiar. You’re talking about annual affirmations like the ones we used to do as part of DFARS 7012/7019? The ones that the DoD proved didn’t work, thus forcing their hand in creating the exact program we’re discussing today, CMMC?” 

Yeah, let’s talk about that.  

The uncomfortable context everyone avoids 

Let’s say this more plainly:  

The entire reason CMMC exists is because the DoD determined that self-attestation does not work. 

For years, contractors self-attested to NIST 800-171 compliance as part of DFARS 7012/7019/7020 clauses. The government reviewed scores, ran spot checks, and investigated incidents as they popped up. What they found was not great — most self-attestations were anywhere from inaccurate to flat-out wrong. 

And even worse, it was reported again and again that sensitive DoD information was getting into the hands of our adversaries. That’s right — the very outcome this information is supposed to be protected against was happening under the self-attestation model.   

So independent verification became necessary. That is the justification for CMMC.  

So, you have to ask yourself: 

If self-attestation failed at scale before, why aren’t more people freaking out about the risks of self-attestation in Years 2 and 3 of their CMMC Certification? 

Outlining the risks involved

In a three-year span, a lot changes: 

  • People leave and join your organization 
  • Systems evolve and technology changes 
  • Vendors change and supply chains shift 
  • Threats evolve and new vulnerabilities emerge  
  • Policies update and regulations tighten  

Compliance doesn’t usually fail loudly. It erodes slowly. By the time the annual affirmation is due, your people, processes, and technology have absolutely changed. The question becomes whether your compliance and documentation have changed with it. 

That is where risk compounds. But what really is the risk? 

Introducing: The False Claims Act 

On top of the fact that you risk drifting out of compliance (let’s not forget how wrong self-attested SPRS scores have proven to be), there is a much larger risk at play: an inaccurate affirmation can create exposure under the False Claims Act. 

The Department of Justice has already demonstrated a willingness to pursue cybersecurity-related misrepresentations tied to federal contracts. Yes, the Department of Justice has time (Raytheon $8.4M) and time (MorseCorp $4.6M) and time (Penn State $1.25M) again come after organizations who have incorrectly claimed compliance under the self-attestation model. 

Contractors have paid real money for overstating compliance with NIST 800-171. CMMC does not remove that risk; it reduces it by having a vetted third party (C3PAO) review your compliance with the controls you will sign off on meeting. And if you are the affirming official whose name is signed on that attestation? There is the possibility of personal liability in these cases. 

“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent in Charge William Richards of the Air Force Office of Special Investigations Procurement Fraud Office, Andrew AFB, Md. “AFOSI, alongside our investigative partners and the Department of Justice, will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.” 

How to buy down the risk in Years 2 and 3

The CMMC rule does not require a mid-cycle third-party assessment. But organizations that take cybersecurity, legal exposure, and executive accountability seriously don’t rely on memory and optimism for two years. They validate. 

The most effective way to do that is through an interim C3PAO assessment. Having a CMMC third-party assessment organization come and validate your controls as MET/NOT MET before you attest to meeting them can: 

  • Identify compliance drift while it is still manageable  
  • Give the affirming official something concrete to rely on when signing an annual legal statement 
  • Create a defensible narrative if an audit, investigation, or inquiry ever occurs 

Being able to say, “we hired an independent assessor to validate our posture before signing,” is very different from, “we assumed we were fine.” 

It’s not about perfection — it’s about due diligence.  

Key takeaway 

CMMC is not a one-time trophy. It is a commitment. The program exists because self-attestation alone did not work, yet Years 2 and 3 still rely on it.  

That means you should be wary of treating those years casually. You should be intentional and avoid the risks that existed with the previous self-attestation model because those annual affirmations are legal representations tied to contracts, money, and accountability. With your name on the line, you should know exactly what you are signing and feel confident in what you’re attesting to. 

In a world where cybersecurity representations are being scrutinized harder than ever, that matters. 

Defining Audit Quality in a Comprehensive Enterprise Compliance Strategy 

by: A-LIGN 30 Jan,2026 5 mins

Audit Quality

Enterprise compliance teams are increasingly focused on raising the bar for their compliance strategy. Between a desire to pursue additional frameworks and grow their business, compliance professionals are piecing together the puzzle of a successful comprehensive compliance strategy. Audit quality is emerging as a key piece of this puzzle. 

Quality is key to a well-run compliance program. It’s intrinsically connected to an organization’s business deals, financial investment, and most importantly, its reputation. Enterprise organizations are uniquely challenged to maintain a high level of quality throughout their often complex compliance strategies. 

A-LIGN’s 2026 Compliance Benchmark Report found that 83% of respondents can spot the difference between low- and high-quality variations in auditors, suggesting that compliance professionals are attuned to what makes up a quality audit report and experience. The importance of quality isn’t fading. In fact, according to the report, 80% of respondents say the quality of a compliance report is extremely important, up from 70% in 2025.  

Why is maintaining quality important? And why should enterprise organizations take it seriously? Read on to learn: 

  • Why quality is important to a successful compliance strategy 
  • What is (and isn’t) quality during the audit experience and final report 
  • How to pick a high-quality audit partner 

Why is audit quality important? 

More than half of all respondents to the 2026 Compliance Benchmark Report have had a vendor or prospect reject a report. There are many paths organizations might’ve taken to find themselves in this situation, but it’s most often due to selecting a budget auditor. 

The most common reasons vendors or prospects reject reports include: 

  • Incomplete or missing documentation 
  • Insufficient testing of controls 
  • Lack of additional findings 
  • Report was too templated and lacked relevant and appropriate insights 
  • Lack of trust in auditor reputation 

It might seem like no big deal at first glance, but rejected reports have real consequences. The actual cost of a cheap audit can include lost business, costly remediation, or even worse, a weakened reputation if you experience a breach. 

Particularly for enterprise businesses, your reputation is everything. While you may be able to afford the loss of a customer, the damage a cybersecurity incident will cause is almost irreparable. 

Defining audit quality 

How do you distinguish between high- and low-quality audits? The definition of quality will vary depending on who you talk to, but there are a few factors that make up a high-quality audit experience and final report: 

Audit experience  

Auditor experience  
A trustworthy auditor has plenty of experience working in your chosen framework and its related regulations/guidance. Certifications and accreditations from reputable bodies also demonstrate an auditor’s experience. 

Technology  
Technology helps your auditor do their job better and opens lines of communication between the two of you. Whether it’s a partnership with a GRC/readiness tool or an in-house solution, technology is foundational to a high-quality audit experience. 

Experience with similar companies  
Particularly for enterprise organizations, experience with similar companies is key. Enterprise compliance strategies are complex and require high attention to detail and the ability to assess business priorities and streamline accordingly.  

Final report  

Depth and specificity of each control  
Thorough testing of controls is a crucial part of the audit process and demonstrates a rigorous, credible audit that holds up to customer requests to demonstrate compliance.  

Relevance and customization of report  
Cookie-cutter reports won’t suffice, especially at a high-performing enterprise organization. A high-quality report will provide custom recommendations and results. 

Demonstration of risk mitigation  
Compliance is an ongoing mission, and your final report should include recommendations for your organization to work through to strengthen your security posture. 

Discerning low-quality audits 

Though the definition of a high-quality audit may fluctuate depending on who you talk to, spotting a low-quality audit is straightforward. The traits that make up a low-quality audit include: 

Poor response time  
An experienced auditor will have defined check-ins and quick responses to questions. Poor response time indicates a low level of audit expertise and an inability to form relationships, two key elements of a successful audit. 

Outdated processes  
Technology drives efficiency and empowers auditors to conduct the best possible audit. A refusal to adopt methods that streamline the audit process demonstrates a lack of care for your bottom line. Technology empowers auditors to work more quickly and reduces cost and time for your business. 

Insufficient references  
Auditors that have successful, quality audit cycles will always have customers who will advocate for them. If an auditor can’t supply happy customers or case studies, it’s a red flag. This potential partner might not be providing their customers with a quality experience or final report. 

Limited experience  
It’s tempting to go with an auditor that has lower rates and less experience. But this could lead to a report from an unaccredited certification body or vulnerabilities left exposed by an inexperienced audit team. 

Templatized reports 
Your final report should be personalized to your organization with actionable recommendations. Surface-level, templatized reports could belong to anyone and won’t help your organization improve its security posture. 

How to pick a high-quality audit partner 

It can be tough to cut through the noise and select an audit partner that will provide your organization with the best possible report and audit experience. But there are some questions you can ask to separate the pack. For a complete list of questions to ask, check out our Quality Checklist. 

Questions to ask a potential audit partner: 

  • Which accreditations and certifications does your organization hold? 
  • Do you have experience with customers my size? In my industry? 
  • How many auditors do you have? 
  • Can you provide references and case studies from satisfied customers? 
  • How often are your reports rejected by external vendors? 
  • How do you help clients streamline the process? 
  • What kinds of technology do you have experience working with? 
  • How involved will our team be in the process? 
  • Will we have regular check-ins? How frequently? 

Why A-LIGN 

A-LIGN is the leading cybersecurity compliance partner, trusted by more than 6,400 organizations worldwide. Our organization is accredited by top certification bodies and has industry-leading auditor retention, allowing our auditors to hold a deep understanding of frameworks and your business. The A-LIGN difference is: 

  • 36k+ audits completed  
  • 96% customer satisfaction rating  
  • 6.4k+ global clients  
  • 400+ auditors globally 

With A-LIGN, you can achieve your compliance goals with confidence and earn a report that your buyers can trust, with support from technology that streamlines the process. Ready to get started? Contact us today. 

Why AI Governance Stopped Being Theoretical and What Leaders Must Do Next

by: Patrick Sullivan 5 mins

AI Governance

We get asked a version of the same question almost weekly: “When did AI governance actually become real?” Our answer is consistent — it was not a single law, a single enforcement action, or even one headline moment. It was 2025.  

What changed in 2025 was not the presence of AI. AI had already been embedded across products, services, and operations. What changed was the risk model surrounding it. Signals that had been building quietly for years converged at the same time. And when that happens, governance stops being conceptual and starts being operational. 

In the remainder of this article you will find a reflection on what we saw unfold during 2025 and how those signals shape the three priorities leaders should be focused on as they move into 2026. 

What shifted in 2025

For several years, most organizations approached AI governance through intent — responsible AI principles, ethical commitments, high-level policy statements, and committees charged with oversight. Those efforts were not wrong, but in 2025, they reached their natural limit. Here is what changed: 

Regulators moved from guidance to enforcement signaling. Not everywhere and not all at once, but enough to make leadership teams take notice. The conversation shifted from “what should we do?” to “what will we have to defend?” 

Insurers began tightening AI-related exclusions and underwriting language. That was a critical signal. Insurance markets do not move on philosophy — they move on loss data and exposure models. 

Enterprise buyers changed their questions. Instead of asking what organizations believed about responsible AI, they began asking what organizations could prove. What assessments existed, what controls were in place, and who was accountable? 

Shortly after, boards shifted their focus. Their questions were no longer about ethical frameworks — they were about defensibility.  

“Can we explain how this system behaves if something goes wrong?” 

For many organizations, that question exposed an uncomfortable truth: their AI governance posture looked reasonable on paper, but fragile in practice. That realization defined 2025. 

Why this moment feels familiar 

We have seen this pattern before. Information security went through it, privacy went through it, and financial controls went through it. Early stages are principle driven, then frameworks emerge, and eventually, evidence and assurance become unavoidable. 

AI governance crossed that threshold in 2025, which is why management system thinking matters. Standards like ISO 42001, ISO 42005, and ISO 23894 did not appear by accident. They reflect where governance expectations are heading, not where they have been. 

Priority 1 for 2026: Move from AI policy to AI proof

The priority for 2026 is straightforward, even if it is not easy. AI governance must move from policy to proof. The say-do ratio has to be measured and communicated. 

Written principles still matter, but they no longer carry decision weight on their own. Regulators, insurers, customers, and auditors are asking for evidence of how decisions are made, how risks are assessed, and how tradeoffs are handled over time. 

This includes: 

  • Impact assessments tied to real use cases 
  • Risk registers that evolve as models and data change 
  • Clear records of who approved what and why 
  • Evidence that governance is active, not ceremonial 

This is not about creating paperwork — it is about making governance traceable. If you cannot reconstruct a decision six or twelve months later, that gap becomes a liability the moment scrutiny increases. 

What you, as a leader, should do now 

  • Identify where AI decisions are being made without durable records 
  • Make impact and risk assessments part of normal operations, not special events 
  • Design governance as if it will be reviewed by a third party, because eventually it will 

Proof is becoming the currency of trust. 

Priority 2 for 2026: Treat AI assurance as inevitable 

One of the quieter but more important developments in 2025 was the rise of AI assurance expectations. It did not arrive as a mandate but as a question.  

Procurement teams began asking vendors to show evidence of AI governance, boards requested independent views on AI risk exposure, and insurers looked for objective signals of governance maturity. This mirrors exactly how assurance matured in cybersecurity. 

Once assurance enters the ecosystem, it does not disappear — it becomes normalized. AI risk is not confined to a single team or model. It spans internal development, third party services, data pipelines, and downstream use. Over time, self-attestation stops being credible. 

Management systems make this survivable. ISO 27001 showed how assurance can scale without overwhelming organizations, and AI governance is now following a similar path. 

What you, as a leader, should do now 

  • Decide where AI assurance belongs within your organization 
  • Align AI governance with existing audit and assurance functions 
  • Establish expectations for vendor AI oversight before customers force the issue 

By 2026, assurance will be one of the primary ways trust is evaluated.  

Priority 3 for 2026: Use standards to navigate regulatory fragmentation 

If 2025 demonstrated anything clearly, it is that AI regulation will not converge neatly. Different jurisdictions are moving at different speeds. Definitions vary, enforcement models differ — and this fragmentation is not temporary. Waiting for clarity may feel prudent, but it leaves organizations exposed.  

Standards exist precisely for this environment. They provide a stable operating backbone when laws shift. Courts, regulators, and insurers increasingly rely on standards as evidence of due care because they are structured, auditable, and internationally recognized. ISO 42001 does not replace regulation but operationalizes compliance across jurisdictions without requiring organizations to rebuild their programs every time a new rule appears. 

What you, as a leader, should do now 

  • Stop designing AI governance around a single regulation 
  • Anchor your program in standards and map regulatory obligations on top 
  • Be explicit internally that adaptability is the goal, not perfect prediction 

In a fragmented regulatory landscape, standards become more valuable, not less. 

Where this leaves us 

2025 was not the year AI regulation suddenly arrived. It was the year leaders realized that existing governance approaches would not scale. 

2026 will reward organizations that: 

  • Build evidence instead of narratives 
  • Normalize assurance instead of treating it as exceptional 
  • Use standards to absorb change rather than chase headlines 

This is not intended to be a narrative about fear; it is about leadership. The organizations that invest now will not be scrambling later. They will move forward with confidence while others are still trying to understand why the earth shifted beneath them. 

At A-LIGN, this is the work we see coming. Not because the market demands it rhetorically, but because the underlying systems are already changing. 

A-LIGN Releases 2026 Compliance Benchmark Report, Unveils How Compliance Teams Can Navigate Evolving Governance Landscape

by: A-LIGN 28 Jan,2026 3 mins

A-LIGN, Compliance Benchmark Report, Press Releases

Data finds a revolving door of regulations and requirements demands a new approach to audit cycles to better manage risk

TAMPA, Fla. – (January 28, 2026) – A-LIGN, a leading provider in cybersecurity compliance, today announced findings from its annual 2026 Compliance Benchmark Report. Now in its sixth year, A-LIGN’s annual data report has become a trusted resource for compliance teams navigating an increasingly complex regulatory landscape, offering insight into evolving requirements, emerging challenges, and proven strategies for managing risk.

While compliance teams may have relied on fragmented strategies in the past, a spike in mandated certifications has made the intricate task of managing audits a labyrinth. According to the report, which surveyed over 1,000 global leaders, nearly all organizations (97%) now conduct at least two audits annually, with 74% of large enterprises managing four or more. At the same time, 72% of organizations recognize that compliance programs must evolve to keep pace with increasingly complex requirements. By adopting a more strategic, technology-enabled, and proactive approach, teams can modernize audit cycles and more effectively manage risk.

“Compliance can no longer be treated as a once-a-year checkbox,” said Scott Price, CEO of A-LIGN. “In an era of relentless ransomware attacks, data breaches, and AI-powered threats, cybersecurity hygiene and compliance is paramount. By combining our team of experts with our AI-powered A-SCEND platform, we’re helping organizations improve their posture and streamline the audit process, turning compliance into a proactive, year-round strategy that achieves cyber resilience.”

Federal compliance is evolving:

Shifting federal requirements are also rapidly reshaping how organizations approach compliance, yet this continues to create confusion. 60% of respondents work with the U.S. government, and nearly all (94%) are already pursuing compliance with frameworks such as CMMC, FISMA, FedRAMP, or GovRAMP. Yet, organizations cite new certifications like CMMC, actions from the current administration, and the cost of compliance as their most pressing concerns inhibiting a fully developed strategy.

Overcoming barriers to audit harmonization:

An influx of new regulations and growing pressure to better manage risk are forcing leaders to take a more deliberate approach to compliance. In fact, 80% of respondents say the quality of a compliance report is extremely important – up from 70% in 2025. At the same time, the report underscores the operational complexity of meeting those rising standards: one in four organizations cite the need to manage multiple audits throughout the year as their greatest compliance challenge, while 20% point to limited staffing as a key barrier to maintaining consistent, high-quality audit cycles.

Defining high-quality audits:

Audit quality is increasingly viewed as a strategic differentiator. 60% of surveyed organizations indicate they would change auditors to improve the quality of their final report, and 83% say they have observed clear differences in quality between audit providers, up from 72% in 2025. The findings also show that technology now plays a central role in audit quality, with 95% of respondents incorporating technology into their audit and assessment processes.

Strategic AI risk management:

As AI adoption accelerates, customer concerns around data governance are intensifying, placing greater pressure on organizations to establish comprehensive and transparent compliance strategies. While organizations are aware of this reality, 33% don’t have an AI compliance strategy in place at all. With the rise in compliance risks stemming from AI, the C-Suite can’t afford to ignore it any longer. Case in point: 80% of companies that use AI are already getting questions from customers about risk management practices.

Tech-enabled compliance is the new baseline:

Tech-enabled audits are no longer optional. What was once considered cutting-edge is now the baseline for doing business: 95% of respondents report using technology during their audits and assessments. Organizations are seeking greater efficiency and simplicity, turning to solutions like audit management or GRC tools to streamline the process. Technology is now a deciding factor, as respondents cite the availability of audit and GRC tools as the top reason they would switch auditors. And the impact is clear: 96% of respondents believe that audit and GRC technology lead to higher-quality audits.

To learn more, download the full Compliance Benchmark Report here.

Methodology

A-LIGN conducted the Compliance Benchmark Report between August and September 2025. It reflects the opinions of 1,043 global respondents. Of these, 85% of companies represented are headquartered in the United States and 15% are headquartered outside of the United States. This survey was conducted by an independent, third-party market research company that is not affiliated with A-LIGN to ensure unbiased, transparent responses.

About A-LIGN

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, CMMC and penetration testing. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor. To learn more, visit a-lign.com.

Media Contact
Lindsay Mahaney
[email protected]

Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2026. All rights reserved.
