LR-301f · Module 1

Compliance Drift Detection

Compliance drift is the gradual degradation of compliance posture over time. It does not happen suddenly. It happens when a quarterly review is postponed once, then twice, then becomes semi-annual. When an evidence generation process is skipped during a busy week and nobody notices. When a control owner changes and the successor does not know the evidence requirements. Each individual drift is minor. The cumulative effect is material non-compliance.

Do This

  • Detect drift through automated health checks that compare current state against documented baseline — the delta is the drift
  • Alert on drift immediately — the earlier drift is detected, the cheaper it is to correct
  • Track drift patterns over time — controls that drift repeatedly have a systemic issue that one-time correction does not fix. [RECOMMEND]: Controls with recurring drift should be re-engineered, not re-corrected.
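As an added illustration (not part of this module): a small Python script that runs the health check described above against a documented baseline, treats the delta as the drift, and counts recurrences per control so controls that drift repeatedly are flagged for re-engineering. The control names, fields and snapshots are constructed sample data.

```python
from collections import Counter

# Constructed baseline: the documented requirements for three controls.
BASELINE = {
    "access-review": {"frequency_days": 90, "owner": "alice"},
    "backup-test": {"frequency_days": 30, "owner": "bob"},
    "log-retention": {"retention_days": 365, "owner": "carol"},
}

# Constructed observed state from three successive health checks.
SNAPSHOTS = [
    # 1: the quarterly access review quietly slipped to semi-annual.
    {"access-review": {"frequency_days": 180, "owner": "alice"},
     "backup-test": {"frequency_days": 30, "owner": "bob"},
     "log-retention": {"retention_days": 365, "owner": "carol"}},
    # 2: review corrected; backup test skipped outright; log-retention owner changed.
    {"access-review": {"frequency_days": 90, "owner": "alice"},
     "log-retention": {"retention_days": 365, "owner": "dave"}},
    # 3: the access review slipped again, i.e. recurring drift.
    {"access-review": {"frequency_days": 180, "owner": "alice"},
     "backup-test": {"frequency_days": 30, "owner": "bob"},
     "log-retention": {"retention_days": 365, "owner": "carol"}},
]


def detect_drift(baseline, current):
    """Return {control: {field: (expected, actual)}} for every deviation.
    A control missing from `current` shows actual=None for each of its fields."""
    drift = {}
    for control, expected in baseline.items():
        actual = current.get(control, {})
        delta = {f: (v, actual.get(f)) for f, v in expected.items() if actual.get(f) != v}
        if delta:
            drift[control] = delta
    return drift


def run_checks(baseline, snapshots, recurrence_threshold=2):
    """Run each health check in order. Returns (per-check drift list, recurring controls).
    A non-empty per-check drift is the alert, raised as soon as that check runs; controls
    drifting >= threshold times are flagged for re-engineering, not another one-off fix."""
    counts = Counter()
    alerts = []
    for snapshot in snapshots:
        drift = detect_drift(baseline, snapshot)
        alerts.append(drift)
        counts.update(drift.keys())
    recurring = sorted(c for c, n in counts.items() if n >= recurrence_threshold)
    return alerts, recurring
```

With the constructed snapshots, checks 1 and 3 each alert on `access-review`, check 2 alerts on the skipped `backup-test` and the changed `log-retention` owner, and only `access-review` is reported as recurring.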

Avoid This

  • Check for drift only during scheduled reviews — drift that accumulates between reviews compounds before detection
  • Tolerate minor drift as insignificant — minor drift becomes major drift through accumulation
  • Address drift without root cause analysis — correcting the symptom without addressing the cause produces recurring drift