The 5 Stages of Compliance Drift (and How to Know Where You Stand)
by Jon Lober | NOC Technology
If you've read our overview of Compliance Drift, you know the basic idea: regulated businesses don't usually become non-compliant overnight. They drift there. Gradually. Quietly. And often without anyone noticing until something forces the question.
This week, I want to walk through exactly how that drift happens, because understanding the pattern is the first step to catching it early.
Here are the five stages I've observed in organizations across the St. Louis area. I see this pattern in medical practices, law firms, CPA offices, and manufacturers. The industry details change. The stages don't.
Stage 1: Setup
At some point, your organization got serious about IT security and compliance. Maybe you brought in an IT provider. Maybe you completed a risk assessment or went through an audit. Maybe you updated your policies, trained your staff, and implemented new software.
You were compliant. Genuinely and thoroughly. And that was real, the work was done, the documentation existed, and if an auditor had walked in that week, you would have been in good shape.
Stage 1 is where every organization wants to live permanently. The challenge is that staying there requires ongoing effort, and that's where things start to slip.
Stage 2: Assumption
After Stage 1, things run smoothly. IT works. Audits pass. Staff doesn't call with compliance questions. The systems are doing their job.
This is where assumption sets in. Not negligence, assumption. The reasonable belief that what was true yesterday is still true today. That the controls you set up are still active. That the policies you documented still match current regulations. That the vendor who has access to your system is still operating under the same terms.
The assumption phase isn't a failure. It's a natural response to the absence of visible problems. The danger is that compliance doesn't announce when it expires.
Stage 3: Drift
This is where the gap opens, and it usually happens through accumulation rather than any single event.
A regulation gets updated and your policy no longer matches. A vendor you share data with quietly changes their security posture, but nobody updates the business associate agreement. A key employee who ran your compliance training leaves, and their replacement doesn't know the process exists. Software that hasn't been patched in six months sits on your network. A new workstation gets set up by someone who doesn't know the configuration standard.
Each gap, on its own, seems minor. And it is. The problem is that these gaps compound. Your HIPAA risk assessment from 2022 doesn't reflect the three software platforms you added in 2023. Your network segmentation is still good, except for the device a new vendor plugged in last fall. Your policies are well-written, but they describe a workflow nobody uses anymore.
The distance between where you think you are and where you actually are: that's Compliance Drift.
A note on the medical vertical: One of the most common patterns I see is a healthcare practice that believes their EHR vendor's HIPAA compliance covers the whole organization. It doesn't. The vendor's Business Associate Agreement covers their platform. It doesn't cover your workstations, your Wi-Fi, your staff's devices, your backup processes, or your vendor access controls. The EHR is compliant. The environment around it has often drifted. That gap is where OCR investigations land.
Stage 4: Blind Spot
Here's where it gets difficult: most IT providers are built to respond to problems. When something breaks, they fix it. When a system goes down, they restore it. When a user can't connect, they troubleshoot. That model works well for operational IT.
But Compliance Drift rarely breaks anything. A lapsed risk assessment doesn't trigger an alarm. An unsigned vendor agreement doesn't generate a help ticket. An outdated security policy doesn't show up in a monitoring dashboard. So nobody reports it, because there's nothing to report: the drift is invisible to a reactive support model.
There's also an uncomfortable economic dynamic in this industry: some IT providers don't surface compliance gaps because doing so invites the question, "Well, what exactly are you doing about it?" It's easier to keep things running smoothly and not raise issues that might create work, or worse, might suggest the current provider hasn't been doing enough.
At NOC, we ask the uncomfortable questions. That's the job.
Stage 5: Discovery
Eventually, something brings the drift into view. How it gets discovered matters a great deal.
The best discovery is proactive: your IT provider runs a structured compliance review and shows you exactly where things have slipped. You learn what needs to be fixed, in private, with time to fix it. No breach. No audit. No regulator. Just a clear-eyed inventory and a remediation plan.
The harder versions are audit discovery and breach discovery. An audit finds the gaps while an examiner is watching. A breach finds them the worst possible way, and at that point, discovery is expensive, public, and often irreversible in terms of client trust.
The good news is that proactive discovery is available to any organization that asks for it. It doesn't require a special program or a compliance audit firm. It requires an IT provider who knows what to look for and is motivated to find it.
How to Know Where You Stand
If you're reading this and wondering where your organization falls in these five stages, here are some honest questions to ask:
- When was the last time your IT provider did a structured compliance review: not just fixed a problem, but proactively audited your environment against the regulations you operate under?
- If a key employee who managed any part of your compliance process left tomorrow, would you know what they knew? Is that knowledge documented?
- Do you have a current list of every vendor with access to your systems or your data? Is each one operating under an active, signed agreement?
- When did your security policies last get updated? Do they describe how your business actually operates today?
- Has any software, device, or service been added to your environment in the last 12 months without a formal security review?
If you answered "I'm not sure" to more than one of those, you're almost certainly in Stage 3 or approaching Stage 4. That's not a crisis, but it is an honest assessment of where you are.
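As an added example (not code from this article or from NOC Technology), here is a small Python inventory check that turns the five questions above and the Stage 3 gap list into something you can run against your own records. Everything in it is an assumption for illustration: the record layout, the review thresholds (a year for the risk assessment and for each policy, 90 days for patching), the rough mapping from gap count to stage, and the sample practice inventory, which is constructed to mirror the Stage 3 examples rather than drawn from any real client.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Review thresholds: assumptions for this example, not figures from the article.
MAX_ASSESSMENT_AGE = timedelta(days=365)  # risk assessment older than a year has drifted
MAX_POLICY_AGE = timedelta(days=365)      # policy not reviewed in a year has drifted
MAX_PATCH_AGE = timedelta(days=90)        # software unpatched for 90 days has drifted


@dataclass
class Vendor:
    name: str
    has_access: bool                  # can reach your systems or your data
    agreement_signed: Optional[date]  # None = no signed agreement on file


@dataclass
class Addition:
    """Software, device or service added to the environment."""
    name: str
    added: date
    reviewed: bool                       # went through a formal security review
    last_patched: Optional[date] = None  # None for items that are not patchable


@dataclass
class Inventory:
    risk_assessment: date        # date of the last completed risk assessment
    policies: Dict[str, date]    # policy name -> date last reviewed
    vendors: List[Vendor] = field(default_factory=list)
    additions: List[Addition] = field(default_factory=list)


def find_drift(inv: Inventory, today: date) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for every control that has drifted as of `today`."""
    findings: List[Tuple[str, str]] = []
    if today - inv.risk_assessment > MAX_ASSESSMENT_AGE:
        findings.append(("risk assessment", f"last completed {inv.risk_assessment}"))
    for name, reviewed in inv.policies.items():
        if today - reviewed > MAX_POLICY_AGE:
            findings.append((f"policy:{name}", f"last reviewed {reviewed}"))
    for v in inv.vendors:
        # A vendor with access and no signed agreement is a gap; one without access is not.
        if v.has_access and v.agreement_signed is None:
            findings.append((f"vendor:{v.name}", "has access but no signed agreement on file"))
    for a in inv.additions:
        if not a.reviewed:
            findings.append((f"addition:{a.name}", f"added {a.added} without a security review"))
        if a.last_patched is not None and today - a.last_patched > MAX_PATCH_AGE:
            findings.append((f"addition:{a.name}", f"not patched since {a.last_patched}"))
    return findings


def stage_estimate(findings: List[Tuple[str, str]]) -> str:
    """Map the number of open gaps onto the article's stages (a rough heuristic, assumed here)."""
    if not findings:
        return "Stage 1-2: no gaps found; schedule the next review before assumption sets in"
    if len(findings) == 1:
        return "Stage 3: one gap; fix it before others compound"
    return "Stage 3, approaching Stage 4: multiple gaps; run a structured compliance review"


def sample_inventory() -> Inventory:
    """Constructed practice inventory mirroring the Stage 3 examples; not real data."""
    return Inventory(
        risk_assessment=date(2022, 3, 15),
        policies={"acceptable use": date(2024, 1, 10), "incident response": date(2022, 9, 1)},
        vendors=[
            Vendor("EHR platform", has_access=True, agreement_signed=date(2023, 2, 1)),
            Vendor("billing service", has_access=True, agreement_signed=None),
            Vendor("former copier vendor", has_access=False, agreement_signed=None),
        ],
        additions=[
            Addition("practice management app", date(2023, 4, 1), reviewed=True, last_patched=date(2024, 5, 20)),
            Addition("imaging viewer", date(2023, 6, 1), reviewed=False, last_patched=date(2023, 11, 28)),
            Addition("vendor-supplied scanner", date(2023, 10, 12), reviewed=False),
            Addition("front-desk-03 workstation", date(2024, 4, 2), reviewed=True, last_patched=date(2024, 5, 28)),
        ],
    )


def check_sample(today: date = date(2024, 6, 1)) -> Tuple[List[Tuple[str, str]], str]:
    """Run the check on the constructed inventory with a fixed date so the result is reproducible."""
    found = find_drift(sample_inventory(), today)
    return found, stage_estimate(found)


if __name__ == "__main__":
    found, stage = check_sample()
    for item, reason in found:
        print(f"DRIFT  {item}: {reason}")
    print(stage)
```

Against the constructed inventory the check reports six gaps (the stale risk assessment, one stale policy, one vendor with access and no agreement, an unreviewed and unpatched imaging viewer, and an unreviewed vendor-supplied scanner), which is the "approaching Stage 4" picture the article describes: no single item would raise an alarm, but together they are the distance between where the practice thinks it is and where it actually is.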
What Comes Next
Over the coming weeks, I'll be writing about how Compliance Drift shows up specifically in medical practices, law firms, and CPA offices, with the concrete details that make the concept real rather than theoretical.
If you'd like to understand where your organization stands right now, the best starting point is a conversation. Not a sales call — a 30-minute walkthrough of your current environment and the regulations that apply to you. No commitment, no pressure.
You can reach us at 636-390-6621. We're based in Washington, MO and serve businesses throughout the St. Louis metro area.