TL;DR: 44% of organisations remain at the lowest maturity horizon, with many still relying on manual fulfilment, limited business alignment, and incomplete identity planning, according to SailPoint’s Horizons of Identity Security 2023-24 study, created with Accenture. The real issue is not tool sprawl alone, but programme design that cannot yet scale across human, non-human identity (NHI), and emerging AI-driven access models.
At a glance
What this is: This is SailPoint’s analysis of its 2023-24 identity security maturity study with Accenture, focused on why many organisations remain early in their identity journey.
Why it matters: It matters because identity teams cannot mature governance for NHIs, autonomous systems, and human access if they still lack a clear baseline, operating plan, and business alignment.
By the numbers:
- 44% of organisations at horizon 1, the lowest maturity level
- help desk calls reduced by 40%
- costs cut by 60%
- automation increased by 90%
👉 Read SailPoint's analysis of the Horizons of Identity Security 2023-24 study
Context
Identity security maturity is the difference between a programme that can govern access at scale and one that relies on exceptions, manual work, and fragmented controls. This article's focus is identity security maturity, and its central finding is that many enterprises still lack the planning, alignment, and operating discipline needed to move beyond the earliest stage.
The article frames maturity as both a technology and governance problem. Organisations may have adopted SaaS more broadly and may be experimenting with AI and analytics, but without a clear current-state view, business alignment, and a repeatable access model, identity work stays reactive rather than strategic.
That is relevant across human IAM, NHI governance, and emerging autonomous access patterns. The same maturity gap shows up when teams cannot articulate ownership, cannot prove business value, and cannot operationalise access decisions in a way that survives scale.
Key questions
Q: How should identity teams move beyond the first maturity horizon?
A: Teams should start by documenting current-state controls, ownership, and gaps, then map those findings to a realistic roadmap. The priority is not more tooling, but clearer governance, measurable outcomes, and business alignment. If the programme cannot show where it is today, it cannot prove that later automation or platform investment is actually improving identity security.
Q: Why do identity programmes stall even when organisations buy modern tools?
A: They stall because tooling does not replace operating discipline. If the programme lacks clear ownership, business alignment, and a repeatable access model, new platforms simply automate fragmented processes. Maturity requires a working baseline, not just more capability, especially when identity now spans employees, service accounts, and AI-driven access patterns.
Q: What signals show that an identity programme is actually maturing?
A: Useful signals include lower manual fulfilment, fewer help desk calls, better adoption, and clearer executive visibility into progress. A mature programme can connect access controls to business outcomes and show that identity work is reducing friction as well as risk. If those signals are missing, the programme may be active but not advancing.
Q: How do organisations choose identity technology without locking themselves into the wrong model?
A: They should test technical fit, business fit, delivery history, and implementation support against the organisation’s real use cases. The question is not which platform looks strongest in the abstract, but which one can sustain governance over time and still work when business requirements change.
Technical breakdown
Why identity security maturity stalls at the first horizon
Identity maturity stalls when programmes cannot connect policy, operating model, and business outcomes. In the article, the recurring blockers are fragmented tool choices, limited skills, and weak clarity on what “good” looks like for the current state. Maturity models are useful only when they reveal where governance breaks down, not when they become a reporting exercise. The practical problem is that teams often automate isolated tasks while leaving access strategy, certification discipline, and lifecycle ownership unresolved.
Practical implication: map current identity controls to a maturity baseline before buying more tooling or expanding scope.
How AI and analytics change identity operations
The article argues that AI and analytics become valuable only after the identity basics are in place. That means certifications, birthright access, and provisioning discipline already need to work before automation can reduce friction. In practical terms, AI should help identify likely access needs, accelerate fulfilment, and reduce manual retrieval, but it does not replace the governance model underneath it. Without stable identity data and trusted workflows, automation simply scales inconsistency.
Practical implication: automate only the parts of identity operations that already have clear rules, clean data, and accountable owners.
Why business value has to be measurable in identity programmes
Identity programmes stall when they are treated as cost centres rather than operating enablers. The article stresses measuring progress, adoption, and daily usage so stakeholders can see value in concrete terms. That is a governance signal, not just a finance one. If identity cannot show reduced manual work, better fulfilment, or lower access friction, it becomes harder to sustain executive support and harder to justify expansion into broader governance domains.
Practical implication: define success metrics that connect identity controls to operational outcomes, not just compliance checkpoints.
NHI Mgmt Group analysis
Identity maturity is now a governance ceiling, not just a tooling gap. The article’s core message is that many organisations are still at the starting line because they lack a plan, not because they lack product options. That is a familiar failure mode in identity programmes: the control stack exists, but the operating model does not. The implication is that maturity work has to begin with current-state clarity, ownership, and measurable outcomes.
The named failure mode here is horizon-lock. Horizon-lock is what happens when organisations remain trapped in early-stage identity patterns because every new initiative is layered on top of unresolved basics. The article shows this through manual fulfilment, limited skills, and weak alignment to business needs. That matters because unresolved basics become structural debt, and structural debt prevents identity from supporting broader governance across human, NHI, and autonomous access.
AI does not fix identity maturity, it exposes it. The article’s discussion of AI and analytics assumes a stable base of certifications, birthright access, and provisioning discipline. Where that base is weak, automation merely accelerates flawed decisions. The field-level lesson is that identity maturity is now a prerequisite for safe AI-enabled operations, not a downstream benefit.
Identity value must be proven in business terms or it will stay politically fragile. The article is explicit that identity needs to be framed as an enabler of business growth, not a back-office cost. That framing matters because executive support follows outcomes, not architecture diagrams. Practitioners should treat value measurement as part of governance design, not as a reporting afterthought.
Vendor selection is becoming an operating-model decision, not a feature comparison. The article points to technical fit, business use cases, delivery history, and partner behaviour as the real selection criteria. That reflects the market shift from point solutions toward platforms that must support governance over time. The implication is that identity teams need to evaluate longevity, not just functionality, when choosing the next control layer.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That gap makes the 52 NHI Breaches Analysis the natural next resource for understanding how lifecycle failures become incidents.
What this signals
Horizon-lock: identity programmes often plateau because they treat maturity as a vendor selection problem rather than an operating-model problem. For teams planning NHI or autonomous governance, the lesson is to fix current-state visibility, lifecycle ownership, and measurable outcomes before scaling automation or adding more policy layers.
The same maturity gap is visible in NHI governance. Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which is why access review programmes frequently report activity without changing actual risk.
That means identity leaders should prepare for a broader governance merge between human IAM, NHI lifecycle control, and AI-driven access decisions. The programmes that win will be the ones that can prove business value while also showing control integrity across all three identity classes.
For practitioners
- Baseline identity maturity before expanding scope: Document current-state identity controls, ownership, and gaps across certifications, provisioning, and lifecycle management before adding new automation or platform layers.
- Tie identity metrics to business outcomes: Track adoption, fulfilment speed, help desk reduction, and user friction so the programme can demonstrate measurable value to executives and business partners.
- Sequence AI after governance basics: Use AI and analytics only where access rules, identity data, and approvals are already stable enough to support trustworthy automation.
- Evaluate vendors through operating longevity: Involve business stakeholders in selection, test delivery history in similar environments, and assess whether the platform can support long-term governance rather than a one-time deployment.
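The first practitioner item above asks for a current-state baseline across ownership and lifecycle, and the research figures earlier on the page (secrets still valid days after notification, service accounts without full visibility, API keys never offboarded or rotated) describe exactly the failures such a baseline should surface. The following Python script is an added example written for this page, not code from SailPoint, Accenture or the Horizons study; the inventory fields, the thresholds (90-day rotation, 60-day dormancy, five-day remediation window) and every sample record are constructed assumptions. It scores each non-human credential against those lifecycle rules and summarises the result as the kind of baseline the article says must exist before automation is layered on top.

```python
# Added example (not from SailPoint, Accenture or the Horizons study): a
# current-state baseline over a non-human-identity credential inventory.
# The inventory schema, thresholds and all records below are constructed
# assumptions for illustration; map the fields to your own vault, cloud IAM
# or secrets-scanner export.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds (assumed values, not figures from the study).
MAX_ROTATION_AGE_DAYS = 90   # a credential must be rotated at least this often
DORMANT_AFTER_DAYS = 60      # unused this long (or never used) counts as dormant
REMEDIATION_SLA_DAYS = 5     # window from exposure notification to revocation


@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner: str | None        # accountable team or person; None = nobody owns it
    owner_active: bool       # False when the owner has been offboarded
    created: date
    last_rotated: date | None
    last_used: date | None
    revoked: bool
    notified: date | None    # date the organisation was told the secret was exposed


def assess(cred: Credential, today: date) -> list[str]:
    """Return lifecycle-failure codes for one credential (empty list = clean).

    Revoked credentials are out of scope: they no longer grant access.
    """
    if cred.revoked:
        return []
    findings: list[str] = []
    if cred.owner is None:
        findings.append("ORPHANED")            # nobody to approve, certify or revoke
    elif not cred.owner_active:
        findings.append("OWNER_OFFBOARDED")    # the human left, the credential stayed
    rotated = cred.last_rotated or cred.created
    if (today - rotated).days > MAX_ROTATION_AGE_DAYS:
        findings.append("STALE")
    if cred.last_used is None or (today - cred.last_used).days > DORMANT_AFTER_DAYS:
        findings.append("DORMANT")
    if cred.notified is not None and (today - cred.notified).days > REMEDIATION_SLA_DAYS:
        findings.append("UNREMEDIATED")        # still valid after the SLA window
    return findings


def baseline(inventory: list[Credential], today: date) -> dict:
    """Summarise the inventory as the current-state numbers a programme needs
    before it buys tooling: how much is in scope, how much is clean, and which
    failure modes dominate."""
    per_cred = {c.cred_id: assess(c, today) for c in inventory}
    in_scope = [c for c in inventory if not c.revoked]
    counts: dict[str, int] = {}
    for codes in per_cred.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    clean = sum(1 for c in in_scope if not per_cred[c.cred_id])
    return {
        "total": len(inventory),
        "in_scope": len(in_scope),
        "clean": clean,
        "with_findings": len(in_scope) - clean,
        "by_finding": counts,
        "per_credential": per_cred,
    }


# Constructed sample inventory; the dates are chosen to exercise each rule.
TODAY = date(2025, 12, 10)
SAMPLE_INVENTORY = [
    # healthy: owned, rotated recently, used yesterday
    Credential("svc-ci-deploy", "platform-team", True,
               date(2025, 1, 1), date(2025, 11, 1), date(2025, 12, 9), False, None),
    # owner offboarded, never rotated, exposure reported nine days ago, still valid
    Credential("api-key-legacy-report", "j.doe", False,
               date(2024, 3, 15), None, date(2025, 12, 1), False, date(2025, 12, 1)),
    # no owner on record and never used since issue
    Credential("token-batch-import", None, False,
               date(2025, 10, 1), None, None, False, None),
    # already revoked, so out of scope whatever its history
    Credential("key-retired-etl", "data-team", True,
               date(2023, 6, 1), None, date(2024, 1, 1), True, None),
]

if __name__ == "__main__":
    report = baseline(SAMPLE_INVENTORY, TODAY)
    for cid, codes in report["per_credential"].items():
        print(f"{cid:25s} {', '.join(codes) or 'clean'}")
    print({k: v for k, v in report.items() if k != "per_credential"})
```

Run it as a script to print the per-credential findings and the summary. The summary counts are the current-state figures worth tracking review over review; a rising "clean" share with a falling "UNREMEDIATED" and "OWNER_OFFBOARDED" count is the kind of outcome metric the article asks identity teams to show, as opposed to the number of access reviews completed.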
Key takeaways
- Most identity programmes stall because governance, skills, and operating discipline lag behind tool adoption.
- The article’s own maturity data shows that 44% of organisations remain at the lowest horizon, which signals a wide gap between ambition and execution.
- Identity teams should measure outcomes, strengthen current-state visibility, and delay broad automation until the baseline is stable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-207 (Zero Trust Architecture) and NIST SP 800-63 provide the governance and control references this guidance draws on.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Identity maturity depends on business context and governance alignment. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements must be defined in policy, managed, enforced, and reviewed; the manual-fulfilment and certification gaps described above map directly to this subcategory. |
| NIST SP 800-207 | Section 2.1, Tenets of Zero Trust | Identity maturity requires per-request access decisions and ongoing verification rather than static, unreviewed entitlements. |
| NIST SP 800-63 | SP 800-63B (Authentication and Lifecycle Management) | The article references strong authentication as part of identity maturity. |
Use identity assurance and authentication standards to support better access decisions and user trust.
Key terms
- Identity security maturity: The degree to which an organisation can govern access consistently, measure outcomes, and scale controls without relying on manual exception handling. In practice, maturity reflects whether identity processes are aligned to business goals, ownership, and repeatable operations across users, service accounts, and automated access patterns.
- Birthright access: Access that is granted automatically based on a role, job function, or defined starting condition. In a mature identity programme, birthright access should be predictable, reviewable, and limited to what a new identity genuinely needs at the point of onboarding or activation.
- Identity operating model: The combination of people, processes, and technology that determines how identity decisions are made and enforced. It is the practical layer between policy and execution, and it decides whether access is handled consistently or left to manual work, local exceptions, and fragmented ownership.
- Access fulfilment: The process of granting or modifying access after a request, approval, or trigger. Effective fulfilment is fast, auditable, and aligned to policy, but weak fulfilment becomes a source of delay, inconsistency, and hidden risk when it depends on manual intervention.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Navigating the digital landscape: A deep dive into the Horizons of Identity Security 2023-24 with Accenture. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org