Organizations have invested heavily in consent management. Consent Management Platforms (CMPs) are standard infrastructure for privacy programs, and for good reason. Regulations like GDPR, CCPA/CPRA, LGPD, PDPA, and HIPAA require organizations to obtain, record, and honor user consent before collecting or processing personal data. CMPs provide the framework to do that. Most organizations have done the right thing; they just don't know whether they have done the right thing right.
And yet the fines keep coming.
The California Privacy Protection Agency has issued enforcement actions under the CPRA against companies with established consent programs in place. These are not organizations that ignored privacy compliance. They had invested in the tools, built the programs, and implemented the policies. They were still fined.
The reason comes down to a single, consequential distinction: deploying a CMP configures rules. It does not verify that those rules work at runtime, across every page, in every consent state, after every release. Most consent programs fail not in the configuration, but in the gaps between configuration and actual enforcement.
Bridging that gap is the core challenge of a mature compliance and privacy program. Today, Feroot is introducing AI-powered consent audit as a core capability of DXComply, the first solution to deliver automated, continuous consent audit across both websites and mobile applications.
Where Consent Programs Actually Break Down
At IAPP 2026, my talk explores where consent programs most commonly fail. The answer is almost always one of three gaps.
- Gap 1: Policy to implementation. Consent rules are defined in the CMP but never validated at runtime. Banner logic, geo-targeting, and opt-out flows are assumed to work, not verified. The policy says one thing. What fires on the page may say something entirely different.
- Gap 2: Banner choice to runtime outcome. A user declines tracking. But what actually fires afterward? Without runtime verification across all consent states, organizations do not know which vendors load after a user makes a decision, and neither does the CMP. The CMP records the choice. It does not audit what happens downstream.
- Gap 3: Point-in-time to continuous. Website releases, script and tag manager updates, and new vendor tags can silently break consent controls overnight. A quarterly audit captures one day of proof out of 90. A yearly audit captures one day out of 365. Every other day is unverified, and every deployment is a potential regression that goes undetected until the next manual review.
What CMPs Are Designed to Do and What They Cannot Do
CMPs are an essential foundation for any privacy compliance program. They display consent notices, record user choices, manage cookie preference categories, and provide opt-out mechanisms. That infrastructure is necessary and should stay in place.
But there is a clear boundary to what CMPs were built to do. A CMP cannot control whether all tracking pixels are actually firing in accordance with consent decisions. It cannot prove whether pixels fire before consent is given. It cannot see data being sent by third-party scripts to external servers. And it cannot inspect pixels embedded deep inside iFrames or tag managers it does not own.
Three failure patterns show up in practice with striking regularity. The first is pre-consent fire: a pixel fires on page load before the user has interacted with a banner at all. This is the most common violation pattern, and it occurs even with GTM-based CMP integrations. The second is tag manager drift: a marketer adds a new pixel to Google Tag Manager without updating the CMP category rules. The CMP has no knowledge of the new tag, and the pixel fires unchecked. The third is the iFrame blind spot: third-party forms, chat widgets, or embedded content run in iFrames the CMP cannot inspect or block.
None of these failures is visible inside the CMP. All of them are material to regulators.
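As an added example (not Feroot's or DXComply's code), the script below shows how the three patterns above, and the Gap 2 question of what fires after a choice, can be detected offline from a per-consent-state capture of network requests, such as one exported from a browser automation run. The hostnames, the CMP category table, the allowed-categories policy, the timings and the capture format are all assumptions constructed for this example.

```javascript
// Added example: classify captured third-party requests into pre-consent fire,
// wrong-state fire and uncategorized tag (tag manager drift), per consent state.
// All hosts, categories, timings and the capture shape are constructed/assumed.

// CMP category mapping as the privacy team believes it is configured.
// A host not listed here is a tag the CMP has no rule for (tag manager drift).
const CMP_CATEGORIES = {
  'cmp.example-cmp.test': 'necessary',
  'analytics.vendor-a.test': 'analytics',
  'pixel.vendor-b.test': 'marketing',
  'chat.widget.test': 'marketing',
};

// Assumed policy: only strictly necessary vendors may load before a choice
// is made or after a decline; everything in the table may load after accept.
const ALLOWED_BY_STATE = {
  no_action: new Set(['necessary']),
  decline: new Set(['necessary']),
  accept: new Set(['necessary', 'analytics', 'marketing']),
};

const FIRST_PARTY = 'www.example-shop.test'; // assumed first-party host

// Look a request host up in the CMP table, including vendor subdomains.
function categoryFor(host) {
  for (const [vendorHost, category] of Object.entries(CMP_CATEGORIES)) {
    if (host === vendorHost || host.endsWith('.' + vendorHost)) return category;
  }
  return null;
}

// capture = { state, consentAt, requests: [{ url, t, frame }] }
//   state:     'no_action' | 'decline' | 'accept' (the banner choice made in this run)
//   consentAt: ms after page load when the choice was made, or null if none
//   requests:  every request seen by the browser's network layer, top frame
//              and child frames alike (frame: 'top' or the child frame origin)
function auditCapture(capture) {
  const findings = [];
  for (const req of capture.requests) {
    const host = new URL(req.url).hostname;
    if (host === FIRST_PARTY) continue; // first-party traffic is out of scope here
    const category = categoryFor(host);
    const inIframe = req.frame !== 'top';
    const base = { state: capture.state, host, url: req.url, t: req.t, inIframe, category };

    if (category === null) {
      // The CMP cannot gate a tag it does not know about, in any state.
      findings.push({ ...base, kind: 'uncategorized_tag' });
      continue;
    }
    // Before the user has chosen, the effective state is always no_action,
    // even in the run where the user eventually clicks Accept.
    const beforeChoice = capture.consentAt === null || req.t < capture.consentAt;
    const effectiveState = beforeChoice ? 'no_action' : capture.state;
    if (ALLOWED_BY_STATE[effectiveState].has(category)) continue;
    findings.push({ ...base, kind: beforeChoice ? 'pre_consent_fire' : 'wrong_state_fire' });
  }
  return findings;
}

// Count findings by kind across all consent-state runs of one page.
function summarize(captures) {
  const counts = { pre_consent_fire: 0, wrong_state_fire: 0, uncategorized_tag: 0, iframe_findings: 0 };
  for (const capture of captures) {
    for (const f of auditCapture(capture)) {
      counts[f.kind] += 1;
      if (f.inIframe) counts.iframe_findings += 1;
    }
  }
  return counts;
}

// Constructed sample: the same page loaded three times, once per consent state.
const SAMPLE_CAPTURES = [
  { state: 'no_action', consentAt: null, requests: [
    { url: 'https://www.example-shop.test/app.js', t: 100, frame: 'top' },
    { url: 'https://cmp.example-cmp.test/banner.js', t: 150, frame: 'top' },
    { url: 'https://analytics.vendor-a.test/collect?v=1', t: 420, frame: 'top' }, // fires before any choice
  ] },
  { state: 'decline', consentAt: 1500, requests: [
    { url: 'https://pixel.vendor-b.test/tr?id=1', t: 900, frame: 'top' },          // before the click
    { url: 'https://pixel.vendor-b.test/tr?id=1', t: 2200, frame: 'top' },         // after decline
    { url: 'https://pixel.newvendor.test/p.gif', t: 2300, frame: 'top' },          // not in CMP table
    { url: 'https://chat.widget.test/track', t: 2400, frame: 'https://chat.widget.test' }, // from an iframe
  ] },
  { state: 'accept', consentAt: 1500, requests: [
    { url: 'https://pixel.vendor-b.test/tr?id=1', t: 2200, frame: 'top' },         // permitted after accept
    { url: 'https://analytics.vendor-a.test/collect?v=1', t: 800, frame: 'top' },  // still pre-consent
  ] },
];

console.log(JSON.stringify(summarize(SAMPLE_CAPTURES)));
```

Two details matter in practice. The `frame` field only exists because the capture is taken at the browser's network layer; a capture that records only top-frame script tags reproduces the CMP's own iFrame blind spot. And a request is flagged as pre-consent whenever it precedes the choice, including in the Accept run, because at that moment no consent existed yet.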
The Scale Problem That Requires AI
Even if an organization wanted to verify consent enforcement manually, the scope makes it impossible. The full audit matrix for a modern digital organization looks like this:
Pages × Properties × Geographies × Languages × Consent States × Vendor Behaviors
Every page type across every property. Every geography with its own consent rules. Every language variant of a banner. Every consent state (Accept, Decline, No Action) tested independently for each rule set. Every vendor behavior verified in each state. Across both websites and mobile applications.
Manual scripting cannot cover this matrix. Sampling creates blind spots. Point-in-time audits miss regressions after every release. Tag changes and deployments break consent constantly.
Every change is a risk. Every day is unverified.
The only defensible approach is automated testing that runs continuously. This is where AI changes what is possible.
Consent Audit Is Not Consent Management, It’s Verification That Consent Management Works
The most important reframing for privacy teams is this. Consent audit is not a replacement for a CMP. It is the operational layer that makes a CMP investment work as intended.
A closed-loop consent and preference program verifies the full chain, not just that the banner appeared. That chain runs from policy definition to user experience validation, consent signal verification, and evidence capture with remediation. Most programs fail between these steps, not within them. This is where compliance gaps hide.
Organizations that treat consent audit as an operational program, rather than an annual exercise, also change how they measure success. Binary checks like “our CMP is configured correctly” are not enough.
Instead, the metrics that matter are operational:
- Drift Rate: how many pages have changed consent behavior since the last test
- Violation Density: how many vendor fires occur in the wrong consent state per 100 pages
- Time to Remediate: how long it takes to identify, investigate, and fix a consent violation
- Evidence Coverage: the percentage of pages, apps, and user journeys continuously validated and backed by audit evidence
- Program Trend over time: how consent performance improves or degrades across releases, environments, and time
These are the metrics that show, in measurable terms, that a consent program is actually working.
Introducing DXComply AI-Powered Consent Audit
DXComply executes automated consent audit across an organization’s entire digital footprint, including websites and mobile applications, without manual intervention. This makes Feroot the first to deliver consent audit across the complete digital experience layer, spanning both web and mobile.
Every script, pixel, and SDK is continuously discovered across pages and app screens. Consent banners and app privacy controls are validated at runtime to ensure they function as intended. Downstream scripts, pixels, and tags are verified against user consent in every consent state. Pre-consent execution and tag manager drift are detected as they occur, not after the fact. An always-on audit trail captures historical proof of compliance for any point in time.
The platform works alongside existing CMP deployments, including OneTrust, Cookiebot, and TrustArc, extending the value of those investments through continuous verification of enforcement. When consent configurations fail on a page or within a mobile screen, the issue is identified so it can be corrected. This directly improves opt-in rates, data quality, and the return on existing consent infrastructure.
Support extends across more than 50 global privacy regulations and frameworks, including GDPR, CCPA and CPRA, LGPD, PDPA, POPIA, PIPEDA, and HIPAA, with compliance status updated daily across every applicable jurisdiction.
The Regulatory Environment Is Not Getting Simpler
The CPRA enforcement actions against organizations with established consent programs are a signal, not an anomaly. Regulators across jurisdictions are moving from framework adoption to active enforcement, and expectations are shifting from “do you have a consent program” to “can you prove it is working continuously and comprehensively across your entire digital footprint.”
Organizations that can demonstrate documented, ongoing enforcement of consent and preference policies across every website and mobile application they operate are far better positioned for that scrutiny than those relying on annual assessments and manual reviews.
The gap between CMP configuration and compliant outcomes is real, measurable, and now material to regulators. AI-powered consent audit is how organizations close that gap, not once a year, but every day.
DXComply with AI-powered consent audit is available now. To learn more or request a demo, visit www.feroot.com.
About Ivan Tsarynny
Ivan Tsarynny is the CEO and co-founder of Feroot Security Inc. He presented on consent audit and AI-powered compliance at IAPP 2026 and has testified before the U.S. Congress on digital privacy risks. He has been cited by ABC, CNBC, Bloomberg, the Wall Street Journal, the Associated Press, Forbes, and the New York Times. Feroot's platform has scanned more than 1 billion web pages across some of the world's most recognized digital brands.