TL;DR: Identity security is being used to speed onboarding, automate deprovisioning, and centralise access control across large, complex environments, with examples ranging from minutes to multi-year transformations, according to SailPoint. The signal is clear: IAM and IGA programmes are now judged on operational latency, lifecycle control, and scale, not policy intent alone.
At a glance
What this is: SailPoint’s customer awards highlight how mature identity security programs are shortening access delays, automating lifecycle tasks, and standardising control across complex environments.
Why it matters: For IAM practitioners, the article shows that identity governance is moving from administrative overhead to measurable operating capability across human, NHI, and workload access.
By the numbers:
- After deploying SailPoint Identity Security Cloud, Health New Zealand provisioned 300 users to a new app within 10 minutes, avoiding at least 15-20 service desk tickets and 10-15 hours of work.
- RWE cut average onboarding time from 25 days to less than 3 hours after moving to Identity Security Cloud, even as its user base increased tenfold.
- A 21-day process reduced to immediate action.
- Swiss Re manages more than 20,000 internal and external identities after migrating from IdentityIQ to Identity Security Cloud.
👉 Read SailPoint's 2024 customer award winners and identity security outcomes
Context
Identity security programs are increasingly judged on how quickly they can grant, govern, and remove access across business systems. In practice, that means the programme must reduce manual delay, standardise decisions, and keep lifecycle controls aligned with policy across human users, service identities, and other non-human accounts.
SailPoint’s customer awards are framed as proof points for that shift. The common thread is not branding or advocacy, but operational identity maturity: faster provisioning, faster deactivation, stronger access control, and better consistency in complex environments. Those are the measures that matter when IAM and IGA are expected to support business change rather than slow it down.
Key questions
Q: How should IAM teams reduce delay in access provisioning and deprovisioning?
A: IAM teams should measure the full lifecycle from request to revocation, then automate the steps that create the longest delays. The goal is not only faster onboarding but also immediate or near-immediate removal of access when the business need ends, with any exceptions tracked and reviewed as control issues rather than left in a backlog.
Q: Why does centralised identity governance matter in complex enterprises?
A: Centralised governance matters because complex enterprises need one authoritative view of entitlement state, ownership, and review cadence. Without that, local process variation creates inconsistent access decisions, weaker audit evidence, and slower response when access must change across multiple business units or identity populations.
Q: What breaks when non-employee access is managed outside the main identity programme?
A: What breaks is accountability. Contractors, partners, and other external identities often end up with different approval paths, slower offboarding, and weaker certification coverage. That creates hidden standing access, makes audits harder, and leaves risk concentrated in the least standardised part of the estate.
Q: How do organisations know whether identity automation is actually improving control?
A: They should look for shorter request-to-access times, faster deactivation, fewer manual tickets, and cleaner audit evidence. If automation only speeds up the front end but leaves revocation slow or inconsistent, the programme has improved convenience more than security.
Technical breakdown
Centralised access management as a lifecycle control plane
A centralised access management platform turns identity from a series of manual tickets into a governed control plane for request, approval, provisioning, and revocation. The value is not just speed. It is consistency: the same policy logic can be applied across applications, business units, and identity types so that access decisions are repeatable and auditable. In mature programmes, this becomes the system of record for who has access, why they have it, and when that access should end.
Practical implication: map access request and removal flows to a single governance model so deprovisioning cannot lag behind business change.
Automation in identity lifecycle management
Automation in identity lifecycle management reduces the gap between entitlement change and enforcement. That matters because the largest exposure often comes from delayed joiner, mover, and leaver processing, not from initial policy design. When onboarding, certification, and deactivation are automated, the programme gains both control and operating speed. The real test is whether automation removes manual rework without weakening exception handling or auditability.
Practical implication: automate the highest-volume lifecycle events first, then measure how much manual delay remains in exceptions and offboarding.
Identity security for complex environments and non-employee access
Large organisations often run multiple identity populations at once, including employees, contractors, partners, and specialised non-employee populations. That creates a governance problem that spans access scope, recertification cadence, and ownership. In these environments, identity security is less about one product feature than about establishing one authoritative view of entitlement risk and lifecycle state. The more complex the environment, the more the programme depends on standardisation rather than local process variation.
Practical implication: define ownership and review cadence separately for employee and non-employee access so risk does not hide in the exceptions.
NHI Mgmt Group analysis
Identity security maturity is now defined by lifecycle speed, not policy aspiration. The customer examples show that leading programmes are measured by how quickly they can provision, certify, and remove access in real operating conditions. That shifts identity from a control framework to an execution layer for the business. Practitioners should treat latency in access decisions as an operational risk signal, not an inconvenience.
The strongest identity programmes standardise access across heterogeneous populations. The article repeatedly points to organisations managing employees, contractors, and non-employee populations under one governance model. That matters because access sprawl usually emerges where different populations follow different rules, tools, or review cadences. The field is moving toward unified entitlement governance, and fragmented lifecycle treatment is becoming the weak link.
Centralised identity control is becoming a prerequisite for auditability at scale. Several examples emphasise compliance, audit, and regulatory alignment alongside faster provisioning. That combination shows that identity programmes are being asked to do more than enforce policy. They must produce evidence, support oversight, and withstand scrutiny across complex application estates. Practitioners should expect identity governance to be judged on traceability as much as on control coverage.
Automation is not just efficiency work; it is resilience work. Reducing manual account creation from days to minutes, or deactivation from weeks to immediate action, changes the security posture of the entire programme. Every manual step widens the window for privilege drift and deepens service desk dependency. The operational conclusion is simple: where access changes are frequent, manual handling is a control weakness, not a process choice.
From our research:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- That gap compounds when identity programmes depend on manual lifecycle handling, which is why practitioners should also review the DeepSeek breach for how exposed secrets and delayed control turn into broad identity risk.
What this signals
Identity programmes that still rely on ticket queues and manual approvals will struggle to keep pace with the speed benchmarks now being shown in large-scale deployments. When provisioning drops from days to minutes and deactivation from weeks to immediate action, the governance question shifts from whether identity is controlled to whether control is occurring soon enough to matter.
Lifecycle latency debt: the longer access changes take, the more residual privilege the programme carries between business need and enforcement. That debt shows up as audit friction, exception sprawl, and hidden exposure in external identities, especially where contractors and partners follow different processes.
For teams modernising IAM and IGA, the practical signal is not the number of features deployed but the reduction in manual work per identity event. Map that work to an operating model, then anchor it to the NIST Cybersecurity Framework 2.0 so access control, detection, and recovery remain aligned as the estate grows.
For practitioners
- Measure lifecycle latency across joiner, mover, and leaver flows: Track how long it takes to grant access, remove access, and close exceptions across each major identity population. Compare the measured delay to business and audit expectations, then treat outliers as control defects rather than backlog.
- Unify governance for employee and non-employee access: Create a single ownership model for contractors, partners, and other external identities so certification cadence, approval paths, and offboarding do not vary by local team or application cluster.
- Prioritise deprovisioning over cosmetic access cleanup: Focus first on removing stale access and immediate account closure, because delayed offboarding creates the largest residual exposure. Use automated triggers where possible and require documented exception handling where not.
- Build audit evidence into the identity workflow: Record request, approval, provisioning, and removal events in a way that produces usable evidence for compliance teams without manual reconstruction. The control should prove who changed access, when, and under which policy.
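The measurement the practitioner items above call for (lifecycle latency per population, SLA breaches treated as control defects, residual leaver exposure, and an audit record that proves who changed access, when, and under which policy) and the "measure how much manual delay remains" step from the automation section can be expressed as a small event processor. The example below is added here and is not SailPoint's code or any product feature; the `LifecycleEvent` shape, the per-event SLAs, and the sample events are all constructed for illustration. The constructed non-employee leaver row deliberately mirrors the article's "21-day process" figure so the output shows what that latency looks like as evidence.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class LifecycleEvent:
    """One joiner/mover/leaver action, tied to the business event that triggered it.
    This record shape is an assumption for the example, not a product schema."""
    identity: str
    population: str       # "employee" or "non-employee"
    kind: str             # "joiner", "mover" or "leaver"
    triggered: datetime   # HR/business event: hire, transfer, termination
    enforced: datetime    # access actually granted or revoked in the target systems
    actor: str            # "automation" or the service desk operator who acted
    policy: str           # policy reference the change was made under


# Assumed SLAs per event kind (not from the article). Leavers get the tightest
# window because residual access after termination is the largest exposure.
SLA = {
    "joiner": timedelta(hours=4),
    "mover": timedelta(hours=24),
    "leaver": timedelta(hours=1),
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events for illustration only. The employee joiner/leaver rows
# are fully automated; the non-employee rows still go through manual tickets,
# including a leaver whose access survived 21 days after termination.
SAMPLE_EVENTS = [
    LifecycleEvent("u1001", "employee", "joiner", _ts("2025-03-03T08:00"), _ts("2025-03-03T08:09"), "automation", "JML-AUTO-01"),
    LifecycleEvent("u1002", "employee", "joiner", _ts("2025-03-03T08:00"), _ts("2025-03-03T08:12"), "automation", "JML-AUTO-01"),
    LifecycleEvent("u1003", "employee", "leaver", _ts("2025-03-04T17:00"), _ts("2025-03-04T17:03"), "automation", "JML-AUTO-01"),
    LifecycleEvent("u1004", "employee", "mover", _ts("2025-03-05T09:00"), _ts("2025-03-05T15:00"), "desk.agent7", "TICKET-MANUAL"),
    LifecycleEvent("c2001", "non-employee", "joiner", _ts("2025-03-03T09:00"), _ts("2025-03-05T11:00"), "desk.agent7", "TICKET-MANUAL"),
    LifecycleEvent("c2002", "non-employee", "leaver", _ts("2025-03-01T12:00"), _ts("2025-03-22T12:00"), "desk.agent3", "TICKET-MANUAL"),
]


def latency(e: LifecycleEvent) -> timedelta:
    """Lifecycle latency: time from the business event to enforcement."""
    return e.enforced - e.triggered


def latency_report(events):
    """Per (population, kind): volume, median and worst latency, and how much is still manual."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.population, e.kind)].append(e)
    report = {}
    for key, evs in groups.items():
        lats = [latency(e) for e in evs]
        report[key] = {
            "count": len(evs),
            "median": median(lats),
            "max": max(lats),
            "manual": sum(1 for e in evs if e.actor != "automation"),
        }
    return report


def control_defects(events, sla=SLA):
    """Events that breached their SLA. These are control defects, not backlog."""
    return [e for e in events if latency(e) > sla[e.kind]]


def residual_exposure(events) -> timedelta:
    """Total time leavers kept access after their termination event."""
    return sum((latency(e) for e in events if e.kind == "leaver"), timedelta())


def audit_record(e: LifecycleEvent, sla=SLA) -> dict:
    """Evidence the control should produce: who changed access, when, under which policy, how late."""
    lat = latency(e)
    return {
        "identity": e.identity,
        "event": e.kind,
        "population": e.population,
        "triggered": e.triggered.isoformat(),
        "enforced": e.enforced.isoformat(),
        "actor": e.actor,
        "policy": e.policy,
        "latency_seconds": int(lat.total_seconds()),
        "within_sla": lat <= sla[e.kind],
    }


if __name__ == "__main__":
    for (pop, kind), row in sorted(latency_report(SAMPLE_EVENTS).items()):
        print(f"{pop:13} {kind:7} n={row['count']} median={row['median']} max={row['max']} manual={row['manual']}")
    for e in control_defects(SAMPLE_EVENTS):
        print("DEFECT", audit_record(e))
    print("residual leaver exposure:", residual_exposure(SAMPLE_EVENTS))
```

Run against the constructed events, the report shows automated employee joiners landing in minutes with no manual steps, while both non-employee events breach SLA and the lone manual leaver accounts for essentially all residual exposure. Feeding real IGA or HR-system events into the same functions gives the per-population latency figures, the defect list, and the evidence records the list above asks for, and the `manual` counter is the number to watch as automation is extended to the next highest-volume event kind.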
Key takeaways
- The article shows that identity security is being judged by operational speed, not just policy design or platform coverage.
- The clearest evidence is faster onboarding, immediate deactivation, and standardised governance across complex identity populations.
- Practitioners should focus on reducing lifecycle latency, unifying non-employee governance, and making audit evidence part of the identity workflow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identity and credential lifecycle management, and entitlements that are policy-defined, enforced, and reviewed, are the controls the award examples centre on. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets (Sect. 2.1); policy decision and enforcement points (Sect. 3) | Centralised access control supports zero-trust style continuous verification and policy enforcement. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI3:2025 Vulnerable Third-Party NHI | Non-employee and service identity governance depends on controlling lifecycle and reducing stale access. |
Use zero-trust principles to standardise access decisions across users, apps, and non-employee identities.
Key terms
- Identity security programme: An identity security programme is the operating model that governs who or what gets access, under what approval, and for how long. It combines policy, workflow, certification, and audit evidence so access changes are controlled end to end rather than handled as isolated tickets.
- Lifecycle latency: Lifecycle latency is the time between a business event, such as joining, moving roles, or leaving, and the corresponding access change. In mature identity governance, shorter latency means less residual privilege, fewer exceptions, and more reliable evidence that policy is actually enforced.
- Non-employee identity: A non-employee identity is any external or non-staff account that needs governed access, including contractors, partners, and vendors. These identities often create the highest governance risk because ownership, review cadence, and offboarding discipline are less standardised than for employees.
- Access certification: Access certification is the review and approval process used to confirm that an identity still needs its assigned entitlements. It is only useful when the underlying data is current, the reviewer has accountability, and the programme can act on the outcome without delay.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: congratulations to the 2024 customer award winners. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org