Ask any CMO what powers their first-party data strategy and you will hear about clean rooms, identity graphs, and lookalike modelling. Ask where the consent record lives and the answer gets quieter. Usually it lives in a CMP vendor's database, refreshed on a cron job, reconciled against activation logs the morning after the campaign ran.
The IAB this week put a number on the gap. Its new report on first-party data maturity argues that most brand strategies are running on consent foundations that cannot survive an audit, and that everything downstream (activation, measurement, and attribution) is compromised as a result. The framing matters. The IAB is not saying brands lack consent. It is saying brands lack enforceable consent at the point of decision.
The Audit Gap Nobody Costs In
Here is what the gap looks like in practice. A retailer collects opt-ins through a loyalty programme. Those opt-ins feed an audience platform. The audience platform syncs to a DSP. The DSP bids on impressions across CTV, display, and retail media inventory. Somewhere between the loyalty checkbox and the winning bid, the consent state becomes a snapshot rather than a live signal. If a shopper withdraws consent on Tuesday, the audience refresh on Friday catches it. The three days in between are a liability.
Multiply that across every channel a modern brand activates on, and the picture the IAB describes becomes obvious. Consent records and activation records drift. Reconciliation happens after the fact, if at all. When a regulator asks what was served to whom and on what legal basis, the answer is a stitched-together report from four systems that were never designed to agree with each other.
This is the hole. It is not a CMP problem. It is an architecture problem.
Compliance Theatre Versus Core Infrastructure
The brands treating CMPs as a banner on the homepage are running compliance theatre. The brands winning in 2026 will treat consent as core infrastructure, on the same tier as identity resolution and bid logic. That shift is structural, not cosmetic. It changes who owns the consent layer, where it sits in the stack, and what happens when it disagrees with the activation system.
Most stacks today fail this test. A CMP modal collects consent on a website. An analytics tool reads a cookie. An audience platform ingests a CRM list. None of them are the runtime authority on whether a specific impression is legal to deliver. They are reporters, not gatekeepers.
The IAB report is a polite warning that this design will not hold. Regulators are moving from documentation reviews to live audits, and the South African POPIA enforcement posture has hardened in line with European precedent. The brands that built consent as a downstream reconciliation exercise will discover, mid-audit, that their first-party data asset is also their largest exposure.
Why Xanite Was Built Differently
Xanite was built for exactly the world the IAB just described. Its consent layer is not a CMP modal bolted in front of analytics. It is an enforced gate inside every ad decision. Before any addressable ad serves on a retailer's storefront, an in-store screen, a WhatsApp slot, or a call-centre script, the decisioning engine checks a live consent cache fed in real time by the platform's consent service. No consent, no impression. Audit-logged, refusal-by-default.
That one design choice is what makes the network POPIA-native rather than POPIA-retrofitted. Retailers and brands using Xanite do not reconcile CMP records against last-click reports the morning after. Their consent state is the runtime decision point that determines whether an impression was even legal to deliver in the first place.
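The gate described above, sketched as an added example: this is not Xanite's code, and the class, the reason strings and the 60-second feed tolerance are assumptions. It replays the Tuesday-withdrawal case from earlier against a Monday audience snapshot and against a refusal-by-default gate that logs every decision, including the case where the consent feed itself goes quiet.

```python
from datetime import datetime, timedelta

MAX_FEED_LAG = timedelta(seconds=60)  # assumed tolerance, not a figure from the article

class ConsentGate:
    """Hypothetical runtime gate: deny unless live consent is positively known."""
    def __init__(self):
        self.state = {}        # shopper_id -> bool, latest consent state
        self.last_feed = None  # time of last event or heartbeat from the consent service
        self.audit = []        # append-only record of every decision

    def on_event(self, at, shopper_id=None, granted=None):
        """Apply a consent event; with no shopper_id it acts as a feed heartbeat."""
        self.last_feed = at
        if shopper_id is not None:
            self.state[shopper_id] = granted

    def decide(self, shopper_id, now):
        """Return True only when serving is permitted; log the outcome either way."""
        if self.last_feed is None or now - self.last_feed > MAX_FEED_LAG:
            allowed, reason = False, "consent_feed_stale"  # cannot prove freshness
        elif shopper_id not in self.state:
            allowed, reason = False, "no_consent_record"   # refusal by default
        elif not self.state[shopper_id]:
            allowed, reason = False, "consent_withdrawn"
        else:
            allowed, reason = True, "consent_granted"
        self.audit.append((now.isoformat(), shopper_id, allowed, reason))
        return allowed

def replay():
    """Constructed timeline: opt-in Monday, withdrawal Tuesday, impression Wednesday."""
    mon = datetime(2026, 1, 5, 9, 0)
    tue, wed = mon + timedelta(days=1), mon + timedelta(days=2)
    gate = ConsentGate()
    gate.on_event(mon, "shopper-1", True)
    snapshot = {"shopper-1"}                # audience export taken Monday, refreshed Friday
    gate.on_event(tue, "shopper-1", False)  # shopper withdraws consent
    gate.on_event(wed)                      # heartbeat: feed is alive on Wednesday
    results = {
        "snapshot_serves": "shopper-1" in snapshot,
        "gate_serves": gate.decide("shopper-1", wed),
        "unknown_serves": gate.decide("shopper-2", wed),
        "stale_feed_serves": gate.decide("shopper-1", wed + timedelta(minutes=5)),
    }
    return results, gate.audit

if __name__ == "__main__":
    print(replay())
```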
First-party data, identity resolution, consent enforcement, and ad decisioning all run on the same canonical shopper graph. When the regulator or the brand's audit team asks, what the platform reports matches what actually happened, impression by impression. That is what core infrastructure looks like in practice.
The takeaway for any brand reading the IAB report this week is narrow and concrete. Audit your stack against one question. Is your consent record the runtime authority on every impression you serve, or is it a reconciliation report you read the morning after? If it is the second, you do not have a first-party data strategy. You have a liability with a dashboard.
See how Xanite handles this at xanite.ai.