TL;DR: Only 14% of companies say they have the talent and resources they need to meet security goals in 2025, according to Imprivata, as teams absorb more cloud complexity, burnout, and response pressure while trying to scale protection. The real shift is toward automation, managed services, and IAM controls that reduce operational load without weakening access governance.
At a glance
What this is: This is an analysis of how the cybersecurity skills shortage is changing identity and access strategy, with automation, managed services, and passwordless access emerging as workload reducers.
Why it matters: It matters because identity programmes now have to lower operational burden as well as risk, across human IAM, machine access, and the growing automation layer around both.
By the numbers:
- Only 14% of companies report having the talent and resources they need to meet their security goals in 2025.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read Imprivata's analysis of automation, identity, and the cybersecurity skills gap
Context
The cybersecurity skills gap is becoming an identity governance problem, not just a hiring problem. When teams cannot staff routine access work, password resets, monitoring, and response at the needed pace, organisations start leaning on automation and managed services to keep access control and incident handling operating.
That shift matters across human identity, NHI, and agentic AI programmes because the control plane is increasingly doing work that used to be handled manually. The question is no longer whether teams can add more people, but whether identity processes can be simplified, delegated, and monitored without creating new privilege and accountability gaps.
Key questions
Q: How should security teams reduce identity workload without weakening access governance?
A: Prioritise repetitive work such as password resets, account provisioning, and routine access checks for automation, but keep approval, logging, and exception handling visible. The goal is not to remove people from the process entirely. It is to remove low-value manual steps while preserving clear ownership for high-risk identity decisions.
Q: When do managed security services help identity teams most?
A: Managed services help most when the internal team lacks 24x7 coverage but still retains policy authority and accountability. They are strongest for monitoring, triage, and operational support. They become risky when the outsourcing model blurs who owns privileged access changes, exception approval, or lifecycle offboarding.
Q: What do teams get wrong about passwordless authentication in IAM?
A: They often treat passwordless as a support shortcut rather than a governance change. Passwordless can reduce resets and friction, but it still depends on strong device assurance, recovery controls, and enrollment policy. Without those, the help-desk burden may shrink while the exception risk moves elsewhere.
Q: Who remains accountable when identity operations are outsourced?
A: The organisation remains accountable for policy, risk acceptance, and the design of high-risk access decisions even when a provider runs monitoring or administration. Outsourcing changes execution, not responsibility. Teams should document ownership for escalation, privileged changes, and audit evidence before delegating operational work.
Technical breakdown
Automation as a control multiplier for identity operations
Automation in identity programmes works by removing repetitive tasks from human queues and moving them into policy-driven workflows. In practice, that includes password resets, access fulfilment, account provisioning, and routine monitoring. The advantage is not just speed. It is consistency, because repeated manual handling is where delays, errors, and shadow exceptions accumulate. For overworked teams, this can lower help-desk pressure and keep controls from being skipped under load. The risk is that automation can mask poor governance if approvals, exception handling, and logging are not designed into the workflow.
Practical implication: automate repetitive identity tasks only where the workflow still preserves approval, logging, and escalation boundaries.
Managed services and shared responsibility in IAM
Managed services extend security operations capacity, but they also change where identity accountability sits. A partner can provide 24x7 monitoring, triage, or administration, yet the organisation still owns policy, risk acceptance, and entitlement design. That matters in IAM because the outsourced function often touches privileged access, account lifecycle events, and authentication exceptions. If ownership is unclear, teams can end up with faster execution but weaker governance. Managed services are most effective when the delegation model is explicit and the internal team retains decision authority over high-risk identity changes.
Practical implication: define which identity decisions stay internal, especially for privileged changes, exception handling, and lifecycle offboarding.
Passwordless authentication and help-desk load reduction
Passwordless authentication removes a common source of friction and support demand by replacing password-based login with stronger factors such as device-bound or cryptographic methods. For stretched teams, the value is operational as much as security-related, because password resets are among the most common service desk tasks. The important point is that passwordless does not eliminate identity governance. It changes the control surface. Organisations still need device trust, recovery paths, phishing-resistant enrollment, and policy consistency across users and endpoints. Done well, it reduces both user friction and operational noise.
Practical implication: pair passwordless rollout with recovery governance and device assurance so the support burden does not reappear elsewhere.
Threat narrative
Attacker objective: exploit stretched identity operations before teams can detect, approve, or contain risky access conditions.
- Entry occurs through operational overload, where understaffed teams rely on partial automation or deferred review to keep identity services moving.
- Escalation happens when unmanaged exceptions, slow approvals, or weak monitoring allow risky access states to persist longer than intended.
- Impact is measured in delayed response, higher burnout, and a larger window for misuse of identity and access pathways.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity skills shortages are really governance capacity shortages. When security teams cannot keep up with access requests, resets, reviews, and monitoring, the weak point is not only headcount. It is the programme’s ability to sustain control over identity decisions at operational speed. That is why the skills gap increasingly shows up as inconsistent enforcement, delayed triage, and incomplete lifecycle execution. Practitioners should treat this as a control design problem, not just a recruitment problem.
Managed services only reduce risk when decision authority stays clear. Outsourcing monitoring or administration can restore coverage, but it also creates a new dependency chain around identity actions. If policy ownership, exception handling, and privileged approval are blurred, organisations may scale execution while weakening accountability. The practical lesson is that service augmentation works when the internal team still defines who can change what, when, and under which evidence requirements.
Automation is now part of the identity control plane, not an add-on. Password resets, account provisioning, and access validation are no longer isolated service tasks when every team is stretched. They become the mechanism that keeps the wider security model functioning under load. That means automation has to be governed like any other access path, with logging, fallback rules, and failure-state visibility. Practitioners should assess automation as part of IAM architecture, not as a productivity tool.
Passwordless adoption changes the burden, but not the governance requirement. Replacing passwords can remove a major support pain point, yet it also shifts risk into enrollment, device assurance, and recovery flows. For identity teams, this is a trade-off worth making only if the surrounding lifecycle controls are mature. The field should stop treating passwordless as a point solution and start treating it as a governance pattern across authentication, recovery, and exception management.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Another 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- That shift is why the Ultimate Guide to NHIs matters for teams trying to govern both human and machine access under one lifecycle model.
What this signals
With only 14% of companies saying they have the talent and resources they need to meet security goals, identity teams should expect automation demand to rise faster than internal staffing. That makes workflow design, policy clarity, and operational delegation the real pressure points, not just the size of the team.
Access-workload compression: when resets, approvals, and monitoring outpace staffing, the identity programme itself becomes the bottleneck. Organisations should watch for delayed reviews, inconsistent exception handling, and support queues that indicate governance is being absorbed by operations rather than enforced by policy.
Security leaders should also prepare for AI-enabled automation to be judged on control quality, not only efficiency. As more organisations push identity tasks into automated or managed layers, the question becomes whether the programme can still prove who approved what, when access changed, and how recovery paths are controlled.
For practitioners
- Automate repetitive identity tasks first: Target password resets, access fulfilment, and routine account maintenance before expanding into higher-risk workflows. Keep human approval for privileged changes and exception handling.
- Define clear ownership for managed services: Write down which access decisions, escalation paths, and audit findings remain owned by the internal team even when a provider handles monitoring or administration.
- Use passwordless to reduce service desk load: Roll out phishing-resistant authentication where device assurance and recovery processes are already stable, then track whether reset volume and login friction actually decline.
- Treat automation as governed identity infrastructure: Require logging, exception capture, and rollback paths for every automated identity workflow so failures do not become silent control gaps.
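The automation passage in the technical breakdown and the practitioner checklist above describe the same control pattern: automate low-risk fulfilment, hold privileged decisions for a named human, log every outcome, capture exceptions, and keep a rollback path. The following is an added example written for this page, not code from Imprivata or NHIMG, that sketches such a workflow in Python. The role names, request records, the four-eyes rule, and the stale-approval check are all constructed assumptions; the `provision` hook stands in for whatever directory or IdP call a real deployment would make.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed for this example: roles whose grants always need a named human approver.
PRIVILEGED_ROLES = {"domain-admin", "prod-db-owner", "keyvault-contributor"}


@dataclass
class AccessRequest:
    request_id: str
    subject: str                 # identity requesting access (human or service account)
    role: str
    justification: str
    submitted_at: float = field(default_factory=time.time)


@dataclass
class AuditEvent:
    request_id: str
    outcome: str                 # auto-granted | pending-approval | granted | denied | rolled-back | error
    actor: str                   # who decided: a named approver, or "workflow" for automation
    detail: str
    at: float = field(default_factory=time.time)


class IdentityWorkflow:
    """Hypothetical fulfilment workflow: low-risk roles are granted automatically,
    privileged roles wait for a human, and every path is logged and reversible."""

    def __init__(self, provision: Optional[Callable[[str, str], None]] = None):
        self.entitlements: dict[str, set[str]] = {}
        self.pending: dict[str, AccessRequest] = {}
        self.granted: dict[str, tuple[str, str]] = {}   # request_id -> (subject, role)
        self.audit_log: list[AuditEvent] = []
        self.exceptions: list[AuditEvent] = []          # denied/error events, for review queues
        # Hook for the real directory or IdP call; the default only updates the in-memory map.
        self._provision = provision or (lambda subject, role: None)

    def _log(self, request_id: str, outcome: str, actor: str, detail: str = "") -> AuditEvent:
        event = AuditEvent(request_id, outcome, actor, detail)
        self.audit_log.append(event)
        if outcome in ("denied", "error"):
            self.exceptions.append(event)               # exceptions are captured, never dropped
        return event

    def _grant(self, req: AccessRequest, actor: str, outcome: str) -> AuditEvent:
        try:
            self._provision(req.subject, req.role)
        except Exception as exc:                        # failure-state visibility instead of a silent gap
            return self._log(req.request_id, "error", actor, f"provisioning failed: {exc}")
        self.entitlements.setdefault(req.subject, set()).add(req.role)
        self.granted[req.request_id] = (req.subject, req.role)
        return self._log(req.request_id, outcome, actor, f"{req.subject} -> {req.role}")

    def submit(self, req: AccessRequest) -> AuditEvent:
        if not req.justification.strip():
            return self._log(req.request_id, "denied", "workflow", "missing justification")
        if req.role in PRIVILEGED_ROLES:                # high-risk decisions stay with a person
            self.pending[req.request_id] = req
            return self._log(req.request_id, "pending-approval", "workflow",
                             f"{req.role} held for human approval")
        return self._grant(req, "workflow", "auto-granted")

    def approve(self, request_id: str, approver: str) -> AuditEvent:
        req = self.pending.get(request_id)
        if req is None:
            return self._log(request_id, "denied", approver, "no such pending request")
        if approver == req.subject:                     # four-eyes rule on privileged grants
            return self._log(request_id, "denied", approver, "self-approval is not allowed")
        del self.pending[request_id]
        return self._grant(req, approver, "granted")

    def rollback(self, request_id: str, actor: str, reason: str) -> AuditEvent:
        if request_id not in self.granted:
            return self._log(request_id, "denied", actor, "nothing to roll back")
        subject, role = self.granted.pop(request_id)
        self.entitlements[subject].discard(role)
        return self._log(request_id, "rolled-back", actor, reason)

    def stale_pending(self, max_age_seconds: float, now: Optional[float] = None) -> list[str]:
        """Requests waiting longer than max_age: the 'delayed review' signal worth watching."""
        now = time.time() if now is None else now
        return [rid for rid, r in self.pending.items() if now - r.submitted_at > max_age_seconds]


if __name__ == "__main__":
    wf = IdentityWorkflow()
    wf.submit(AccessRequest("r1", "alice", "wiki-editor", "onboarding"))
    wf.submit(AccessRequest("r2", "bob", "domain-admin", "incident response"))
    wf.approve("r2", "carol")
    wf.rollback("r2", "carol", "incident closed")
    for ev in wf.audit_log:
        print(f"{ev.request_id} {ev.outcome:<17} by {ev.actor:<8} {ev.detail}")
```

The design choice worth noting is that every branch, including failures, returns an `AuditEvent` and lands in `audit_log`; denials and provisioning errors are additionally copied to `exceptions` so a stretched team has a single queue to review rather than a silent gap. `stale_pending` gives the workflow the "delayed review" metric the article suggests watching, so automation can report when approvals are outpacing staffing rather than quietly letting requests age.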
Key takeaways
- The cybersecurity skills gap is now an identity governance problem because understaffed teams cannot reliably sustain access control, review, and monitoring at scale.
- Automation and managed services reduce operational strain, but they only improve security when ownership, approvals, and exception handling remain explicit.
- Passwordless and workflow automation can buy back time, but they must be deployed as governed identity patterns rather than support shortcuts.
Key terms
- Identity governance capacity: The amount of operational control an organisation can sustain across access decisions, reviews, and exceptions. It is not just staffing. It is the combination of process discipline, tooling, and accountability needed to keep identity controls consistent under pressure.
- Managed security services: An outsourced operational model where a third party performs defined security functions such as monitoring or triage. In identity programmes, the model can expand coverage, but governance still stays with the organisation that owns policy, privileged access, and risk acceptance.
- Passwordless authentication: A way of signing in without entering a password, usually using cryptographic or device-bound methods. It can reduce reset volume and phishing exposure, but it only improves security when enrollment, recovery, and device trust are governed as part of the identity programme.
- Automated identity workflow: A policy-driven process that performs routine identity tasks with minimal manual intervention, such as provisioning, deprovisioning, or access resets. These workflows reduce load only when logging, exception handling, and rollback are built into the control design.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, and machine identity security. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.
This post draws on content published by Imprivata: Rethinking the Cybersecurity Skills Gap with Automation, Identity, and Managed Services. Read the original.
Published by the NHIMG editorial team on 2025-12-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org