TL;DR: Identity security programmes fail when teams rush to tools before understanding current capability, future state, and the communication needed to align security decisions with business priorities, according to SailPoint’s interview with CISO Rex Booth. The practical lesson is that identity governance starts with scope, trust, and maturity assessment, not procurement.
At a glance
What this is: A CISO interview that argues identity security should begin with a clear assessment of current state, future state, and communication before teams choose tools or programmes.
Why it matters: It matters because IAM, NHI, and broader security teams all need a shared baseline for deciding what to govern first, how to communicate risk, and where maturity gaps are really located.
Context
Identity security fails fastest when teams start with technology selection instead of a clear view of what they already control, what they need to protect, and how much change the business can absorb. In practice, that means identity programmes need a maturity baseline before they can make credible decisions about access, governance, and risk.
Rex Booth’s comments point to a familiar IAM problem: many organisations know they have an identity issue, but not whether it is primarily about visibility, access governance, communication, or operating model. That distinction matters across human identity, machine identity, and non-human identity programmes because the first control failure is often programme clarity, not enforcement.
Key questions
Q: How should security teams decide where to start with identity governance?
A: They should start by assessing current state against a defined target state, then rank the biggest control gaps by business risk. That usually means identifying where visibility, approvals, lifecycle management, or access review processes are weakest before choosing tools. The right first step is a baseline, not a purchase.
Q: Why does communication matter so much in identity security programmes?
A: Because identity work succeeds only when leaders, application owners, and risk stakeholders understand the same problem in the same terms. If the security team cannot explain why a control matters, the programme struggles to get support, adoption, and consistent action. Communication turns technical findings into decisions.
Q: What do organisations get wrong when they rush into identity tooling?
A: They often assume the tool will define the programme. In reality, tooling only works well after teams know what they need to govern, which identities matter most, and how mature their current processes are. Without that clarity, teams automate confusion instead of reducing it.
Q: How can teams reduce bottlenecks in identity governance without losing control?
A: By giving the people closest to the risk enough authority to act, while keeping clear ownership and review for high-risk decisions. Excessive handoffs and approval layers usually slow remediation more than they improve security. The goal is disciplined delegation, not uncontrolled freedom.
Technical breakdown
Why identity maturity assessments matter before tooling decisions
An identity maturity assessment separates stated ambition from operational reality. It helps teams identify where access decisions are still manual, where lifecycle controls are inconsistent, and where governance processes cannot support growth. Without that baseline, organisations often buy controls that duplicate existing capability in one area while leaving the real gap untouched in another. The result is wasted effort and weak prioritisation. A maturity model is not a reporting exercise; it is a decision tool for sequencing identity work.
Practical implication: use a maturity assessment to decide whether your next investment should be lifecycle, access governance, or visibility first.
Why communication is an identity security control
Identity programmes fail when security teams cannot explain risk in the language of the business. Communication is not a soft skill in this context; it determines whether policy changes get funded, adopted, and sustained. If a CISO cannot translate access risk into operational impact, the programme stays tactical and reactive. Good communication also reduces friction between security and delivery teams because it clarifies trade-offs instead of presenting controls as abstract mandates.
Practical implication: build identity governance messaging around business outcomes, not control jargon or product features.
How trust, talent, and operating model shape identity governance
Identity governance depends on more than policy design. Teams need the right mix of experience, perspective, and delegated authority to manage access at scale. Booth’s emphasis on extending trust reflects a governance truth: once accountability is clear, blocking work with excessive internal boundaries slows remediation and weakens ownership. The operating model must let the people responsible for access decisions actually act on them. Otherwise the programme becomes a queue of approvals rather than a control system.
Practical implication: align decision rights with accountability so identity work can move without unnecessary internal bottlenecks.
NHI Mgmt Group analysis
Identity security fails first as a governance problem, not a tooling problem. Booth’s advice to pause before acting captures the reality that many programmes buy controls before they understand the control gap. The real failure is not the absence of a product feature, but the absence of a clear target state, which leaves access, lifecycle, and risk management fragmented. Practitioners should treat programme clarity as the first control boundary.
Communication is part of the identity control plane. If security leaders cannot explain identity risk in terms the business understands, they cannot secure the funding or operating alignment needed to fix it. That makes communication an enabling control for IAM and identity governance, not a side skill. The implication is that identity programmes need narrative discipline as much as enforcement discipline.
Trust without role clarity creates governance drag. Booth’s point about extending trust only works when accountability is explicit and boundaries are minimal enough to let the right people operate. In identity programmes, over-approval and excessive handoffs often slow lifecycle work more than they improve security. Practitioners should design governance so decision rights are clear and action can happen close to the risk.
Identity security maturity: the programme-level gap is the inability to assess current state before selecting controls. This is the named concept that runs through the interview. It describes a common failure mode where organisations know identity matters but cannot sequence action because they lack a defensible baseline. The implication is that maturity, not product choice, determines whether identity work becomes strategic or stays fragmented.
Lifecycle governance is only effective when the operating model can carry it. The interview reinforces that access management is not just a policy question but a people and process question. If teams cannot translate risk, assign ownership, and act with enough autonomy, lifecycle controls stall. Practitioners should read this as a signal that governance design and organisational behaviour must be fixed together.
From our research:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Only 6 distinct secrets manager instances exist on average across organisations, creating fragmentation that weakens centralised control and slows governance decisions.
- For the broader identity picture, the Ultimate Guide to NHIs: Why NHI Security Matters Now helps teams connect identity growth to programme maturity and operating model choices.
What this signals
Identity maturity is becoming the real differentiator in security programmes. As teams add more identities, more workflows, and more governance expectations, the organisations that can explain their current state clearly will make better decisions faster. The practical signal is simple: if you cannot describe your baseline, you cannot prioritise your next control with confidence.
The pressure to simplify identity operations will keep rising because fragmented governance slows every downstream decision. That is true for human identity, machine identity, and non-human identity programmes alike. Teams should expect more scrutiny on whether their processes reduce complexity or just redistribute it across approvals and tooling.
For practitioners
- Run an identity maturity assessment first: Document current access governance, lifecycle coverage, and visibility gaps before buying or expanding tooling. Use the assessment to define a future state and sequence work by risk, not by vendor roadmap.
- Translate identity risk into business language: Create a standard way to explain access exposure, approval delays, and lifecycle gaps in terms leaders already use for cost, resilience, and delivery impact.
- Clarify decision rights for identity owners: Assign who can approve, revoke, and remediate access without unnecessary escalation. The goal is to reduce bottlenecks while preserving accountability for high-risk access.
- Minimise governance handoffs that slow remediation: Review where identity tasks stall between security, IT, and application owners. Remove approval layers that do not materially reduce risk and use exception handling for genuinely high-risk cases.
Key takeaways
- Identity security breaks down when teams treat tooling as the starting point instead of the outcome of a maturity assessment.
- Communication is an operational requirement in IAM because risk only changes behaviour when stakeholders understand it clearly.
- Clear decision rights and reduced governance friction are often the difference between identity control and identity backlog.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | The article centres on understanding organisational current state before selecting controls. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on clear access decisions and ownership. |
| NIST SP 800-63 | | The interview's identity focus touches assurance and trust in digital identity programmes. |
Use identity assurance thinking to align access decisions with business risk and governance maturity.
Key terms
- Identity Maturity Assessment: A structured review of how well an organisation can see, govern, and control identities across its environment. It compares the current operating state with the desired future state so teams can prioritise the highest-risk gaps instead of buying controls blindly.
- Decision Rights: The authority to approve, revoke, or remediate access in a defined identity process. Clear decision rights prevent delays, reduce handoff friction, and make accountability visible when identity governance is spread across security, IT, and application owners.
- Identity Governance Operating Model: The set of roles, handoffs, approval paths, and accountability structures that make identity controls work in practice. A strong operating model lets policy become action, while a weak one turns governance into backlog and exception handling.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Meet our CISO, Rex Booth. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org