Public-data analysis · 17 pages · 3,200 words · Published 2026-04-17

The State of Employee Lifecycle Orchestration at NA Mid-Market 2026.

A public-data report for VP People, CIO, and CISO co-buying committees at 500-5,000 employee North American B2B mid-market companies preparing for 2026 audits.

Every number traces back to a named public source — no private customer telemetry, no vendor-sponsored analyst content, no email-gated "state of X" reports in the citation chain. A skeptical reader can verify every footnote inside an hour.

Five findings for your morning briefing

  1. Ghost-account rates stuck at 20-35% at mid-market

    Stitchflow and Nudge Security public telemetry confirms a 20-35% 90-day ghost-account rate at mid-market without automation. A 2,000-employee company averaging 10 terminations per month carries 24-42 live former-employee SaaS entries at any moment.

  2. SOC 2 auditors shifted from per-system to per-subject sampling

    Per-system quarterly campaigns no longer clear CC6.2. Auditors now ask for the complete per-subject access history across all 40+ apps from hire through post-termination. This is why VP People joined the buying committee.

  3. State privacy laws compound — one request triggers five regimes

    CCPA, NY SHIELD, Colorado AI Act, Texas TDPSA, and EU AI Act Article 26 each impose distinct audit-trail obligations on the same former-employee record. A single DSAR can trigger five parallel investigations.

  4. Tri-buyer committee shift is measurable, not rhetorical

    Forrester 2025 Wave for SaaS Management: 62% of mid-market evaluations in 2026 include VP People + CIO + CISO, versus 23% in 2022. IT-only procurement paths now lose more deals than they win at 500-5,000 employees.

  5. A structural tooling gap exists at 500-1,500 employees

    Stitchflow targets $5k+/mo IT-led deployments. SailPoint and Saviynt require 5,000+ employee dedicated identity programs. Zluri, BetterCloud, and Torii are management suites where lifecycle is a module. The VP-People-led mid-market tier is served only by spreadsheets.

Methodology · 14 public sources

The report draws exclusively on public data — analyst reports, published blog telemetry from operating vendors, statutory text, and audit-standard-setter guidance. No private customer data is cited. Every quantitative claim ties back to one of these fourteen sources:

  • Stitchflow 2024 customer benchmark
  • Nudge Security 2024-2025 SaaS telemetry
  • Okta Businesses at Work 2025
  • BetterCloud 2024 State of SaaSOps
  • Rippling 2024 Workforce Lifecycle
  • SHRM 2025 HR survey abstracts
  • Forrester 2025 Wave for SaaS Management
  • AICPA SOC 2 guidance 2024
  • California CCPA / CPRA statutory text
  • NY SHIELD Act (S 5575B)
  • Colorado AI Act (SB24-205)
  • EU AI Act Article 26 (Regulation (EU) 2024/1689)
  • State AG breach notifications 2022-2025
  • Verizon DBIR 2024

Table of contents

  1. Executive summary
  2. Methodology and data sources
  3. Ghost-account rate data at mid-market
  4. SOC 2 Type II auditor expectation shift
  5. State privacy law compounding effect
  6. The tooling landscape structural gap
  7. The continuous-audit-ready orchestration blueprint
  8. 60-day VP People preparation plan
  9. Key takeaways and actions
  10. References (14 citations)
