Date: 2025-11-19

Nearly 40 percent of organizations have experienced security or compliance incidents directly linked to governance gaps introduced during cloud migration, according to a new report.

The study from Pathlock, based on responses from 620 enterprise IT, compliance, and security leaders, finds that in spite of the regulatory pressures many organizations face, with respondents operating under major regulations like SOX, GDPR, and others, governance is often treated as an afterthought.

Among the key findings, while HR and CRM are largely cloud-mature, areas like supply chain and procurement remain in migration, underscoring the need for rigorous governance and oversight.

Only seven percent updated governance, risk management and compliance (GRC) controls prior to migration, while more than half (52 percent) failed to embed GRC strategy from the start. Separately, 50 percent did not perform full Segregation of Duties (SoD) checks when redesigning roles.

“It’s been nearly 25 years since Sarbanes-Oxley (SOX), yet compliance is still being ignored during major transformation projects,” says Susan Stapleton, GRC expert at Pathlock. “Companies invest hundreds of millions into these initiatives -- only to face audit failures at the end because GRC was ignored. Then, they scramble to get fixes in place, which costs them double, if not triple, what it would’ve taken to do it right from the start. This report should serve as a wake-up call: GRC must be built into every transformation project from day one.”

Over 70 percent of respondents lack automated access risk analysis, user access reviews (UARs), and provisioning and de-provisioning processes. 51 percent of organizations also take more than 24 hours to revoke access after termination.

Governance failures are driving incidents too: 39 percent of organizations experienced security or compliance issues tied to governance gaps introduced during cloud migration, 21 percent reported compliance violations in the past year, and 17 percent reported insider fraud. 23 percent experienced insider-related incidents during or after cloud migration.

“The findings show that digital transformation, while essential for growth and innovation, is also introducing material business risk when governance lags behind,” says Chris Radkowski, GRC expert at Pathlock. “When organizations treat GRC as a business enabler, it becomes a catalyst for achieving resilience, reducing costs, and minimizing compliance and reputational risk.”

The full report is available from the Pathlock site.
