NAC is mainly pushed as a risk-mitigation technology that can reduce the likelihood that an endpoint is infected or carrying out unauthorized activity, but its features have been pressed into other duties.

Because of its ability to tightly control access to network resources and to report on endpoint posture and what endpoints are up to, these platforms can be valuable in regulatory compliance.

Depending on the vendor, peripheral NAC reporting tools can generate reports on each endpoint and how well it complies with NAC policies, what each user does while connected to the network, correlate the first two reports, point out those endpoints that fail policy testing and tell the reason they failed.

When all of this can be done automatically, it can simplify preparation businesses have to go through when facing security audits by regulators. Rather than run around trying to compile relevant log data, IT executives can produce predefined reports. These reports generated more frequently for internal corporate use can help tighten up security of data and network use that regulations are created to ensure, which after all is the point of the regulations in the first place.

NAC isn’t perfect. Machines that pass policy tests might be infected anyway. Rogue devices might fly under the radar and compromise data. But NAC is an effective way to reduce threats and record what user devices accessed the network, what activity they engaged in and when they did it – all valuable functions.

Different NAC vendors’ gear perform these functions and format this data differently, some better, some worse. If customers are considering NAC as one of their compliance tools, the logging and reporting features of the products they are considering should be considered separately to make sure they meet whatever auditing chores they will be called up on to perform.

Tim Greene is senior editor at Network World.