TL;DR: Identity programmes stall when teams cannot explain business value, align stakeholders, or cover enough identities, according to SailPoint’s customer panel with Best Buy, Cognizant, and ExxonMobil, with its Horizons of Identity survey finding broad early-stage maturity and coverage gaps. The real constraint is not tooling alone; it is programme design that still assumes identity security can be delivered as a narrow IT project.
At a glance
What this is: This is SailPoint’s customer-panel analysis of why identity security programmes struggle, with the core finding that stakeholder alignment, process simplification, and broader identity coverage remain the main blockers.
Why it matters: It matters because IAM, NHI, and lifecycle programmes fail in the same way when they are treated as isolated technical tasks rather than business-wide governance changes.
By the numbers:
- 4 in 10 companies are in the early stages of their identity security journey.
- Even mature companies cover less than 70% of the identities in their organization.
- The Horizons of Identity report surveyed 375 identity security decision-makers.
Context
Identity security is the set of processes and controls that govern who or what gets access, how that access is approved, and how it is reviewed over time. In this article, the problem is not lack of technology but lack of programme maturity: the vendor’s customer examples show that business value, stakeholder alignment, and process simplification are still the barriers holding identity security back.
For IAM teams, the same pattern shows up across human, NHI, and lifecycle governance. If the programme cannot explain its value to finance, compliance, operations, and business owners, it will stay stuck at project level instead of becoming a durable control plane for access and accountability. The article’s examples are typical of enterprise identity transformations, not edge cases.
Key questions
Q: How should organisations build a business case for identity security?
A: They should tie identity security to outcomes that business leaders already manage: audit readiness, access risk, operational efficiency, and reduced manual work. A business case lands when it shows how better governance lowers support burden, reduces exposure, and improves the speed of change across the organisation. Technical controls matter, but the case is won in business language.
Q: Why do identity security programmes stall in large organisations?
A: They stall when teams treat identity as an IT implementation rather than an enterprise governance capability. Large organisations usually have competing stakeholders, legacy processes, and unclear ownership, so progress slows unless the programme simplifies workflows and creates a shared operating model that reaches beyond the security team.
Q: How do you know if an identity programme has enough coverage?
A: You know coverage is sufficient only when the inventory includes the identities that can actually create risk, including users, service accounts, and external access paths. If recertification and reporting only see part of the estate, the programme is managing a subset of risk rather than the real control surface.
Q: What should IAM leaders do before automating more access processes?
A: They should first remove process variation, document ownership, and identify where local exceptions exist. Automation should scale a clean process, not a broken one. If the underlying workflow is inconsistent, the result is faster inconsistency rather than stronger governance.
Technical breakdown
Why identity security programmes stall at the stakeholder layer
Identity security programmes fail early when they are framed as an IT control project instead of a business governance capability. The article shows that effective adoption depends on bringing compliance, HR, operations, and user representatives into the conversation, because each group judges success differently. That is a governance problem, not a tooling problem. Without a shared narrative on risk reduction, auditability, and operational efficiency, identity work stays underfunded and under-prioritised.
Practical implication: build a stakeholder model with named business owners, not just an IAM project team.
Process simplification is the real implementation test
The article’s strongest technical lesson is that identity security cannot just automate a broken process. If account creation, provisioning, or access changes are already messy, then adding workflow on top only preserves the complexity. Mature identity programmes simplify and harmonise processes before scaling them, because bad process design becomes the source of support incidents, delay, and inconsistent access outcomes. Identity security maturity is measured by process clarity as much as by automation coverage.
Practical implication: map and remove process variants before expanding automation or recertification scope.
Coverage gaps weaken both human IAM and NHI governance
The article’s maturity warning matters because incomplete coverage creates blind spots across the whole identity estate. When mature organisations still cover less than 70% of identities, access reviews, lifecycle controls, and reporting all become partial views of risk. That weakness applies equally to human identities and NHIs, where unmanaged accounts, keys, and service identities often sit outside the governance perimeter. Coverage is the base condition for any usable identity security programme.
Practical implication: measure identity inventory completeness before claiming recertification or least-privilege maturity.
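The coverage warning above is only actionable if inventory completeness is measured the same way every time. The following script is an added illustration written for this page, not code from SailPoint or from the customer panel, and it runs on a constructed inventory. It reconciles identities discovered from systems of record (an HR feed, a directory, a cloud account, a cluster, a vendor register) against the set the governance tool actually manages, reports coverage per identity kind, and computes the overall figure over the intersection of the two sets so that stale records that exist only in the governance tool cannot inflate it. The 70% floor is the figure quoted in the article used here as an assumed reporting threshold, the AWS account number is a placeholder, and all identifiers are invented.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    id: str      # stable identifier: UPN, role ARN, cluster service account, vendor login (constructed)
    kind: str    # "human", "service_account" or "third_party"
    source: str  # system that discovered the identity


# Constructed discovery results; alice appears twice because two sources see her.
DISCOVERED = [
    Identity("alice@example.com", "human", "hr_feed"),
    Identity("alice@example.com", "human", "directory"),
    Identity("bob@example.com", "human", "hr_feed"),
    Identity("carol@example.com", "human", "hr_feed"),
    Identity("svc-backup", "service_account", "directory"),
    Identity("svc-etl", "service_account", "directory"),
    Identity("arn:aws:iam::123456789012:role/ci-deploy", "service_account", "aws_account"),  # placeholder account id
    Identity("k8s:payments/payments-worker", "service_account", "k8s_cluster"),
    Identity("vendor-mspx-admin", "third_party", "vendor_register"),
    Identity("contractor-dana", "third_party", "vendor_register"),
]

# Constructed set of identities the IGA tool has under lifecycle and recertification.
# "svc-legacy-report" was decommissioned but never removed from the tool.
GOVERNED = {
    "alice@example.com", "bob@example.com", "carol@example.com",
    "svc-backup", "contractor-dana", "svc-legacy-report",
}


def coverage_report(discovered, governed, threshold=0.70):
    """Return per-kind and overall governance coverage of discovered identities.

    Coverage is len(discovered & governed) / len(discovered), so an identity that
    exists only in the governance tool (an orphan) is reported separately and never
    counts towards coverage. `threshold` is an assumed reporting floor.
    """
    ids_by_kind = defaultdict(set)
    for ident in discovered:
        ids_by_kind[ident.kind].add(ident.id)  # same id from two sources counts once

    discovered_ids = set().union(*ids_by_kind.values()) if ids_by_kind else set()

    by_kind = {}
    for kind, ids in sorted(ids_by_kind.items()):
        gov = ids & governed
        by_kind[kind] = {
            "total": len(ids),
            "governed": len(gov),
            "coverage": round(len(gov) / len(ids), 4),
            "ungoverned": sorted(ids - governed),  # the blind spots for this kind
        }

    overall = len(discovered_ids & governed) / len(discovered_ids) if discovered_ids else 0.0
    naive = len(governed) / len(discovered_ids) if discovered_ids else 0.0
    return {
        "by_kind": by_kind,
        "overall": round(overall, 4),
        "naive_ratio": round(naive, 4),           # what governed/discovered would wrongly report
        "orphans": sorted(governed - discovered_ids),  # in the tool, not discoverable anywhere
        "below_threshold": overall < threshold,
    }


if __name__ == "__main__":
    report = coverage_report(DISCOVERED, GOVERNED)
    for kind, row in report["by_kind"].items():
        print(f"{kind:16s} {row['governed']}/{row['total']} governed "
              f"({row['coverage']:.0%}); ungoverned: {row['ungoverned']}")
    print(f"overall coverage {report['overall']:.1%} (naive ratio {report['naive_ratio']:.1%})")
    print(f"orphan records in governance tool: {report['orphans']}")
    print("below threshold" if report["below_threshold"] else "at or above threshold")
```

On this sample the naive ratio reports two-thirds coverage while the reconciled figure is just over half, and the service-account row shows where the gap actually sits. The same split by kind is what makes the metric useful as a control indicator: a high human-identity figure says nothing about the keys, roles and cluster accounts that recertification never sees.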
NHI Mgmt Group analysis
Identity security fails first as a governance problem, not a tooling problem. The article’s recurring theme is that organisations struggle to communicate business value, secure sponsorship, and align stakeholders around what identity security is meant to change. That is the same failure pattern seen in immature IAM and NHI programmes: the control exists, but the operating model does not support it. The practitioner implication is that identity security must be treated as enterprise governance, not a back-office implementation.
Process harmonisation is the hidden prerequisite for scale. ExxonMobil’s example shows that identity security only creates leverage when teams are willing to redesign the workflows that caused support pain in the first place. This is where many programmes stall, because they automate process debt instead of removing it. The practitioner implication is that identity maturity should be judged by simplification, not by the number of workflows deployed.
Identity coverage gap: even mature programmes can leave a large share of identities outside governance because they were designed for narrower environments. That assumption was built for a world where identity scope was easier to define and the organisation changed more slowly. The implication is that practitioners must rethink the programme boundary itself, because incomplete coverage makes every downstream control look healthier than it really is.
Business-value framing is now part of identity control effectiveness. Best Buy and Cognizant both show that stakeholder language matters because CFO, compliance, operations, and business users evaluate identity work through different lenses. If the programme cannot translate access control into operational and risk outcomes, it will keep losing budget and sponsorship. The practitioner implication is that IAM leaders need a value model that survives outside the security team.
Lifecycle governance is the common thread across human, NHI, and AI-era identity work. The article’s emphasis on change management, staffing, and long-running transformation maps directly to joiner-mover-leaver discipline, access reviews, and control ownership. Whether the subject is a user account, a service account, or a future autonomous identity, the same programme weakness appears when governance is not built into the lifecycle. The practitioner implication is to design identity operating models around change, not static entitlement sets.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still operate with partial control of the estate.
- That visibility gap is why practitioners should also review the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, alongside the broader governance baseline.
What this signals
Identity coverage, not just control design, will separate mature programmes from nominal ones. When less than 70% of identities are covered in mature environments, access review results and governance dashboards can look healthy while leaving material risk outside the programme. The practical signal for teams is to treat inventory completeness as a board-visible metric, not an implementation detail, and to pair it with NIST Cybersecurity Framework 2.0 governance reporting.
Process debt is the main drag on identity transformation. The article points to a familiar pattern: organisations try to buy faster execution before they redesign the workflow that caused the delay. That means IAM, IGA, and PAM teams should watch for exceptions, duplicated approvals, and manual rework as early signs that automation will underperform unless the operating model changes first.
Governance language will matter more as identity expands into NHI and autonomous systems. The same stakeholder challenge seen here will intensify when teams have to explain machine identities, workload identities, and agentic access to business owners. Programmes that already have a shared business narrative will adapt faster, especially when they can anchor lifecycle controls to the Ultimate Guide to NHIs, Regulatory and Audit Perspectives.
For practitioners
- Reframe identity as an enterprise governance programme: Assign explicit business sponsors from compliance, HR, finance, operations, and security so identity outcomes are discussed in risk, audit, and productivity terms, not only technical terms.
- Simplify workflows before expanding automation: Review provisioning, request, and approval paths for duplicated steps, handoffs, and local exceptions. Remove avoidable variation first so automation does not preserve process debt.
- Measure identity coverage as a control metric: Track what percentage of human identities, service accounts, and third-party access paths are actually governed. If the inventory is incomplete, recertification and least-privilege claims are not reliable.
- Build a change-management plan for identity transformation: Plan for multiple rollouts, role changes, staff turnover, and business-unit objections. Identity programmes fail when they assume the environment will stay stable long enough to finish a perfect implementation.
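The process-simplification point made in the technical breakdown and repeated in the practitioner list above (duplicated steps, handoffs, local exceptions) can be checked mechanically before an automation or recertification scope is widened. The script below is an added example for this page, not the panel's or any vendor's code, and it works on constructed access-request workflow definitions for four invented business units. It groups units by identical step sequence to count how many process variants really exist, and flags the signs named in the text: an approver role that approves twice in one path, manual provisioning steps, and steps that only a single unit uses. Step kinds and actor names are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict

# Constructed "grant access" workflows, one per business unit.
# Each step is (kind, actor); kind is one of request, approve, provision, notify.
WORKFLOWS = {
    "corporate": [
        ("request", "requester"), ("approve", "line_manager"), ("approve", "app_owner"),
        ("provision", "automated"), ("notify", "requester"),
    ],
    "retail": [
        ("request", "requester"), ("approve", "line_manager"), ("approve", "app_owner"),
        ("provision", "automated"), ("notify", "requester"),
    ],
    "finance": [  # line manager approves twice; provisioning is still a manual ticket
        ("request", "requester"), ("approve", "line_manager"), ("approve", "line_manager"),
        ("approve", "app_owner"), ("provision", "manual"), ("notify", "requester"),
    ],
    "logistics": [  # a regional approver nobody else uses; manual provisioning
        ("request", "requester"), ("approve", "app_owner"), ("approve", "regional_it_lead"),
        ("provision", "manual"), ("notify", "requester"),
    ],
}


def analyse_workflows(workflows):
    """Report how many distinct process variants exist and where process debt sits.

    A variant is a distinct ordered step sequence. A local exception is a step that
    appears in exactly one unit's workflow. Duplicate approvals count the same actor
    approving more than once in a single path.
    """
    variants = defaultdict(list)  # step sequence -> units that follow it
    step_units = defaultdict(set)  # step -> units whose workflow contains it
    for unit, steps in workflows.items():
        variants[tuple(steps)].append(unit)
        for step in set(steps):
            step_units[step].add(unit)

    findings = {}
    for unit, steps in workflows.items():
        approvals = Counter(actor for kind, actor in steps if kind == "approve")
        findings[unit] = {
            "duplicate_approvals": sorted(a for a, n in approvals.items() if n > 1),
            "manual_steps": [kind for kind, actor in steps if actor == "manual"],
            "local_exceptions": sorted(s for s in set(steps) if len(step_units[s]) == 1),
        }

    clean = all(not any(v for v in f.values()) for f in findings.values())
    return {
        "variant_count": len(variants),
        "variants": sorted(sorted(units) for units in variants.values()),
        "findings": findings,
        # only one shared path and no flagged steps: safe to automate as-is
        "automation_ready": len(variants) == 1 and clean,
    }


if __name__ == "__main__":
    result = analyse_workflows(WORKFLOWS)
    print(f"{result['variant_count']} process variants across {len(WORKFLOWS)} units: {result['variants']}")
    for unit, f in result["findings"].items():
        flagged = {k: v for k, v in f.items() if v}
        print(f"{unit:10s} {flagged if flagged else 'no findings'}")
    print("automation ready" if result["automation_ready"] else "harmonise before automating")
```

Here two units already share one path, finance carries a redundant approval and a manual hand-off, and logistics has an approver step that exists nowhere else. Automating the four paths as they stand would faithfully reproduce all three problems; the report gives the programme a concrete list of what to remove first, which is the order of work the article argues for.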
Key takeaways
- Identity security breaks down when it is treated as a narrow IT project rather than an enterprise governance function.
- Coverage gaps and process debt are the two clearest signs that maturity claims are overstated.
- Teams that simplify workflows, widen stakeholder ownership, and measure identity completeness are better positioned to scale control reliably.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | The article is about defining identity security value in business terms. |
| NIST Zero Trust (SP 800-207) | PR.AA-04 | Identity security underpins continuous access governance and policy enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Coverage and lifecycle gaps in identities are central to the article's governance problem. |
Inventory all non-human identities and close lifecycle gaps before asserting control maturity.
Key terms
- Identity Security Programme: An identity security programme is the operating model, controls, and governance structure used to manage access across an organisation. It combines policy, workflow, lifecycle discipline, and reporting so identity is treated as a business control, not just a technical function.
- Identity Coverage: Identity coverage is the proportion of real identities and access paths that are actually governed by the programme. In practice, it matters because incomplete coverage leaves blind spots in reviews, risk reporting, and lifecycle control across human accounts, NHIs, and external access.
- Process Simplification: Process simplification is the removal of unnecessary steps, handoffs, and exceptions before automation is added. In identity governance, it is the difference between scaling a clean workflow and accelerating a broken one that creates support incidents and inconsistent access outcomes.
- Stakeholder Alignment: Stakeholder alignment is the deliberate coordination of security, operations, compliance, HR, and business leaders around identity goals. It matters because identity security succeeds only when different groups agree on risk, ownership, and the outcomes the programme is meant to deliver.
Deepen your knowledge
NHI governance, agentic AI identity, machine identity security, IAM, identity lifecycle, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Best Buy, Cognizant, and ExxonMobil talk all things identity security. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org