Thoropass Releases 2026 State of Audit And Compliance Report: AI Emerges as the Top Compliance and Audit Risk

NEW YORK--(BUSINESS WIRE)--Thoropass today released its 2026 State of Audit and Compliance Report, revealing that AI adoption has rapidly become the most significant new source of IT security compliance risk. Almost 7 in 10 security and compliance leaders say AI adoption is outpacing their security and compliance controls, signaling a growing governance gap.

Most organizations are losing the race to control the use of corporate and personal AI solutions in the workplace, increasing the “governance gap”. AI-related concerns now eclipse traditional security threats in both perceived likelihood and impact.

Share

The report, based on a survey of more than 500 security, IT, and compliance professionals, shows that while compliance programs are more mature than ever, they are under increasing strain from multi-framework audits, evidence management overhead, and the fast rise of AI-related risk.

“AI has moved faster than governance,” said Sam Li, CEO of Thoropass. “Most organizations didn’t plan for how quickly employees and teams would adopt AI tools, and compliance programs are now racing to catch up. What we’re seeing is a widening gap between innovation and oversight.”

AI is becoming integral not just to organizations’ technology stacks, but to how companies operate. That same technology can and should be used to help organizations run smoother, more efficient audits, empowering them to eliminate manual effort, improve evidence quality, and give teams confidence as audit expectations evolve.”

Key findings from the research include:

AI Has Become the Leading Compliance Risk

AI-related concerns now eclipse traditional security threats in both perceived likelihood and potential regulatory impact:

• 69% of respondents stated that adoption of AI tools in the organization is outpacing their ability the security and compliance controls
• 55% say that AI-related data exposure or misuse as their top breach concern – a higher rate than ransomware, IAM failures, or cloud misconfigurations
• 57% believe AI-related incidents are the most likely to trigger regulatory action or customer fallout in 2026
• Only 18% say they are not concerned about AI-related compliance risk

Compliance Maturity Is High, but Audit Friction Persists

Even as organizations report mature compliance programs, operational inefficiencies remain widespread:

• Challenges related to collecting evidence across multiple tools is the most common bottleneck in the audit process, cited by 53% of respondents
• 91% say they must resubmit audit evidence at least sometimes due to miscommunication or shifting auditor expectations
• The top compliance challenges are managing multiple frameworks and keeping evidence continuously audit-ready

The report finds that compliance is increasingly viewed as an ongoing risk management function – driven by security posture, insurance requirements, and customer trust – rather than a once-a-year certification exercise.

“The audit model itself is changing. Organizations don’t just need more controls — they need audits that operate continuously and keep pace with how modern systems actually work. The future of audit is less manual collection and more real-time assurance,” continued Li.

What This Means for IT Audit in 2026

The definition of “audit-ready” is changing. Organizations that can consolidate compliance workflows, maintain up-to-date evidence, and integrate AI governance into existing frameworks will be better positioned for both upcoming audits and regulatory scrutiny.

Download the full 2026 State of Audit and Compliance Report to see how your organization compares.

Survey methodology: 536 InfoSec leaders across SMB to enterprise organizations were surveyed online in January 2026. The breakdown of respondents was:

By role:

• IT / Security Operations Leader: 70.3%
• GRC / Compliance Director or Manager: 17.9%
• CISO / VP Security / Head of Security: 9.9%
• Founder / President / CEO: 1.1%

By company size:

• Under 250 employees: 12.9%
• 250–999 employees: 45%
• 1,000–2,499 employees: 27.2%
• 2,500+ employees: 14.9%

About Thoropass

Thoropass is the only end-to-end cybersecurity auditor. Our Audit Lifecycle Platform combines continuous, AI-powered evidence collection with the industry’s most advanced suite of AI agents and a highly experienced team of auditors to deliver comprehensive, trusted security audits.

Thoropass offers the most flexible and scalable solution for organizations to ensure compliance with more than 30 frameworks, including SOC 2, ISO, PCI, and HITRUST. The Thoropass Audit Lifecycle Platform works seamlessly with any GRC platform and systems of record, ensuring organizations have absolute confidence in their audit–regardless of which software they use across the organization.

To learn more about doing your cybersecurity audits the Oro way, visit us at thoropass.com.