What Is Compliance Drift?
(And Why Your Business Probably Has It)
Could you pass inspection?
Think about a building inspection. When you first move into a commercial space, everything passes: the wiring is up to code, the HVAC is properly maintained and the fire suppression system is certified.
Years go by, and since you checked that inspection off the list, nobody’s checking anymore. Your equipment ages, and codes change. A staff member who knew where the maintenance logs were kept leaves the company. Eventually, an inspection reveals a list of violations — not because anyone neglected the building on purpose, but because time passed and nobody was watching.
IT compliance works the same way.
Compliance drift is what happens when a business sets up its IT security and compliance programs correctly — and then assumes they stay that way.
Meanwhile, the regulations don’t stop evolving, software doesn’t stop aging, and your employees don’t stop turning over.
Without someone actively watching for drift, the gap between where your compliance stands and where it needs to be grows quietly, month by month, until a breach or an audit reveals the distance you’ve traveled.
This isn’t a result of bad decisions. Most businesses with compliance drift did everything right when they started. The drift comes from doing nothing — from the natural passage of time operating on a system that nobody was actively maintaining.
REAL CLIENT TESTIMONIAL
“Partnering with NOC Technology gives me a sense of security and peace of mind. They have a support system no other MSPs can match. Their team is knowledgeable and quick to respond. The Mid-American team is extremely pleased with NOC and the service they provide.”
Loyd Bailie
President & General Manager
Mid-American Coaches
How compliance drift happens
Compliance drift isn’t sudden. It follows a predictable arc that plays out over months and years.
Stage 1: Setup
At some point, your business got serious about IT security. Maybe you hired an IT provider, updated your policies, completed a risk assessment, or implemented new software. You were compliant — genuinely, thoroughly compliant.
Stage 2: Assumption
You were relieved when the compliance process felt done. Your IT systems passed audit, and nothing seemed to break! It’s natural to assume that what’s working today will still be working tomorrow.
Stage 3: Drift
Unfortunately, things shift. Each gap, on its own, feels small:
- A regulation gets updated and your policy no longer matches
- A vendor you share data with changes their security posture and nobody updates the business associate agreement
- A key employee who ran your compliance training leaves and their replacement doesn’t know the process
- Software that hasn’t been patched in six months sits quietly on your network
Stage 4: Blind Spot
Here’s where it gets tricky. Most IT providers are built to respond to problems. They’ll fix what breaks, and the best ones even alert you when something fails. But compliance drift rarely breaks anything. An overdue risk assessment doesn’t trigger an alarm, and an unsigned vendor agreement doesn’t generate a help ticket — so nobody reports it.
Stage 5: Discovery
Eventually, the drift surfaces through one of the following:
- A proactive assessment from your IT provider shows the gap
- An audit from your regulatory agency finds it
- A breach exposes your weakness and threatens your business
Why Most IT Providers Won’t Tell You
In the IT services industry, most providers are structured to respond, not to search.
When a server goes down, they fix it. When ransomware hits, they restore backups. When an employee can’t connect, they troubleshoot. That’s a reasonable model for keeping systems running, and it's what you've come to expect from IT support providers.
But this model has a gap. Reactive support can't catch things that haven’t broken yet.
There’s also an economic dynamic at work. Many IT providers bill by the hour or by the incident. Proactive compliance auditing takes time, and that time isn’t always built into what you pay. It’s not that these providers are doing a bad job — it’s that their business model is built around fixing problems, not finding ones you don’t know you have.
NOC Technology is built differently.
Our pricing is published online — you can see exactly what you’re paying for before you sign anything. We don’t have a financial incentive to hide problems or stretch out work. When we find compliance drift, we tell you about it clearly, give you a prioritized plan, and let you decide what to fix.
We actively look for compliance drift — and it’s worth your time to find out if you have it.
Compliance Drift by Industry
Compliance Drift shows up differently depending on your industry’s regulatory environment. Here’s what it typically looks like for the verticals we serve in the St. Louis area.
Medical and Dental Practices
HIPAA doesn’t expire on a date, but your compliance program can expire in practice.
Common compliance drift in medical and dental offices:
- Risk assessments haven’t been completed in years
- Business associate agreements with cloud vendors were never executed
- Staff security training lapsed after turnover
- Software running without current security patches on workstations that can access patient records
A majority of HIPAA enforcement fines hit small practices — not large hospital systems. The compliance burden doesn’t scale down just because you’re a smaller practice.
Law Firms
Taken together, ABA Rules 1.1 and 1.6 create a meaningful ethical obligation around IT security as it relates to competence and client confidentiality.
Unfortunately, many law firms have already experienced a breach. Despite this, only 34% of firms have a documented incident response plan. And 10% of firms still have no security monitoring in place at all.
Compliance drift at law firms often starts small:
- Outdated document retention policies
- Shared logins across staff (even after turnover)
- Client data stored in a cloud service that was never properly vetted
CPA and Accounting Firms
The FTC and IRS require financial institutions, a category that includes accounting firms handling tax returns and financial data, to maintain a robust information security program.
Through the FTC Safeguards Rule and IRS Publication 4557, regulators have established a documented compliance framework.
The compliance drift happens in the execution:
- The individual responsible for overseeing compliance changes roles
- The annual risk assessment gets pushed off
- The vendor inventory hasn’t been updated
Accounting firms hold exactly the kind of data attackers want: social security numbers, tax filings, banking credentials, and financial records.
US Manufacturing
CMMC is a contract requirement for manufacturers handling sensitive government data.
Compliance drift in this space can mean losing a contract or failing a certification audit.
Cyber hygiene tends to drift in manufacturing:
- Vendor access that was provisioned for a project and never revoked
- Operational technology systems that haven’t been patched because production lines can’t be taken offline
- Security policies that predate a significant facility expansion or acquisition
We’re equipped to assess and address these requirements specifically for businesses in the defense supply chain.
Frequently Asked Questions
The most reliable indicator is time. If it has been more than a year since someone specifically reviewed your IT compliance posture, there is a reasonable chance some drift has occurred. Common signs include staff turnover that was not followed by a security review, software updates that have been deferred repeatedly, or a vague sense that your original compliance setup still applies but nobody has actually checked. A Compliance Drift Assessment gives you a definitive answer.
Not exactly. Compliance Drift describes the process of gradual erosion — the gap between where your program is and where it needs to be. That gap may or may not rise to the level of a technical compliance violation depending on your specific situation. The value of catching Compliance Drift early is that you can close gaps before they become findings, fines, or breaches. Think of it as the difference between a slow leak and a flood.
We recommend reviewing for Compliance Drift at least annually, and after any significant change — a staff transition, a new software rollout, a facility expansion, or a regulatory update in your industry. The more things change, the more frequently you should check. For businesses in heavily regulated industries like healthcare or financial services, twice-yearly reviews are reasonable.
No. The Compliance Drift Assessment is available to any business, regardless of whether you are currently a NOC client. Many of the businesses we assess become clients afterward — but that is not a condition. If you schedule an assessment and decide not to move forward with NOC, you will still leave with a clear, honest picture of where your compliance stands.
The assessment typically takes two to three hours of your time, spread across one or two working sessions. We handle most of the legwork in the background — reviewing your documentation, policies, and technical posture. You do not need to block out your day. Most assessments are completed within two weeks of scheduling.
The cost of remediation depends entirely on what the assessment finds and how much of it you want to address. Some gaps are addressable with process changes and documentation updates — minimal cost, just time. Others may require software, training, or ongoing managed services. We price all remediation clearly and in advance. There are no surprise invoices. If we are managing your IT on an ongoing basis, you can see our plan pricing at noctechnology.com/pricing before you commit to anything.
Yes — though the nature of the drift looks different. Even businesses outside regulated industries have implicit obligations: protecting customer data, maintaining functional backup systems, managing vendor access responsibly. A breach or ransomware attack does not check whether you are in healthcare first. Compliance frameworks exist for regulated industries, but good security hygiene matters for everyone. Businesses outside regulated verticals often have the most Compliance Drift because nobody has required them to check.