Gap analysis is the process of comparing what security or compliance controls are required with what is actually in place. The goal is to identify missing safeguards, weak configurations, and process failures before they become incidents. In cybersecurity, it is often used to assess identity controls, logging, patching, access restrictions, incident response, and data protection against a standard such as an internal policy, framework, or regulation.
It matters because attackers usually exploit the gaps between policy and practice: an unpatched system, excessive privileges, missing audit logs, or a control that exists on paper but not in operation. Defenders use gap analysis to prioritize remediation, validate hardening plans, and measure whether automated systems are safe to trust. In agentic or automated workflows, it can also show where human approval, better logging, or tighter tool access is needed so the system remains traceable and defensible.
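The comparison described above, as an added example that is not part of the original page: it checks a baseline of required controls against observed state and separates controls that are missing, configured below the baseline, or configured but showing no recent evidence of operation. The control ids, settings, severities and the 30-day evidence window are constructed assumptions, not taken from any framework.

```python
from dataclasses import dataclass

# Constructed baseline: control id -> (required settings, severity 1-5).
# Ids and values are illustrative assumptions.
REQUIRED = {
    "IAM-01": ({"mfa": True}, 5),
    "LOG-01": ({"audit_log": True, "retention_days": 90}, 4),
    "PAT-01": ({"max_patch_age_days": 30}, 4),
    "IR-01": ({"runbook": True}, 3),
}
# Constructed observations: actual configuration plus the age of the last
# evidence that the control ran (None = no evidence collected).
OBSERVED = {
    "IAM-01": {"config": {"mfa": True}, "last_evidence_days": 2},
    "LOG-01": {"config": {"audit_log": True, "retention_days": 30}, "last_evidence_days": 1},
    "PAT-01": {"config": {"max_patch_age_days": 30}, "last_evidence_days": None},
}

@dataclass
class Gap:
    control: str
    kind: str      # "missing", "weak" or "not_operating"
    detail: str
    severity: int

def meets(key, required, actual):
    """True if the observed value satisfies the required one."""
    if actual is None:
        return False
    if isinstance(required, bool):      # check bool first: bool is an int subclass
        return actual is required
    if key.startswith("max_"):          # upper bound, e.g. max patch age
        return actual <= required
    return actual >= required           # lower bound, e.g. log retention

def analyze(required, observed, evidence_max_age_days=30):
    """Return gaps ordered by severity (highest first), then control id."""
    gaps = []
    for cid, (settings, sev) in required.items():
        obs = observed.get(cid)
        if obs is None:                 # required, but nothing in place
            gaps.append(Gap(cid, "missing", "no control in place", sev))
            continue
        weak = sorted(k for k, v in settings.items() if not meets(k, v, obs["config"].get(k)))
        age = obs.get("last_evidence_days")
        if weak:                        # in place, but below the baseline
            gaps.append(Gap(cid, "weak", "below baseline: " + ", ".join(weak), sev))
        elif age is None or age > evidence_max_age_days:   # on paper only
            gaps.append(Gap(cid, "not_operating", "configured, no recent evidence", sev))
    return sorted(gaps, key=lambda g: (-g.severity, g.control))
```

Calling `analyze(REQUIRED, OBSERVED)` returns the remediation list in priority order; a control that fully meets the baseline and has recent evidence produces no entry.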



