2026 IT Risk and Compliance Benchmark Report

At the beginning of the year, we surveyed 1,002 GRC professionals. We asked them questions covering how they manage risk, where they’re investing, and what’s holding them back. Now that we’re at the halfway mark for 2026, the data is worth revisiting.

Get a gut-check on how your program stacks up against how your peers started in 2026 and whether you’re on track with where they planned to go.


A sneak peek of the numbers


of respondents are using AI to streamline their workflows
Why it matters:

AI adoption is now mainstream in GRC. The biggest advantage comes when it’s embedded into a SaaS platform that can apply AI directly to controls, evidence, and assessments.

of respondents who manage risk ad-hoc or when a negative event happens experienced a breach in 2025
Why it matters:

Integrated, automated approaches to risk management produced better results for respondents. Those who took an integrated, automated approach were less likely to experience a breach in 2025, at only 27%.

of respondents anticipate that their organization will spend more money on GRC in 2026
Why it matters:

The majority of respondents expect GRC budgets to increase for the second consecutive year, despite a challenging economic climate. Organizations may still feel pressure to invest in GRC, even as they face constraints on how that investment shows up in headcount, tooling, and external services.

What’s inside the report?

Five chapters covering the full scope of how GRC programs are operating and where the gaps are. 

How can you use this report?

Use this report as a mid-year gut check for the questions GRC leaders are actually wrestling with right now: 

1. How do I justify and defend my budget to stakeholders?

2. What are my peers doing to manage their GRC programs, and how can I improve?

3. What priorities should I focus on in 2026?

4. How do I connect the GRC work my team does to business outcomes?


If you’re tired of manual processes and feeling under-resourced, you’re not alone.

We surveyed a variety of GRC leaders, from CISOs to Compliance Managers, to find out how their programs are growing, and more importantly, what feels like a constant challenge.

The consistent finding? Organizations still lose a significant amount of time to manual work and fragmented processes, while those who’ve moved to automated, integrated GRC processes are seeing measurably better outcomes.

If you’re battling for budget, trying to operationalize your processes, maturing your GRC program, or just trying to stay afloat, the 2026 IT Risk and Compliance Benchmark Report gives you the data to make clear decisions.
