Compliance Drift
The gradual deviation from established compliance baselines as systems change, configurations evolve, and new assets appear.
Definition
Compliance drift is the gradual, often unnoticed deviation from an established compliance baseline that occurs as systems are modified, new assets are added, configurations change, and policies evolve. An organization can pass an audit on Monday and fall out of compliance by Friday if a new server is deployed without the required security agent, or an access control rule is relaxed to unblock a deployment.
The term applies across compliance frameworks, including SOC 2, NIST CSF, CIS Controls, ISO 27001, and PCI DSS. In each case, the organization establishes a set of controls, verifies them at a point in time, and then reality slowly drifts away from the documented state.
Why It Matters
Point-in-time audits catch the state of compliance on audit day. They do not catch what happens between audits. If an organization only evaluates compliance annually or quarterly, months of drift accumulate before anyone notices. The gaps that emerge between audit cycles look like this: a newly provisioned server without an EDR agent, a user account that was supposed to be decommissioned, a firewall rule opened for testing and never closed.
Compliance drift is a security risk, not just a governance problem. The gaps that emerge between audits are real vulnerabilities. An unmanaged asset is a potential entry point. An over-permissioned account is a privilege escalation path. The drift represents the delta between what the security team believes is true and what is actually true.
How It Works
Continuous compliance monitoring addresses drift by evaluating the environment against baselines on an ongoing basis, not just at audit time. This requires two things: a current, accurate asset inventory (you cannot evaluate compliance of assets you do not know about) and a rules engine that checks each asset against the expected baseline.
Effective drift detection is specific, not generic. A rule that says "all Windows endpoints must have an EDR agent" should evaluate every Windows endpoint and flag any that lack the agent. A rule that says "all servers must have been patched within 30 days" should check patch timestamps and alert on exceptions. CAASM platforms with compliance rules engines enable this level of specificity.
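As an added illustration (not code from this page or from any vendor), the rules-engine approach above on a constructed asset inventory: each rule declares which assets it applies to and what it checks, every applicable rule is evaluated per asset, documented exceptions stay visible without counting as drift, and an expired exception reverts to a failure. Asset names, dates and the TODAY reference date are constructed sample values.

```python
from datetime import date, timedelta

TODAY = date(2024, 5, 25)  # constructed evaluation date, stands in for "now"

# Constructed inventory (not real hosts): one record per discovered asset.
ASSETS = [
    {"name": "win-ws-01", "os": "windows", "role": "endpoint", "edr": True, "last_patch": date(2024, 5, 20)},
    {"name": "win-ws-02", "os": "windows", "role": "endpoint", "edr": False, "last_patch": date(2024, 5, 22)},
    {"name": "lnx-srv-01", "os": "linux", "role": "server", "edr": True, "last_patch": date(2024, 3, 1)},
    {"name": "lnx-srv-02", "os": "linux", "role": "server", "edr": True, "last_patch": date(2024, 5, 10)},
]

# Documented exceptions, keyed by (asset, rule) with an expiry date; an expired
# exception no longer suppresses the finding, so accepted risk cannot drift silently.
EXCEPTIONS = {
    ("lnx-srv-01", "patched-30d"): date(2024, 6, 30),          # approved patch window, still valid
    ("win-ws-02", "edr-windows-endpoints"): date(2024, 4, 30),  # expired: counts as drift again
}

# Each rule names the assets it applies to and the check; a rule that does not apply is neither a pass nor a fail.
RULES = [
    {"id": "edr-windows-endpoints",
     "applies": lambda a: a["os"] == "windows" and a["role"] == "endpoint",
     "check": lambda a, today: a["edr"]},
    {"id": "patched-30d",
     "applies": lambda a: a["role"] == "server",
     "check": lambda a, today: today - a["last_patch"] <= timedelta(days=30)},
]

def evaluate(assets, rules, exceptions, today):
    """Per-asset result: compliance score in [0, 1], failing rule ids, excepted rule ids."""
    results = {}
    for a in assets:
        applicable = [r for r in rules if r["applies"](a)]
        failing, excepted = [], []
        for r in applicable:
            if r["check"](a, today):
                continue
            until = exceptions.get((a["name"], r["id"]))
            (excepted if until and until >= today else failing).append(r["id"])
        # Excepted rules are treated as satisfied for the score but stay listed for visibility.
        score = (len(applicable) - len(failing)) / len(applicable) if applicable else 1.0
        results[a["name"]] = {"score": score, "failing": failing, "excepted": excepted}
    return results

def drifted(results):
    """Assets with at least one failing, non-excepted rule: the drift from the baseline."""
    return sorted(name for name, r in results.items() if r["failing"])

if __name__ == "__main__":
    for name, r in evaluate(ASSETS, RULES, EXCEPTIONS, TODAY).items():
        print(f"{name}: score={r['score']:.2f} failing={r['failing']} excepted={r['excepted']}")
```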
How Koopic Helps
Koopic's compliance rules engine lets teams define specific rules (e.g., "all endpoints must have EDR installed") and evaluates every asset against them continuously. Per-asset compliance scores surface drift as it happens, not months later during an audit. Exception workflows let teams document accepted risks without losing visibility.