The #1 GRC tool is… still a spreadsheet.
Nearly 800 GRC practitioners have been surveyed, and the headline finding is one that will make many CISOs uncomfortable: the most widely used GRC tool in 2026 is the spreadsheet.
The data in the 2026 State of GRC Report by Ayoub Fandi at GRC Engineer is unequivocal. Out of the 748 practitioners surveyed, 93 or 18% said they rely on spreadsheets as their primary tool, ahead of every commercial platform on the market.
That figure does not include the 70 practitioners who reported using “custom tools,” meaning existing tools like Jira, Notion, or SharePoint repurposed for GRC programs. Add in open-source users and those with no tool at all, and 59% of GRC practitioners are completely unaddressed by purpose-built commercial GRC tools. That is three out of five practitioners, spanning entry-level, mid-career, and senior respondents.
The cost is significant.
Sticking with spreadsheets and manual processes has a very real price tag. Our own 2026 State of Continuous Controls Monitoring Report, based on surveys of 250+ InfoSec leaders, found that:
- 83% of organizations say manual compliance work causes moderate or major delays in meeting regulatory requirements
- 85% have had to delay or cut GRC activities entirely due to resource constraints, with 44% scaling back control testing and monitoring specifically
- 58% are burning through more than 2,000 person-hours every year on evidence collection alone, the equivalent of one full-time employee doing nothing but gathering screenshots and compiling documentation, year-round
Suffice it to say that the spreadsheet is deeply inefficient. It’s also actively crowding out the security and compliance work that matters.
Why won’t the spreadsheet die?
The data points to several converging problems.
The first is a skills and confidence gap. The GRC Engineer data shows an average self-reported technical skill of just 5.4 out of 10 across the field, with nearly a quarter of practitioners rating themselves a 3 or below. Practitioners are sticking with spreadsheets because switching to and configuring a dedicated platform is a major lift that they may not have the institutional knowledge or skill to support.
The second is a consultant problem. Nearly a third of the GRC Engineer report respondents are consultants or advisors who influence tool decisions across multiple client organizations simultaneously — and 64.9% of those consultants use non-commercial solutions themselves. When the people steering purchasing decisions across the industry have personally opted out of the commercial category, the downstream effect on adoption is enormous.
The third is arguably the most striking: CISOs have largely rejected the category. CISOs are the budget holders, the ones who sign off on new technologies, and 73.6% of those surveyed by GRC Engineer use no commercial GRC tool at all. Instead, they are either building custom solutions, using spreadsheets, or using nothing. Their average self-rated technical skill is the highest of any seniority level (6.5), which suggests this is a deliberate choice rather than a skills issue. GRC tools have a trust problem with their most important buyer.
Understanding the 94/28 gap.
When we asked organizations whether they believed Continuous Controls Monitoring would improve both their compliance and security posture for our 2025 report, 94% said yes. When we asked how many were actually monitoring controls continuously in real time for our 2026 report, the answer was 28%.
What we’ve taken away from this research is that everyone knows what the desired end state is, but they’re stuck in execution and implementation. In the meantime, manual processes and endless spreadsheets are filling the gap.
Bottom line? The spreadsheet is the symptom. The disease is the operational model that treats compliance as a periodic, manual, human-intensive exercise rather than a continuous, automated function woven into how the business actually runs.
How does CCM fit in?
Continuous Controls Monitoring is a direct answer to the problem both reports describe. Instead of a team member manually collecting evidence, chasing down screenshots, and compiling audit packages by hand, CCM means that controls are evaluated in real time against live system data. As a result, compliance status is always current, gaps surface immediately, and evidence is generated automatically rather than assembled by hand.
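To make "controls evaluated against live system data" concrete, here is an added Python sketch; it is illustrative code written for this article, not code from either report or from RegScale's platform. It expresses two controls as functions, runs them over an identity-system export, and emits timestamped evidence records that carry a SHA-256 hash of the exact data each verdict was derived from. The control names, the field names in the export, and the sample users are all constructed for the example; a real pipeline would pull the export from an IdP or cloud API on a schedule.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Constructed sample standing in for a live identity-system export.
# Field names are hypothetical; adapt them to the real API's schema.
SAMPLE_USERS = [
    {"user": "alice", "mfa_enabled": True,  "key_last_rotated": "2026-01-10", "admin": True},
    {"user": "bob",   "mfa_enabled": False, "key_last_rotated": "2025-11-02", "admin": False},
    {"user": "carol", "mfa_enabled": True,  "key_last_rotated": "2025-12-20", "admin": True},
]

# Fixed "now" so the example is reproducible offline.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


@dataclass
class EvidenceRecord:
    control_id: str
    status: str                 # "pass" or "fail"
    observed_at: str            # ISO-8601 UTC timestamp of the check
    failing: list = field(default_factory=list)   # resources that violate the control
    input_sha256: str = ""      # hash of the data the verdict was derived from


def control_mfa_enforced(users):
    """Every account must have MFA enabled. Returns the violating user names."""
    return [u["user"] for u in users if not u["mfa_enabled"]]


def control_key_rotation(users, today, max_age_days=90):
    """Admin access keys must have been rotated within max_age_days."""
    stale = []
    for u in users:
        if not u["admin"]:
            continue
        age = (today - date.fromisoformat(u["key_last_rotated"])).days
        if age > max_age_days:
            stale.append(u["user"])
    return stale


# Hypothetical control identifiers; map these to your own framework's IDs.
CONTROLS = {
    "mfa-all-users": lambda users, today: control_mfa_enforced(users),
    "admin-key-rotation-90d": lambda users, today: control_key_rotation(users, today),
}


def run_controls(users, now):
    """Evaluate every control against one snapshot and return evidence records."""
    # Canonical JSON so the same data always hashes the same way.
    snapshot = json.dumps(users, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(snapshot).hexdigest()
    records = []
    for control_id, check in CONTROLS.items():
        failing = check(users, now.date())
        records.append(EvidenceRecord(
            control_id=control_id,
            status="fail" if failing else "pass",
            observed_at=now.isoformat(),
            failing=failing,
            input_sha256=digest,
        ))
    return records


def compliance_summary(records):
    """Roll-up a dashboard would show: how many controls pass right now."""
    passed = sum(1 for r in records if r.status == "pass")
    return {"controls": len(records), "passing": passed, "failing": len(records) - passed}


if __name__ == "__main__":
    results = run_controls(SAMPLE_USERS, SAMPLE_NOW)
    for r in results:
        print(json.dumps(r.__dict__))
    print(compliance_summary(results))
```

Run on a schedule, each execution produces a fresh set of records, so the moment bob enables MFA the next run flips that control to "pass" without anyone opening a spreadsheet, and the stored hash lets an auditor confirm which export a given verdict was based on.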
The ROI for CCM is clear. Our research found that 23% of organizations that have adopted GRC automation have cut their time spent on compliance tasks by more than half. Furthermore, 100% of AI adopters in our survey reported positive outcomes in Cyber GRC, with 64% describing the benefits as significant or transformational.
The gap won’t close on its own.
The 59% of practitioners who remain commercially unaddressed aren’t hoping for a better spreadsheet. They’re waiting for a solution that meets them where they are: a tool that lowers the cognitive barrier to adoption, that doesn’t require a senior engineer to configure, and that delivers immediate, visible value from day one.
This is the opportunity. And based on all available research, the window to capture it is wide open.
To learn more about RegScale’s CCM platform, contact us today.