The 5 Stages of Compliance Drift (and How to Know Where You Stand)

by Jon Lober | NOC Technology | May 4, 2026

If you've read our overview of Compliance Drift, you know the basic idea: regulated businesses don't usually become non-compliant overnight. They drift there gradually, quietly, and often without anyone noticing until something forces the question.

This week, I want to walk through exactly how that drift happens, because understanding the pattern is the first step to catching it early.


Here are the five stages I've observed in organizations across the St. Louis area. I see this pattern in medical practices, law firms, CPA offices, and manufacturers. The industry details change. The stages don't.



Stage 1: Setup

At some point, your organization got serious about IT security and compliance. Maybe it was when you brought in an IT provider. Maybe it was when you completed a risk assessment or went through an insurance audit. Whenever it was, you updated your policies, trained your staff, and implemented new software.


And you were compliant — genuinely and thoroughly compliant. If an auditor had walked in that week, you would have been in good shape.


Stage 1 is where every organization wants to live permanently. The challenge is that staying there requires ongoing effort. Like any system in our universe, a compliant environment decays toward entropy unless we actively fight back.



Stage 2: Assumption

After Stage 1, everything in IT runs smoothly, because the systems are doing their job.


This is where assumption sets in. This isn't negligence; it's mere assumption, the reasonable belief that what was true yesterday is still true today. You assume that the controls you set up are still active, that the policies you documented still match current regulations, and that the vendor who has access to your system is still operating under the same terms.


The assumption phase isn't a failure. It's a natural response to the absence of visible problems. The danger is that compliance doesn't announce when it expires.



Stage 3: Drift

This is where the gap opens, and it usually happens through an accumulation of issues rather than any single event.


It may not even be something you control. A statute gets updated and suddenly your policy no longer fits the bill. A vendor you share data with quietly changes their security posture, but nobody updates the business associate agreement — because you didn't even know. A key employee who ran your compliance training leaves, and their replacement doesn't know that the process exists. Software that hasn't been patched in six months sits on your network. A new workstation gets set up by someone who doesn't know the configuration standard.


Each gap, on its own, seems minor, and it is! The problem is that these gaps compound. Your HIPAA risk assessment from 2022 doesn't reflect the three software platforms you added in 2023. Your network segmentation is still good, except for the device a new vendor plugged in last fall. Your policies are well-written, but they describe a workflow nobody uses anymore.


The distance between where you think you are and where you actually are: that's Compliance Drift.


A note on the medical vertical: One of the most common patterns I see is a healthcare practice that believes their EHR vendor's HIPAA compliance covers the whole organization. It doesn't. The vendor's Business Associate Agreement covers their platform. It doesn't cover your workstations, your Wi-Fi, your staff's devices, your backup processes, or your vendor access controls. The EHR is compliant. The environment around it has often drifted. That gap is where OCR investigations land.



Stage 4: Blind Spot

Here's where it gets difficult: most IT providers are built to respond to problems. When something breaks, they fix it. When a system goes down, they restore it. When a user can't connect, they troubleshoot. That model works well for operational IT.


But Compliance Drift rarely breaks anything. A lapsed risk assessment doesn't trigger an alarm. An unsigned vendor agreement doesn't generate a help ticket. An outdated security policy doesn't show up in a monitoring dashboard. So nobody reports it, because there's nothing to report; the drift is invisible to a reactive support model.


There's also an uncomfortable economic dynamic in this industry: some IT providers don't surface compliance gaps because doing so invites the question, "Well, what exactly are you doing about it?" It's easier to keep things running smoothly and not raise issues that might create work, or worse, might suggest the current provider hasn't been doing enough.


At NOC Technology, we ask the uncomfortable questions.



Stage 5: Discovery

Eventually, something brings the drift into view. How it gets discovered matters a great deal.


The best discovery is proactive: your IT provider runs a structured compliance review and shows you exactly where things have slipped. You learn what needs to be fixed, in private, with time to fix it without a breach or audit. Just a clear-eyed inventory and a remediation plan.


The harder versions are audit discovery and breach discovery. An audit finds the gaps while an examiner is watching. A breach finds them the worst possible way, and at that point, discovery is expensive, public, and often irreversible in terms of client trust.


The good news is that proactive discovery is available to any organization that asks for it. It doesn't require a special program or a compliance audit firm. It requires an IT provider who knows what to look for and is motivated to find it.



How to Know Where You Stand

If you're reading this and wondering where your organization falls in these five stages, here are some honest questions to ask:


  • When was the last time your IT provider did a structured compliance review — not just fixed a problem, but proactively audited your environment against the regulations you operate under?
  • If a key employee who managed any part of your compliance process left tomorrow, would you know what they knew? Is that knowledge documented?
  • Do you have a current list of every vendor with access to your systems or your data? Is each one operating under an active, signed agreement?
  • When did your security policies last get updated? Do they describe how your business actually operates today?
  • Has any software, device, or service been added to your environment in the last 12 months without a formal security review?


If you answered "I'm not sure" to more than one of those, you're almost certainly in Stage 3 or approaching Stage 4. That's not a crisis, but it is an honest assessment of where you are.



What Comes Next

Over the coming weeks, I'll be writing about how Compliance Drift shows up specifically in medical practices, law firms, and CPA offices, with the concrete details that make the concept real rather than theoretical.


If you'd like to understand where your organization stands right now, the best starting point is a conversation. Not a sales call — a 30-minute walkthrough of your current environment and the regulations that apply to you. No commitment, no pressure.


You can reach us at 636-390-6621. We're based in Washington, MO and serve businesses throughout the St. Louis metro area.

Frequently Asked Questions

Is Compliance Drift a formal regulatory term?

No. Compliance Drift is a term we use to describe a pattern we observe repeatedly in organizations across regulated industries. The pattern itself is real and well-documented in audit findings and breach investigation reports — we've just named it in a way that makes it easier to talk about clearly.

How often should a business do a compliance review?

For most regulated businesses — medical practices, law firms, CPA firms, manufacturers with federal contracts — an annual structured compliance review is the minimum. Any significant environmental change (new software, new vendor, new regulation, staff turnover in a key role) should trigger a targeted review in addition to the annual baseline.

Can my current IT provider do a compliance review?

They can if they're structured to do so. The key question is whether your provider proactively schedules compliance reviews as part of their service, or whether they're purely reactive. If you've never received a formal compliance assessment from your current provider, that's worth asking about directly.

Does NOC Technology serve businesses outside Washington, MO?

Yes. We serve businesses throughout the greater St. Louis metro area, including St. Charles, Jefferson, and Franklin counties. Most ongoing IT management is handled remotely; initial assessments typically include an on-site visit.

Jon Lober is the CEO of NOC Technology, a managed service provider and business technology consultant based in Washington, Missouri and serving greater St. Louis and beyond. With over 25 years of business management experience and more than 15 in IT, Jon understands the complexities of both business operations and the technological infrastructure that makes work possible. Jon is a CMMC Registered Practitioner from CyberAB and is passionate about cybersecurity compliance, business continuity, and intelligent automation, all built to support and protect US-based businesses.
