
When Point-in-Time Assurance Meets Continuous Risk to the Resilience Dividend

For years, assurance has been built around a simple premise: if controls are designed effectively and tested periodically, risk can be managed with confidence. That assumption held when environments were relatively stable and change was predictable.

That world no longer exists.

89% of security professionals say they are familiar with Continuous Controls Monitoring, reflecting widespread recognition that risk now operates on a different cadence. Today's organisations run on cloud platforms, automated pipelines, outsourced services and interconnected ecosystems, and with AI adoption layered on top, change is constant rather than exceptional. With that come inevitable challenges, the largest of which is an expanded attack surface.

Yet many assurance models remain anchored in the past.

The growing mismatch between risk and assurance

Modern risk is continuous. It emerges from configuration drift, identity sprawl, third-party dependencies, and operational changes that occur daily, sometimes hourly. Controls are executed in real time, whether teams are watching or not.

Assurance, however, is often episodic.

Our In the Shadows research shows that many organisations continue to rely on point-in-time testing, periodic reporting, and retrospective validation to assess environments that are in a constant state of flux. These approaches provide valuable snapshots, but snapshots are not the same as visibility.

The challenge is not a lack of awareness or effort. It is structural. Assurance frameworks were designed to answer the question: “Were controls effective at the time of testing?”
Modern risk demands a different question: “Are controls operating as intended right now?”

The illusion of visibility

One of the more striking findings from the research is the confidence many organisations have in their visibility. Dashboards are populated. Reports are produced. Attestations are signed.

And yet, day-to-day insight often tells a different story.

Control evidence is frequently fragmented across security tools, cloud platforms, HR systems, third-party providers, and operational environments. While each data source may be accurate in isolation, the lack of continuous alignment can mask emerging risks between reporting cycles.

This creates an illusion of control, not because teams are complacent, but because traditional assurance was never designed to operate across dynamic, distributed systems. Confidence remains high, even as blind spots quietly grow.
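The two assurance questions above ("Were controls effective at the time of testing?" versus "Are controls operating as intended right now?") and the fragmented-evidence problem in the previous paragraph can be made concrete with a small simulation. The following is an added example written for this article; it is not Quod Orbis code and not part of the In the Shadows research. The control IDs, the baseline state and the change events are constructed, and each event is tagged with a hypothetical source system (cloud configuration, HR system, identity provider) to show why evidence has to be correlated across sources. It replays the same change history twice: once sampled only on audit dates, once re-evaluated after every change, and then lists the control failures that the snapshots never saw.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical control definitions (illustrative IDs, not any real framework's).
@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    check: Callable[[dict], bool]   # True when the control is operating as intended

CONTROLS = [
    Control("IAM-01", "MFA enforced for all human users",
            lambda s: s["mfa_enforced"]),
    Control("STO-02", "Object storage is not publicly readable",
            lambda s: not s["bucket_public"]),
    Control("JML-03", "Leavers have no active accounts",
            lambda s: not (s["account_active"] and s["hr_status"] == "leaver")),
]

# Constructed baseline: every control passes on day 0 of the assurance period.
BASELINE = {"mfa_enforced": True, "bucket_public": False,
            "account_active": True, "hr_status": "employed"}

# Constructed change events, each from a different evidence source:
# (day, source_system, field, new_value).
EVENTS = [
    (10, "cloud-config", "bucket_public", True),          # bucket opened for a "quick" share
    (12, "cloud-config", "bucket_public", False),         # closed again two days later
    (40, "hr-system", "hr_status", "leaver"),             # HR records the leaver
    (70, "identity-provider", "account_active", False),   # account disabled a month later
    (85, "identity-provider", "mfa_enforced", False),     # MFA policy switched off
]

def build_timeline(baseline, events):
    """Replay events in day order; return [(day, source, state_after)] from day 0."""
    state = dict(baseline)
    timeline = [(0, "baseline", dict(state))]
    for day, source, field, value in sorted(events, key=lambda e: e[0]):
        state[field] = value
        timeline.append((day, source, dict(state)))
    return timeline

def state_at(timeline, day):
    """State as it was on a given day: the last change at or before that day."""
    current = timeline[0][2]
    for d, _, s in timeline:
        if d <= day:
            current = s
    return current

def point_in_time_assessment(timeline, controls, audit_days):
    """Classic assurance: test each control only on the audit dates."""
    return {day: {c.control_id: c.check(state_at(timeline, day)) for c in controls}
            for day in audit_days}

def continuous_assessment(timeline, controls):
    """Re-evaluate every control after every change event.
    Returns findings as (control_id, failed_from, resolved_on or None,
    raised_by_source, resolved_by_source or None)."""
    findings, open_failures = [], {}
    for day, source, state in timeline:
        for c in controls:
            ok = c.check(state)
            if not ok and c.control_id not in open_failures:
                open_failures[c.control_id] = (day, source)
            elif ok and c.control_id in open_failures:
                start, raised_by = open_failures.pop(c.control_id)
                findings.append((c.control_id, start, day, raised_by, source))
    for cid, (start, raised_by) in open_failures.items():
        findings.append((cid, start, None, raised_by, None))
    return sorted(findings, key=lambda f: f[1])

def missed_by_point_in_time(findings, audit_days):
    """Findings whose failure window contains no audit date: invisible to snapshots."""
    def covered(start, end):
        return any(start <= d and (end is None or d < end) for d in audit_days)
    return [f for f in findings if not covered(f[1], f[2])]

if __name__ == "__main__":
    tl = build_timeline(BASELINE, EVENTS)
    for day, result in point_in_time_assessment(tl, CONTROLS, [0, 90]).items():
        print(f"audit day {day}: {result}")
    findings = continuous_assessment(tl, CONTROLS)
    for f in findings:
        print("continuous:", f)
    print("missed by snapshots:", [f[0] for f in missed_by_point_in_time(findings, [0, 90])])
```

With audits on day 0 and day 90, the point-in-time view reports only the MFA failure that happens to be live on the second audit date. The two-day public bucket and the thirty-day window in which a leaver still held an active account both fall entirely between the audits, so the snapshots never record them; the continuous replay surfaces both, and its findings also record that the leaver issue was raised by HR data and resolved by the identity provider, which is exactly the cross-source alignment that fragmented evidence tends to lose.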

Larger organisations often assume that headcount equals continuous monitoring. It does not, and the related belief that more staff means more protection is a misconception. This is not a criticism, and it is not intended to undermine the work those teams do; it is simply that controls execute in real time whether anyone is watching them or not, and innovation brings new threats and a greater likelihood of attack.

Why point-in-time still dominates

If the limitations are so widely understood, why does point-in-time assurance persist?

The answer lies in familiarity and trust. Periodic testing aligns neatly with audit cycles, regulatory expectations, and long-established governance processes. It provides clear outputs, defined responsibilities, and a sense of closure.

Continuous risk, by contrast, is less comfortable. It requires organisations to accept that assurance is not a destination but an ongoing state, one that demands constant alignment between controls, systems, and risk appetite.

This shift is as much operational as it is cultural.

From snapshots to sustained assurance

The findings from In the Shadows suggest the market is at an inflection point. Awareness of continuous risk is high. Confidence in traditional assurance remains, but the gap between the two is becoming harder to ignore.

As environments continue to evolve, organisations will need to reassess whether episodic assurance can genuinely support always-on operations. The question is no longer whether controls exist or were effective at a moment in time, but whether they are consistently operating as intended across the full service chain.

Closing this gap requires moving beyond snapshots toward sustained, evidence-based insight – not to replace governance, audit, or compliance, but to strengthen them.

Looking ahead

Point-in-time assurance isn’t broken. But it is being asked to do a job it was never designed for.

Understanding where its limits lie, and where continuous approaches add value, is becoming essential for organisations seeking confidence in an increasingly complex risk landscape.

The full In the Shadows research explores these challenges in detail, examining where visibility breaks down and why risk often remains hidden in plain sight.

👉 Read the full findings:
https://www.quodorbis.com/in-the-shadows-research/

For more information on continuously monitoring your environment, visit our Continuous Controls Monitoring (CCM) page.

