By NHI Mgmt Group Editorial Team | Published 2025-12-05 | Domain: Governance & Risk | Source: Imprivata

TL;DR: Security teams are operating with a widening capacity gap, and Imprivata cites recent research showing that only 14% of companies say they have the talent and resources needed to meet their security goals. The practical answer is not simply more headcount, but tighter use of managed services, identity automation, and passwordless access to reduce toil and protect overstretched teams.


At a glance

What this is: This analysis argues that the cybersecurity skills gap is forcing organisations to combine managed services, IAM automation, and passwordless access to sustain security operations.

Why it matters: IAM, NHI, and human identity teams all inherit the same constraint, in which fewer people must govern more access, more systems, and faster response cycles.



Context

The cybersecurity skills gap is no longer just a hiring problem. It is now an identity governance problem, because fewer operators must secure more privileged access paths, more service accounts, and more user access workflows than traditional teams were built to manage.

For IAM and security leaders, the core question is which controls can absorb operational pressure without weakening security. Managed services can extend coverage, but automation and access design determine whether teams reduce toil or simply move it elsewhere.


Key questions

Q: How should security teams reduce identity workload when staffing is limited?

A: They should automate repetitive identity tasks first, then delegate bounded operational work to managed services where runbooks and escalation paths are explicit. The goal is to reduce manual handling without losing auditability or ownership. Teams should focus on high-volume work such as resets, fulfilment, and monitoring before trying to automate complex exceptions.

Q: Why do passwordless programmes help overstretched security teams?

A: Passwordless programmes reduce password reset volume, lower phishing exposure, and shrink a major source of support burden. They help most when the organisation also governs recovery, enrolment, and exception handling carefully. Without those controls, the workload simply shifts from password management to identity recovery.

Q: What breaks when identity operations stay manual during a skills shortage?

A: Manual identity operations create slow approvals, inconsistent entitlement handling, and greater reliance on individual availability. When teams are stretched, that often leads to delayed changes, weaker exception handling, and more operational risk. The failure is not only speed but variability, because security decisions become harder to repeat consistently.

Q: Who is accountable when managed services handle security operations?

A: The organisation remains accountable for the control model, even when a third party performs the work. Teams must define what the provider monitors, what evidence it must retain, and where escalation returns to internal ownership. Managed services extend capacity, but they do not transfer governance responsibility.


Technical breakdown

Managed security services as capacity multipliers

Managed security services can absorb routine monitoring, alert handling, and first-line response when internal teams are understaffed. The technical value is not only 24x7 coverage, but the ability to standardise response paths and reduce variance in how repetitive work is handled. That matters because operational inconsistency becomes a security risk when teams are exhausted and response queues are long. In practice, managed services work best when internal identity, logging, and escalation standards are clear enough for a third party to act without introducing blind spots.

Practical implication: define the monitoring and escalation boundaries before outsourcing operational work.

Passwordless authentication and help-desk load reduction

Passwordless authentication reduces one of the most common sources of identity friction: password resets, phishing exposure, and user support tickets. From a control perspective, the benefit is not only better user experience, but fewer manual identity events that drain support teams and create recovery risk. It also shifts emphasis toward device trust, session assurance, and strong enrolment processes. If passwordless is deployed without governance around recovery paths and exception handling, the help desk simply becomes the weak point instead of the password itself.

Practical implication: pair passwordless rollout with tightly governed recovery and exception processes.

Identity automation where repetitive work creates operational risk

Automation is most effective where identity work is repetitive, policy-driven, and high-volume, such as password resets, provisioning tasks, and access fulfilment. The technical goal is to reduce human touchpoints without removing control, which means the workflow still needs approval logic, auditability, and rollback paths. This is especially important in IAM because rushed manual handling often leads to inconsistent entitlements and delayed remediation. Automation should remove noise from the queue, not obscure who approved what or why.

Practical implication: automate repetitive identity workflows only where logging and approval traceability are preserved.


NHI Mgmt Group analysis

Capacity shortage is now a governance problem, not just a staffing problem. When only 14% of companies say they have the talent and resources they need, the issue stops being simple headcount planning. Identity teams then inherit more approvals and more exceptions, administrative ones included, than their operating model can absorb. The practical conclusion is that security architecture must assume permanent resource pressure, not temporary shortage.

Managed services help only when the identity model is explicit. Outsourcing monitoring or response does not reduce risk if the organisation has not defined ownership for privileged access, escalation, and audit evidence. The vendor relationship can extend coverage, but it cannot substitute for clear IAM and PAM governance. Practitioners need a control model that specifies what is delegated, what remains internal, and what must never be externalised.

Passwordless access changes the economics of support, but not the governance burden. Removing passwords can reduce ticket volume and lower phishing exposure, yet it also shifts risk toward recovery, device trust, and enrolment integrity. That means the security gain depends on whether access governance is strong enough to manage edge cases at scale. The practitioner takeaway is that passwordless should be evaluated as an operating-model change, not a point solution.

Identity automation is the only sustainable response when teams are overextended. Routine access tasks should be engineered out of the queue where possible, because manual handling at scale creates inconsistency and delay. The stronger programme is the one that combines automation with clear review, logging, and exception governance. Teams that do this well can preserve security quality even as staffing pressure persists.

Identity throughput pressure: This article shows that the real problem is not simply a shortage of people, but a shortage of time per identity decision. The more access work stays manual, the more security outcomes depend on human availability rather than policy quality. Practitioners should treat throughput as a control metric, not just an operations metric.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • NHIs outnumber human identities by 25x to 50x in modern enterprises, which is why staffing shortages quickly turn into governance shortages.
  • That visibility gap makes the case for Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs as the next resource for teams trying to reduce manual identity workload.

What this signals

Identity throughput will become a board-level control concern: when teams are under-resourced, the question is no longer whether access can be managed, but whether the organisation can process identity events quickly enough to preserve assurance. That shifts attention toward automation, evidence quality, and queue discipline rather than heroics.

With NHIs outnumbering human identities by 25x to 50x, every staffing shortage compounds faster in machine and workload governance than it does in human IAM. The programme that wins is the one that reduces manual touchpoints before scale exposes the gap.

Capacity-constrained IAM: the durable pattern here is to design identity controls that can survive chronic understaffing. That means standardising the work that can be standardised, outsourcing only bounded operations, and keeping recovery and exception handling under explicit governance.


For practitioners

  • Map which identity tasks consume scarce analyst time. Separate password resets, access fulfilment, monitoring, and exception handling so you can see where staff time is being spent. Prioritise the work that can be standardised or automated before it becomes a reliability problem.
  • Use managed services for bounded operational coverage. Outsource monitoring or alert triage only where runbooks, escalation paths, and evidence requirements are already defined. The service should extend coverage, not take ownership of unclear processes.
  • Treat passwordless as an operating-model change. Roll out passwordless authentication together with enrolment, recovery, and exception controls. That prevents the help desk from becoming the fallback identity control when users need to regain access.
  • Automate repetitive identity workflows with auditability intact. Build automation for recurring identity tasks only when approvals, logging, and rollback are preserved. The goal is to reduce manual load without creating invisible entitlement changes.

Key takeaways

  • The article frames the cybersecurity skills gap as an identity operations problem, not just a hiring problem.
  • Managed services and automation reduce operational strain only when the underlying identity governance model is explicit.
  • Passwordless authentication can lower support load, but recovery and exception paths still need strict control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity access control is central to reducing manual operational risk.
NIST SP 800-63 |  | Passwordless and recovery design directly affect digital identity assurance.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust access decisions depend on consistent identity governance under strain.

Map repetitive identity workflows to access controls and automate where approvals are repeatable.


Key terms

  • Managed Security Services: Managed security services are outsourced operational functions that extend a security team’s coverage. In identity programmes, they usually handle monitoring, triage, or routine response, but the organisation still owns policy, escalation, and evidence requirements.
  • Passwordless Authentication: Passwordless authentication verifies a user without requiring a reusable password. It reduces reset volume and phishing exposure, but it still depends on strong enrolment, recovery, and device or session assurance to prevent the control from shifting risk elsewhere.
  • Identity Automation: Identity automation uses policy-driven workflows to complete repetitive access tasks with less manual intervention. It improves speed and consistency when approvals, logging, and rollback are built in, but it becomes dangerous if it hides exceptions or weakens accountability.
  • Identity Throughput: Identity throughput is the rate at which an organisation can process access-related work without degrading control quality. It is a useful operational measure when staffing is thin, because security failures often begin when the queue grows faster than the team can safely clear it.


This post draws on content published by Imprivata: Rethinking the Cybersecurity Skills Gap with Automation, Identity, and Managed Services.
