TL;DR: More than 40% of organisations remain in Horizon 1, while roughly one-third have reached the top three most secure horizons, alongside rising machine identity coverage and privileged access governance adoption, according to SailPoint’s three-year Horizons survey. The pattern shows identity security is improving, but most programmes still underuse the controls needed for modern identity sprawl.
At a glance
What this is: SailPoint’s three-year review of identity security maturity, showing that most enterprises are still early in their journey even as a growing minority advances into stronger identity security horizons.
Why it matters: IAM teams must govern a mix of human, machine, and increasingly automated identity patterns without assuming yesterday’s manual controls will scale.
By the numbers:
- Most surveyed organisations remain in the early stages of their identity security journeys, including more than 40% still in Horizon 1.
- Organisations at Horizons 3 and 4 of their identity security evolution achieve 20-50% higher coverage of third-party and machine identities.
👉 Read SailPoint's three-year review of identity security progress
Context
Identity security is the discipline of controlling who and what can access systems, data, and tools across human, machine, and increasingly automated environments. SailPoint’s three-year review argues that progress is real, but maturity remains uneven, with most enterprises still relying on early-stage capabilities while new identity types and context-aware access models become more important.
The governance gap is not simply about adding more tools. It is about moving from manual identity administration toward policy-driven control, integrated identity data, and measurable maturity across strategy, technology, operating model, and talent, especially as machine identities and automation expand the access surface.
Key questions
Q: How should security teams measure identity security maturity across human and machine identities?
A: Security teams should measure maturity across governance, tooling, operating model, and talent, then test whether those controls cover both human and machine identities. A strong programme can describe ownership, review cadence, policy enforcement, and exception handling for each identity class. If those elements are inconsistent, the organisation has partial coverage rather than mature identity security.
Q: Why do machine identities need the same governance attention as human identities?
A: Machine identities now carry real access paths through automation, copilots, APIs, and service accounts. When they are not owned, reviewed, and scoped properly, they become silent privilege channels that expand enterprise risk. Treating them as secondary identities leaves gaps in visibility, entitlement control, and accountability.
Q: What signals show that context-aware access policy is working?
A: Working context-aware policy produces consistent access decisions, fewer manual exceptions, and clearer links between behaviour signals and entitlement changes. If policy outcomes vary by system or if exceptions are growing faster than reviews, the model is not yet reliable. The best signal is whether identity data quality is strong enough to support repeatable decisions.
Q: How can organisations avoid over-automating identity governance too early?
A: Organisations should automate only after they can prove the underlying identity data is complete, current, and owned. If the programme cannot reliably identify who or what owns an entitlement, automation will scale inconsistency instead of control. Start with data quality, then move to policy enforcement and exception handling.
Technical breakdown
Identity security horizons and maturity measurement
SailPoint frames identity security progress through a horizon model that ties maturity to four vectors: strategy, technology and tools, operating model, and talent. Early horizons rely on manual activity and limited automation, while later horizons reflect broader adoption of integrated controls, analytics, and AI-assisted decision support. The useful insight is that maturity is not just a technology score. It is a capability stack that determines whether an organisation can scale identity governance without multiplying operational drag.
Practical implication: measure identity programme maturity across operating model and tooling, not only by number of deployments.
Machine identity management and identity data integration
The article highlights machine identity management as a core trend, driven by AI, automation, copilots, and machine learning systems that consume service accounts and other non-human identities. It also points to an integrated identity data layer, where context-rich identity graphs combine signals from multiple systems into a unified view. These two ideas belong together: without integrated data, machine identity sprawl is hard to see, and without machine governance, the data layer cannot support reliable access decisions.
Practical implication: build a unified inventory that connects machine identities, ownership, and entitlements before trying to automate policy enforcement.
Context-aware policy enforcement and dynamic trust
SailPoint’s review connects future identity security to context-aware policy enforcement, where AI-powered analytics adjust access based on behaviour, anomaly detection, and identity patterns. This is a move away from static entitlement thinking toward continuous evaluation of whether access still fits the current context. The technical consequence is that governance becomes more event-sensitive and more dependent on data quality. If identity signals are fragmented, dynamic trust models produce inconsistent decisions rather than better ones.
Practical implication: improve signal quality and policy consistency before relying on context-driven access decisions at scale.
Threat narrative
Attacker objective: The practical objective is to exploit identity programme gaps that create excessive access, weaker oversight, and easier movement across enterprise systems.
- Entry occurs when enterprises add new machine identities, copilots, and automated service accounts faster than they can govern them consistently.
- Escalation follows when incomplete identity data and manual controls leave entitlements under-reviewed and context signals fragmented across systems.
- Impact is broader identity sprawl, weaker privileged access governance, and reduced confidence in access decisions across human and non-human identities.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity maturity is now the controlling variable in enterprise security. SailPoint’s three-year review shows that the market is not failing because it lacks identity ambition, but because maturity is uneven across strategy, tools, operating model, and talent. That means two organisations can buy similar controls and still land in very different risk positions. The field should stop treating identity security as a feature checklist and start treating it as an operating maturity problem. Practitioners should measure capability depth, not deployment count.
Machine identity management has moved from edge case to core governance work. The article’s own trend line is clear: AI, automation, and bots are expanding the population of service accounts and other non-human identities. That changes identity governance from a human-centric exercise into a cross-actor discipline where machine entitlements need ownership, review, and context. The old assumption that machine access is a secondary concern no longer holds. Practitioners should treat machine identity coverage as a board-level control signal, not a niche technical metric.
Context-aware policy enforcement depends on identity data quality, not just analytics. SailPoint’s model assumes that behaviour, anomaly detection, and identity patterns can improve access decisions, but those signals only work when identity data is integrated and trustworthy. Fragmented entitlement data turns dynamic trust into inconsistent trust. The wider lesson is that the policy engine is only as reliable as the identity graph beneath it. Practitioners should view data integration as a prerequisite for adaptive governance, not a separate programme.
Integrated identity is becoming the new baseline for zero trust execution. The review links identity, cloud, SaaS, APIs, data, and frictionless access into one operating direction. That matters because identity is increasingly the control plane through which access is judged across environments. The governance implication is that identity architecture cannot remain split between human IAM, machine accounts, and privileged workflows. Practitioners should align identity, access, and policy design into one control model that can scale across domains.
Automated and AI-assisted identity decisions are only defensible when accountability is explicit. As organisations move toward more dynamic trust models, they also increase the need for clear ownership of policy logic, entitlement decisions, and exception handling. The article points toward a future where access changes in response to context rather than static roles alone. That future is only manageable if governance can explain why access changed. Practitioners should make decision accountability part of identity design from the start.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader view of the governance gap behind that figure, see Ultimate Guide to NHIs, Why NHI Security Matters Now.
What this signals
Identity programme leaders should expect machine identity governance to become a core maturity marker. SailPoint’s review is another signal that organisations are moving from basic identity administration toward broader coverage of service accounts, automation identities, and policy-based decisioning. The governance gap is structural: if identity data remains fragmented, even strong controls will produce uneven enforcement. Practitioners should prioritise the integrated identity data layer before scaling advanced policy logic.
With 72% of organisations already reporting or suspecting NHI breaches in our research, the identity risk surface is no longer hypothetical. That makes the ability to inventory, classify, and govern non-human identities a prerequisite for any serious identity roadmap. For teams mapping their next steps, the question is not whether machine identities belong in the programme, but whether ownership and review can keep pace with their growth.
Adaptive policy depends on a trustworthy identity graph. If behaviour-based access decisions are built on stale entitlements or disconnected directories, the result is inconsistent governance rather than dynamic trust. Teams that want to use analytics to guide access should first make sure their identity data can support the decisions they are trying to automate. See Ultimate Guide to NHIs for the baseline control model.
For practitioners
- Map maturity across four governance vectors: Assess strategy, technology and tools, operating model, and talent as separate control areas. Use that view to identify where automation is ahead of process maturity and where manual work is still masking risk.
- Inventory machine identities as first-class assets: Create an authoritative register for service accounts, automation identities, and AI-related machine access. Tie each identity to ownership, purpose, and entitlement scope so review cycles can reach it.
- Unify identity data before expanding dynamic policies: Consolidate identity signals from directories, cloud platforms, privileged access tools, and SaaS sources into one graph. Without that layer, context-aware policy enforcement will produce uneven decisions.
- Tie privileged access governance to identity horizons: Use privileged access coverage as a maturity indicator, not a separate security silo. Track where elevated access is still granted manually and where policy-based controls can replace repetitive approvals.
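The register and coverage check below put the practitioner steps above into a runnable form: each identity, human or machine, is tested for the three governance elements the key questions name (owner, review within cadence, defined entitlement scope), and coverage is reported per identity class. It is an added example written for this post, not SailPoint's model or tooling; the identities, dates and 90-day cadence are constructed.

```python
"""Coverage check over a constructed identity register (example code, not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

@dataclass
class Identity:
    name: str
    kind: str                          # "human" or "machine" (service account, bot, copilot)
    owner: Optional[str]               # accountable person or team; None = orphaned
    last_review: Optional[date]        # last entitlement review; None = never reviewed
    entitlements: Tuple[str, ...] = () # granted scopes; empty = scope never defined

# Constructed sample register; names and dates are illustrative only.
REGISTER = [
    Identity("alice", "human", "hr-ops", date(2025, 11, 1), ("payroll:read",)),
    Identity("bob", "human", "finance", date(2025, 9, 15), ("ledger:write",)),
    Identity("ci-deploy", "machine", "platform-team", date(2025, 10, 20), ("k8s:deploy",)),
    Identity("report-bot", "machine", None, date(2024, 6, 1), ("db:read", "db:write")),
    Identity("copilot-svc", "machine", "ai-platform", None, ()),
]
REVIEW_CADENCE = timedelta(days=90)   # assumed review cadence for every identity class
REPORT_DATE = date(2025, 12, 10)      # constructed "today" for the report

def gaps(identity, today):
    """Governance elements missing for one identity: owner, review, scope."""
    missing = []
    if identity.owner is None:
        missing.append("owner")
    if identity.last_review is None or today - identity.last_review > REVIEW_CADENCE:
        missing.append("review")
    if not identity.entitlements:
        missing.append("scope")
    return missing

def coverage_by_class(register, today):
    """Percentage of identities per class that have no governance gaps."""
    totals, covered = {}, {}
    for ident in register:
        totals[ident.kind] = totals.get(ident.kind, 0) + 1
        if not gaps(ident, today):
            covered[ident.kind] = covered.get(ident.kind, 0) + 1
    return {k: round(100 * covered.get(k, 0) / totals[k]) for k in totals}

def unowned_unreviewed_machines(register, today):
    """Machine identities with neither an owner nor a current review: the
    silent privilege channels the threat narrative describes, listed first."""
    return [i.name for i in register
            if i.kind == "machine" and {"owner", "review"} <= set(gaps(i, today))]

if __name__ == "__main__":
    print(coverage_by_class(REGISTER, REPORT_DATE))          # {'human': 100, 'machine': 33}
    print(unowned_unreviewed_machines(REGISTER, REPORT_DATE))  # ['report-bot']
```

Feeding the same check a real export from a directory or PAM tool is the simplest way to see whether machine identity coverage trails human coverage, which is the gap the horizons model measures.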
Key takeaways
- Identity security maturity is the real differentiator, not tool count alone.
- Machine identities are now part of the core governance workload, not an edge case.
- Adaptive access controls only work when identity data is integrated, owned, and trustworthy.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity maturity and access governance map directly to access control discipline. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Machine identity sprawl and ownership gaps are central to NHI governance. |
| NIST Zero Trust (SP 800-207) | PL-1 | Context-aware access depends on continuous verification across environments. |
Use PR.AC-1 to verify that identity access decisions are governed across all identity types.
Key terms
- Identity security horizon: A maturity stage used to describe how far an organisation has progressed in identity governance, tooling, and operating model. In practice, it separates manual identity administration from integrated, policy-driven control that can scale across human and machine identities.
- Machine identity: A non-human identity used by software, automation, or connected systems to authenticate and access resources. It includes service accounts, automation identities, and similar credentials that require ownership, entitlement control, and lifecycle governance just like human access.
- Context-aware policy enforcement: An access control approach that changes decisions based on current signals such as behaviour, identity pattern, and environment context. It is only reliable when the identity data feeding those decisions is complete, current, and consistently governed.
- Integrated identity data layer: A connected identity data foundation that brings together entitlements, ownership, activity, and context from multiple systems. It makes governance and analytics usable across fragmented environments, especially when organisations need to manage both human and non-human identities.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity security capability across IAM or governance teams, it is worth exploring.
This post draws on content published by SailPoint: The progress of identity security, a three-year review. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org