1 in 5 GRC Teams Is a Single Person — How Solo Practitioners Handle Compliance
18% of GRC practitioners run the entire compliance function alone, and 42% of them have zero tooling. The State of GRC 2026 survey reveals what solo practitioners actually use, what they skip, and why automation isn't optional when you're the only person on the team.

142 people in the largest independent GRC survey run the entire compliance function alone. No team. No backup. No dedicated budget. Just one person responsible for governance, risk, and compliance across their entire organization.
That's 18% of the 795 respondents in The State of GRC 2026 by Ayoub Fandi at GRC Engineer — the first major GRC market report conducted outside of vendor-sponsored research.
And 42% of those solo practitioners have zero tooling.
The Shape of GRC Teams
The survey breaks down team sizes across the profession:
| Team Size | Respondents | Share |
|---|---|---|
| Solo (1 person) | 142 | 18.0% |
| Small (2-4) | 249 | 32.5% |
| Mid (5-10) | 182 | 23.7% |
| Enterprise (11+) | 194 | 25.3% |
51% of GRC teams have four people or fewer. The mid-market (2-10 people) represents 56% of the market and is the most underserved segment. But it's the solo practitioners — nearly 1 in 5 — who face the most acute version of every problem in GRC.
These numbers challenge the assumption that GRC is an enterprise function. The majority of the profession works in small teams, and a significant chunk works entirely alone. The enterprise segment (11+) — the audience most GRC platforms are designed for — accounts for only 25.3% of the market.
What Solo Looks Like
Solo doesn't mean junior. The survey reveals two very different realities hiding under the same team size.
The Entry-Level Solo
28 of the 142 solo practitioners are entry-level. They average 3.6 in self-reported technical skill on a 1-10 scale. No team, no mentorship, no architecture guidance. They default to spreadsheets because that's what they know. This is where compliance theater begins — checkbox exercises that satisfy nobody, least of all the auditor.
For these practitioners, the challenge isn't choosing the right tool. It's knowing what "right" looks like. They're Googling SOC 2 requirements, watching YouTube walkthroughs, and cobbling together evidence from templates they found online. Our guide for SOC 2 first-timers was written for exactly this situation — but the real problem isn't information, it's confidence.
The Senior Solo
19 CISOs — 20.9% of all CISOs in the survey — also work solo. They average 6.3 in technical skill. Same team size as the entry-level cohort. Completely different capability.
These CISOs chose to work solo, often at smaller companies where security leadership means doing the work yourself. They build custom tools, evaluate rigorously, and reject platforms that don't meet their standards. They're not drowning — they're swimming efficiently. But they're still one person doing the work of a team.
The gap between these two groups — a 3.6 and a 6.3 doing the same job at the same team size — is the starkest illustration of the skills gap in GRC.
42% Have Zero Tooling
Among the 142 solo practitioners:
| Tool Category | Count | Share |
|---|---|---|
| No tool at all | 60 | 42% |
| Spreadsheets | 21 | 14% |
| Commercial | 61 | 42% |
60 people manage their organization's entire compliance function with nothing. No spreadsheet template. No Jira board. Nothing.
Among the 61 who do use a commercial tool, the breakdown reveals something interesting:
- Vanta: 15 users
- Custom tools: 12
- Open Source: 9
- ServiceNow: 6
- Other: 19
Vanta's 15 solo users represent a 7.4x overrepresentation compared to its share among non-solo practitioners (Fisher's exact test, p=0.0002). When one person runs the entire compliance function, the market gravitates toward automation-first tools. Vanta's strength in this segment isn't an accident — it's a signal about what solo practitioners actually need: tools that do the work for them, not tools that organize the work they still have to do manually.
What Solo Evidence Collection Actually Looks Like
The abstract data becomes concrete when you look at what a solo practitioner's audit prep cycle involves. For a SOC 2 Type II audit — the most common framework for B2B SaaS companies — a solo practitioner handles every step:
Quarter 1: Setup and Policy
- Write or update 8-17 security policies (information security, access control, change management, incident response, etc.)
- Complete a risk assessment with at least 6 identified risks including fraud scenarios
- Create or update the AICPA-format system description
- Map controls to Trust Services Criteria
Our guide to the 7 documents your auditor actually needs covers this deliverable list in detail.
Quarters 2-4: Evidence Collection (The Time Sink)
This is where solo practitioners lose the most time. Every quarter, they need to prove controls work through evidence:
Access control evidence (CC6.1):
- Log in as a restricted user, attempt to access admin pages, screenshot the denial
- Document RBAC configurations across every application
- Screenshot MFA enforcement settings
- Prove that role-based access control works
Change management evidence (CC8.1):
- Walk through a PR approval workflow, screenshot each step
- Show that branch protection prevents direct commits to main
- Document the deployment pipeline with screenshots
- Capture evidence for application-level change management
Monitoring and availability evidence (CC7.1, CC7.2, A1.2):
- Screenshot vulnerability scan results
- Document backup configurations and test restoration
- Show alerting configurations and incident response procedures
For a solo practitioner, this isn't a delegation problem — it's a serialization problem. A team of 3 can split evidence collection across controls and work in parallel. A solo practitioner collects evidence for CC6.1, then CC7.2, then CC8.1, one control at a time. 300-500 screenshots per audit cycle, taken one at a time, formatted one at a time, organized into evidence packs one at a time.
At 80-120 hours per audit cycle, that's 2-3 full work weeks consumed by evidence collection alone. For someone who also handles risk management, vendor assessments, policy maintenance, and security operations, those hours don't exist.
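Two of the checks in the list above (branch protection on main for CC8.1, and a restricted user being denied admin pages for CC6.1) can be captured as structured evidence records instead of hand-taken screenshots. The script below is an added example written for this article; it is not code from the original page, from GRC Engineer, or from Screenata. Its inputs are constructed inline so it runs offline: the branch-protection dictionary is assumed to mirror the field names GitHub returns for a branch's protection settings, and the access probes stand in for the HTTP status codes you would observe after logging in as a viewer-role user. Each record carries the control ID, what was tested, the observed values, a PASS/FAIL verdict, a UTC timestamp, and a SHA-256 hash of the observation so an auditor can confirm the record was not edited after capture.

```python
"""Structured evidence capture for CC8.1 and CC6.1 (added example, offline).

Assumptions (not from the original article):
  - BRANCH_PROTECTION approximates the JSON GitHub returns for a branch's
    protection settings; verify field names against the live API.
  - ACCESS_PROBES is a constructed list of (role, path, HTTP status) results
    from requesting pages while logged in as a restricted user.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a correctly protected main branch.
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
}

# Constructed sample: a viewer-role user probing admin and non-admin pages.
ACCESS_PROBES = [
    {"role": "viewer", "path": "/admin/users", "status": 403},
    {"role": "viewer", "path": "/admin/billing", "status": 403},
    {"role": "viewer", "path": "/dashboard", "status": 200},
]


def _canonical(observation):
    # Deterministic serialization so the hash is reproducible on verification.
    return json.dumps(observation, sort_keys=True, separators=(",", ":")).encode()


def _record(control, test, observation, passed):
    return {
        "control": control,
        "test": test,
        "observation": observation,
        "result": "PASS" if passed else "FAIL",
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(_canonical(observation)).hexdigest(),
    }


def check_branch_protection(protection, min_reviews=1):
    """CC8.1: changes to main require review and cannot bypass protection."""
    reviews = (protection.get("required_pull_request_reviews") or {}).get(
        "required_approving_review_count", 0)
    admins_bound = (protection.get("enforce_admins") or {}).get("enabled", False)
    # Fail closed: if the force-push field is absent, assume force pushes are allowed.
    force_push_blocked = not (protection.get("allow_force_pushes") or {}).get("enabled", True)
    observation = {
        "required_reviews": reviews,
        "enforce_admins": admins_bound,
        "force_push_blocked": force_push_blocked,
    }
    passed = reviews >= min_reviews and admins_bound and force_push_blocked
    return _record("CC8.1", "branch protection on main", observation, passed)


def check_restricted_access(probes, admin_prefix="/admin/"):
    """CC6.1: a non-admin role is denied every admin page it requests."""
    admin_hits = [p for p in probes if p["path"].startswith(admin_prefix)]
    observation = {
        "roles": sorted({p["role"] for p in admin_hits}),
        "requests": [{"path": p["path"], "status": p["status"]} for p in admin_hits],
    }
    # Zero admin requests is not evidence of denial, so it does not pass.
    passed = bool(admin_hits) and all(p["status"] in (401, 403) for p in admin_hits)
    return _record("CC6.1", "restricted user denied admin pages", observation, passed)


def verify_record(record):
    """Recompute the observation hash; False means the record was altered."""
    return hashlib.sha256(_canonical(record["observation"])).hexdigest() == record["sha256"]


def build_evidence_pack(protection=BRANCH_PROTECTION, probes=ACCESS_PROBES):
    return [check_branch_protection(protection), check_restricted_access(probes)]


if __name__ == "__main__":
    print(json.dumps(build_evidence_pack(), indent=2))
```

In practice the two constructed inputs would be replaced by a live API call and a scripted login session; the record format, the fail-closed handling of missing fields, and the hash check are the parts worth keeping, because they are what turns a pile of screenshots into evidence an auditor can trust without re-running the test.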
The Graduation Path
The survey reveals a four-stage adoption pattern tied to team size:
| Stage | Team Size | Commercial Adoption |
|---|---|---|
| 1. No tool at all | Solo | 42% use nothing |
| 2. Spreadsheet | Solo to Small | Spreadsheets peak at 2-4 person teams |
| 3. Commercial platform | Small to Mid | Adoption jumps to 51% at team size 2-4 |
| 4. Enterprise platform | Mid to Enterprise | ServiceNow dominates at 11+ |
Every team size threshold is a buying trigger. But 42% of solo practitioners never move past stage 1. They operate in a pre-market state: the compliance equivalent of a startup that hasn't found product-market fit for its own internal processes.
Why Solo Practitioners Skip Tools
The data suggests three reasons.
1. The Tools Weren't Built for Them
Most commercial GRC platforms assume you have a team to configure the platform, maintain integrations, and run the compliance program. When you're solo, the setup and upkeep cost of a GRC platform can exceed the time it saves you on the work itself. A platform that takes 40 hours to configure properly, plus ongoing hours to keep its integrations working, is a hard trade when your entire quarterly evidence collection takes 60 hours and nobody covers for you while you do the setup.
The ROI of compliance evidence automation only works when setup time is low relative to ongoing time savings. For solo practitioners, the ratio is often inverted.
2. Budget Follows Headcount
Solo practitioners often lack a dedicated compliance budget. They're a security team of one, or a compliance function bolted onto someone's existing role. Convincing finance to approve a $10,000-$20,000/year GRC platform is harder when there's no "compliance team" line item in the org chart.
The cost breakdown for SOC 2 shows why this matters: the traditional path (platform + consultant) runs $61,000-$120,000 in the first year. For a solo practitioner at a 20-person startup, that's a hard sell.
3. The Confidence Gap
Solo practitioners who are entry-level or mid-career (avg skill 3.6-5.0) often don't trust themselves to configure a dedicated tool correctly. The risk of setting up a platform wrong — and only discovering it during an audit — feels worse than the known pain of spreadsheets. Better the devil you know.
This confidence gap is real. Manual SOC 2 controls already require judgment about what evidence is sufficient. Adding a platform configuration layer on top of that creates another failure mode.
The Adoption Matrix: Experience Changes Everything
The survey includes an adoption matrix crossing seniority with team size. For solo practitioners specifically:
| Seniority | Commercial Adoption (Solo) |
|---|---|
| Entry Level | 10% |
| Intermediate | 6% |
| Senior | 10% |
| Manager | 27% |
| Senior Manager | 81% |
| Director | 19% |
| CISO/VP+ | 26% |
The Senior Manager row is the outlier: 81% adoption rate while working solo. These are experienced practitioners who know exactly what they need, have the skill to configure it, and have the organizational standing to get budget approved. The 75-percentage-point gap between Intermediate (6%) and Senior Manager (81%) at the same team size tells you everything: experience is the variable, not team size.
The Director dip (19%) is also telling. Directors often sit at companies large enough to have a GRC budget but not large enough to have a GRC team. They're senior enough to know what tools exist but stretched too thin to evaluate and implement one. They default to the same coping mechanism as everyone else: spreadsheets and manual work.
What This Means If You're Solo
If you're one of the 142, here's what the data suggests about your situation.
Pick tools that match your actual workflow
You don't need a platform that manages 200 controls across 5 frameworks. You need something that handles the work you actually do every quarter: collecting evidence, formatting it for your auditor, and proving controls work. Start with the bottleneck, not the org chart.
For most solo practitioners, the bottleneck is evidence collection — specifically the application-level screenshots and workflow documentation that no API integration captures. You're the one logging into admin panels, testing access controls, verifying that the delete button shows a confirmation modal, and screenshotting everything. That's where your hours go.
Automate the "last mile" first
API-based monitoring (infrastructure state, cloud configs, identity provider settings) is already well-served by existing platforms. What isn't automated is the application-level testing: the screenshots, the workflow recordings, the evidence packs your auditor actually reviews.
When you're a team of one, every hour you spend formatting screenshots is an hour you're not spending on actual risk management. Automating evidence capture and formatting is the highest-leverage investment a solo practitioner can make. If you're evaluating options, our comparison of tools that replace manual screenshot collection covers the current landscape.
Don't replicate a team structure you don't have
Enterprise GRC platforms model workflows around roles: someone configures controls, someone collects evidence, someone reviews, someone reports to leadership. If you're all four of those people, that workflow creates overhead instead of removing it. Look for tools that collapse those roles into a single workflow.
Prepare for the audit the way auditors expect
Solo practitioners can't afford the reformatting step that larger teams absorb. When you produce evidence, it needs to go straight to the auditor without conversion. That means timestamped screenshots, PDF evidence packs, and clear control narratives — not platform dashboards your auditor needs a login to review. See what SOC 2 auditors actually look for in application evidence for the specific formats auditors accept.
How Screenata Works for Solo Teams
Screenata was designed for the exact scenario the survey describes: a small team (or a team of one) that needs audit-ready evidence without the overhead of an enterprise GRC platform.
Instead of asking you to configure a control framework, map integrations, and build workflows, Screenata works as a full AI Compliance Officer:
- Policy writing: Screenata analyzes your actual codebase and infrastructure to generate security policies grounded in what you've actually built — not generic templates that require hours of customization.
- Evidence capture: You open the browser extension and record yourself testing a control — say, verifying that a non-admin user can't access the billing page. Screenata captures timestamped screenshots at each step.
- AI documentation: Screenata generates descriptions for each screenshot, maps evidence to the relevant control (e.g., SOC 2 CC6.1), and creates a formatted PDF evidence pack.
- Audit readiness: The output is in the exact format auditors expect — timestamped PDFs with control narratives — without touching a Word doc or organizing a screenshot folder.
For a solo practitioner doing 300-500 screenshots per audit cycle, that's the difference between 80 hours of manual work and under 10. At Screenata's pricing ($499/month), that's $6,000/year to save 70+ hours per audit cycle — a trade most solo practitioners would take without hesitation.
For more on how Screenata fits into a bootstrapped compliance workflow, see The Bootstrapped Founder's Guide to SOC 2.
The Bigger Picture
The solo practitioner data is the most concentrated version of a problem that affects the entire GRC market. The State of GRC 2026 found that 59% of all practitioners — not just solo ones — use no commercial GRC tool. The tools exist, but they were designed for a market segment (large enterprise teams) that represents only 25% of the actual user base.
The 60 solo practitioners with zero tooling are the biggest greenfield segment in GRC. They're not choosing between vendors. They're choosing between doing the work manually and not doing it at all. The vendor that figures out how to serve them — with the right price, the right complexity level, and the right output format — wins the largest untapped segment in compliance.
Read the full report at grcengineer.com.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.