By NHI Mgmt Group Editorial Team
Published 2026-01-06
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Omada’s 2025 State of Identity Governance Report says 95% of leaders now treat identity security as a critical part of cyber strategy, while more than 86% are worried about identity-based threats, based on a survey of over 500 IT and business executives. The evidence points to a governance gap, where manual processes, TCO pressure, and cloud migration are still slowing effective IGA.


At a glance

What this is: Omada’s 2025 identity governance report shows identity security has moved from an IAM concern to a core cyber priority, with leaders also reporting manual-process pain and IGA investment friction.

Why it matters: For IAM, NHI, and human identity programmes, the report reinforces that governance is now a resilience issue, not just an access-administration problem.

By the numbers:

👉 Read Omada Identity's 2025 State of Identity Governance Report


Context

Identity governance is the set of controls that decides who or what should have access, how that access is approved, and when it should be removed. In this report, Omada Identity argues that those controls are now central to cybersecurity because leaders see identity as a primary attack surface, not a back-office administration function.

The programme tension is familiar to IAM leaders: organisations know they need stronger governance, but manual workflows, cloud transition pressure, and cost constraints keep slowing adoption. That makes the report relevant across human identities, service accounts, and other non-human identities, because the same lifecycle and access-control failures often show up in each domain.


Key questions

Q: How should organisations improve identity governance without making reviews slower?

A: Start by measuring where governance work stalls, then automate the repeatable steps that do not require human judgement. Keep approval ownership with business and control owners, but move evidence capture, exception tracking, and revocation follow-up into workflows that can be audited end to end. That is how governance gets faster without becoming less defensible.

Q: Why do manual access reviews fail in modern IAM programmes?

A: Manual reviews fail because they cannot reliably keep pace with access change velocity. In hybrid estates, identities are created, changed, delegated, and removed too quickly for spreadsheet or email-driven processes to stay current. The result is stale entitlement, weak evidence, and privilege that persists longer than the business expects.

Q: How can teams tell whether identity governance is actually working?

A: Look for three signals: review completion on schedule, revocation after exceptions, and clean evidence for auditors or control owners. If the programme produces paperwork but leaves access unchanged, it is producing compliance theatre rather than governance. Real effectiveness shows up when entitlement scope shrinks and stale access disappears.

Q: Which frameworks should guide identity governance for human and non-human identities?

A: Use NIST Cybersecurity Framework 2.0 to anchor governance in control outcomes, and use NHI-specific guidance for lifecycle, visibility, and revocation discipline. For organisations with cloud and workload-heavy estates, the key question is whether governance spans all identity types or still stops at human accounts.


Technical breakdown

Why identity governance becomes a control plane, not an admin layer

Identity governance and administration is the operational layer that connects access request, approval, certification, and revocation. When enterprises say identity security is critical, they are really acknowledging that governance determines whether entitlements are current, defensible, and auditable. The report’s emphasis on compliance pressure and financial loss reflects a common reality: weak governance turns access into accumulated risk, especially when environments span SaaS, hybrid infrastructure, and multiple business owners. Practical implication: treat governance as a control plane for access decisions, not as a ticketing workflow.

Practical implication: map governance decisions to control owners, evidence, and revocation triggers, not just service desk steps.

What manual IGA processes break at scale

Manual access reviews, email-based approvals, and spreadsheet-driven recertification do not scale cleanly when identity populations grow across employees, contractors, applications, and workloads. The report points to time-consuming manual processes as a top investment driver because the real failure is not only effort, but inconsistency. If access decisions are slow, stale, or poorly evidenced, organisations accumulate orphaned privilege and audit exposure. Practical implication: identify which governance steps still depend on human memory or ad hoc follow-up, then measure how often they miss deadlines or produce incomplete evidence.

Practical implication: replace human-dependent review loops with workflows that can prove completion, exception handling, and revocation.

Why AI features are becoming a selection criterion in IGA

AI and automation matter in IGA because they reduce the effort required to classify access, detect anomalies, and prioritise reviews. That does not mean AI replaces governance judgement. It means the governance team needs enough signal to focus on the highest-risk entitlements instead of processing every item with equal weight. In practice, this is most useful when the enterprise has large role sets, many dormant accounts, or frequent joiner-mover-leaver changes. Practical implication: use automation to narrow the review burden, but keep policy ownership and approval accountability with the business.

Practical implication: use automation to triage governance work, not to remove control ownership.


NHI Mgmt Group analysis

Identity governance has become a security control, not an administrative convenience. Omada’s findings reflect a shift already visible across IAM programmes: leaders are no longer evaluating IGA only for compliance support, but for breach prevention and operational resilience. That matters because access governance now sits on the path between identity creation and identity risk accumulation. Practitioners should treat this as a control-plane problem, not a workflow optimisation exercise.

The real constraint is governance throughput, not governance intent. The report shows organisations understand the need for stronger identity security, yet many still rely on manual processes and cost-constrained IGA estates. That combination creates delayed reviews, inconsistent approvals, and weak revocation discipline. In NIST CSF terms, the issue is not a lack of awareness, but a failure to sustain protection and governance functions at the speed the business now requires. Practitioners should measure whether governance can keep up with access change velocity.

Lifecycle Processes for Managing NHIs are now part of the same governance problem. Once organisations manage humans, applications, and workloads in the same cloud estate, access review and offboarding cannot remain human-only disciplines. The report’s concern with identity-driven threats applies equally to service accounts, API keys, and other NHIs that often escape traditional review cadences. Practitioners should assume lifecycle governance must span all identity types, or the weakest one will dominate the risk profile.

NHI visibility is still a blind spot inside broader identity governance. If organisations cannot clearly see who or what holds access, they cannot certify it with confidence. The same governance gaps that slow human IGA programmes also hide privilege in machine identities, third-party accounts, and service credentials. Practitioners should expect identity security maturity to be judged by visibility, revocation speed, and evidence quality across all identities.

Access sprawl becomes a compounding risk when governance is manual. Manual review processes tend to preserve old entitlements because they are built to process volume, not to continuously reduce privilege. That is why identity security programmes fail first at the edges: third-party access, stale accounts, and exceptions that never fully close. Practitioners should redesign governance around exception reduction, not periodic cleanup.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why revocation and certification controls fail so often in practice.
  • For a broader lifecycle view, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, where provisioning, rotation, and offboarding controls are broken down in more detail.

What this signals

Identity governance will be judged by remediation speed, not policy volume. The organisations that win here will be the ones that can prove access removal, not merely document it. With 79% of organisations having experienced secrets leaks in our research, the control question is whether governance can reduce exposed privilege before it becomes durable risk.

The next maturity step is to connect identity governance to broader zero trust architecture through NIST Cybersecurity Framework 2.0 and identity lifecycle discipline. That means treating access reviews, revocation, and exception handling as measurable security operations rather than annual compliance events.

Governance throughput gap: when manual approvals, recertification, and offboarding lag behind business change, the organisation is not under-governed; it is under-instrumented. The programme signal to watch is whether stale access is declining across employees, contractors, and NHIs at the same time.


For practitioners

  • Baseline governance throughput against access change velocity: Measure how long it takes to approve, certify, and revoke access across employees, contractors, applications, and service identities. If the governance cycle is slower than the rate of change, risk will accumulate no matter how strong the policy language is.
  • Replace spreadsheet recertification with evidence-backed workflows: Move access reviews into systems that can prove who approved what, when exceptions were granted, and when revocation actually occurred. This is especially important where auditors need clear evidence and business owners need repeatable decisions.
  • Extend lifecycle governance to non-human identities: Apply the same joiner-mover-leaver discipline to service accounts, API keys, tokens, and certificates that you apply to employees. Use the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs as a reference point for where lifecycle control usually fails.
  • Prioritise high-risk entitlements for automation first: Use automation to sort access reviews by privilege level, business criticality, and recency of change. That reduces review fatigue and lets governance teams focus on the entitlements most likely to create audit or breach exposure.
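The throughput baseline described above, worked as an added example (not code from the article or from Omada): it takes constructed access-review records and reports, per identity type, the on-time decision rate, the share of requested revocations actually confirmed, the median hours from decision to revocation, and the revocations still open past an assumed 72-hour SLA, which is the stale privilege the piece warns about. Record fields, identity names and the SLA are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class ReviewItem:
    identity: str
    kind: str                        # "employee", "contractor", "service_account"
    decided: datetime                # when the control owner made the decision
    due: datetime                    # deadline for that decision
    revoke_requested: bool           # decision was "remove this access"
    revoked_at: Optional[datetime]   # None = revocation never confirmed in the target system

def throughput_report(items, now, sla_hours=72):
    """Per identity type: on-time decision rate, share of requested revocations
    actually closed, median hours from decision to confirmed revocation, and
    revocations still open past the SLA (standing privilege that should be gone)."""
    report = {}
    for kind in sorted({i.kind for i in items}):
        subset = [i for i in items if i.kind == kind]
        on_time = sum(1 for i in subset if i.decided <= i.due)
        requested = [i for i in subset if i.revoke_requested]
        closed = [i for i in requested if i.revoked_at is not None]
        hours = [(i.revoked_at - i.decided).total_seconds() / 3600 for i in closed]
        overdue = [i.identity for i in requested
                   if i.revoked_at is None and now - i.decided > timedelta(hours=sla_hours)]
        report[kind] = {
            "on_time_rate": on_time / len(subset),
            "revocation_closed_rate": len(closed) / len(requested) if requested else 1.0,
            "median_hours_to_revoke": median(hours) if hours else None,
            "overdue_revocations": overdue,
        }
    return report

# Constructed sample review campaign (not real data); T0 is the campaign start.
T0 = datetime(2026, 1, 5, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
NOW = T0 + 10 * D   # assumed point at which the programme is measured
SAMPLE = [
    ReviewItem("alice",      "employee",        T0,         T0 + D, True,  T0 + 2 * H),
    ReviewItem("bob",        "employee",        T0 + 3 * D, T0 + D, False, None),        # late decision
    ReviewItem("vendor-qa",  "contractor",      T0,         T0 + D, True,  None),        # exception never closed
    ReviewItem("svc-backup", "service_account", T0,         T0 + D, True,  T0 + 5 * D),  # slow revocation
    ReviewItem("svc-ci",     "service_account", T0,         T0 + D, True,  T0 + H),
]

if __name__ == "__main__":
    for kind, metrics in throughput_report(SAMPLE, NOW).items():
        print(kind, metrics)
```

Run against a real export, the contractor row (requested revocation, no confirmation, past SLA) is the signal to escalate first, since paperwork exists but access is unchanged.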

Key takeaways

  • The report shows identity security is now being treated as a core cyber control, not a narrow IAM function.
  • The main weakness is not policy intent but execution friction, especially where manual governance slows access review and revocation.
  • Identity governance programmes need to cover human, application, and workload identities together, or risk will simply move to the least-governed account type.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access permissions governance is central to the report's identity risk findings.
NIST Zero Trust (SP 800-207) | | The report ties identity security to broader cyber strategy and zero trust.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle control gaps extend to service accounts and other NHIs.

Apply NHI lifecycle controls to non-human access and reduce standing privilege through timely revocation.


Key terms

  • Identity Governance And Administration: Identity Governance and Administration is the discipline that defines, approves, certifies, and removes access across an organisation. It ties policy to evidence so access decisions can be audited, revoked, and justified across human accounts, applications, and non-human identities.
  • Access Recertification: Access recertification is the periodic review of existing entitlements to confirm they are still needed. In mature programmes, it is evidence-based and outcome-driven, not just a checkbox exercise, and it must cover privileges for people, service accounts, and workload identities where relevant.
  • Joiner-Mover-Leaver Lifecycle: The joiner-mover-leaver lifecycle is the access-management process that grants, adjusts, and removes access as identities change state. For non-human identities, the same concept applies to provisioning, rotation, and offboarding, but the trigger and timing are system-driven rather than employment-driven.
  • Standing Privilege: Standing privilege is access that remains active until someone manually removes it. It is a governance problem because unused or forgotten entitlements accumulate over time, increasing audit exposure and breach blast radius across both human and non-human identity estates.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: State of Identity Governance Report 2025. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org