The Compliance Industry Has a Discovery Problem And Nobody Wants to Talk About It
- Martin Snyder

- May 13
The modern compliance industry is genuinely impressive. Not so many years ago, a SOC 2 was a months-long, human-driven endeavor with binders, screenshots, and stickers on physical doors. Today, automated platforms collect evidence continuously, map controls to frameworks, and produce auditor-ready reports with a few clicks. It's a real improvement.
It also has a hole in the middle that the industry collectively pretends doesn't exist.
The thing automated evidence doesn't tell you
Compliance automation works by integrating with the systems you've told it about. Your cloud accounts, your identity provider, your code repos, your endpoint manager. Every integration is a pipe carrying configuration data and event logs into the platform. The platform maps those signals to controls, declares the controls in place, and produces evidence.
It does this very well, for the systems that are connected. The quieter question nobody asks is whether that is the full list.
Of course it isn't. It's never the full list. The SaaS apps your marketing team adopted last quarter aren't in there. The AI tool your product team is using to summarize customer feedback isn't in there. The OAuth grant your developer gave to a code assistant isn't in there. The Azure subscription your contractor spun up on a personal card isn't in there. The dashboard looks clean because the dashboard can only show you the systems it can see.
Auditors are starting to notice
For a while, this gap didn't hurt anybody. Auditors took the inventory they were given, checked the controls, and signed the opinion. Times are changing. The newer cohort of auditors — particularly those who came up through cloud-native firms — have started asking a different question: "How do you know that's all of it?"
Answer that question with a confident "the platform shows us everything" and watch the auditor smile politely while writing down "Management asserts." Answer it with "we don't, actually, and here's the reconciliation we run to find what's missing" and the conversation gets a lot easier. The standards point the same way. The AICPA's SOC 2 Trust Services Criteria include, under CC6.1, a point of focus on identifying and managing the inventory of information assets, so an auditor is on solid ground asking how you know that inventory is complete, not only whether the controls operated over the systems already in it. ISO/IEC 27001:2022 is more explicit still: Annex A control 5.9 calls for an inventory of information and other associated assets, with owners assigned.
Why the industry doesn't fix it
The compliance automation vendors aren't blind to this. They know. The reason it's not the lead message in their go-to-market is straightforward — it's much harder to sell "we'll tell you what you don't know" than it is to sell "we'll automate the things you already do." So the marketing focuses on integrations. The slide decks emphasize connectors. The customer onboarding starts with "what systems should we connect first?" And the inventory sits where it sat, slowly aging.
The result is that the most expensive piece of the compliance stack — the one that generates the audit-ready reports — is downstream of the cheapest, most-ignored piece. Which is discovery.
What to do about it
Use the automation. It's good. Just stop trusting it as a measure of your true posture without an independent discovery layer underneath. The case study on a financial-services compliance nightmare describes exactly what happens when the gap goes unaddressed long enough. The comparison of GRC tools in 2026 covers the broader landscape.
The fix is also not exotic. Continuous discovery of every SaaS, OAuth grant, AI integration, and cloud tenant attached to your domain. Feed that into the compliance platform you already pay for. Suddenly the evidence reflects reality instead of the version of reality that fit through your existing connectors.
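What that reconciliation looks like in practice, as an added example that is not code from the original post or from any vendor: take the assets discovery finds (OAuth grants from the identity provider's consent export, cloud tenants, SaaS and AI tools seen in sign-in traffic), normalise them to one key per asset, and diff that against the list of systems the GRC platform has connectors for. Everything in the discovered set with no connector is a gap in the evidence; every connector with nothing behind it is evidence of nothing. All input records, field names, scope names, and the `example.com` users are constructed for illustration and are assumptions, not any product's real export format.

```python
"""Inventory reconciliation: discovered assets vs. GRC-connected systems.

Illustrative example with constructed data. Source formats, field names and
scope names are assumptions, not a real IdP, cloud or GRC export.
"""
from dataclasses import dataclass

# Scopes that let a third-party app read or change data broadly.
# Constructed list; replace with the scope names your own IdP emits.
SENSITIVE_SCOPES = {"offline_access", "repo", "Mail.Read",
                    "Files.ReadWrite.All", "admin:org"}


@dataclass(frozen=True)
class Asset:
    kind: str         # "saas", "ai_tool", "oauth_grant", "cloud_tenant"
    name: str
    owner: str        # who granted or created it, where discovery knows
    detail: str = ""  # scopes for grants, billing source for tenants

    @property
    def key(self) -> str:
        """Stable, case-insensitive identity used to match against connectors."""
        return f"{self.kind}:{self.name}".lower()


def normalize_oauth_grants(grants):
    """One asset per consent record; scopes kept so we can rank the gap."""
    return [Asset("oauth_grant", g["app"], g["user"], ",".join(sorted(g["scopes"])))
            for g in grants]


def normalize_cloud_tenants(tenants):
    return [Asset("cloud_tenant", f"{t['provider']}:{t['id']}", t["owner"], t.get("billing", ""))
            for t in tenants]


def normalize_saas(apps):
    return [Asset("ai_tool" if a.get("ai") else "saas", a["app"], a["first_seen_user"])
            for a in apps]


def _is_high_risk(a: Asset) -> bool:
    """A gap is high risk if the grant carries a broad scope or the tenant is
    paid for outside corporate billing (nobody is reviewing it)."""
    scopes = set(a.detail.split(",")) if a.kind == "oauth_grant" else set()
    return bool(scopes & SENSITIVE_SCOPES) or (
        a.kind == "cloud_tenant" and a.detail == "personal_card")


def reconcile(discovered, connected_keys):
    """Return (gaps, stale, high_risk).

    gaps:      discovered assets the GRC platform has no connector for
    stale:     connector keys that discovery no longer sees behind them
    high_risk: the subset of gaps that should be triaged first
    """
    connected = {k.lower() for k in connected_keys}
    by_key = {a.key: a for a in discovered}
    gaps = [a for k, a in sorted(by_key.items()) if k not in connected]
    stale = sorted(connected - by_key.keys())
    high_risk = [a for a in gaps if _is_high_risk(a)]
    return gaps, stale, high_risk


# ---- constructed sample inputs -------------------------------------------
GRC_CONNECTED = [          # what the compliance platform has integrations for
    "cloud_tenant:aws:111122223333",
    "saas:okta",
    "saas:github",
    "saas:intune",
    "saas:legacy-ticketing",   # retired last year; the connector still reports green
]
OAUTH_GRANTS = [           # IdP third-party consent export (constructed)
    {"app": "code-assistant", "user": "dev@example.com", "scopes": ["repo", "read:user"]},
    {"app": "calendar-sync", "user": "pm@example.com", "scopes": ["Calendars.Read"]},
]
CLOUD_TENANTS = [          # tenant enumeration by domain (constructed)
    {"provider": "aws", "id": "111122223333", "owner": "platform@example.com", "billing": "corporate"},
    {"provider": "azure", "id": "sub-0042", "owner": "contractor@example.com", "billing": "personal_card"},
]
SAAS_DISCOVERED = [        # apps seen in sign-in and mail traffic (constructed)
    {"app": "okta", "first_seen_user": "it@example.com"},
    {"app": "github", "first_seen_user": "dev@example.com"},
    {"app": "intune", "first_seen_user": "it@example.com"},
    {"app": "marketing-forms", "first_seen_user": "mkt@example.com"},
    {"app": "feedback-summarizer", "first_seen_user": "product@example.com", "ai": True},
]


def run_example():
    discovered = (normalize_oauth_grants(OAUTH_GRANTS)
                  + normalize_cloud_tenants(CLOUD_TENANTS)
                  + normalize_saas(SAAS_DISCOVERED))
    return reconcile(discovered, GRC_CONNECTED)


if __name__ == "__main__":
    gaps, stale, high_risk = run_example()
    print(f"{len(gaps)} discovered assets have no GRC connector:")
    for a in gaps:
        print(f"  {a.key:40} owner={a.owner}{'  HIGH' if a in high_risk else ''}")
    print("connectors with nothing behind them:", stale)
```

On the constructed data this reports five gaps (the AI summarizer, the contractor's Azure subscription, both OAuth grants, and the marketing form tool), flags the Azure subscription and the `repo`-scoped code assistant as high risk, and lists `saas:legacy-ticketing` as a connector producing evidence for a system that no longer exists. The useful property is that the output is a list of keys in the same shape the GRC platform uses, so each gap can be fed back in as a connector to add or a finding to track rather than living in a spreadsheet.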
That's the layer Waldo Security's SaaS Governance and Compliance offering is built to be. Underneath your GRC tool, not next to it. Filling the hole the industry politely refuses to mention.
Curious what your evidence looks like once the inventory is right? Book a demo. Worst case, you get a better answer for the auditor next quarter.