59% of GRC Teams Have No Commercial Tool — What the State of GRC 2026 Survey Reveals
The largest independent survey of GRC practitioners (795 respondents) found that 59% use spreadsheets, Jira, open source, or nothing at all. No vendor holds above 18% market share. This isn't a market share fight — it's a market creation problem.

The #1 GRC tool in 2026 is a spreadsheet. Not Vanta. Not Drata. Not ServiceNow. A spreadsheet. That's the headline finding from The State of GRC 2026, the largest independent survey of GRC practitioners ever conducted — 795 respondents, no vendor funding, no sponsor influence on the questions.
The data paints a picture that should make every compliance team and GRC vendor pay attention.
The Numbers
The State of GRC 2026 asked practitioners which tool they use as their primary GRC tool. Note the denominator before reading the shares: 93 spreadsheet users at 17.7% implies a base of roughly 525 respondents who named a primary tool, not all 795 (93 of 795 would be 11.7%). The ten rows below account for 505 of those responses.
| Tool | Respondents | Share |
|---|---|---|
| Spreadsheets & docs | 93 | 17.7% |
| ServiceNow | 86 | 16.3% |
| Custom tool (Jira, Notion, SharePoint) | 70 | 13.3% |
| Vanta | 49 | 9.3% |
| Open Source | 38 | 7.2% |
| AuditBoard | 32 | 6.1% |
| Drata | 32 | 6.1% |
| OneTrust | 25 | 4.8% |
| Archer IRM | 22 | 4.2% |
| Other | 58 | 11.0% |
No vendor holds above 18% share. The "market leader" doesn't even have a logo.
59% Are Commercially Unaddressed
When you group the responses by whether practitioners use a purpose-built commercial GRC platform, the picture gets starker:
- Spreadsheets & Docs: 17.7% (93 people)
- Custom Tools (Jira, Notion, SharePoint repurposed for GRC): 13.3% (70 people)
- Open Source: 7.2% (38 people)
- No Tool At All: ~20% (~105 people)
Add those up and roughly 59% (58.2% with the figures above, before rounding the "no tool" estimate) of GRC practitioners are not using any commercial GRC product.
Three out of five practitioners are managing governance, risk, and compliance with tools that were never designed for it — or with nothing at all.
Note the "custom tools" category. This doesn't mean teams building purpose-built software. It means Jira boards repurposed as control trackers, Notion databases serving as evidence libraries, and SharePoint folders holding screenshots. These are engineering and productivity tools doing double duty — not because they're good at compliance, but because dedicated tools haven't justified the switch.
This Isn't a Market Share Problem
Every competitor analysis in GRC starts with the wrong assumption: that vendors are fighting each other for share of an established market.
They're not. Look at how GRC compares to other enterprise software categories:
| Category | Top Vendor | Market Share |
|---|---|---|
| Observability | Datadog | 52% (Gartner 2025) |
| ITSM | ServiceNow | 42% (Analysts 2025) |
| CRM | Salesforce | 21% (IDC 2024) |
| GRC | Spreadsheets | 18% (GRC Engineer 2026) |
GRC is the least consolidated major enterprise software category. The "top vendor" is a spreadsheet. There is no incumbent to displace — there's a vacuum to fill.
As Ayoub Fandi puts it in the report: "This is not a market share game. It is a market creation game."
The Shannon entropy of the GRC tool market, a measure of how evenly responses are spread across the reported tools, dropped from 3.71 bits (Q2 2025, 21 unique tools reported) to 3.25 bits (Q1 2026, 13 tools). Read that with one caveat: entropy is capped at log2 of the number of categories (about 4.39 bits for 21 tools, 3.70 bits for 13), so part of the drop comes simply from fewer distinct tools being named. Either way, 3.25 bits corresponds to roughly 2^3.25, about 9.5 equally popular tools, which matches the table above. The long tail is thinning and consolidation has started, but it hasn't finished. Every vendor has a shot. Nobody has a lock.
Why Haven't These Teams Adopted a Tool?
The survey data points to three reinforcing dynamics that keep 59% of practitioners on spreadsheets, Jira, or nothing.
The Cognitive Switching Cost
Spreadsheet users average 4.9 out of 10 on self-reported technical skill. The switching cost isn't the subscription price — it's the confidence gap. Practitioners don't trust themselves to configure a dedicated platform correctly. They stick with what they know because the risk of misconfiguring a commercial tool feels higher than the pain of manual work.
Entry-level practitioners have the most concentrated tool landscape of any seniority level (HHI of 1777; the Herfindahl-Hirschman index sums the squared percentage shares, so 10,000 means a single tool has every respondent and lower values mean a more even spread). Spreadsheets dominate because no one is showing them an alternative. At Director level, the same metric drops to 924, the most fragmented tool market of any seniority. The higher you climb, the more options you evaluate. But early-career practitioners never get that exposure.
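The entropy figures in the market-creation section and the HHI figures in this paragraph are the same kind of calculation on a share distribution. The block below is an added example, not code from the State of GRC 2026 report: it computes both metrics from the ten rows of the primary-tool table earlier on this page (505 responses). Because that table lumps thirteen or more categories into ten rows including "Other", the result is only an approximation of the report's 3.25 bits and is not meant to reproduce it. The tool names and counts are copied from the table; the function names are my own.

```python
"""Shannon entropy and Herfindahl-Hirschman index (HHI) for a tool-share distribution.

Added example; not code from the State of GRC 2026 report. The counts below are
the ten rows of the primary-tool table on this page (505 responses). "Other" is
one lumped category, so the entropy here only approximates the report's figure.
"""
import math

# Primary-tool counts taken from the page's table (not from the raw survey dataset)
PRIMARY_TOOL_COUNTS = {
    "Spreadsheets & docs": 93,
    "ServiceNow": 86,
    "Custom tool (Jira, Notion, SharePoint)": 70,
    "Vanta": 49,
    "Open Source": 38,
    "AuditBoard": 32,
    "Drata": 32,
    "OneTrust": 25,
    "Archer IRM": 22,
    "Other": 58,
}


def shares(counts):
    """Fractional share per category, dropping empty categories (0 * log 0 is taken as 0)."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items() if n > 0}


def shannon_entropy_bits(counts):
    """H = -sum(p_i * log2 p_i).

    The ceiling is log2(n) when all n categories are equal, so a survey that
    reports fewer distinct tools has a lower maximum even if concentration
    among the tools that remain is unchanged.
    """
    return -sum(p * math.log2(p) for p in shares(counts).values())


def effective_number_of_tools(counts):
    """2**H: how many equally popular tools would produce the same entropy."""
    return 2 ** shannon_entropy_bits(counts)


def hhi(counts):
    """Sum of squared percentage shares, on the 0..10000 scale the report uses.

    10000 means one tool has every respondent; n equal tools give 10000 / n,
    so 1777 sits between five and six equally popular tools and 924 near eleven.
    """
    return sum((100 * p) ** 2 for p in shares(counts).values())


if __name__ == "__main__":
    h = shannon_entropy_bits(PRIMARY_TOOL_COUNTS)
    print(f"entropy: {h:.2f} bits  (~{effective_number_of_tools(PRIMARY_TOOL_COUNTS):.1f} effective tools)")
    print(f"HHI:     {hhi(PRIMARY_TOOL_COUNTS):.0f}")
```

Running it on the page's table gives about 3.16 bits and an HHI around 1230, both in the neighbourhood of the report's market-wide figures and well short of the 10,000-HHI monopoly that "market share" framing would imply.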
Here's the finding that should alarm every GRC vendor: 62.3% of mid-skill practitioners already own a commercial platform. They have the license. They can't unlock it. The gap between buying a tool and actually using it is where most GRC programs stall. Vendor onboarding covers the first week. Nobody covers months two through twelve.
The Consultant Multiplier
29% of survey respondents are consultants or advisors. That's 228 people who each influence tool decisions at multiple client organizations every year.
Here's the problem: 64.9% of those consultants use non-commercial solutions themselves. When a consultant uses open source or spreadsheets for their own work, they carry that preference into every client engagement. The survey estimates this creates roughly 1,480 annual decisions steered away from commercial GRC products.
The most influential distribution channel in the industry is actively recommending against the category.
This isn't malicious. Consultants recommend what they know, what they trust, and what they can support across diverse client environments. Spreadsheets work everywhere. A platform-specific recommendation creates dependency on a tool the consultant may not be able to support at their next client. If you're a vCISO managing 10+ clients, your tech stack needs to work at all of them — and recommending a $20,000/year platform to a 15-person startup doesn't always make sense. (For more on this dynamic, see our guide on the vCISO's guide to automating audit prep across portfolios.)
The Auditor Format Problem
A practitioner invests in a platform that produces evidence in structured formats. Their auditor expects screenshots and spreadsheet exports. The platform's value collapses, not because the product failed, but because the person validating the output won't accept the format.
20% of auditors in the survey use spreadsheets as their primary tool — the highest spreadsheet rate of any persona. Auditors have built their entire review workflow around screenshots organized in folders, data in CSV or Excel, and narratives in Word docs or PDFs. When they receive a JSON export or a platform-specific report layout, the review process breaks.
This creates a cycle: practitioners buy platforms, platforms produce evidence in proprietary formats, auditors reject the format, practitioners reformat everything into screenshots and PDFs anyway. The platform didn't save time — it added a conversion step.
We've written about this auditor evidence format problem in detail in what SOC 2 evidence auditors actually require for application controls and what makes SOC 2 evidence acceptable to auditors.
Where Commercial Tools Do Win
The data isn't all doom for vendors. There's a clear graduation path tied to team size:
| Team Size | % Using No Tool | % Using Commercial |
|---|---|---|
| Solo (1 person) | 42% | 42% |
| Small (2-4) | — | 51% |
| Mid (5-10) | — | 58% |
| Enterprise (11+) | — | 62% |
Each team size threshold is a buying trigger. When a team grows from 1 to 2-4 people, commercial adoption jumps from 42% to 51%. By the time a team hits 11+, spreadsheets collapse to 3% adoption and platforms like ServiceNow dominate.
The problem is that 51% of all GRC teams have four people or fewer. The majority of the market sits in the segment where commercial tools haven't won yet.
The vendor landscape also shifts dramatically by team size:
- Solo teams: Vanta leads among commercial adopters (15 users, 7.4x overrepresentation vs non-solo)
- Small teams (2-4): Spreadsheets still lead (41), with custom tools (24) and ServiceNow (20) behind
- Mid teams (5-10): Most fragmented segment — 21 unique tools, lowest market concentration of any size
- Enterprise (11+): ServiceNow dominates (34 users), followed by custom tools (18) and Archer IRM (11)
What the 59% Actually Struggle With
If you're part of the commercially unaddressed majority, the struggle isn't abstract. It's concrete and it shows up every audit cycle.
The Evidence Collection Bottleneck
The single biggest time sink for teams without commercial tools is evidence collection, specifically the application-level screenshots and workflow documentation that typical API integrations don't capture.
For SOC 2 alone, a typical audit cycle requires proving that controls such as CC6.1 (logical access), CC7.2 (system monitoring), and CC8.1 (change management) actually work. That means:
- Logging into your application as a test user with restricted permissions
- Attempting to access admin pages and capturing the "access denied" screen
- Walking through a PR approval workflow and screenshotting each step
- Verifying encryption settings, MFA configurations, and backup procedures
- Formatting all of it into timestamped, labeled PDFs your auditor will accept
Without a tool, this process consumes 80-120 hours per audit cycle. With a GRC platform that handles infrastructure but not application-level evidence, it still takes 40-80 hours — because the platform can't reach the controls that live inside your application UI.
The Consistency Problem
Manual evidence varies in quality. One quarter, your screenshots have timestamps and labels. The next quarter, someone new collects evidence and the format changes. Auditors notice. Inconsistent evidence raises questions, extends review timelines, and can trigger additional sampling requests.
Teams on spreadsheets have no standardized evidence format — each person screenshots differently, names files differently, and organizes folders differently. We covered how to fix this in how to standardize manual SOC 2 evidence collection with screenshots.
The "I'll Do It Later" Problem
Without a system that prompts or automates evidence collection, it falls to the bottom of the priority list. Then audit season arrives and the team scrambles. This is one of the most common causes of SOC 2 audit delays: not missing controls, but missing evidence for controls that actually work.
What This Means for Compliance Teams
If you're one of the 59%, here's what the data suggests:
You're not behind — you're the majority. The fact that most practitioners manage compliance with spreadsheets or Jira isn't a personal failing. It reflects a market that hasn't built the right product for your situation yet. Most commercial GRC platforms were designed for enterprise teams with 10+ people and six-figure budgets. If you have a team of 3 and a SOC 2 audit coming up, those platforms weren't built for you.
The "last mile" is what kills you. Even teams that adopt commercial tools still face the same evidence collection bottleneck. API integrations handle infrastructure monitoring — checking that CloudTrail is enabled, that MFA is enforced in Okta, that branch protection is on in GitHub. Nobody handles the application-level proof that auditors actually want to see: the screenshot of a non-admin user getting denied access to the settings page, the workflow recording of a change approval process, the evidence that your backup restoration actually works. That gap is what Vanta and Drata don't automate, and it's where teams without commercial tools spend most of their time.
Format matters as much as content. Your auditor doesn't want a JSON export from your GRC platform. They want timestamped screenshots, PDF evidence packs, and clear narratives mapping actions to controls. If your tool produces evidence in a format your auditor won't accept, the tool isn't solving your problem. See our breakdown of what auditors still ask for after Drata automation for the specific evidence types that remain manual.
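The three points above (inconsistent manual evidence, API checks that only reach infrastructure, and a format the auditor will accept) come together in how an evidence record is built. The block below is an added example, not code from Screenata or from the State of GRC report. It evaluates one infrastructure control from a constructed CloudTrail-style API payload and wraps a constructed screenshot in the same record layout, so automated and manual evidence share one naming convention, one UTC timestamp format, and a SHA-256 of the raw artifact. The record fields, the filename pattern, and the mapping of CloudTrail to CC7.2 and an access-denied screenshot to CC6.1 are my assumptions for illustration, not anything the page or the AICPA prescribes.

```python
"""One evidence-record format for automated checks and manual screenshots.

Added example, not code from Screenata or from the State of GRC report.
Field names, the filename convention and the control mapping are assumptions.
Sample inputs are constructed inline; nothing here calls a live API.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class EvidenceRecord:
    control_id: str    # Trust Services Criteria reference, e.g. "CC6.1"
    title: str         # what the artifact demonstrates
    source: str        # "api" or "screenshot"
    collected_at: str  # ISO 8601 UTC so a reviewer can order and sample evidence
    collected_by: str
    sha256: str        # hash of the raw artifact; shows it was not edited afterwards
    result: str        # "pass" or "fail"
    filename: str      # canonical name, identical pattern for every collector
    detail: str        # one-line narrative tying the artifact to the control


def canonical_filename(control_id, slug, collected_at, ext):
    """<control>_<slug>_<UTC stamp>.<ext>; slug restricted to [a-z0-9-]."""
    slug = re.sub(r"[^a-z0-9]+", "-", slug.lower()).strip("-")
    return f"{control_id}_{slug}_{collected_at.replace(':', '-')}.{ext}"


def make_record(control_id, title, source, raw, collected_by, result, detail, ext,
                collected_at=None):
    collected_at = collected_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return EvidenceRecord(
        control_id=control_id, title=title, source=source,
        collected_at=collected_at, collected_by=collected_by,
        sha256=hashlib.sha256(raw).hexdigest(), result=result,
        filename=canonical_filename(control_id, title, collected_at, ext),
        detail=detail,
    )


def check_cloudtrail(trails_response):
    """Evaluate a describe_trails-style payload (assumed shape): pass when at least
    one multi-region trail has log file validation on. Returns (passed, detail)."""
    good = [t["Name"] for t in trails_response.get("trailList", [])
            if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    if good:
        return True, "multi-region trails with log validation: " + ", ".join(good)
    return False, "no multi-region trail with log file validation enabled"


def cloudtrail_evidence(trails_response, collected_by, collected_at=None):
    """Automated check: the raw API payload is the artifact that gets hashed."""
    passed, detail = check_cloudtrail(trails_response)
    raw = json.dumps(trails_response, sort_keys=True).encode()
    return make_record("CC7.2", "CloudTrail enabled and validated", "api", raw,
                       collected_by, "pass" if passed else "fail", detail, "json",
                       collected_at)


def screenshot_evidence(control_id, title, png_bytes, collected_by, detail,
                        collected_at=None):
    """Manual capture: the screenshot bytes are the artifact; same record, same naming."""
    return make_record(control_id, title, "screenshot", png_bytes, collected_by,
                       "pass", detail, "png", collected_at)


# Constructed sample inputs (not real account data or a real screenshot)
SAMPLE_TRAILS = {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                                "LogFileValidationEnabled": True}]}
WEAK_TRAILS = {"trailList": [{"Name": "us-east-1-only", "IsMultiRegionTrail": False,
                              "LogFileValidationEnabled": True}]}
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed placeholder, not a real screenshot"

if __name__ == "__main__":
    for rec in (cloudtrail_evidence(SAMPLE_TRAILS, "alice", "2026-03-01T10:00:00Z"),
                screenshot_evidence("CC6.1", "Non-admin denied settings page", SAMPLE_PNG,
                                    "bob", "user 'viewer' received HTTP 403 on /settings",
                                    "2026-03-01T10:05:00Z")):
        print(json.dumps(asdict(rec), indent=2))
```

The point of hashing the raw artifact and fixing the filename pattern is the consistency problem described earlier: when a new team member collects next quarter's evidence, the output is indistinguishable from last quarter's, and an auditor can verify that a screenshot in the PDF pack is the same bytes that were captured on the recorded date.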
How Screenata Addresses the 59%
Screenata was built for the reality this survey describes — small teams, limited budgets, auditors who want screenshots.
Instead of asking you to configure a full GRC platform, Screenata works as an AI Compliance Officer that handles the complete compliance workflow: policy writing grounded in your actual codebase, evidence collection through automated screenshot capture, control mapping to Trust Services Criteria, and audit readiness guidance. You record a workflow once (like testing that a non-admin user can't access the settings page), and Screenata generates timestamped screenshots, control narratives, and audit-ready PDF evidence packs automatically.
The output is exactly what auditors expect — because it's the format they've always accepted.
For teams still on spreadsheets or Jira, that's often enough to close the gap without switching to an enterprise GRC platform you don't need yet. You keep your existing workflow for tracking controls and managing your compliance calendar. Screenata handles the evidence production that actually takes 80% of your time.
The cost difference matters too. Enterprise GRC platforms run $10,000-$20,000/year before you add a consultant to configure them. Screenata starts at $499/month. For a team of 2-4 on spreadsheets — the 44% of spreadsheet users the survey identified as the core segment — that's the difference between a tool that requires justification to finance and a tool that fits in an existing software budget. (For the full cost comparison, see The Bootstrapped Founder's Guide to SOC 2.)
For a deeper look at how compliance evidence automation works and where it fits in your stack, see our guide on what compliance evidence automation is and why it's transforming modern audits.
Frequently Asked Questions
Is 59% really accurate? Who responded to this survey?
The State of GRC 2026 surveyed 795 practitioners (748 unique after deduplication) from the GRC Engineer newsletter community. 69% identify as GRC practitioners, 14% from security teams, with the rest split between learners, vendors, and engineering. The audience skews toward practitioners who are fairly senior and actively investing in professional development. The survey acknowledges this bias — results may over-represent engaged practitioners compared to the broader GRC population. No vendor funded the research, and no sponsor influenced the questions.
How does this compare to analyst reports from Gartner or Forrester?
Most analyst reports survey 100-300 people, primarily enterprise buyers sourced through vendor relationships. The State of GRC 2026 reached 795 practitioners across every seniority level and team size, including the solo practitioners and small teams that analyst surveys typically miss. The vendor-funded reports tend to find higher commercial adoption because their sampling method over-represents buyers.
If 59% use no commercial tool, how are they passing audits?
Many are. Spreadsheets and manual processes can produce audit-passing evidence — it just takes significantly more time. The issue isn't that manual approaches fail. It's that they consume 80-120 hours per audit cycle, create inconsistent evidence quality, and don't scale as frameworks multiply. Teams managing one SOC 2 audit on spreadsheets can survive. Teams adding ISO 27001 or HIPAA on top of SOC 2 hit a wall.
What should I do if I'm currently using spreadsheets for GRC?
Don't try to replace everything at once. Start by automating the specific bottleneck: usually evidence collection. Keep your control tracking in whatever spreadsheet works for you, and add an evidence automation layer on top. That gives you the biggest ROI per dollar spent without the risk of a full platform migration. See our practical guide on what tools can replace manual screenshot collection for SOC 2 controls.
Read the Full Report
The State of GRC 2026 by Ayoub Fandi at GRC Engineer is the first major GRC market report not funded by a vendor. The full report covers team structures, tool adoption matrices by seniority and team size, the CISO rejection waterfall (73.6% use no commercial tool), technical skill distributions (average 5.4/10), the persona cliff (at skill 8+, GRC buys but engineers build), and five strategic takeaways for the industry.
If you work in GRC, it's worth reading in full.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.