The Device Security Gap: What Companies Don’t Know Is Hurting Them
Executive Summary
Most organizations believe their device fleet is under control. They run an MDM solution, they have a patching policy, and they report compliance to their board. But when we look at what actually connects to corporate systems, a different picture emerges. An analysis of 13,000+ devices across 67 organizations reveals that the majority of corporate endpoints are invisible to IT, and the ones they can see are dangerously out of date.
The Invisible Fleet
Nearly two thirds of the devices accessing corporate systems are either unknown to IT or ignored. We examined 29 organizations that had at least one managed device in their fleet. Together, these organizations had 7,447 devices connecting to corporate resources. Of those, only 2,701 (36%) were managed. The remaining 4,746 (64%) were previously unknown: discovered by XFA but invisible to the organization’s existing tooling. For every managed device, 1.8 additional unknown devices were found accessing corporate systems. Among the worst 5% of organizations, unknown devices accounted for over 97% of the fleet.
OS Outdatedness and Fat Tails
The devices organizations do manage run operating systems that are, on average, 146 days out of date, and the median organization runs 84 days behind. The distribution is heavily right-skewed, however: the P95 organization is 425 days behind, five times the median, and a multiplier of that size is the hallmark of a fat tail.
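The two measurements above (the managed-versus-unknown split and the median/P95 outdatedness of managed devices) can be reproduced against your own data by joining the device identifiers in identity-provider sign-in logs against the MDM inventory export. The script below is an added example and is not XFA's code; the device identifiers, OS build dates and "latest release" date are constructed, and the nearest-rank percentile is an assumption about method.

```python
import math
from datetime import date
from statistics import median

# Constructed sample (not from the report): device identifier seen in sign-in
# logs -> OS build date the device reported. Managed IDs are a constructed
# MDM inventory export. Real inputs would be exported from your IdP and MDM.
AUTH_LOG_DEVICES = {
    "dev-001": date(2024, 5, 22),   # managed, 10 days behind
    "dev-002": date(2024, 3, 3),    # managed, 90 days behind
    "dev-003": date(2023, 4, 3),    # managed, 425 days behind
    "dev-004": date(2024, 2, 1),    # unknown to MDM
    "dev-005": date(2023, 9, 15),   # unknown to MDM
    "dev-006": date(2024, 4, 30),   # unknown to MDM
    "dev-007": date(2022, 12, 1),   # unknown to MDM
    "dev-008": date(2024, 5, 1),    # unknown to MDM
}
MDM_INVENTORY = {"dev-001", "dev-002", "dev-003"}
LATEST_OS_RELEASE = date(2024, 6, 1)  # constructed "current" release date


def fleet_visibility(auth_devices, managed_ids):
    """Split every device that authenticated into managed vs unknown."""
    seen = set(auth_devices)
    managed = seen & managed_ids
    unknown = seen - managed_ids
    per_managed = len(unknown) / len(managed) if managed else math.inf
    return {"total": len(seen), "managed": len(managed),
            "unknown": len(unknown), "unknown_per_managed": round(per_managed, 1)}


def outdatedness_days(auth_devices, managed_ids, latest):
    """Days behind the latest OS release, scored only for managed devices."""
    return sorted((latest - build).days
                  for dev_id, build in auth_devices.items() if dev_id in managed_ids)


def percentile(sorted_vals, p):
    """Nearest-rank percentile (assumed method), p in [0, 100]."""
    rank = max(0, math.ceil(p / 100 * len(sorted_vals)) - 1)
    return sorted_vals[rank]


def fat_tail_multiplier(days):
    """P95 divided by median; values well above 1 indicate a fat tail."""
    return percentile(days, 95) / median(days)


if __name__ == "__main__":
    print(fleet_visibility(AUTH_LOG_DEVICES, MDM_INVENTORY))
    lag = outdatedness_days(AUTH_LOG_DEVICES, MDM_INVENTORY, LATEST_OS_RELEASE)
    print("median:", median(lag), "p95:", percentile(lag, 95),
          "multiplier:", round(fat_tail_multiplier(lag), 2))
```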
Platform Breakdown
Not all platforms are equally affected:
- Android: Devices run an average of 464 days behind the latest OS version.
- macOS: The second-most outdated platform, at an average of 274 days.
- Windows: Despite being the largest platform by device count, it sits at an average of 135 days.
- iOS: Performs best, with a median of just 15 days.
Closing the Gap
The biggest risk in device security is not the devices you manage poorly, but the devices you do not know about at all. Closing this gap requires a fundamentally different approach than traditional MDM. XFA automatically discovers every device that authenticates to your business applications. It verifies security and helps users fix issues without taking ownership or control of the device. Finally, it enforces access policies: devices that do not meet your security requirements are blocked from accessing business applications until the issue is resolved.