Organizations accelerated cloud adoption across core business functions in 2025, yet many did not update Governance, Risk, and Compliance (GRC) controls at the same pace.
Pathlock’s latest report, published today, found that 39% of the 620 organizations surveyed experienced security or compliance incidents tied directly to governance gaps introduced during cloud migration.

The study analyzed how finance, HR, procurement, and supply-chain teams managed access across hybrid environments. While HR and customer relationship management platforms were largely mature in the cloud, supply-chain and procurement systems were still mid-migration.
Pathlock noted that this hybrid mix, where sensitive data spans on-premises and cloud applications subject to regulations such as Sarbanes-Oxley (SOX) and the EU’s General Data Protection Regulation (GDPR), significantly increased oversight challenges.
The report also highlighted several gaps that collectively increased governance and security risk:
- Only 7% updated GRC controls prior to migration, 52% did not integrate a GRC strategy into initial planning, and 50% did not perform full Segregation of Duties checks when redesigning roles
- More than 70% lacked automated access-risk analysis, user access reviews, and provisioning and de-provisioning workflows
- 23% experienced insider-related incidents during or after cloud migration
- 21% reported compliance violations in the past year and 17% reported insider fraud
- 51% took more than twenty-four hours to revoke access after termination

According to Pathlock, these issues often stemmed from treating governance as a post-deployment task, rather than an engineering requirement.
“It has been nearly twenty-five years since [the] Sarbanes-Oxley [Act], yet compliance was still being overlooked during major transformation projects,” Susan Stapleton, GRC Expert at Pathlock, wrote in the report. “Companies invest hundreds of millions into these initiatives — only to face audit failures at the end because GRC was ignored. Then, they scramble to get fixes in place, which costs them double, if not triple, what it would’ve taken to do it right from the start.”
The report concluded that treating GRC as foundational, rather than a late-stage requirement, helps organizations maintain accountability, protect sensitive data, and ensure resilient transformation as their environments evolve.