Every system begins in order — but order isn’t accidental.
It’s defined.
It’s called the baseline.
The baseline is the known-good state:
versions align, permissions hold, dependencies are verified, and controls are intact.
It isn’t perfection — it’s reference.
It shows what “right” looks like.
With time, all systems drift.
Configs shift, modules change, dependencies age, controls weaken.
That drift isn’t failure — it’s nature.
Security isn’t about stopping drift.
It’s about measuring it.
Audit exists to see how far reality has moved from the baseline — to put numbers on movement instead of fear on change.
Once you can see the drift, you can restore the order.
See how this fits into our methodology: Order, Signals, and Audit. Or review the controls that keep drift in check: 12 controls, 81 rules.