TL;DR: Identity maturity is failing as a destination model because teams cannot scale identity security without discovery, hygiene, contextual governance, and just-in-time privilege, according to ConductorOne. In an AI-native environment, access decisions are continuous, and programs built on static roles and manual review cycles fall behind faster than they can adapt.
At a glance
What this is: This is a blog post arguing that identity maturity should be treated as a continuous operating model, not a one-time programme milestone, with discovery, hygiene, contextual governance, and just-in-time access as the progression path.
Why it matters: It matters because IAM teams now have to govern people, service accounts, and AI agents through the same maturity lens, while avoiding blind spots that turn automation, privilege drift, and stale access into systemic risk.
👉 Read ConductorOne's guide to identity maturity in 2026
Context
Identity maturity is the point where an identity programme stops being a collection of controls and becomes an operating model. The article argues that teams fail when they treat maturity as a finish line rather than a progression, especially once access decisions become continuous across people, machines, and AI agents.
For IAM teams, the governance gap is not simply lack of tools. It is the mismatch between static programme assumptions and a reality where identity sprawl, privilege drift, and contextual access decisions happen all the time. That is why visibility, hygiene, and lifecycle discipline matter before automation can safely scale.
Key questions
Q: How should security teams build identity maturity without over-automating too early?
A: Start with discovery and hygiene. Teams need a complete view of identities, entitlements, and stale access before they automate reviews or privilege decisions. If the baseline is incomplete, automation will accelerate bad data and mask risk instead of reducing it. Mature programmes earn automation by proving their identity inventory is trustworthy first.
Q: Why does standing privilege still create so much identity risk?
A: Standing privilege keeps elevated access available long after the work that justified it has ended. That increases blast radius, weakens accountability, and makes review processes chase a moving target. Just-in-time access only helps when elevation is short-lived, context-aware, and paired with clean role design and reliable offboarding.
Q: What do teams get wrong about zero standing privilege?
A: They treat it as a feature rather than a maturity shift. Zero standing privilege only works when organisations can define task scope, remove unused access, and trust the controls that grant and revoke elevation. Without those foundations, the programme simply replaces one form of drift with another.
Q: How should IAM teams govern AI agents as identity programmes mature?
A: Treat AI agents as identities that need discovery, entitlement boundaries, and continuous oversight. They do not wait for ticket queues or static review cadences, so governance has to adapt to runtime behaviour. The practical test is whether the programme can control access at machine speed without relying on manual approval loops.
Technical breakdown
Discovery and identity hygiene as the baseline for maturity
Discovery is the inventory layer of identity maturity. It means finding every identity across employees, vendors, service accounts, workload credentials, and AI agents so the programme can measure privilege instead of guessing at it. Hygiene follows discovery and removes stale accounts, unused permissions, and broken role structures. Without that baseline, any governance layer sits on unstable data and any automation amplifies hidden risk rather than reducing it.
Practical implication: establish complete identity discovery and cleanup before trying to automate reviews or privilege decisions.
Contextual governance and just-in-time access
Contextual governance changes access from a static approval problem into a risk-based decision problem. Just-in-time access and zero standing privilege shorten the period in which elevated rights exist, but the control only works when tied to clean identity baselines and reliable context signals. The real shift is not temporary access alone. It is moving from persistent entitlement to work-scoped elevation that expires as soon as the task ends.
Practical implication: tie privileged access to task context and remove standing rights wherever the business process allows.
Autonomous identity changes the maturity model
Autonomous identity is where AI supports entitlement recommendations, anomaly detection, and real-time policy adaptation. That changes the role of identity from a mostly reactive control plane into a continuously adjusting enforcement layer between humans, machines, and AI agents. The maturity model has to account for runtime behaviour that moves faster than periodic reviews and policy cycles.
Practical implication: design governance so it can respond to machine-speed access changes without relying on manual review cadence alone.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity maturity is now an operating model problem, not a tooling problem. The article is right to reject the idea that maturity is a destination. In practice, immature identity programmes fail because they do not create a repeatable way to discover, clean, govern, and retire access across every identity type. That is a governance design issue, not a product-selection issue. Practitioners should treat maturity as a lifecycle discipline that has to survive scale, sprawl, and AI adoption.
Discovery first is not a slogan; it is the control plane that makes every later decision credible. The programme cannot rationalise privilege, enforce separation of duties, or evaluate risk if it cannot see the full identity estate. That includes service accounts and AI-driven access paths, not just human users. The field keeps rediscovering the same lesson: governance built on partial inventory becomes theatre, not control.
Just-in-time access is only meaningful when the programme can prove standing privilege has been removed. The article frames JIT as a maturity step, but the deeper point is that standing privilege is the condition that makes most downstream controls brittle. Temporary elevation works only when roles are clean, entitlements are current, and review processes are not compensating for bad baselines. Practitioners should read this as a warning that access freshness is part of maturity, not a separate optimisation.
Identity programmes now have to govern AI agents as first-class identities, not as a side effect of automation. The article's autonomous identity section signals where the market is heading: identity systems that recommend, adapt, and enforce based on runtime context. That expands identity governance from human pacing to machine pacing. The implication is that IAM teams will need to re-evaluate which controls depend on human review cycles and which controls must move into continuous enforcement.
Accessibility of governance matters more than the appearance of strictness. Reviews that are slow, performative, or disconnected from actual risk create a false sense of control. Modern maturity should be measured by whether the programme can make faster, more accurate decisions with less manual friction. For practitioners, the test is not whether policy exists. It is whether the policy changes behaviour at the point where access is granted or removed.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why maturity programmes stall at discovery before they reach governance.
- That gap is why readers should also review Top 10 NHI Issues for the control failures that most often block progress.
What this signals
Identity maturity is becoming a control-design discipline, not a checklist. Once organisations have humans, service accounts, and AI agents in the same access environment, maturity depends on whether governance can keep up with mixed-speed identities. The programme should be judged by how quickly it can see, classify, and retire access when the business changes, not by how many policy pages it has.
A useful way to think about this shift is as identity freshness debt: the longer access persists without clean review, the more likely the programme is governing stale assumptions rather than current risk. That concept matters because stale privileges are what make automation and AI adoption look manageable until they are not.
With 30.9% of organisations still storing long-term credentials directly in code, per Ultimate Guide to NHIs, teams cannot treat maturity as an abstract model. They need a roadmap that reduces exposed credentials, ties privilege to context, and closes the gap between policy intent and runtime access.
For practitioners
- Inventory every identity class: Map employees, vendors, service accounts, workload credentials, and AI agents into one authoritative discovery process so access can be measured rather than inferred.
- Remove stale access before automating reviews: Clean unused permissions, orphaned identities, and outdated role assignments first, then automate certification only after the identity baseline is trustworthy.
- Convert standing privilege into task-scoped elevation: Use just-in-time access for privileged work so elevated rights exist only for the duration of the task and do not persist as idle entitlement.
- Tie governance to context, not hierarchy: Base approvals on resource sensitivity, business purpose, and risk signal rather than seniority or broad role ownership, then review exceptions instead of full-volume access.
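The first three steps above, as an added Python example that is not from the post or from ConductorOne: a hygiene pass over a constructed inventory covering a human, two service accounts and an AI agent, the freshness-debt share from the "What this signals" section computed as one number, and a standing admin right replaced by a time-boxed elevation. The identity names, entitlements, the 90-day staleness threshold and the 30-minute task time box are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
STALE_AFTER = timedelta(days=90)   # constructed hygiene threshold: unused this long means stale
JIT_TTL = timedelta(minutes=30)    # constructed time box for one privileged task
NOW = datetime(2025, 12, 4, tzinfo=timezone.utc)
# Identity record: kind is "human", "service" or "agent"; owner None means nobody is
# accountable; entitlements maps name -> last-used time (None = never used);
# standing_admin marks persistent elevated rights that exist outside any task.
Identity = namedtuple("Identity", "name kind owner entitlements standing_admin", defaults=[False])
# A task-scoped elevation: the right exists only until expires_at.
Elevation = namedtuple("Elevation", "identity entitlement task expires_at")
# Constructed inventory covering every identity class the post names.
INVENTORY = [
    Identity("alice", "human", "alice",
             {"repo:read": NOW - timedelta(days=2), "prod:admin": NOW - timedelta(days=200)},
             standing_admin=True),
    Identity("ci-deploy", "service", "platform-team", {"deploy:prod": NOW - timedelta(days=1)}),
    Identity("legacy-etl", "service", None, {"db:write": None}),
    Identity("support-agent", "agent", "support-team",
             {"tickets:read": NOW - timedelta(hours=3), "billing:refund": NOW - timedelta(days=120)}),
]

def is_stale(last_used, now):
    return last_used is None or now - last_used > STALE_AFTER

def hygiene_findings(inventory, now):
    """One (identity, issue, detail) per orphaned owner, stale entitlement or standing admin right."""
    findings = []
    for ident in inventory:
        if ident.owner is None:
            findings.append((ident.name, "orphaned", "no accountable owner"))
        for ent, last_used in ident.entitlements.items():
            if is_stale(last_used, now):
                findings.append((ident.name, "stale_entitlement", ent))
        if ident.standing_admin:
            findings.append((ident.name, "standing_privilege", "persistent admin"))
    return findings

def freshness_debt(inventory, now):
    """Share of all entitlements that are stale: one number for the 'identity freshness debt' idea."""
    last_used = [lu for i in inventory for lu in i.entitlements.values()]
    return sum(is_stale(lu, now) for lu in last_used) / len(last_used)

def grant_jit(identity, entitlement, task, now, ttl=JIT_TTL):
    """Replace a standing right with an elevation that expires with the task's time box."""
    return Elevation(identity, entitlement, task, now + ttl)

def is_active(elevation, now):
    return now < elevation.expires_at
```

On this inventory the pass reports five findings (one orphaned identity, three stale entitlements, one standing admin right) and a freshness debt of 0.5, and the elevation granted to alice is no longer active once the task time box has elapsed.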
Key takeaways
- Identity maturity is failing as a one-time destination model because access now changes continuously across people, systems, and AI agents.
- The biggest blocker to maturity is not the absence of policy, but the absence of reliable discovery and hygiene across the identity estate.
- Teams should judge progress by how much standing privilege they remove and how quickly their governance can react to runtime access changes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and hygiene depend on knowing every non-human identity in scope. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and contextual access decisions align with access governance controls. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | The article's move from static trust to context-based access fits zero trust principles. |
Use continuous verification and contextual access decisions instead of persistent entitlement.
Key terms
- Identity maturity: Identity maturity is the degree to which an organisation can see, govern, and retire access in a repeatable way. In practice, it means identity controls are built as an operating model, with discovery, hygiene, governance, and privilege management working together across human, machine, and AI-driven access.
- Standing privilege: Standing privilege is elevated access that remains available outside the specific task that needs it. It creates unnecessary exposure because access exists when nobody is actively using it. For mature identity programmes, standing privilege is the condition that just-in-time access and least privilege are meant to replace.
- Discovery and hygiene: Discovery and hygiene are the baseline identity controls that make governance credible. Discovery finds every identity and entitlement in scope, while hygiene removes stale accounts, unused permissions, and bad role design. Without both, certification, automation, and policy enforcement are built on incomplete information.
- Autonomous identity: Autonomous identity refers to non-human or AI-driven identities that can influence access decisions or act in real time with limited manual intervention. The governance challenge is not just that they use credentials, but that their access patterns can change faster than periodic review cycles can capture.
Deepen your knowledge
Identity maturity, discovery, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that has to scale across people, service accounts, and AI agents, it is worth exploring.
This post draws on content published by ConductorOne: Identity Maturity in 2026: How the Best Teams Move Forward. Read the original.
Published by the NHIMG editorial team on 2025-12-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org