That is the uncomfortable reality behind modern identity breaches. Stolen credentials remain the starting point for nearly 70% of attacks, yet most security strategies still focus only on credential storage, MFA enforcement, and periodic access reviews.

The real problem begins after authentication succeeds. Once a legitimate credential is compromised, traditional identity controls often lose visibility into what happens next.

This is the gap Identity Threat Detection and Response was built to solve. But deploying an ITDR tool does not automatically create an effective ITDR program. That gap between tooling and operational maturity is where many enterprise identity security strategies are breaking down today.

What ITDR Detects That PAM Cannot 

PAM controls access to privileged accounts. It vaults secrets, records sessions, and enforces least privilege on accounts it knows about. What it cannot do is detect the abuse of credentials after authentication has already succeeded. 

• Token abuse and OAuth grant exploitation. An attacker who compromises a legitimate OAuth token can access data and systems without triggering any PAM alert. 
• Session hijacking after valid MFA. Post-authentication session theft bypasses both the vault and the MFA gate. 
• Lateral movement using legitimate credentials. Pass-the-Hash and Pass-the-Ticket attacks use real credentials against real systems. PAM sees a legitimate session. 
• Cloud control plane abuse. IAM role assumption, service principal exploitation, and cloud management API abuse look identical to legitimate administrative activity without behavioral context. 
• Directory enumeration and reconnaissance. Attackers querying Active Directory or Entra ID to map the environment before moving. This pattern is invisible to PAM but detectable through directory telemetry analysis. 

The ITDR Data Model 

ITDR operates on a fundamentally different data model from PAM or endpoint security. Building an effective ITDR capability requires pulling from the right telemetry sources: 

• Directory logs from Active Directory, Entra ID, and Okta 
• Cloud identity telemetry: AWS CloudTrail, Entra sign-in logs, GCP audit logs 
• Privileged session recordings from PAM platforms 
• SaaS access logs and OAuth grant activity 
• Endpoint telemetry correlated to identity events 

The goal is a unified identity threat picture that connects login events, session activity, privilege use, and lateral movement indicators across every environment where identities operate.

The post ITDR Is Not PAM With Better Alerts. Why Identity Threat Detection Needs Its Own Program appeared first on Compunnel.

The response from most fast-growing companies was not to stop hiring international talent. It was to change where those employees are based.

The shift in how companies think about global talent 

A survey by Atlas HXM released in March 2026 found that 68% of organizations globally say changing immigration policies are accelerating their workforce expansion and hiring decisions. Fewer than one in five reported delays. The instinct to slow down hiring in response to policy uncertainty is less common than it might seem. The more typical response is to look for a different entry point. 

That entry point, for a growing number of companies, is hiring workers in the countries where they already live rather than relocating them. An engineer in Bangalore, a designer in Warsaw, a data analyst in Nairobi: all of them can be employed compliantly through an employer of record service without a visa, a relocation package, or an 18-month wait. 

This approach was already gaining ground before 2025. The immigration policy shifts accelerated adoption significantly, because they removed the practical alternative for many hiring managers. 

Tariff volatility is creating a similar effect on workforce location decisions. 

Immigration is not the only policy variable companies are navigating. Tariff uncertainty under US Section 301 and 232 provisions has made some companies reconsider where they base teams that support global operations. When trade relationships with specific markets become unpredictable, having employees distributed across multiple jurisdictions rather than concentrated in one location provides operational flexibility. 

EOR structures make this easier because they allow companies to hire in a new market within days rather than months. You do not need a local entity to test whether a market works. You hire through an EOR, see whether the team performs and the market delivers, and then decide whether to establish a permanent presence. If circumstances change, you have options. 

The MENA and Africa opportunity most US companies are not yet taking. 

The Atlas HXM data shows that while 60% of US organizations plan to hire in Canada and 37% in Europe, only 8% are considering the Middle East and North Africa, and just 2% are looking at sub-Saharan Africa. Given that 97% of UAE companies plan to expand, and that APAC is growing at a 17.1% CAGR for EOR adoption, there is a significant talent pool that most US companies have not engaged with yet. 

South Africa, Nigeria, Morocco, and Kenya are seeing growing interest from companies building engineering and operations teams. The regulatory environments are more complex than in North America or Europe, which is exactly where having a well-resourced EOR makes the difference. An EOR with in-country staff in Nairobi or Lagos tracks labor law changes, processes local payroll correctly, and manages statutory contributions. You get access to a talent pool that most of your competitors have not yet found. 

Building workforce resilience through geographic distribution 

The companies that handled 2025 immigration disruptions the best were the ones that had already built distributed hiring muscle. They had EOR relationships in multiple markets, existing workflows for onboarding remote employees, and compensation benchmarking data across geographies. 

Building that infrastructure during a crisis is harder and more expensive than building it in advance. The cost of setting up an EOR relationship in a new market is relatively low. The benefit, having an operational hiring pathway ready before you need it, compounds over time. 

If your company’s hiring strategy currently depends heavily on bringing people to a single location, 2026 is a reasonable time to start diversifying that model. The policy environment is unlikely to simplify. The talent pools in markets like India, Vietnam, Poland, and Morocco are real and growing. EOR makes them accessible without requiring a commitment to full entity establishment in each one. 

Ready to hire globally without the compliance headache? Talk to our experts at Compunnel EOR Services and find out how we can get your next international hire done right. 

The post EOR as a Response to Immigration Uncertainty: How Global Companies Are Adapting in 2026 appeared first on Compunnel.

But there is one distinction that does not always come up clearly in the first conversation: whether the provider operates through its own legal entities in the countries where you want to hire, or whether it relies on a network of third-party local partners to deliver the service. 

That difference has always existed in the EOR market. In 2026, it matters a lot more.

How the aggregator model actually works 

An aggregator-model EOR accepts your contract and your employees, then subcontracts the actual in-country employment to a local partner. Your point of contact is the platform. The compliance work is done by a third party you have never vetted and may not even know the name of. 

This model is not inherently fraudulent. Many aggregator-model providers work with reputable local partners. The problem is lag time and accountability. When a country changes its minimum wage, updates its pension contribution rates, or passes new labor protections, an owned-entity provider with in-country staff usually knows before the effective date. An aggregator model is dependent on the local partner relaying that update, and that relay is not always timely. 

One specific example from early 2026: Armenia introduced new health insurance requirements in January. Providers with owned entities and in-country compliance teams updated payroll automatically before the effective date. Some aggregator-model providers were still catching up weeks later, because the change came through a partner notification rather than an internal monitoring process. 

What owned entities actually give you 

When an EOR provider has a registered legal entity in a country, they are the employer of record in the literal legal sense. The employment contract is issued from their local company. Payroll is processed from their local banking infrastructure. The compliance liability sits with an organization that is directly subject to local law. 

That changes the risk profile significantly. If a government audit flags an employment practice as non-compliant, the owned-entity EOR is in the room with you. They have local counsel, local relationships, and direct accountability. An aggregator model adds a layer of distance that can complicate resolution. 

For IP-sensitive companies, it also matters who signs the employment contracts for your engineers and product people. Contracts issued from an EOR’s owned local entity typically have cleaner IP assignment language because they are operating under a single legal framework. Partner-issued contracts sometimes introduce inconsistencies. 

The questions worth asking in your next EOR evaluation 

If you are comparing EOR providers for hiring in India, Brazil, Germany, or any market that matters to your company, here are the questions that get past the sales deck: 

• Can you show me your registered entity in [specific country], not regional coverage? 

• Who physically runs payroll in that country, your staff or a partner? 

• If a regulatory change happens, how does it flow into my employees’ payroll? 

• What is your response process if an employee raises a compliance concern with a local authority? 

• Can I speak to a reference from a client who had to navigate a compliance event in that market? 

The distinction between owned-entity and aggregator EOR is the most operationally critical factor when hiring across multiple markets. The Everest Group analysis on EOR consolidation notes that recent M&A activity reflects providers moving to bring compliance infrastructure in-house rather than relying on partners, precisely because enterprise clients have started asking these questions. 

The EOR market has matured enough that buyers no longer need to take marketing claims at face value. The right provider will welcome scrutiny of their in-country infrastructure, because it is genuinely what sets them apart. 

Ready to hire globally without the compliance headache? Talk to our experts at Compunnel EOR Services and find out how we can get your next international hire done right. 

The post Global EOR vs. local EOR: Why Owned Entities Matter More Than Ever appeared first on Compunnel.

According to Compunnel’s Zero Trust identity security guide, 84% of organizations experienced an identity-related breach in 2025. In 75% of those cases, attackers gained access using stolen credentials rather than breaking through the perimeter.

Zero Trust was designed to stop exactly this kind of attack. So why are breaches still happening? 

The Three Zero Trust Failure Modes in Multi-Cloud 

• Policy fragmentation: AWS, Azure, and GCP each have their own identity models, policy frameworks, and logging standards. A Zero Trust policy built in one cloud does not automatically translate to another. The enforcement gaps live at the seams. 
• Identity blindness: Most Zero Trust implementations focus on human user access. Workload identities, service accounts, AI agents, and other non-human identities exist outside the identity fabric and carry permissions that ZT policies never evaluate. 
• Implicit trust zones: Many “Zero Trust” environments still contain east-west traffic paths that were never fully segmented. Microsegmentation projects are frequently incomplete, leaving lateral movement paths that an attacker with one legitimate credential can use. 

Why Infrastructure-Centric Zero Trust Falls Short 

The root cause of most ZT failures is that organizations built their implementation around infrastructure perimeters rather than identity. 

ZTNA tools are excellent at securing human access to specific applications. They were not designed to govern machine-to-machine traffic, which represents the majority of enterprise network activity in 2026. Cloud-native service meshes introduce implicit trust between services that most teams never audit. Cloud control plane APIs carry administrative-level permissions that are rarely included in ZT policy scope. 

Zero Trust network architecture works. But it is only as effective as its identity coverage. A network segment that enforces Zero Trust for human users while allowing unrestricted machine identity traffic is not Zero Trust. It is a theater.

The Shift to Identity-Centric Zero Trust 

The organizations closing the ZT gap are those that have moved identity to the center of their implementation, treating it as the universal control plane across clouds rather than as one layer among many. 

• Continuous verification throughout the session. Zero Trust must validate risk signals continuously, not just during login.  
• Unified identity visibility across clouds. Security teams need one identity view across AWS, Azure, and GCP instead of siloed controls.  
• ITDR as the missing detection layer. ITDR helps detect misuse of legitimate access that traditional Zero Trust controls often miss.  
• Workload identity governance. Machine identities need the same monitoring, verification, and anomaly detection as human users.  

What Multi-Cloud Zero Trust Actually Requires 

Effective Zero Trust in a multi-cloud environment is not a tool purchase. It is an architectural decision that starts with identity. 

The organizations that make it work in 2026 are investing in Infrastructure Security Services that address policy consistency across cloud environments, alongside Identity and Access Management Services that extend identity governance to both human and non-human entities. 

The principle behind all of this is simple. Zero Trust works. Identity-blind Zero Trust does not.

Is your Zero Trust strategy enforced consistently across every cloud? Request a Zero Trust gap analysis from our security architects. 

The post Zero Trust Is Failing in Multi-Cloud. Here’s Why Architecture Is Not the Problem appeared first on Compunnel.

That is exactly what most enterprises are doing with machine identities right now. 

Research from Entro Labs puts the NHI-to-human identity ratio at 144:1 in cloud-native and DevOps environments. Rubrik Zero Labs puts the average enterprise figure at 45:1. ManageEngine’s 2026 Identity Security Outlook found organizations reporting ratios of 100:1 to 500:1. And according to CSO Online’s 2026 NHI analysis, 68% of IT security incidents now involve machine identities.

This is not a developer hygiene problem. It is an enterprise governance crisis. 

The Five NHI Categories Falling Through the Cracks 

• Orphaned service accounts. Created for temporary projects and left active long after the work ends.  
• API keys from SaaS integrations. Auto-generated credentials that rarely enter centralized identity systems.  
• OAuth tokens from third-party apps. Granted outside IT oversight and often never revoked.  
• AI agent credentials. New machine identities are created by AI tools with little governance or review.  
• CI/CD pipeline credentials. Shared secrets are embedded in workflows and rotated too infrequently. 

Why PAM Is Not the Answer 

Privileged Access Management was the right control for 2018. In 2026, it addresses only the NHIs your security team already knows about. 

PAM vaults secrets. It does not govern the sprawl of machine identities that were created outside IT workflows. A credential that was never registered with the vault is invisible to every PAM-based control you have built. 

The deeper problem is that NHI sprawl is fundamentally a governance failure, not a technical one. You cannot rotate a secret you do not know exists. You cannot enforce least privilege on an identity that has no owner. You cannot offboard a service account when nobody is accountable for tracking it. 

As The Hacker News reported in May 2026, organizations that cannot demonstrate lifecycle governance, ownership accountability, and least-privilege enforcement for NHIs are accumulating compliance exposure alongside security exposure. 

The Compliance Gap That Is Coming 

SOC 2, ISO 27001, PCI DSS, and NIST 800-53 all carry access governance requirements that apply to non-human identities as much as human ones. In practice, most audit processes focus on human users and treat NHIs as a grey zone. 

That grey zone is shrinking. Auditors are beginning to ask specific questions about machine identity governance. Generic answers no longer satisfy them. Organizations that have not built a formal NHI governance program are accumulating audit risk with every quarter they wait. 

Building an NHI Governance Program 

An effective NHI governance program rests on three pillars: 

• Continuous inventory: Automated discovery of every machine identity across cloud, SaaS, and on-premises environments. Not quarterly scans. Continuous. 
• Ownership accountability: Every NHI needs a human owner who is responsible for its existence, its permissions, and its eventual decommission. 
• Lifecycle enforcement: Creation gates that require justification. Rotation schedules that are automated, not manual. Decommission workflows that trigger when a project ends, or an owner departs. 

This connects directly to the broader Identity and Access Management Services framework that governs both human and machine identity risk. It also supports the Security Operations Services capability needed to detect anomalous NHI behavior in real time. 

For a detailed look at the NHI risk landscape, LastPass’s April 2026 NHI research provides strong data on AI agent credential sprawl and its security implications. 

Find out how many unmanaged machine identities are operating in your environment. Request an NHI Governance Assessment from our team. 

The post The NHI Governance Gap: Why 144 Machine Identities Per Human Is a Board Problem appeared first on Compunnel.

This is not a reporting requirement that kicks in years from now. Some of the core obligations are active right now, and they apply to every employer regardless of size. 

What the directive actually requires 

The EU Pay Transparency Directive (Directive 2023/970) has three layers of obligation that operate on different timelines. The ones that are live today cover recruitment and employee information rights. 

From this point forward, every job posting for an EU-based role must include the salary or salary range before the first interview. You cannot ask candidates what they currently earn. Candidates who accept a role can then request information about the average pay of people doing the same work, broken down by gender, and you have two months to respond. 

Pay secrecy clauses in employment contracts are now prohibited. If you have standard contracts that include a line about not discussing compensation, those clauses are invalid for EU employees from June 2026 onward. 

The reporting layer follows later. Companies with 250 or more employees need to submit their first gender pay gap report by June 2027, using 2026 pay data. Employers with 150 to 249 employees follow on the same timeline, every three years. Companies with 100 to 149 employees begin triennial reporting in 2031. Where a pay gap within a role category exceeds 5% and cannot be justified by objective criteria, a formal joint assessment with employee representatives is required. 

What this means for companies using EOR to hire in the EU 

If you are hiring in Germany, France, the Netherlands, Poland, or any other EU country through an EOR service provider, the directive applies based on where the employee is located, not where your company is headquartered. A US company hiring a developer in Berlin through an EOR is fully within scope. 

That creates a responsibility split worth understanding. The EOR is the legal employer in the EU country. They issue contracts, run payroll, and manage statutory obligations. Pay transparency compliance sits squarely within that. The EOR needs to issue job offers with salary ranges disclosed, handle pay information requests from employees within the two-month window, and collect the data needed for gender pay gap reporting when your headcount in a member state crosses the relevant threshold. 

What this means in practice: when evaluating EOR providers for EU hiring, pay transparency compliance should now be on your checklist. Ask specifically how they handle salary disclosure in recruitment, how they respond to employee pay information requests, and whether they have a data collection process ready for gender pay gap reporting. 

A broader impact on compensation strategy 

One effect that is easy to underestimate: because the directive applies based on employee location rather than company headquarters, multinationals may find it simpler to standardize pay transparency practices across their entire global workforce rather than maintaining different policies for EU and non-EU employees. The analysis by Gibson Dunn notes that non-EU employers with EU-based staff are fully in scope, which makes a unified global compensation architecture worth considering. 

Companies that have historically kept compensation ranges internal are adjusting their hiring processes right now. The companies that have been moving toward pay transparency over the past couple of years are finding the transition more straightforward than those starting from scratch. 

If you are building EU hiring programs in 2026 and want a partner that has already built these compliance requirements into their employment workflows, this is exactly the kind of operational detail that separates a well-prepared EOR from one that is still catching up. 

Ready to hire globally without the compliance headache? Talk to our experts at Compunnel EOR Services and find out how we can get your next international hire done right. 

The post The EU Pay Transparency Directive is Live: Here is What It Means For Global Hiring appeared first on Compunnel.

Worker misclassification, treating a full-time employee as an independent contractor, has always carried legal risk. What changed in 2026 is the enforcement environment. Tax authorities now run AI-powered audits that cross-reference payroll data, invoicing patterns, and work schedules. If your contractor works fixed hours, follows company processes, and has no other clients, regulators in the Netherlands, Spain, Brazil, and the UK are likely to reclassify that person as an employee retroactively. The penalties can reach tens of thousands of euros per worker. 

What is actually changing on the ground 

The EU Platform Work Directive has a December 2026 deadline, and most member states are still finalizing their national laws. What the directive does is create a legal presumption of employment for workers who meet certain indicators. That flips the burden of proof. Instead of regulators proving someone is an employee, your company has to prove they are genuine contractors. 

In the Netherlands, the enforcement moratorium that protected companies from retroactive penalties ended in early 2025. The Dutch tax authority is now running active audits, not just issuing guidance. Companies that continued operating under the old assumption are getting hit with corrections going back multiple years. 

The UK’s IR35 rules tell a similar story. HMRC intensified enforcement in early 2026, and new umbrella company regulations came into force in April. If you have long-term contractors embedded in your UK operations, IR35 now creates tax and legal exposure that a contract alone cannot fix. 

In Latin America, Brazil and Mexico have both moved toward proactive enforcement rather than reactive. Many North American companies that expanded into LATAM through contractor arrangements are now facing retroactive liability that far exceeds the cost savings they originally sought. 

The EOR model directly solves this. 

An employer of record steps in as the legal employer in each country where you have workers. The EOR handles the employment contract, local payroll, statutory benefits, and tax filings. Your team member gets a properly structured employment relationship that meets local labor law requirements. You get the operational benefit without the legal exposure. 

The practical effect is straightforward: with a quality employer of record service, there is no misclassification risk because the worker is a properly classified employee from day one. The EOR bears the compliance liability, not your company. 

This matters especially for companies scaling quickly in new markets. When you are testing whether a market works before committing to a local entity, an EOR gives you a clean employment structure without the overhead of incorporation. 

What to check when choosing an EOR provider 

The EOR market now has over 150 providers, and they are not all equal in compliance. The most important question is whether a provider operates through owned legal entities in your target countries or whether they use a network of third-party aggregators. Owned-entity providers track regulatory changes in real time through in-country staff. Aggregator models sometimes catch changes late, because they are dependent on partners relaying updates. 

A few things worth verifying before you sign: 

• Does the provider have a registered entity in the specific country, not just regional coverage? 
• How do they handle regulatory changes mid-contract? 
• What happens if a government reclassifies a worker and assesses back taxes? 
• Can they show you a real example of how they managed a compliance event in the past 12 months? 

The Everest Group’s February 2026 analysis of EOR consolidation points out that some providers view compliance infrastructure as too strategic to leave in partners’ hands. That is the right instinct, and it is a useful filter when you are comparing vendors. 

The compliance environment in 2026 rewards companies that set up employment relationships correctly from the start. An EOR is the most direct way to do that across multiple markets without building your own entity in each one. 

Ready to hire globally without the compliance headache? Talk to our experts at Compunnel EOR Services and find out how we can get your next international hire done right. 

The post Why worker misclassification is the biggest compliance risk your business faces in 2026 appeared first on Compunnel.

For most enterprises in 2026, the honest answer is no. Not because the security team is careless, but because the way enterprise data moves through cloud environments, SaaS tools, and development workflows makes it structurally impossible to know where all copies live. 

This is the shadow data problem. And it just became a legal problem, not only a security one. 

According to Netwrix’s 2025 Cybersecurity Trends Report, lack of visibility into sensitive data has ranked as the top security challenge for three consecutive years. More than a third of data breaches now involve unmanaged shadow data. With EU Cyber Resilience Act reporting obligations arriving in September 2026, compliance and legal teams are asking questions that security teams cannot yet answer.

How Shadow Data Is Created 

Shadow data is not the result of negligence. It is the natural byproduct of how modern enterprises operate. 

• Development and test environment clones. Developers copy production databases to build and debug features. These copies often outlive the project and accumulate across forgotten environments. 
• SaaS exports and BI extracts. Marketing downloads a customer list from the CRM. Finance pulls a year-end report into a desktop analytics tool. Each export immediately escapes governance frameworks. 
• Forgotten cloud storage. The S3 bucket was created for a proof-of-concept that launched two years ago. The Azure Blob container from a vendor demo. These persist long after the original purpose is gone. 
• AI tool ingestion. Employees are feeding enterprise data into AI tools without IT oversight. Data policy violations tied to generative AI usage doubled in 2025 and continue to grow in 2026. 

Why This Is Now a Regulatory Story 

The compliance exposure created by shadow data is specific and serious. 

GDPR Article 17 grants individuals the right to erasure. You cannot delete what you cannot find. If a customer requests deletion and you have 17 unindexed copies of their data scattered across cloud buckets, SaaS platforms, and developer environments, you are in violation the moment you cannot confirm deletion. 

HIPAA’s minimum necessary rule applies to every copy of protected health information, not just the primary database. Shadow copies of PHI in unmanaged environments create audit perimeter exposure that most healthcare organizations have not fully mapped. 

PCI DSS scope creep is one of the most overlooked shadow data risks. Every unmanaged copy of cardholder data expands your audit perimeter automatically, whether your security team knows it exists or not. 

The organizations that will face the steepest regulatory exposure in 2026 are not those that had the biggest breaches. They are the ones that could not demonstrate data lineage, ownership, and deletion capability when an auditor asked. 

Why Discovery Alone Is Not Enough 

Most DSPM conversations start and stop at discovery. Finding shadow data is necessary. It is not sufficient. 

The gap that most security teams fall into is treating inventory as control. Knowing where data exists is different from being able to prove it is protected, classified, and managed to regulatory standards. An unencrypted S3 bucket that has been discovered is still an unencrypted S3 bucket. 

True data-centric security means protection travels with the data. Classification, encryption, access controls, and deletion workflows need to follow each dataset wherever it goes, not just where you expect it to be. 

The DSPM Maturity Model 

Building toward complete shadow data governance follows a clear progression: 

• Level 1: Know where the data is. Continuous discovery across cloud, SaaS, and on-premises environments. 
• Level 2: Classify and assign ownership. Every dataset gets a sensitivity label and a human owner. 
• Level 3: Enforce controls that travel with the data. Encryption, access restrictions, and DLP policies tied to data classification, not just to system perimeters. 
• Level 4: Continuous posture validation. Automated remediation workflows that act on new shadow data as it appears, not quarterly. 

This is the foundation of a robust Data Protection Services program. It connects to broader Cloud Security Services that keep multi-environment data posture visible and enforceable. 

For additional context on the regulatory dimension, the Wiz Shadow Data guide covers discovery approaches and governance frameworks in depth. 

Shadow data is your next audit risk. Get a Data Security Assessment from our team and find out what your governance program cannot yet see. 

The post Shadow Data Is the Compliance Time Bomb No One Is Defusing appeared first on Compunnel.

Your IAM framework knew the rhythm. Employees logged in during office hours. They were onboarded when hired and deactivated when they left. MFA verified them. Quarterly access reviews cleaned up the loose ends. Predictable patterns. Predictable behavior. Predictable risk. 

Then 2026 arrived, and the entire model started cracking under pressure. 

Not because IAM platforms suddenly failed. Not because security teams stopped paying attention. But because enterprise environments are no longer populated by humans alone. AI agents, autonomous systems, machine identities, third-party automations, and non-human actors are now requesting access, making decisions, triggering workflows, and operating at a scale traditional identity governance was never designed to handle. 

The old rule was simple: one identity, one person.

That rule no longer exists. 

AI agents do not log in. They do not follow work hours. They do not have lifecycle events tied to employment. And according to Palo Alto Networks’ 2026 cybersecurity predictions, autonomous agents already outnumber humans by 82:1 in some enterprise environments. Most of those agent identities exist completely outside your governance model. 

The 5 IAM Assumptions AI Agents Break 

When security teams built their identity programs, they made five foundational assumptions. Each one is now a gap. 

• Identity equals a person. IAM systems were built for human users, not AI agents, service accounts, or machine identities.  

• Authentication equals a login event. MFA protects human logins, but AI agents operate through continuous machine-to-machine access.  

• Lifecycle equals employment events. Employees get offboarded. AI credentials often stay active long after projects end.  

• Access reviews are human audits. Manual reviews cannot keep up with the speed and scale of machine identities.  

• Behavior has a baseline. Traditional security tools rely on predictable behavior patterns. AI agents rarely follow them.  

Why PAM and IGA Cannot Fill the Gap 

Security leaders often assume PAM and IGA solutions already cover this problem. In reality, they do not, at least not without major redesigns.

PAM was built to secure known privileged accounts. But most non-human identities are created outside traditional IT workflows. A developer spins up an integration during a product launch. A SaaS platform auto-generates API credentials. A marketing employee connects a third-party AI tool using OAuth access from a personal account. None of these identities ever make it into the vault.

IGA faces a different challenge. It was designed for human access governance, not for thousands of machine identities appearing and changing in real time. AI agents do not follow employee lifecycles, fixed roles, or predictable usage patterns.

For example, an AI-powered customer support bot may access CRM data, trigger workflows, connect with payment systems, and interact with multiple SaaS applications simultaneously. Traditional IGA tools struggle to track whether those permissions are still necessary, who approved them, or when they should expire.

According to Gartner, AI agents are forcing organizations to rethink IAM strategies entirely, especially around identity registration, credential automation, governance, and policy-based authorization for machine actors. 

What Post-Human IAM Architecture Looks Like 

Fixing this requires more than adding a tool. It requires rethinking the governance model. 

• Continuous NHI inventory. You cannot govern what you cannot see. This means automated discovery of every service account, API key, OAuth grant, and agent credential across cloud and SaaS environments. 

• Behavioral baselining for machine identities. Build activity profiles for non-human entities so deviations from expected behavior trigger detection, not just anomaly alerts. 

• Just-in-time access for AI agents. Standing permissions for agents that only need access for specific tasks create unnecessary long-lived exposure. Ephemeral, time-bound credentials are the right model. 

• Policy-driven authorization for machine actors. Move beyond RBAC toward attribute-based and policy-based controls that can accommodate the dynamic nature of agentic workloads. 

• Ownership accountability. Every machine identity needs a human owner who is responsible for its lifecycle. Without ownership, there is no accountability and no offboarding. 

The Governance Shift That Has to Happen First 

The technology is only part of the answer. Before your platform can govern AI agent identities, your organization needs to decide who owns them. 

Most enterprises do not have a role defined for machine identity ownership. Developers create agents. IT does not know they exist. Security cannot audit what it was never told about. Building a post-human IAM program starts with an organizational design question: who is the AI identity owner, and what are they accountable for? 

You can explore how Compunnel approaches this through our Identity and Access Management Services and our broader Cybersecurity Services framework. 

For a deeper look at the identity sprawl problem, IBM’s 2026 Cybersecurity Predictions offer a strong grounding in where enterprise risk is heading. 

Ready to assess your AI agent identity exposure? Talk to our identity security team today. 

The post Your IAM Program Was Built for Humans. AI Agents Just Broke It. appeared first on Compunnel.

What does not make the pitch decks or the site-selection reports is the compliance complexity waiting on the other side of the hire. India is not a difficult market because of talent scarcity or infrastructure gaps. It is difficult because its employment law is genuinely fragmented, state-dependent, and regularly updated in ways that catch even experienced global HR teams off guard. 

Why is India compliance harder than most markets 

India operates a dual labor law system. Some legislation, like the Employees’ Provident Funds Act and the Employees’ State Insurance Act, is centrally administered. But much of what governs day-to-day employment, including working hours, leave entitlements, termination procedures, and establishment registration, falls under state-specific Shops and Establishments Acts. There are 28 states and 8 union territories, each with its own version. 

A 50-person team spread across Bengaluru, Hyderabad, and Pune is not operating under one employment system. It is navigating three different legal realities at the same time. Notice period requirements shift from state to state. Leave accrual rules follow different formulas. Professional tax registrations depend on varying thresholds tied to geography and salary bands. 

Most India market-entry playbooks barely scratch the surface of these operational nuances. But when these differences are overlooked or handled casually, they do not remain administrative for long. They turn into compliance risks, financial liabilities, and legal exposure waiting to surface. 

As noted in the eSparkBiz GCC Compliance Guide 2026, setting up or scaling a GCC in India offers access to world-class talent, but legal compliance is where many GCC strategies quietly fail. This maturity gap is a top priority for global leaders entering the market in 2026. 

The PF, ESIC, and payroll compliance stack 

Every employer in India with more than a certain headcount threshold is required to contribute to the Employees’ Provident Fund at 12 percent of basic salary from both the employer and employee sides. ESIC, the state insurance scheme, runs at 3.25 percent employer contribution and 0.75 percent employee contribution for workers below a salary ceiling. Both are monthly statutory obligations with precise calculation rules that vary based on salary structure, allowances, and the specific components of each employee’s compensation package. 

Getting this wrong is not a theoretical risk. Under-contribution, late contribution, or incorrect salary-band classification triggers back payment obligations, interest charges, and potential penalties from both the EPFO and ESIC authorities. Many multinational teams entering India replicate their home-country payroll logic and discover months later that Indian statutory payroll does not work the same way. 

Gratuity adds another layer. Employees who complete five or more years of continuous service are entitled to a statutory gratuity payment calculated at fifteen days of salary per year of service. This liability accrues from the first day of employment but is not always provisioned correctly by companies that assume it only becomes relevant at exit. For a team that scales quickly, this represents a growing balance sheet obligation that needs to be tracked from the start. 

The DPDP Act changes how you handle payroll data. 

India’s Digital Personal Data Protection Act became law in 2023 and is moving toward full enforcement by May 2027. Its implications for GCC operations go beyond IT security. The Act creates data localization and consent requirements for employee personal data, which includes payroll records. For multinational companies running global payroll on centralized platforms, the question of where Indian employee data is processed and stored is now a legal compliance question, not just a technical one. 

The DPDP Act enforcement timeline requires 72-hour breach reporting and mandatory consent management. Companies running payroll data for Indian employees through systems hosted exclusively outside India need to assess their compliance posture now, before the enforcement ramp-up makes reactive remediation the only option. 

Why the EOR-first entry strategy works 

The most common mistake global companies make when entering India is treating entity setup and hiring as parallel tracks. Setting up a wholly owned subsidiary in India can take anywhere from 12 to 24 weeks. The process includes company registration, tax IDs, PAN and TAN approvals, bank account setup, labor registrations, and ESIC enrollment. But while the paperwork moves slowly, your talent pipeline does not wait. 

Accessing the best employer of record services allows you to hire in India in two to three business days. The EOR becomes the legal employer on record, managing PF, ESIC, professional tax, gratuity provisioning, and state-specific compliance from day one. You get operational presence without the entity overhead, and your team can start building immediately while the entity process runs in the background. 

The EOR-to-entity transition is itself a structured process that quality EOR service providers manage. When your India team reaches the scale where a wholly owned subsidiary makes financial sense, typically somewhere between 50 and 100 employees, depending on the functions involved, a well-structured EOR transition plan moves workers to the new entity without compliance gaps or workforce disruption. Companies that skip EOR and go straight to an entity often spend their first 6 months of Indian operations firefighting payroll issues rather than building their team.

Tier 2 cities add opportunity and compliance nuance. 

India’s GCC footprint is expanding beyond Bengaluru, Hyderabad, and Pune into cities like Coimbatore, Jaipur, Indore, and Kochi. This geographic diversification makes sense from a talent and cost standpoint. Bengaluru tech salaries have risen sharply, and competition for senior AI and engineering talent in major hubs is intense. Tier 2 cities offer better retention rates and lower compensation benchmarks for many roles. 

What changes in Tier 2 is the compliance environment. Professional tax slabs, local establishment registration requirements, and available legal infrastructure differ from those in major metro centers. Companies expanding to multiple Indian cities need a compliance model that handles this geographic variation systematically, not city by city as issues arise. This is another area where global employer of record solutions provide real operational value, because in-country legal expertise covering multiple states is built into the service, not billed separately as a consulting engagement.

The post India Is Your Most Valuable Hiring Market, and Your Most Underestimated Compliance Risk appeared first on Compunnel.

Compliance debt is not a single fine or a missed filing. It is the accumulated gap between how your workforce has been structured and how it should have been structured under local employment law. By the time it becomes visible, through an audit, a regulatory inquiry, or an M&A due diligence review, the cost to remediate is typically three to five times what it would have cost to get it right at the point of hire. 

Where the debt starts accumulating 

Worker classification is the most important decision you make at the point of hire, and it is also the one most companies get wrong when scaling internationally. Global contractor hiring has grown significantly over the past two years as companies look for flexibility and speed. The problem is that many of those contractor relationships do not meet the legal tests for independent status in the jurisdictions where the work is performed. The U.S. Department of Labor applies the economic reality test to determine whether a worker is genuinely independent or effectively an employee. A contractor who works exclusively for your company, follows your schedule, and uses your tools almost always fails that test. 

The financial exposure is not theoretical. According to recent enforcement data, misclassifying a single worker can generate $15,000 to $100,000 or more in combined IRS back taxes, Department of Labor penalties, state fines, and legal fees. In states like California and Massachusetts, civil penalties alone can run from $5,000 to $25,000 per misclassified worker. Multiply that across ten or twenty contractors in multiple countries, and you can see how quickly the exposure grows before a single audit letter arrives. 

In fiscal year 2025, the DOL’s Wage and Hour Division recovered more than $259 million in back wages for nearly 177,000 workers across the United States. Audits are triggered by employee complaints, and one complaint typically surfaces an entire engagement model. 

Why compliance debt is especially dangerous in multi-country hiring 

Domestic misclassification is manageable. International misclassification is a different problem entirely. Employment law varies by jurisdiction in ways that catch even experienced HR teams off guard. What is legally acceptable in one country can constitute employment in another. The Netherlands and South Korea, for example, have been actively expanding the definition of employer based on how work is directed, not just on what a contract says. 

Here is what makes 2026 a turning point for the European workforce strategy. The EU Platform Work Directive, rolling out across member states throughout this year, now places the burden of proof on companies rather than workers. Unless an employer can demonstrate that a contractor relationship meets specific independence criteria, worker-employee status is presumed by default. For companies that have already built European contractor teams under the old framework, this is not a future concern. It is an active compliance position that needs to be reviewed and resolved now, before regulators do it for you. 

The compounding effect comes from the lookback window. The UK’s HMRC, for instance, can assess unpaid IR35 taxes going back six years in standard cases and twenty years where behavior is considered deliberate. A contractor relationship that started in 2019 is potentially still in scope today. This is what makes compliance debt so dangerous: it does not expire cleanly, it accumulates interest, and it almost always grows faster than the underlying business value it was funding. 

How employer of record services break the cycle

The structural fix for compliance debt is not better internal monitoring. It is getting the employment relationship right from the first hire. This is exactly where employer of record services change the equation. An EOR becomes the legal employer of your workers in each country, taking on statutory payroll obligations, benefits administration, and employment classification under local law. The compliance structure is correct from day one because the EOR owns the risk. 

The distinction between EOR models matters here. Aggregator EOR providers, those that use third-party in-country partners rather than their own legal entities, create liability layers that enterprises often do not discover until an audit or acquisition surfaces them. A directly owned EOR infrastructure means your workers are employed through a compliant legal entity, not a subcontract chain where indemnification may not extend to misclassification penalties. 

Beyond classification, quality EOR solutions handle the full statutory compliance stack: provident fund contributions, mandatory leave entitlements, termination notice requirements, and benefits that vary by jurisdiction. Each of these is a potential compliance debt source when managed manually across multiple countries without local legal expertise. 

The M&A moment when debt becomes undeniable 

For many companies, the reckoning comes during acquisition due diligence. Investors and acquirers now conduct workforce compliance reviews as a standard component of M&A diligence, and what they find is often sobering. Misclassified contractors, retroactive benefit obligations, and payroll data governance gaps are among the most common workforce liabilities that surface post-LOI. These findings do not just affect deal pricing; they can stall or kill transactions entirely. 

Companies that close deals smoothly usually either built compliant employment structures from the start or switched to an EOR model before the acquisition process began. EOR can also serve as a bridge structure during M&A integration, absorbing the acquired workforce into a compliant employment framework while the buyer prepares their own entity infrastructure. Learn more about how global EOR services can de-risk cross-border workforce transitions.

The post The Compliance Debt Crisis Hidden Inside Global Hiring appeared first on Compunnel.

Princeton, NJ – May  28, 2026 – Compunnel, Inc. a global provider of AI-driven workforce solutions, digital engineering, security, risk and transformation services, today announced that it has achieved Capability Maturity Model Integration (CMMI) Level 3 certification – a globally recognized benchmark for organizational process maturity and delivery excellence. The certification was conferred following a rigorous appraisal conducted by an authorized CMMI Lead Appraiser and represents a major milestone in Compunnel’s strategy to deliver consistent, high-quality outcomes at enterprise scale.

What CMMI Level 3 Means for Compunnel’s Clients 

CMMI Level 3 – known as the “Defined” maturity level – is awarded to organizations that have moved beyond reactive, project-by-project practices to establish standardized, well-documented, and proactive processes that are consistently applied across the entire organization. For Compunnel’s enterprise clients, this translates directly into: 

• Greater predictability in project timelines, cost, and outcomes 

• Standardized delivery frameworks that reduce errors, rework, and delivery risk 

• Robust quality assurance mechanisms embedded at every stage of the project lifecycle 

• Structured risk management that enables proactive mitigation before issues escalate 

• Higher levels of client confidence, accountability, and transparency

Leadership Perspective 

“This achievement reflects the dedication, discipline, and collaborative efforts of our teams across the organization. Achieving CMMI Level 3 is not just an external validation – it is a declaration of how we operate internally and the standard of care we bring to every client engagement. It strengthens our ability to deliver high-quality solutions, exceed expectations, and continuously improve the way we build and serve.” – Himanshu Kumar, Vice President – Digital Solutions

Certified. Validated. Audit-Ready. 

The appraisal was carried out by an authorized CMMI Lead Appraiser in full accordance with the globally recognized CMMI Institute standards. The certification confirms that Compunnel has implemented mature process frameworks across all key operational areas, including: 

• Project Planning and Monitoring – structured baselines, milestone tracking, and corrective action protocols 

• Process and Product Quality Assurance – independent QA reviews embedded within delivery workflows 

• Risk Management – formal risk identification, analysis, and mitigation across all active engagements 

• Configuration Management – controlled, traceable management of deliverables and work products 

• Measurement and Analysis – data-driven performance tracking to support continuous improvement 

• Causal Analysis and Resolution – root cause identification to prevent defect recurrence

A Strategic Foundation for Complex, Mission-Critical Engagements 

With CMMI Level 3 certification, Compunnel is now positioned to take on increasingly complex, mission-critical engagements with a process infrastructure that meets the most demanding enterprise requirements. This milestone strengthens Compunnel’s competitive standing in sectors such as financial services, healthcare, government, manufacturing, and technology – industries where process governance, auditability, and delivery consistency are non-negotiable.

About Compunnel 

Founded in 1994, Compunnel is a digital engineering, workforce solutions and AI services company serving global enterprises across Banking & Financial Services, Insurance, Healthcare, Life Sciences, MedTech, Retail, EdTech, and Manufacturing. The company specializes in Applied AI Engineering, Data Platforms & Intelligence, Cloud & Platform Engineering, and Autonomous Quality Engineering – delivered through AI-OS, its integrated enterprise delivery framework. With over three decades of experience in complex, compliance-driven transformation programs, Compunnel’s approach embeds AI into the software lifecycle by design. 23% of Fortune 500 companies work with Compunnel, with a 98% client retention rate. For more information, visit www.compunnel.com. 

Media Contact
pr@compunnel.com 

The post Compunnel Achieves CMMI Level 3 Certification appeared first on Compunnel.