Can You Prove Every Device in Your Company Is Secured Right Now?

Most companies have a policy that says every device should be secured. But policy and reality are different things. Our 2026 research found that 94% of companies set this as a goal — and 85% admit they haven't fully achieved it. That gap is where breaches happen, audits go sideways, and enterprise deals stall.

Key Takeaways

• 94% of companies believe every device should be secured. Only 15% think they've actually done it.
• 67% have found unsecured devices they didn't know about — often during an audit or after a breach.
• Security tools like Jamf, Intune, and CrowdStrike each answer a different question. None of them, on their own, tells you whether every device is covered.
• The risk isn't just unsecured devices — it's devices you don't know exist.
• Closing the gap requires unified, real-time visibility across your entire device fleet.

Security Is Now a Condition of Doing Business

For a long time, security was something companies invested in when they had budget for it, or when something went wrong. That dynamic has shifted. According to Zip's 2026 Security Survey of 301 companies, 75% now face specific security requirements from their customers — and 89% say those requirements are getting stricter year over year.

For founders, this shows up in sales. An enterprise prospect sends a security questionnaire, asks for documentation of your controls, or requires an audit before signing. For IT managers, it shows up in the audit itself — a customer or partner asking to verify that every device in your fleet meets their requirements.

In both cases, the question is the same: can you prove your devices are secured? Not assume. Not estimate. Prove.

Most companies find, when pressed, that they cannot. Not because they've ignored security — most haven't — but because visibility and coverage are harder to maintain than they look.

The Gap Between Policy and Reality

Nearly every organization we surveyed has a clear goal around device security. 94% said every company device should be secured. That's close to universal agreement on the objective.

But when we asked whether they'd achieved it, the picture changed. Only 15% of companies believed they had full coverage. The remaining 85% acknowledged gaps — meaning devices somewhere in their fleet that weren't fully secured, weren't fully visible, or both.

This is what we mean by the security visibility gap: the distance between what you intend your security program to cover and what it actually covers, in real time. It's not a failure of intent. It's a failure of verification.

The gaps tend to follow predictable patterns. Devices provisioned outside standard onboarding workflows. Contractors or short-term hires whose endpoints were never enrolled. Legacy devices that aged out of one system but weren't cleaned up. Devices enrolled in an MDM but missing CrowdStrike. The individual gaps are often small. Collectively, they add up to significant exposure.

To see how Zip gives you real-time visibility into every device, book a demo here.

How Most Companies Find Out About Unsecured Devices

The more revealing data point in our survey wasn't the existence of gaps — it was how organizations discovered them. 67% of companies found unsecured devices they thought were covered. That number alone tells you that most organizations are operating with incomplete information about their own security posture.

What's more concerning is when they found out. Routine maintenance and internal audits are the most common discovery path, which is a relatively good outcome. But 31% of companies discovered unsecured devices through an actual breach. Nearly one in three organizations learned about a coverage gap after something went wrong.

This is reactive security. The tools are in place. The intention is there. But without continuous, unified visibility, gaps exist invisibly until an external trigger forces them to the surface — whether that trigger is a customer audit, a failed questionnaire, or an incident.

It also creates a specific problem for companies with enterprise customers. Our data shows that companies with active customer security requirements are more likely to discover unsecured devices and experience breaches tied to them — not because they're less security-conscious, but because they operate in more complex environments, face more scrutiny, and are higher-value targets. The more security matters to your business, the more expensive the visibility gap becomes.

Read more: How Zip approaches compliance and device coverage

Why Your Existing Tools Don't Fully Close the Gap

Most companies dealing with a security visibility gap aren't ignoring their security stack. They have MDM tools. They have endpoint protection. They have identity platforms. The problem isn't a lack of investment — it's fragmentation.

Each tool answers a different question in isolation:

• Jamf and Intune (MDM) tell you which devices are enrolled and managed.
• CrowdStrike (EDR) tells you which devices have endpoint protection running.
• Entra ID and other identity providers tell you which users have access to which systems.

What no single tool answers, on its own, is: are all of my devices accounted for, and are all of them secured? A device can be enrolled in Jamf but missing CrowdStrike. A device can show as compliant in Intune but have a lapsed encryption key. An identity platform shows active users, but doesn't surface the unmanaged laptop that one of those users also accesses company data from.

Device management is essential to a strong security posture, but keeping Jamf (for Macs) and Intune (for Windows devices) in sync across a mixed fleet is harder than it sounds. The two platforms don't natively share a unified view. Zip connects them, surfaces discrepancies between what each tool reports, and gives you a single answer to the coverage question — instead of two partial answers you have to reconcile manually.

Read more: Zip's Device Management Solutions

The Bigger Risk: Devices You Don't Know Exist

Most security conversations focus on securing known devices. The harder problem is the devices that aren't in any system at all.

An employee uses a personal laptop to check work email. A contractor gets set up quickly and their device never goes through standard enrollment. A device gets replaced and the old one is decommissioned from MDM but stays connected to company systems. These devices aren't just unsecured — they're invisible.

This is how the security visibility gap compounds over time. Teams believe their coverage is complete because the devices they know about are secured. The devices they don't know about sit outside every tool's view. When an auditor or a breach investigation asks for a full device inventory, the gaps surface all at once.

The 2025 Jamf Security 360 Report found that "organizations consistently underestimate the number of unmanaged endpoints" accessing corporate systems. The average exceeds IT team expectations — and each unmanaged device represents a potential vulnerability vector.

What Real Device Coverage Looks Like

Closing the security visibility gap means moving from periodic verification to continuous verification. Instead of checking device compliance during an audit and hoping nothing has changed since the last review, your security posture should be visible and provable at any moment.

In practice, that requires three things working together: a complete device inventory that accounts for every endpoint accessing company resources; real-time validation that security controls are active on each of those devices; and a unified view that pulls from your MDM, EDR, and identity platforms without requiring someone to manually reconcile the outputs.

Zip is built to deliver exactly that. By connecting Jamf, Intune, CrowdStrike, and Entra ID into a single platform, Zip gives you a live view of your full device fleet and each device's security status. When a new device comes online, Zip flags it. When a control drops out of compliance, Zip surfaces it. When a customer sends an audit questionnaire asking for documentation of your device coverage, you can pull the answer without a fire drill.

For founders, that means fewer surprises in enterprise deals. For IT teams, it means fewer hours spent manually cross-referencing reports across tools that don't talk to each other.

Most companies don't have a visibility gap because they lack the right tools. They have it because those tools aren't connected. Book a demo with Zip to see how we close that gap — and keep it closed.