Archive for RegScale

2026 State of CCM Report: Resource Constraints Drive 85% of Organizations to Rethink Traditional GRC Approaches

Posted in Commentary with tags on January 20, 2026 by itnerd

RegScale today announced its second annual State of Continuous Controls Monitoring (CCM) Report, building on last year’s landmark study with expanded insights into how organizations are adapting to rising regulatory pressure and increasing security demands.

This year’s data shows that 83% of organizations report moderate or major delays caused by manual compliance work, with 53% dedicating the equivalent of one full-time employee exclusively to evidence collection — just one of dozens of manual GRC workflows. As security and risk frameworks multiply and regulatory expectations accelerate, teams are facing the highest operational stress levels recorded to date.

Key Findings from the 2026 Report

  • 85% of organizations report delaying or eliminating legacy GRC activities due to resource constraints.
  • 44% have postponed control testing and monitoring, while 33% have postponed policy updates and governance reviews, with 25% citing a lack of skilled employees as a major barrier.

AI Adoption Rising, Yet Full Automation Remains Rare:

  • 95% of organizations have implemented some level of automation in GRC.
  • Only 4% have achieved full end-to-end automation.
  • Only 28% monitor their security controls continuously in real-time, while 72% still rely on periodic assessments.
  • 64% report significant or transformational improvement from AI adoption.

The 2026 report underscores a pivotal trend: real-time compliance and security are becoming indistinguishable requirements. Organizations that rely on manual evidence collection, fragmented data, and periodic control checks face increased exposure and higher operational costs, particularly as AI-driven threats accelerate.

Beyond workforce strain and automation maturity, the report examines board-level reporting and metrics, industry-specific compliance challenges, regulatory complexity, and how organizations are evolving governance models to support continuous assurance. Together, these insights provide a broader view of how compliance programs are being reshaped to meet rising expectations from regulators, executives, and businesses.

To explore the full findings of the 2026 State of Continuous Controls Monitoring Report, please download the full report or attend the exclusive webinar on January 27, 2026, where industry experts will share actionable guidance on strengthening compliance operations, improving automation maturity, and building a more resilient security posture.

Methodology:

The 2026 State of Continuous Controls Monitoring Report is based on a survey conducted in September and October 2025 among 253 InfoSec leaders, including CISOs, CIOs, Chief Risk Officers, and VPs and Directors of Security. Respondents were surveyed from organizations with more than 1,000 employees and across a range of industries, including financial services, healthcare, tech, retail, government, business services, manufacturing, and more.

RegScale Donates Open-Source OSCAL Hub to the OSCAL Foundation

Posted in Commentary with tags on December 16, 2025 by itnerd

RegScale, the leader in Continuous Controls Monitoring (CCM), today launched the OSCAL Hub, an open-source industry platform that will help accelerate the approval of security authorizations (Authority to Operate (ATO)) for government regulators, federal agencies, cloud service providers, and other organizations using the Open Security Controls Assessment Language (OSCAL) standardized framework for information systems. The OSCAL Hub was unveiled this week at OSCAL Plugfest, a hands-on event bringing together OSCAL practitioners, industry, regulators, and the broader community to collaborate on real-world technical challenges and workstreams.

Federal agencies and contractors spend thousands of hours on manual compliance work. As cyber threats to national security escalate in speed and sophistication, the need to automate cybersecurity risk management has become a priority across the public and private sectors to speed innovative technology solutions into production to support government missions and citizen services.

To meet this mission need, the OSCAL Hub was created as a free, open-source, and comprehensive platform for security compliance teams working with OSCAL documents. It enables government regulators and any Authorizing Officials to review and approve packages, and industry technology providers to submit their Risk Management Framework (RMF) documents in an OSCAL format—resulting in up to 85 percent time savings, due to machine-readable artifacts that can be reviewed and audited with automated approaches.

RegScale also announced today that it is donating the OSCAL Hub source code as both free and open source to the OSCAL Foundation to advance the use of the application in the community, across both commercial and federal applications.

The OSCAL Hub features templates and visual tools and can be run as a modern web application for supporting simple, rapid, and robust authorization processes and content sharing. It can be deployed to Google Cloud, Azure, AWS, locally, or even as a command line tool inside of customer data pipelines. The OSCAL Hub allows:

  • Federal Agencies to maintain RMF packages and their associated ATOs
  • Technology vendors to share component definitions for easy ingestion into their OSCAL tooling
  • Regulators to publish and share OSCAL catalogs and profiles that can serve as a foundation for modern GRC tooling
  • Security Engineers to validate OSCAL in CI/CD pipelines, convert between formats automatically, and integrate into workflows via REST APIs
  • AOs to review validated packages and track conditions of approval and Plans of Action and Milestones (POAMs) over time

Learn more about the OSCAL Hub here or access the Hub in this link.

RegScale Raises $30+ Million to Redefine Cyber GRC for Highly Regulated Industries

Posted in Commentary with tags on September 17, 2025 by itnerd

RegScale, the leader in Continuous Controls Monitoring (CCM), today announced it has raised $30+ million in an oversubscribed Series B round led by Washington Harbour Partners, with additional investment from new investors M12, Microsoft’s Venture Fund, Hitachi Ventures, and Ankona Capital, as well as continued participation from existing investors SYN Ventures and SineWave Ventures. This raise confirms what customers and investors already know: RegScale isn’t building the next wave of cyber GRC, it’s redefining it, turning compliance from a burdensome, manual checklist process into a real-time and automated platform for the most heavily regulated industries.

The new capital will accelerate RegScale’s leadership in the $50+ billion GRC market and fuel key hires across R&D and sales, enabling the company to deliver increased impact to its growing customer base. It will accelerate RegML, RegScale’s industry-leading AI roadmap, expanding the only CCM platform with AI agents purpose-built to continuously monitor compliance, automate evidence collection/reviews, conduct audits, and analyze risk — capabilities no other provider delivers securely at scale. “RegScale’s AI-powered compliance-as-code approach delivers what today’s operators need most: faster certifications, lower costs, and a stronger security posture. This is the future of cyber GRC, and we’re excited to support RegScale as they scale to meet the growing demand,” said Todd Graham, Managing Partner at M12, Microsoft’s Venture Fund.

With this funding, RegScale is not only strengthening its value for government agencies, financial services, and high-tech organizations but also accelerating expansion into energy, utilities, and other highly regulated sectors where continuous compliance and security assurance are most urgent.

With cyberattacks escalating, nation-states and criminal groups exploiting compliance gaps, and budget cuts pushing for cost takeout and tool consolidation across all industries, CISOs can no longer rely on traditional GRC and manual labor approaches to just check a box. They need CCM to operationalize their risk program and deliver real-time control assurance against a growing set of cybersecurity threats.

RegScale is leading this revolutionary change in managing cyber GRC. Customers report 60% faster audit prep, 3–4x faster FedRAMP High authorizations, and up to 80% greater accuracy, with AI and automation delivering up to 10x staff efficiency. RegScale continues to promote industry standards, serving as the lead affiliate for the Cyber Risk Institute’s (CRI) OSCAL initiative, as a founding member of the OSCAL Foundation, a participant in the Cloud Security Alliance (CSA) Compliance Automation Revolution, and a contributor to the FedRAMP 20x initiative. Its impact has been recognized across the industry, most recently being named Best Compliance Solution by SC Media and as an industry leader by Gartner.

As proof of its platform’s maturity, RegScale achieved FedRAMP High Authorization sponsored by the DHS in half the cost and in just six months, versus the typical 18–24 months. Inside the company, the team is driving incredible growth: ARR has tripled year-over-year, key enterprise and federal customers are on board, and the team has expanded with major additions, including Devon Goforth as CTO, Rich Shirley as VP of Strategic Partnerships, Mike Kimball and Meghan Shafer as VPs of sales, Jennifer Stafford as GM of Federal, and strategic advisors Roland Cloutier and Alex Tosheff.

RegScale is a continuous controls monitoring (CCM) platform that is designed to be the operational risk tool for the CISO. Built on a compliance-as-code foundation, RegScale enables extreme automation with our API-first strategy, self-updating paperwork, and powerful AI agents that all but eliminate manual labor, make your program more proactive, save money, accelerate time to market, and reduce risk in your operational environment. Heavily regulated organizations, including Fortune 500 enterprises and the Federal government, use RegScale and report achieving compliance certifications 90% faster and trimming audit preparation efforts by 60%, thereby strengthening security and reducing costs. Learn more at http://www.regscale.com.